github-webhook-handler 0.7.1 → 2.0.0

package/.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+    cooldown:
+      default-days: 5
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+    cooldown:
+      default-days: 5

package/.github/workflows/test-and-release.yml

@@ -0,0 +1,56 @@
+name: Test & Maybe Release
+on: [push, pull_request]
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [lts/*, current]
+        os: [macos-latest, ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+      - name: Use Node.js ${{ matrix.node }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node }}
+      - name: Install Dependencies
+        run: npm install --no-progress
+      - name: Check build is up to date
+        run: |
+          npm run build
+          git diff --exit-code || (echo "::error::Build artifacts not committed. Run 'npm run build' and commit the changes." && exit 1)
+      - name: Run tests
+        run: npm test
+
+  release:
+    name: Release
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: lts/*
+          registry-url: 'https://registry.npmjs.org'
+      - name: Install dependencies
+        run: npm install --no-progress --no-package-lock --no-save
+      - name: Build
+        run: npm run build
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+        run: npx semantic-release

package/CHANGELOG.md

@@ -0,0 +1,9 @@
+## [2.0.0](https://github.com/rvagg/github-webhook-handler/compare/v1.0.0...v2.0.0) (2026-01-28)
+
+### ⚠ BREAKING CHANGES
+
+* modernise, ESM, promises, update deps, GHA, auto-release (#58)
+
+### Features
+
+* modernise, ESM, promises, update deps, GHA, auto-release ([#58](https://github.com/rvagg/github-webhook-handler/issues/58)) ([bc84845](https://github.com/rvagg/github-webhook-handler/commit/bc848457d5c28110ac24335af520ec3b921355fc))

package/README.md

@@ -1,12 +1,15 @@
 # github-webhook-handler
 
-[![NPM](https://nodei.co/npm/github-webhook-handler.png?downloads=true&downloadRank=true)](https://nodei.co/npm/github-webhook-handler/)
-[![NPM](https://nodei.co/npm-dl/github-webhook-handler.png?months=6&height=3)](https://nodei.co/npm/github-webhook-handler/)
+[![NPM](https://nodei.co/npm/github-webhook-handler.svg?style=flat&data=n,v&color=blue)](https://nodei.co/npm/github-webhook-handler/)
 
 GitHub allows you to register **[Webhooks](https://developer.github.com/webhooks/)** for your repositories. Each time an event occurs on your repository, whether it be pushing code, filling issues or creating pull requests, the webhook address you register can be configured to be pinged with details.
 
 This library is a small handler (or "middleware" if you must) for Node.js web servers that handles all the logic of receiving and verifying webhook requests from GitHub.
 
+## Requirements
+
+Node.js >= 20
+
 ## Tips
 
 In Github Webhooks settings, Content type must be `application/json`.
@@ -16,28 +19,29 @@ In Github Webhooks settings, Content type must be `application/json`.
 ## Example
 
 ```js
-var http = require('http')
-var createHandler = require('github-webhook-handler')
-var handler = createHandler({ path: '/webhook', secret: 'myhashsecret' })
+import http from 'node:http'
+import createHandler from 'github-webhook-handler'
+
+const handler = createHandler({ path: '/webhook', secret: 'myhashsecret' })
 
-http.createServer(function (req, res) {
-  handler(req, res, function (err) {
+http.createServer((req, res) => {
+  handler(req, res, (err) => {
     res.statusCode = 404
     res.end('no such location')
   })
 }).listen(7777)
 
-handler.on('error', function (err) {
+handler.on('error', (err) => {
   console.error('Error:', err.message)
 })
 
-handler.on('push', function (event) {
+handler.on('push', (event) => {
   console.log('Received a push event for %s to %s',
     event.payload.repository.name,
     event.payload.ref)
 })
 
-handler.on('issues', function (event) {
+handler.on('issues', (event) => {
   console.log('Received an issue event for %s action=%s: #%d %s',
     event.payload.repository.name,
     event.payload.action,
@@ -46,11 +50,11 @@ handler.on('issues', function (event) {
 })
 ```
 
-for multiple handlers, please see [multiple-handlers-issue](https://github.com/rvagg/github-webhook-handler/pull/22#issuecomment-274301907).
+For multiple handlers, see [multiple-handlers-issue](https://github.com/rvagg/github-webhook-handler/pull/22#issuecomment-274301907).
 
