Upgrade @actions/core to 3.0.0 and @actions/github to 9.0.0#673
Closed
truggeri wants to merge 3 commits into
Closed
Upgrade @actions/core to 3.0.0 and @actions/github to 9.0.0#673truggeri wants to merge 3 commits into
truggeri wants to merge 3 commits into
Conversation
- Upgrade @actions/core from ^1.11.1 to ^3.0.0 - Upgrade @actions/github from ^6.0.1 to ^9.0.0 - Upgrade @octokit/request-error from ^5.1.1 to ^7.1.0 - Replace @vercel/ncc with esbuild for bundling (ESM support) - Add jest-resolver.js for ESM-only package resolution - Update jest.config.js with transform and resolver settings - Fix RequestError constructor usage in tests (removed headers) - Add skipLibCheck to tsconfig.json for @octokit/core subpath types
Contributor
Author
|
From Copilot, Here's a comprehensive changelog for the three upgraded packages in this PR, sourced from the official actions/toolkit RELEASES.md and octokit/request-error.js releases:
|
| Version | Type | Changes |
|---|---|---|
| 3.0.0 | 💥 Breaking | Package is now ESM-only. CommonJS consumers must use dynamic import() instead of require(). |
| 2.0.3 | Patch | Bump @actions/http-client to 3.0.2 |
| 2.0.1 | Patch | Bump @actions/exec from 1.1.1 to 2.0.0 |
| 2.0.0 | 💥 Breaking | Add support for Node 24; bump @actions/http-client from 2.0.1 to 3.0.0 |
Source:
packages/core/RELEASES.md
@actions/github — ^6.0.1 → ^9.0.0
| Version | Type | Changes |
|---|---|---|
| 9.0.0 | 💥 Breaking | Package is now ESM-only. CommonJS consumers must use dynamic import() instead of require(). Fix TypeScript compilation by migrating to ESM, enabling proper imports from @octokit/core/types. |
| 8.0.1 | Patch | Update undici to 6.23.0; update @actions/http-client to 3.0.2 |
| 8.0.0 | 💥 Breaking | Minimum Node.js version is now 20 (previously 18). Updated @octokit dependencies: @octokit/core ^7.0.6, @octokit/plugin-paginate-rest ^14.0.0, @octokit/plugin-rest-endpoint-methods ^17.0.0, @octokit/request ^10.0.7, @octokit/request-error ^7.1.0. |
| 7.0.0 | Major | Update to v3.0.1 of @actions/http-client |
Source:
packages/github/RELEASES.md
@octokit/request-error — ^5.1.1 → ^7.1.0
| Version | Type | Changes |
|---|---|---|
| 7.1.0 | Feature | Inherit options from base Error class to add support for the cause property (#535/#536) |
| 7.0.2 | Patch | Update @octokit/types to v16 |
| 7.0.1 | Patch | Update @octokit/types to v15 |
| 7.0.0 | 💥 Breaking | Drop support for Node.js v18. Minimum is now Node 20. |
| 6.0.0 | 💥 Breaking | Removed code and headers properties (previously deprecated). Switched package to ESM instead of CommonJS. |
| 6.1.8 | Patch | Update @octokit/types to v14 |
| 6.1.7 | Security | Fix ReDoS regex vulnerability |
| 6.1.6 | Patch | Bump @octokit/types to fix Deno compatibility |
| 6.1.5 | Patch | Add explicit ` |
| 6.1.4 | Patch | Improve performance of request error instantiations |
| 6.1.3 | Patch | Correct title in README |
| 6.1.2 | Patch | Ensure statusCode is always an integer |
| 6.1.1 | Patch | Add default fallback and types export |
| 6.1.0 | Feature | Add provenance |
| 6.0.3 | Patch | Update @octokit/types to v13 |
| 6.0.2 | Patch | Add main entry point |
| 6.0.1 | Patch | Remove Node.js/Browser specific builds |
Summary of breaking changes relevant to this PR
- ESM-only — All three packages moved to ESM-only in their new major versions (
@actions/core3.0,@actions/github9.0,@octokit/request-error6.0). This is the main reason the PR switches the bundler from@vercel/ncc→esbuild. - Node.js 20 minimum —
@actions/github8.0 and@octokit/request-error7.0 dropped Node 18 support. - Removed
headersproperty —@octokit/request-error6.0 removed the previously-deprecatedcodeandheadersproperties fromRequestError, which is why the test insrc/main.test.tswas updated.
jeffwidman
previously approved these changes
Mar 25, 2026
jeffwidman
left a comment
Member
There was a problem hiding this comment.
I'm not 100% confident in all this, but I think tha'ts okay because if it breaks it won't block really bad things so we'll have time to fix-forward, plus if it's broken I expect it to be completely broken, not just partially...
The @actions/github v9 exports map does not expose ./lib/context. Added src/dependabot/github-context.ts that derives the Context type and constructor from the github.context singleton, and updated all files to import from it.
6f895d5 to
fd27937
Compare
Switched dry-run script from ts-node to esbuild bundling to handle ESM-only dependencies.
fd27937 to
c25a4c0
Compare
Contributor
Author
|
Splitting into separate PRs for each dependency upgrade. |
This was referenced Mar 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
There are five open advisories on
undicithat require us to upgrade actions packages to resolve. This PR upgrades@actions/coreand@actions/githubto their latest major versions, along with aligning@octokit/request-errorto the version required by the new@actions/github.Resolved advisories
Note that based on CodeQL check, it appears there may end up being new advisories that we become exposed to.
Package upgrades
@actions/core@actions/github@octokit/request-errorBreaking changes addressed
ESM-only packages — Both
@actions/core3.0 and@actions/github9.0 are now ESM-only (no CommonJSrequiresupport).@vercel/ncccannot bundle ESM-only packages, so the build toolchain was switched from ncc → esbuild, which handles ESM natively.RequestErrorconstructor change —@octokit/request-errorv7 removedheadersfromRequestErrorOptions. Updated the test insrc/main.test.tsto match the new API.Jest ESM resolution — Added a custom
jest-resolver.jsthat adds theimportcondition for@actions/*packages and falls back to direct file resolution for subpaths not in the exports map (e.g.@actions/github/lib/context). Updatedjest.config.jswithtransformIgnorePatternsto transform ESM dependencies through ts-jest.TypeScript config — Added
skipLibCheck: truetotsconfig.jsonto handle@octokit/core/typessubpath imports in library.d.tsfiles, which require exports map support unavailable undermoduleResolution: "node".Files changed
@vercel/nccwithesbuild, updated build script@actions/*packagesskipLibCheck: trueheadersfromRequestErrorconstructor optionsTesting
dist/index.jssuccessfully via esbuild