☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The dependency @octokit/request was updated from 5.4.0 to 5.4.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@octokit/request is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

The dependency @octokit/request was updated from 5.2.1 to 5.3.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@octokit/request is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

Compare octokit/auth-oauth-app.js#35

The dependency @octokit/request-error was updated from 1.2.0 to 1.2.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@octokit/request-error is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

https://developer.github.com/changes/2020-02-14-deprecating-password-auth/

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency prettier was updated from 2.0.2 to 2.0.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

prettier is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch master on the remote Git repository with URL https://x-access-token:[secure]@github.com/octokit/auth-basic.js.

This can be caused by:

• a misconfiguration of the repositoryUrl option
• the repository being unavailable
• or missing push permission for the user configured via the Git credentials on your CI environment

Good luck with your project ✨

Your semantic-release bot 📦🚀

The current flow using all Octokit auth libraries is as follows.

1. Require the auth strategy method

Example

import { createBasicAuth } from "@octokit/auth-basic";

2. Create async auth method

Example

const auth = createBasicAuth({
  username: "octocat",
  password: "secret",
  on2Fa() {
    return prompt("2Fa Code");
  }
});

3. Use the auth method to retrieve authentication options before a request

Example

const authentication = await auth({ url: "/authorizations" });
const { data } = await request("/authorizations", {
  headers: authentication.headers
});

The challenge is: how to make sure that the request() call has all required authentications, included a 2Fa code?

With the current implementation await auth({url: '/authorizations'}) directly returns username and password and returns headers.authorization set to Basic <encoded username:password>. So if the user has 2Fa enabled, the request would fail with 401 Unauthorized and the user would need to catch the error, ask the user for a 2Fa code and retry the same request.

An alternative approach would be to always send a request to assure that the authentication is still valid. For basic auth, instead of just returning the username/password synchronously, a request could be sent to check if the user has 2Fa enabled, in which case the user would be prompted and the returned authentication would include the 2Fa code and x-github-otp header. But that approach has its own tradeoffs:

1. Extra requests would need to be sent which would not be required for accounts that don’t have 2Fa enabled
2. A 2Fa code expires, which means a 401 Unauthorized response would still need to be handled by re-requesting a 2Fa code from the user with some custom code

Yet another approach could mean that the async auth() has an additional auth.wrap(request, options) method which could directly be passed to @octokit/request as request.hook option. That would make it possible to catch & handle request errors. This would imply that all @octokit/auth-* libraries would need to return the auth.wrap(request, options) method, it could act as a replacement of the .headers and .query keys.

The last consideration is that if a user has 2Fa enabled with SMS then an SMS is only sent for one of the following routes

• POST /authorizations - Create a new authorization
• PUT /authorizations/clients/:client_id - Get-or-create an authorization for a specific app
• PUT /authorizations/clients/:client_id/:fingerprint - Get-or-create an authorization for a specific app and fingerprint
• PATCH /authorizations/:authorization_id - Update an existing authorization
• DELETE /authorizations/:authorization_id - Delete an authorization

So if the user requests GET /authorizations and the server responses with 401 Unauthorized, then the user will not retrieve a 2Fa code if they have SMS configured as delivery.

I'm currently double checking that assumption.

Update

I can confirm that all these routes can be used to trigger an SMS for accounts that have 2Fa enabled:

• {POST,PATCH,PUT} /authorizations
• {POST,PATCH,PUT} /authorizations/:authorization_id (authorization_id can be bogus, e.g. POST /authorizations/1 will work)
• {POST,PATCH,PUT} /authorizations/clients/:client_id/:fingerprint (client_id and fingerprint can be bogus, e.g. POST /authorizations/clients/1/1 works)

All above routes works, even though the following are not even valid routes and will return 404 when a valid OTP is passed

• {PATCH,PUT} /authorizations
• POST /authorizations/clients/:client_id
• POST /authorizations/:authorization_id
• POST /authorizations/clients/:client_id/:fingerprint

I can also confirm that the above path’s won’t work with GET, HEAD, or DELETE methods. I tested

• GET /authorizations
• DELETE /authorizations/:authorization_id

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The dependency @octokit/request was updated from 5.4.1 to 5.4.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@octokit/request is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

🆕🐥☝ First Timers Only.

This issue is reserved for people who never contributed to Open Source before. We know that the process of creating a pull request is the biggest barrier for new contributors. This issue is for you 💝

About First Timers Only.

🤔 What you will need to know.

The Pika CDN is now Skypack, see https://www.pika.dev/cdn. The CDN at https://cdn.pika.dev/ no longer works, all URLs must be replaced with the new CDN: https://cdn.skypack.dev/. We currently recommend using cdn.pika.dev to import the library into the browser, but that no longer works. Replacing it with cdn.skypack.dev will make it work again.

📋 Step by Step

• 🙋 Claim this issue: Comment below.

  More than one person can work on this issue, don't worry if it's already claimed.

• 📝 Update the file \README.md (press the little pen Icon) and edit as shown below:

@@ -40,11 +40,11 @@ See the [official deprecation announcement](https://developer.github.com/changes
 Browsers
 </th><td width=100%>
 
-Load `@octokit/auth-basic` directly from [cdn.pika.dev](https://cdn.pika.dev)
+Load `@octokit/auth-basic` directly from [cdn.skypack.dev](https://cdn.skypack.dev)
 
 ```html
 <script type="module">
-  import { createBasicAuth } from "https://cdn.pika.dev/@octokit/auth-basic";
+  import { createBasicAuth } from "https://cdn.skypack.dev/@octokit/auth-basic";
 </script>
 ```
 

• 💾 Commit your changes

• 🔀 Start a Pull Request. There are two ways how you can start a pull request:

  1. If you are familiar with the terminal or would like to learn it, here is a great tutorial on how to send a pull request using the terminal.
  2. You can edit files directly in your browser

• 🏁 Done Ask for a review :)

If there are more than one pull requests with the correct change, we will merge the first one, but attribute the change to all authors who made the same change using @Co-authored-by, so yo can be sure your contribution will count.

🤔❓ Questions

Leave a comment below!

This issue was created by First-Timers-Bot.

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency fetch-mock was updated from 9.3.0 to 9.3.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fetch-mock is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency semantic-release was updated from 17.0.2 to 17.0.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

semantic-release is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