 ## API
 
-github-webhook-handler exports a single function, use this function to *create* a webhook handler by passing in an *options* object. Your options object should contain:
+github-webhook-handler exports a single function. Use this function to *create* a webhook handler by passing in an *options* object. Your options object should contain:
 
  * `"path"`: the complete case sensitive path/route to match when looking at `req.url` for incoming requests. Any request not matching this path will cause the callback function to the handler to be called (sometimes called the `next` handler).
  * `"secret"`: this is a hash key used for creating the SHA-1 HMAC signature of the JSON blob sent by GitHub. You should register the same secret key with GitHub. Any request not delivering a `X-Hub-Signature` that matches the signature generated using this key against the blob will be rejected and cause an `'error'` event (also the callback will be called with an `Error` object).
@@ -65,14 +69,15 @@ See the [GitHub Webhooks documentation](https://developer.github.com/webhooks/)
 Included in the distribution is an *events.json* file which maps the event names to descriptions taken from the API:
 
 ```js
-var events = require('github-webhook-handler/events')
-Object.keys(events).forEach(function (event) {
-  console.log(event, '=', events[event])
-})
+import events from 'github-webhook-handler/events.json' with { type: 'json' }
+
+for (const [event, description] of Object.entries(events)) {
+  console.log(event, '=', description)
+}
 ```
 
-Additionally, there is a special `'*'` even you can listen to in order to receive _everything_.
+Additionally, there is a special `'*'` event you can listen to in order to receive _everything_.
 
 ## License
 
-**github-webhook-handler** is Copyright (c) 2014 Rod Vagg [@rvagg](https://twitter.com/rvagg) and licensed under the MIT License. All rights not explicitly granted in the MIT License are reserved. See the included [LICENSE.md](./LICENSE.md) file for more details.
+**github-webhook-handler** is Copyright (c) 2014 Rod Vagg and licensed under the MIT License. All rights not explicitly granted in the MIT License are reserved. See the included [LICENSE.md](./LICENSE.md) file for more details.

package/github-webhook-handler.d.ts

@@ -1,16 +1,20 @@
-///<reference types="node" />
+/// <reference types="node" />
 
-import { IncomingMessage, ServerResponse } from "http";
-import { EventEmitter } from "events";
+import { IncomingMessage, ServerResponse } from 'node:http'
+import { EventEmitter } from 'node:events'
 
 interface CreateHandlerOptions {
-    path: string;
-    secret: string;
-    events?: string | string[];
+  path: string
+  secret: string
+  events?: string | string[]
 }
 
-interface handler extends EventEmitter {
-    (req: IncomingMessage, res: ServerResponse, callback: (err: Error) => void): void;
+interface Handler extends EventEmitter {
+  (req: IncomingMessage, res: ServerResponse, callback: (err?: Error) => void): void
+  sign(data: string | Buffer): string
+  verify(signature: string, data: string | Buffer): boolean
 }
 
-export default function createHandler(options: CreateHandlerOptions): handler;
+declare function createHandler (options: CreateHandlerOptions | CreateHandlerOptions[]): Handler
+
+export default createHandler

package/github-webhook-handler.js

@@ -1,29 +1,47 @@
-const EventEmitter = require('events').EventEmitter
-    , inherits     = require('util').inherits
-    , crypto       = require('crypto')
-    , bl           = require('bl')
-    , bufferEq     = require('buffer-equal-constant-time')
-
-function create (options) {
-  if (typeof options != 'object')
-    throw new TypeError('must provide an options object')
+import { EventEmitter } from 'node:events'
+import crypto from 'node:crypto'
+import bl from 'bl'
+
+function findHandler (url, arr) {
+  if (!Array.isArray(arr)) {
+    return arr
+  }
 
-  if (typeof options.path != 'string')
-    throw new TypeError('must provide a \'path\' option')
+  let ret = arr[0]
+  for (let i = 0; i < arr.length; i++) {
+    if (url === arr[i].path) {
+      ret = arr[i]
+    }
+  }
+
+  return ret
+}
 
-  if (typeof options.secret != 'string')
-    throw new TypeError('must provide a \'secret\' option')
+function checkType (options) {
+  if (typeof options !== 'object') {
+    throw new TypeError('must provide an options object')
+  }
 
-  var events
+  if (typeof options.path !== 'string') {
+    throw new TypeError("must provide a 'path' option")
+  }
 
