@octokit/core
The @octokit/core package is a core library for GitHub's REST API v3. It provides a simplified interface to interact with GitHub's API, allowing developers to authenticate, send requests, and process responses. This package is part of the Octokit SDK, which is a collection of libraries for working with the GitHub API.
Authentication
Authenticate with the GitHub API using a personal access token. This is essential for performing actions that require GitHub permissions.
const { Octokit } = require('@octokit/core');
const octokit = new Octokit({ auth: `personal_access_token` });
Send Requests
Send requests to the GitHub API. This example fetches a user's profile information using their username.
const { Octokit } = require('@octokit/core');
const octokit = new Octokit();

async function fetchUser() {
  const response = await octokit.request('GET /users/{username}', {
    username: 'octocat'
  });
  console.log(response.data);
}

fetchUser();
Custom Requests
Create custom requests to perform specific actions, such as creating an issue in a repository. This demonstrates how to use the package to interact with various parts of the GitHub API.
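const { Octokit } = require('@octokit/core');
// Creating an issue requires an authenticated client. GITHUB_TOKEN is an
// assumed environment variable name; keep the token out of source code.
const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });

async function createIssue(owner, repo, title, body) {
  const response = await octokit.request('POST /repos/{owner}/{repo}/issues', {
    owner,
    repo,
    title,
    body
  });
  console.log(response.data);
}

createIssue('octocat', 'Hello-World', 'New issue title', 'Issue body content');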
The 'github' package is a Node.js wrapper for the GitHub API. It offers similar functionalities to @octokit/core but is less modular and not as actively maintained. @octokit/core benefits from being part of the larger Octokit SDK, which provides more comprehensive tools and a consistent API design.
Similar to 'github', 'node-github' is another wrapper for the GitHub API designed for Node.js. It provides access to the GitHub API but lacks the modularity and extensibility of @octokit/core. The Octokit libraries, including @octokit/core, are officially maintained by GitHub, offering better support and integration with GitHub's evolving API.
Extendable client for GitHub's REST & GraphQL APIs
If you need a minimalistic library to utilize GitHub's REST API and GraphQL API which you can extend with plugins as needed, then @octokit/core is a great starting point.
If you don't need the Plugin API then using @octokit/request or @octokit/graphql directly is a good alternative.
Browsers | Load @octokit/core directly from cdn.skypack.dev |
---|---|
Node | Install with |
import { Octokit } from "@octokit/core";

// Create a personal access token at https://github.com/settings/tokens/new?scopes=repo
const octokit = new Octokit({ auth: `personal-access-token123` });
const response = await octokit.request("GET /orgs/{org}/repos", {
  org: "octokit",
  type: "private",
});
See @octokit/request for full documentation of the .request method.
import { Octokit } from "@octokit/core";

const octokit = new Octokit({ auth: `secret123` });
const response = await octokit.graphql(
  `query ($login: String!) {
    organization(login: $login) {
      repositories(privacy: PRIVATE) {
        totalCount
      }
    }
  }`,
  { login: "octokit" }
);
See @octokit/graphql for full documentation of the .graphql method.
name | type | description |
---|---|---|
options.authStrategy | Function | Defaults to @octokit/auth-token. See Authentication below for examples. |
options.auth | String or Object | See Authentication below for examples. |
options.baseUrl | String | When using with GitHub Enterprise Server, set |
options.previews | Array of Strings | Some REST API endpoints require preview headers to be set, or enable additional features. Preview headers can be set on a per-request basis, e.g. You can also set previews globally, by setting the |
options.request | Object | Set a default request timeout ( There are more |
options.timeZone | String | Sets the The time zone header will determine the timezone used for generating the timestamp when creating commits. See GitHub's Timezones documentation. |
options.userAgent | String | A custom user agent string for your app or library. Example |
You can create a new Octokit class with customized default options.
const MyOctokit = Octokit.defaults({
  auth: "personal-access-token123",
  baseUrl: "https://github.acme-inc.com/api/v3",
  userAgent: "my-app/v1.2.3",
});
const octokit1 = new MyOctokit();
const octokit2 = new MyOctokit();
If you pass additional options to your new constructor, the options will be merged shallowly.
const MyOctokit = Octokit.defaults({
  foo: {
    opt1: 1,
  },
});
const octokit = new MyOctokit({
  foo: {
    opt2: 1,
  },
});
// options will be { foo: { opt2: 1 }}
If you need a deep or conditional merge, you can pass a function instead.
const MyOctokit = Octokit.defaults((options) => {
  return {
    foo: Object.assign({}, options.foo, { opt1: 1 }),
  };
});
const octokit = new MyOctokit({
  foo: { opt2: 1 },
});
// options will be { foo: { opt1: 1, opt2: 1 }}
Be careful about mutating the options object in the Octokit.defaults callback, as it can have unforeseen consequences.
Authentication is optional for some REST API endpoints accessing public data, but is required for GraphQL queries. Using authentication also increases your API rate limit.
By default, Octokit authenticates using the token authentication strategy. Pass in a token using options.auth. It can be a personal access token, an OAuth token, an installation access token or a JSON Web Token for GitHub App authentication. The Authorization header will be set according to the type of token.
import { Octokit } from "@octokit/core";

const octokit = new Octokit({
  auth: "mypersonalaccesstoken123",
});
const { data } = await octokit.request("/user");
To use a different authentication strategy, set options.authStrategy. A list of authentication strategies is available at octokit/authentication-strategies.js.
Example
import { Octokit } from "@octokit/core";
import { createAppAuth } from "@octokit/auth-app";

const appOctokit = new Octokit({
  authStrategy: createAppAuth,
  auth: {
    appId: 123,
    privateKey: process.env.PRIVATE_KEY,
  },
});
const { data } = await appOctokit.request("/app");
The .auth() method returned by the current authentication strategy can be accessed at octokit.auth(). Example
const { token } = await appOctokit.auth({
  type: "installation",
  installationId: 123,
});
There are four built-in log methods
octokit.log.debug(message[, additionalInfo])
octokit.log.info(message[, additionalInfo])
octokit.log.warn(message[, additionalInfo])
octokit.log.error(message[, additionalInfo])
They can be configured using the log client option. By default, octokit.log.debug() and octokit.log.info() are no-ops, while the other two call console.warn() and console.error() respectively.
This is useful if you build reusable plugins.
If you would like to make the log level configurable using an environment variable or external option, we recommend the console-log-level package. Example
const octokit = new Octokit({
  log: require("console-log-level")({ level: "info" }),
});
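A custom object with the same four methods can be passed as the log option in place of console-log-level. The following is an added example, not code from the Octokit project: it wraps a sink so that token-shaped strings and secret-named fields are redacted before anything is written. The names redact and createRedactingLog, the key list and the token pattern are assumptions of this example.

```javascript
// Added example, not Octokit code. The token pattern (GitHub token prefixes)
// and the SECRET_KEYS list are assumptions; extend them for your environment.
const TOKEN = /\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})/g;
const SECRET_KEYS = new Set(["authorization", "auth", "token", "privatekey"]);

// Return a copy of `value` with secrets replaced; never mutates the input.
function redact(value, seen = new WeakSet()) {
  if (typeof value === "string") return value.replace(TOKEN, "[REDACTED]");
  if (value instanceof Error) return `${value.name}: ${redact(value.message)}`;
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Seen]"; // cycle or repeated reference
  seen.add(value);
  if (Array.isArray(value)) return value.map((item) => redact(item, seen));
  const copy = {};
  for (const [key, item] of Object.entries(value)) {
    copy[key] = SECRET_KEYS.has(key.toLowerCase())
      ? "[REDACTED]"
      : redact(item, seen);
  }
  return copy;
}

// Build an object with the four methods the `log` option expects.
function createRedactingLog(sink = console) {
  const log = {};
  for (const level of ["debug", "info", "warn", "error"]) {
    log[level] = (message, additionalInfo) =>
      additionalInfo === undefined
        ? sink[level](redact(message))
        : sink[level](redact(message), redact(additionalInfo));
  }
  return log;
}

// Usage with the client: new Octokit({ log: createRedactingLog() });
```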
You can customize Octokit's request lifecycle with hooks.
octokit.hook.before("request", async (options) => {
  validate(options);
});
octokit.hook.after("request", async (response, options) => {
  console.log(`${options.method} ${options.url}: ${response.status}`);
});
octokit.hook.error("request", async (error, options) => {
  if (error.status === 304) {
    return findInCache(error.response.headers.etag);
  }
  throw error;
});
octokit.hook.wrap("request", async (request, options) => {
  // add logic before, after, catch errors or replace the request altogether
  return request(options);
});
See before-after-hook for more documentation on hooks.
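One way to fill in the validate() call used in the before hook above, as an added example that is not part of @octokit/core or its README: an egress allowlist that refuses any request whose origin or route is not expected, so a token is never sent anywhere unplanned. ALLOWED_ORIGIN, ALLOWED_ROUTES, targetOrigin and the shape of options (method, baseUrl, and url still holding the route template, with an absolute url bypassing baseUrl) are assumptions of this example.

```javascript
// Added example, not part of @octokit/core. ALLOWED_ORIGIN and ALLOWED_ROUTES
// are hypothetical policy values for a service that only reads users and
// files issues.
const ALLOWED_ORIGIN = "https://api.github.com";
const ALLOWED_ROUTES = new Set([
  "GET /users/{username}",
  "POST /repos/{owner}/{repo}/issues",
]);

// Assumed shape of `options`: { method, baseUrl, url, ...parameters }, with
// `url` still holding the route template when the hook runs.
function targetOrigin(options) {
  const url = String(options.url || "");
  // Assumption: an absolute url is sent as-is rather than appended to
  // baseUrl, so its own origin would receive the Authorization header.
  const base = /^https?:/i.test(url) ? url : String(options.baseUrl || "");
  try {
    return new URL(base).origin;
  } catch {
    return null; // unparsable target: validate() fails closed
  }
}

function validate(options) {
  const origin = targetOrigin(options);
  if (origin !== ALLOWED_ORIGIN) {
    throw new Error(`blocked: unexpected origin ${origin}`);
  }
  const method = String(options.method || "GET").toUpperCase();
  const route = `${method} ${options.url}`;
  if (!ALLOWED_ROUTES.has(route)) {
    throw new Error(`blocked: route not on allowlist: ${route}`);
  }
  return route;
}

// Registration, as in the hook shown above:
// octokit.hook.before("request", async (options) => { validate(options); });
```

Absolute URLs are rejected by the route check unless they are listed verbatim, which keeps the policy fail-closed.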
Octokit’s functionality can be extended using plugins. The Octokit.plugin() method accepts a plugin (or many) and returns a new constructor.
A plugin is a function which gets two arguments:
In order to extend octokit's API, the plugin must return an object with the new methods.
// index.js
const { Octokit } = require("@octokit/core");
const MyOctokit = Octokit.plugin(
  require("./lib/my-plugin"),
  require("octokit-plugin-example")
);
const octokit = new MyOctokit({ greeting: "Moin moin" });
octokit.helloWorld(); // logs "Moin moin, world!"
octokit.request("GET /"); // logs "GET / - 200 in 123ms"

// lib/my-plugin.js
module.exports = (octokit, options = { greeting: "Hello" }) => {
  // hook into the request lifecycle
  octokit.hook.wrap("request", async (request, options) => {
    const time = Date.now();
    const response = await request(options);
    console.log(
      `${options.method} ${options.url} – ${response.status} in ${Date.now() - time}ms`
    );
    return response;
  });
  // add a custom method
  return {
    helloWorld: () => console.log(`${options.greeting}, world!`),
  };
};
You can build your own Octokit class with preset default options and plugins. In fact, this is mostly how the @octokit/<context> modules work, such as @octokit/action:
const { Octokit } = require("@octokit/core");
const MyActionOctokit = Octokit.plugin(
  require("@octokit/plugin-paginate-rest").paginateRest,
  require("@octokit/plugin-throttling").throttling,
  require("@octokit/plugin-retry").retry
).defaults({
  throttle: {
    onAbuseLimit: (retryAfter, options) => {
      /* ... */
    },
    onRateLimit: (retryAfter, options) => {
      /* ... */
    },
  },
  authStrategy: require("@octokit/auth-action").createActionAuth,
  userAgent: `my-octokit-action/v1.2.3`,
});
const octokit = new MyActionOctokit();
const installations = await octokit.paginate("GET /app/installations");
FAQs
Extendable client for GitHub's REST & GraphQL APIs
The npm package @octokit/core receives a total of 0 weekly downloads. As such, @octokit/core popularity was classified as not popular.
We found that @octokit/core demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.