-  if (typeof options.events == 'string' && options.events != '*')
-    events = [ options.events ]
+  if (typeof options.secret !== 'string') {
+    throw new TypeError("must provide a 'secret' option")
+  }
+}
 
-  else if (Array.isArray(options.events) && options.events.indexOf('*') == -1)
-    events = options.events
+function create (initOptions) {
+  let options
+  if (Array.isArray(initOptions)) {
+    for (let i = 0; i < initOptions.length; i++) {
+      checkType(initOptions[i])
+    }
+  } else {
+    checkType(initOptions)
+  }
 
-  // make it an EventEmitter, sort of
-  handler.__proto__ = EventEmitter.prototype
+  Object.setPrototypeOf(handler, EventEmitter.prototype)
   EventEmitter.call(handler)
 
   handler.sign = sign
@@ -31,54 +49,74 @@ function create (options) {
 
   return handler
 
-
   function sign (data) {
-    return 'sha1=' + crypto.createHmac('sha1', options.secret).update(data).digest('hex')
+    return `sha1=${crypto.createHmac('sha1', options.secret).update(data).digest('hex')}`
   }
 
   function verify (signature, data) {
-    return bufferEq(Buffer.from(signature), Buffer.from(sign(data)))
+    const sig = Buffer.from(signature)
+    const signed = Buffer.from(sign(data))
+    if (sig.length !== signed.length) {
+      return false
+    }
+    return crypto.timingSafeEqual(sig, signed)
   }
 
   function handler (req, res, callback) {
-    if (req.url.split('?').shift() !== options.path || req.method !== 'POST')
+    let events
+
+    options = findHandler(req.url, initOptions)
+
+    if (typeof options.events === 'string' && options.events !== '*') {
+      events = [options.events]
+    } else if (Array.isArray(options.events) && options.events.indexOf('*') === -1) {
+      events = options.events
+    }
+
+    if (req.url !== options.path || req.method !== 'POST') {
       return callback()
+    }
 
     function hasError (msg) {
       res.writeHead(400, { 'content-type': 'application/json' })
       res.end(JSON.stringify({ error: msg }))
 
-      var err = new Error(msg)
+      const err = new Error(msg)
 
       handler.emit('error', err, req)
       callback(err)
     }
 
-    var sig   = req.headers['x-hub-signature']
-      , event = req.headers['x-github-event']
-      , id    = req.headers['x-github-delivery']
+    const sig = req.headers['x-hub-signature']
+    const event = req.headers['x-github-event']
+    const id = req.headers['x-github-delivery']
 
-    if (!sig)
+    if (!sig) {
       return hasError('No X-Hub-Signature found on request')
+    }
 
-    if (!event)
+    if (!event) {
       return hasError('No X-Github-Event found on request')
+    }
 
-    if (!id)
+    if (!id) {
       return hasError('No X-Github-Delivery found on request')
+    }
 
-    if (events && events.indexOf(event) == -1)
+    if (events && events.indexOf(event) === -1) {
       return hasError('X-Github-Event is not acceptable')
+    }
 
-    req.pipe(bl(function (err, data) {
+    req.pipe(bl((err, data) => {
       if (err) {
         return hasError(err.message)
       }
 
-      var obj
+      let obj
 
-      if (!verify(sig, data))
+      if (!verify(sig, data)) {
         return hasError('X-Hub-Signature does not match blob signature')
+      }
 
       try {
         obj = JSON.parse(data.toString())
@@ -89,13 +127,14 @@ function create (options) {
       res.writeHead(200, { 'content-type': 'application/json' })
       res.end('{"ok":true}')
 
-      var emitData = {
-          event   : event
-        , id      : id
-        , payload : obj
-        , protocol: req.protocol
-        , host    : req.headers['host']
-        , url     : req.url
+      const emitData = {
+        event,
+        id,
+        payload: obj,
+        protocol: req.protocol,
+        host: req.headers.host,
+        url: req.url,
+        path: options.path
       }
 
       handler.emit(event, emitData)
@@ -104,5 +143,4 @@ function create (options) {
   }
 }
 
-
-module.exports = create
+export default create

package/package.json

@@ -1,11 +1,19 @@
 {
   "name": "github-webhook-handler",
-  "version": "0.7.1",
+  "version": "2.0.0",
   "description": "Web handler / middleware for processing GitHub Webhooks",
+  "type": "module",
   "main": "github-webhook-handler.js",
+  "exports": "./github-webhook-handler.js",
   "types": "github-webhook-handler.d.ts",
+  "engines": {
+    "node": ">=20"
+  },
   "scripts": {
-    "test": "node test.js"
+    "lint": "standard",
+    "build": "true",
+    "test:unit": "node --test test.js",
+    "test": "npm run lint && npm run test:unit"
   },
   "keywords": [
     "github",
@@ -18,13 +26,98 @@
   },
   "license": "MIT",
   "dependencies": {
-    "bl": "~1.1.2",
-    "buffer-equal-constant-time": "~1.0.1"
+    "bl": "^6.1.6"
   },
   "devDependencies": {
-    "@types/node": "*",
-    "run-series": "~1.1.4",
-    "tape": "~4.6.0",
-    "through2": "~2.0.1"
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^12.0.2",
+    "@semantic-release/npm": "^13.1.3",
+    "@semantic-release/release-notes-generator": "^14.1.0",
+    "conventional-changelog-conventionalcommits": "^9.1.0",
+    "semantic-release": "^25.0.2",
+    "standard": "^17.1.2"
+  },
+  "release": {
+    "branches": [
+      "master"
+    ],
+    "plugins": [
+      [
+        "@semantic-release/commit-analyzer",
+        {
+          "preset": "conventionalcommits",
+          "releaseRules": [
+            {
+              "breaking": true,
+              "release": "major"
+            },
+            {
+              "revert": true,
+              "release": "patch"
+            },
+            {
+              "type": "feat",
+              "release": "minor"
+            },
+            {
+              "type": "fix",
+              "release": "patch"
+            },
+            {
+              "type": "chore",
+              "release": "patch"
+            },
+            {
+              "type": "docs",
+              "release": "patch"
+            },
+            {
+              "type": "test",
+              "release": "patch"
+            },
+            {
+              "scope": "no-release",
+              "release": false
+            }
+          ]
+        }
+      ],
+      [
+        "@semantic-release/release-notes-generator",
+        {
+          "preset": "conventionalcommits",
+          "presetConfig": {
+            "types": [
+              {
+                "type": "feat",
+                "section": "Features"
+              },
+              {
+                "type": "fix",
+                "section": "Bug Fixes"
+              },
+              {
+                "type": "chore",
+                "section": "Trivial Changes"
+              },
+              {
+                "type": "docs",
+                "section": "Trivial Changes"
+              },
+              {
+                "type": "test",
+                "section": "Tests"
+              }
+            ]
+          }
+        }
+      ],
+      "@semantic-release/changelog",
+      "@semantic-release/npm",
+      "@semantic-release/github",
+      "@semantic-release/git"
+    ]
   }
 }

package/test.js

@@ -1,333 +1,350 @@
-const test     = require('tape')
-    , crypto   = require('crypto')
-    , handler  = require('./')
-    , through2 = require('through2')
-    , series   = require('run-series')
-
+import { test } from 'node:test'
+import assert from 'node:assert'
+import crypto from 'node:crypto'
+import { PassThrough } from 'node:stream'
+import handler from './github-webhook-handler.js'
 
 function signBlob (key, blob) {
-  return 'sha1=' +
-  crypto.createHmac('sha1', key).update(blob).digest('hex')
+  return `sha1=${crypto.createHmac('sha1', key).update(blob).digest('hex')}`
 }
 
-
 function mkReq (url, method) {
-  var req = through2()
+  const req = new PassThrough()
   req.method = method || 'POST'
   req.url = url
   req.headers = {
-      'x-hub-signature'   : 'bogus'
-    , 'x-github-event'    : 'bogus'
-    , 'x-github-delivery' : 'bogus'
+    'x-hub-signature': 'bogus',
+    'x-github-event': 'bogus',
+    'x-github-delivery': 'bogus'
   }
   return req
 }
 
-
 function mkRes () {
-  var res = {
-      writeHead : function (statusCode, headers) {
-        res.$statusCode = statusCode
-        res.$headers = headers
-      }
-
-    , end       : function (content) {
-        res.$end = content
-      }
+  const res = {
+    writeHead (statusCode, headers) {
+      res.$statusCode = statusCode
+      res.$headers = headers
+    },
+    end (content) {
+      res.$end = content
+    }
   }
-
   return res
 }
 
-
-test('handler without full options throws', function (t) {
-  t.plan(4)
-
-  t.equal(typeof handler, 'function', 'handler exports a function')
-
-  t.throws(handler, /must provide an options object/, 'throws if no options')
-
-  t.throws(handler.bind(null, {}), /must provide a 'path' option/, 'throws if no path option')
-
-  t.throws(handler.bind(null, { path: '/' }), /must provide a 'secret' option/, 'throws if no secret option')
+test('handler without full options throws', () => {
+  assert.strictEqual(typeof handler, 'function', 'handler exports a function')
+  assert.throws(() => handler(), /must provide an options object/, 'throws if no options')
+  assert.throws(() => handler({}), /must provide a 'path' option/, 'throws if no path option')
+  assert.throws(() => handler({ path: '/' }), /must provide a 'secret' option/, 'throws if no secret option')
 })
 
+test('handler without full options throws in array', () => {
+  assert.throws(() => handler([{}]), /must provide a 'path' option/, 'throws if no path option')
+  assert.throws(() => handler([{ path: '/' }]), /must provide a 'secret' option/, 'throws if no secret option')
+})
 
-test('handler ignores invalid urls', function (t) {
-  var options = { path: '/some/url', secret: 'bogus' }
-    , h       = handler(options)
-
-  t.plan(6)
+test('handler ignores invalid urls', async () => {
+  const options = { path: '/some/url', secret: 'bogus' }
+  const h = handler(options)
 
-  h(mkReq('/'), mkRes(), function (err) {
-    t.error(err)
-    t.ok(true, 'request was ignored')
+  await new Promise((resolve) => {
+    h(mkReq('/'), mkRes(), (err) => {
+      assert.ifError(err)
+      resolve()
+    })
   })
 
-  // near match
-  h(mkReq('/some/url/'), mkRes(), function (err) {
-    t.error(err)
-    t.ok(true, 'request was ignored')
+  await new Promise((resolve) => {
+    h(mkReq('/some/url/'), mkRes(), (err) => {
+      assert.ifError(err)
+      resolve()
+    })
   })
 
-  // partial match
-  h(mkReq('/some'), mkRes(), function (err) {
-    t.error(err)
-    t.ok(true, 'request was ignored')
+  await new Promise((resolve) => {
+    h(mkReq('/some'), mkRes(), (err) => {
+      assert.ifError(err)
+      resolve()
+    })
   })
 })
 
-test('handler ingores non-POST requests', function (t) {
-  var options = { path: '/some/url', secret: 'bogus' }
-    , h       = handler(options)
+test('handler ignores non-POST requests', async () => {
+  const options = { path: '/some/url', secret: 'bogus' }
+  const h = handler(options)
 
-  t.plan(4)
-
-  h(mkReq('/some/url', 'GET'), mkRes(), function (err) {
-    t.error(err)
-    t.ok(true, 'request was ignored')
+  await new Promise((resolve) => {
+    h(mkReq('/some/url', 'GET'), mkRes(), (err) => {
+      assert.ifError(err)
+      resolve()
+    })
   })
 
-  h(mkReq('/some/url?test=param', 'GET'), mkRes(), function (err) {
-    t.error(err)
-    t.ok(true, 'request was ignored')
+  await new Promise((resolve) => {
+    h(mkReq('/some/url?test=param', 'GET'), mkRes(), (err) => {
+      assert.ifError(err)
+      resolve()
+    })
   })
 })
 
-test('handler accepts valid urls', function (t) {
-  var options = { path: '/some/url', secret: 'bogus' }
-    , h       = handler(options)
-
-  t.plan(1)
-
-  h(mkReq('/some/url'), mkRes(), function (err) {
-    t.error(err)
-    t.fail(false, 'should not call')
-  })
+test('handler accepts valid urls', async () => {
+  const options = { path: '/some/url', secret: 'bogus' }
+  const h = handler(options)
 
-  h(mkReq('/some/url?test=param'), mkRes(), function (err) {
-    t.error(err)
-    t.fail(false, 'should not call')
+  let callbackCalled = false
+  h(mkReq('/some/url'), mkRes(), () => {
+    callbackCalled = true
   })
 
-  setTimeout(t.ok.bind(t, true, 'done'))
+  await new Promise((resolve) => setTimeout(resolve, 10))
+  assert.strictEqual(callbackCalled, false, 'callback should not be called for valid POST')
 })
 
+test('handler accepts valid urls in Array', async () => {
+  const options = [{ path: '/some/url', secret: 'bogus' }, { path: '/someOther/url', secret: 'bogus' }]
+  const h = handler(options)
 
-test('handler can reject events', function (t) {
-  var acceptableEvents   = {
-          'undefined'                     : undefined
-        , 'a string equal to the event'   : 'bogus'
-        , 'a string equal to *'           : '*'
-        , 'an array containing the event' : ['bogus']
-        , 'an array containing *'         : ['not-bogus', '*']
-      }
-    , unacceptableEvents = {
-          'a string not equal to the event or *'   : 'not-bogus'
-        , 'an array not containing the event or *' : ['not-bogus']
-      }
-    , acceptable         = Object.keys(acceptableEvents)
-    , unacceptable       = Object.keys(unacceptableEvents)
-    , acceptableTests    = acceptable.map(function (events) {
-        return acceptableReq.bind(null, events)
-      })
-    , unacceptableTests  = unacceptable.map(function (events) {
-        return unacceptableReq.bind(null, events)
-      })
+  let callbackCalled = false
+  h(mkReq('/some/url'), mkRes(), () => { callbackCalled = true })
+  h(mkReq('/someOther/url'), mkRes(), () => { callbackCalled = true })
 
-  t.plan(acceptable.length + unacceptable.length)
-  series(acceptableTests.concat(unacceptableTests))
+  await new Promise((resolve) => setTimeout(resolve, 10))
+  assert.strictEqual(callbackCalled, false, 'callback should not be called for valid POSTs')
+})
 
-  function acceptableReq (events, callback) {
-    var h = handler({
-        path    : '/some/url'
-      , secret  : 'bogus'
-      , events  : acceptableEvents[events]
-    })
+test('handler can reject events', async () => {
+  const acceptableEvents = {
+    undefined,
+    'a string equal to the event': 'bogus',
+    'a string equal to *': '*',
+    'an array containing the event': ['bogus'],
+    'an array containing *': ['not-bogus', '*']
+  }
+  const unacceptableEvents = {
+    'a string not equal to the event or *': 'not-bogus',
+    'an array not containing the event or *': ['not-bogus']
+  }
 
-    h(mkReq('/some/url'), mkRes(), function (err) {
-      t.error(err)
-      t.fail(false, 'should not call')
+  for (const [desc, events] of Object.entries(acceptableEvents)) {
+    const h = handler({
+      path: '/some/url',
+      secret: 'bogus',
+      events
     })
 
-    setTimeout(function () {
-      t.ok(true, 'accepted because options.events was ' + events)
-      callback()
-    })
+    let callbackCalled = false
+    h(mkReq('/some/url'), mkRes(), () => { callbackCalled = true })
+
+    await new Promise((resolve) => setTimeout(resolve, 10))
+    assert.strictEqual(callbackCalled, false, `accepted because options.events was ${desc}`)
   }
 
-  function unacceptableReq (events, callback) {
-    var h = handler({
-        path    : '/some/url'
-      , secret  : 'bogus'
-      , events  : unacceptableEvents[events]
+  for (const [desc, events] of Object.entries(unacceptableEvents)) {
+    const h = handler({
+      path: '/some/url',
+      secret: 'bogus',
+      events
     })
 
-    h.on('error', function () {})
+    h.on('error', () => {})
 
-    h(mkReq('/some/url'), mkRes(), function (err) {
-      t.ok(err, 'rejected because options.events was ' + events)
-      callback()
+    await new Promise((resolve) => {
+      h(mkReq('/some/url'), mkRes(), (err) => {
+        assert.ok(err, `rejected because options.events was ${desc}`)
+        resolve()
+      })
     })
   }
 })
 
+test('handler is an EventEmitter', () => {
+  const h = handler({ path: '/', secret: 'bogus' })
 
-// because we don't inherit in a traditional way
-test('handler is an EventEmitter', function (t) {
-  t.plan(5)
-
-  var h = handler({ path: '/', secret: 'bogus' })
-
-  t.equal(typeof h.on, 'function', 'has h.on()')
-  t.equal(typeof h.emit, 'function', 'has h.emit()')
-  t.equal(typeof h.removeListener, 'function', 'has h.removeListener()')
-
-  h.on('ping', function (pong) {
-    t.equal(pong, 'pong', 'got event')
-  })
+  assert.strictEqual(typeof h.on, 'function', 'has h.on()')
+  assert.strictEqual(typeof h.emit, 'function', 'has h.emit()')
+  assert.strictEqual(typeof h.removeListener, 'function', 'has h.removeListener()')
 
+  let received
+  h.on('ping', (pong) => { received = pong })
   h.emit('ping', 'pong')
+  assert.strictEqual(received, 'pong', 'got event')
 
-  t.throws(h.emit.bind(h, 'error', new Error('threw an error')), /threw an error/, 'acts like an EE')
+  assert.throws(() => h.emit('error', new Error('threw an error')), /threw an error/, 'acts like an EE')
 })
 
-
-test('handler accepts a signed blob', function (t) {
-  t.plan(4)
-
-  var obj  = { some: 'github', object: 'with', properties: true }
-    , json = JSON.stringify(obj)
-    , h    = handler({ path: '/', secret: 'bogus' })
-    , req  = mkReq('/')
-    , res  = mkRes()
+test('handler accepts a signed blob', async () => {
+  const obj = { some: 'github', object: 'with', properties: true }
+  const json = JSON.stringify(obj)
+  const h = handler({ path: '/', secret: 'bogus' })
+  const req = mkReq('/')
+  const res = mkRes()
 
   req.headers['x-hub-signature'] = signBlob('bogus', json)
-  req.headers['x-github-event']  = 'push'
-
-  h.on('push', function (event) {
-    t.deepEqual(event, { event: 'push', id: 'bogus', payload: obj, url: '/', host: undefined, protocol: undefined })
-    t.equal(res.$statusCode, 200, 'correct status code')
-    t.deepEqual(res.$headers, { 'content-type': 'application/json' })
-    t.equal(res.$end, '{"ok":true}', 'got correct content')
+  req.headers['x-github-event'] = 'push'
+
+  const eventPromise = new Promise((resolve) => {
+    h.on('push', (event) => {
+      assert.deepStrictEqual(event, {
+        event: 'push',
+        id: 'bogus',
+        payload: obj,
+        url: '/',
+        host: undefined,
+        protocol: undefined,
+        path: '/'
+      })
+      assert.strictEqual(res.$statusCode, 200, 'correct status code')
+      assert.deepStrictEqual(res.$headers, { 'content-type': 'application/json' })
+      assert.strictEqual(res.$end, '{"ok":true}', 'got correct content')
+      resolve()
+    })
   })
 
-  h(req, res, function (err) {
-    t.error(err)
-    t.fail(true, 'should not get here!')
+  h(req, res, () => {
+    assert.fail('should not get here')
   })
 
-  process.nextTick(function () {
-    req.end(json)
-  })
+  process.nextTick(() => req.end(json))
+  await eventPromise
 })
 
-
-test('handler accepts a signed blob with alt event', function (t) {
-  t.plan(4)
-
-  var obj  = { some: 'github', object: 'with', properties: true }
-    , json = JSON.stringify(obj)
-    , h    = handler({ path: '/', secret: 'bogus' })
-    , req  = mkReq('/')
-    , res  = mkRes()
+test('handler accepts multi blob in Array', async () => {
+  const obj = { some: 'github', object: 'with', properties: true }
+  const json = JSON.stringify(obj)
+  const h = handler([{ path: '/', secret: 'bogus' }, { path: '/some/url', secret: 'bogus' }])
+  const req = mkReq('/some/url')
+  const res = mkRes()
 
   req.headers['x-hub-signature'] = signBlob('bogus', json)
-  req.headers['x-github-event']  = 'issue'
-
-  h.on('push', function (event) {
-    t.fail(true, 'should not get here!')
+  req.headers['x-github-event'] = 'push'
+
+  const eventPromise = new Promise((resolve) => {
+    h.on('push', (event) => {
+      assert.deepStrictEqual(event, {
+        event: 'push',
+        id: 'bogus',
+        payload: obj,
+        url: '/some/url',
+        host: undefined,
+        protocol: undefined,
+        path: '/some/url'
+      })
+      assert.strictEqual(res.$statusCode, 200, 'correct status code')
+      assert.deepStrictEqual(res.$headers, { 'content-type': 'application/json' })
+      assert.strictEqual(res.$end, '{"ok":true}', 'got correct content')
+      resolve()
+    })
   })
 
-  h.on('issue', function (event) {
-    t.deepEqual(event, { event: 'issue', id: 'bogus', payload: obj, url: '/', host: undefined, protocol: undefined })
-    t.equal(res.$statusCode, 200, 'correct status code')
-    t.deepEqual(res.$headers, { 'content-type': 'application/json' })
-    t.equal(res.$end, '{"ok":true}', 'got correct content')
+  h(req, res, () => {
+    assert.fail('should not get here')
   })
 
-  h(req, res, function (err) {
-    t.error(err)
-    t.fail(true, 'should not get here!')
-  })
+  process.nextTick(() => req.end(json))
+  await eventPromise
+})
 
-  process.nextTick(function () {
-    req.end(json)
+test('handler accepts a signed blob with alt event', async () => {
+  const obj = { some: 'github', object: 'with', properties: true }
+  const json = JSON.stringify(obj)
+  const h = handler({ path: '/', secret: 'bogus' })
+  const req = mkReq('/')
+  const res = mkRes()
+
+  req.headers['x-hub-signature'] = signBlob('bogus', json)
+  req.headers['x-github-event'] = 'issue'
+
+  h.on('push', () => assert.fail('should not get here'))
+
+  const eventPromise = new Promise((resolve) => {
+    h.on('issue', (event) => {
+      assert.deepStrictEqual(event, {
+        event: 'issue',
+        id: 'bogus',
+        payload: obj,
+        url: '/',
+        host: undefined,
+        protocol: undefined,
+        path: '/'
+      })
+      assert.strictEqual(res.$statusCode, 200, 'correct status code')
+      assert.deepStrictEqual(res.$headers, { 'content-type': 'application/json' })
+      assert.strictEqual(res.$end, '{"ok":true}', 'got correct content')
+      resolve()
+    })
   })
-})
 
+  h(req, res, () => {
+    assert.fail('should not get here')
+  })
 
-test('handler rejects a badly signed blob', function (t) {
-  t.plan(6)
+  process.nextTick(() => req.end(json))
+  await eventPromise
+})
 
-  var obj  = { some: 'github', object: 'with', properties: true }
-    , json = JSON.stringify(obj)
-    , h    = handler({ path: '/', secret: 'bogus' })
-    , req  = mkReq('/')
-    , res  = mkRes()
+test('handler rejects a badly signed blob', async () => {
+  const obj = { some: 'github', object: 'with', properties: true }
+  const json = JSON.stringify(obj)
+  const h = handler({ path: '/', secret: 'bogus' })
+  const req = mkReq('/')
+  const res = mkRes()
 
   req.headers['x-hub-signature'] = signBlob('bogus', json)
-  // break signage by a tiny bit
   req.headers['x-hub-signature'] = '0' + req.headers['x-hub-signature'].substring(1)
 
-  h.on('error', function (err, _req) {
-    t.ok(err, 'got an error')
-    t.strictEqual(_req, req, 'was given original request object')
-    t.equal(res.$statusCode, 400, 'correct status code')
-    t.deepEqual(res.$headers, { 'content-type': 'application/json' })
-    t.equal(res.$end, '{"error":"X-Hub-Signature does not match blob signature"}', 'got correct content')
+  const errorPromise = new Promise((resolve) => {
+    h.on('error', (err, _req) => {
+      assert.ok(err, 'got an error')
+      assert.strictEqual(_req, req, 'was given original request object')
+      assert.strictEqual(res.$statusCode, 400, 'correct status code')
+      assert.deepStrictEqual(res.$headers, { 'content-type': 'application/json' })
+      assert.strictEqual(res.$end, '{"error":"X-Hub-Signature does not match blob signature"}', 'got correct content')
+      resolve()
+    })
   })
 
-  h.on('push', function (event) {
-    t.fail(true, 'should not get here!')
-  })
+  h.on('push', () => assert.fail('should not get here'))
 
-  h(req, res, function (err) {
-    t.ok(err, 'got error on callback')
+  h(req, res, (err) => {
+    assert.ok(err, 'got error on callback')
   })
 
-  process.nextTick(function () {
-    req.end(json)
-  })
+  process.nextTick(() => req.end(json))
+  await errorPromise
 })
 
-test('handler responds on a bl error', function (t) {
-  t.plan(4)
-
-  var obj  = { some: 'github', object: 'with', properties: true }
-    , json = JSON.stringify(obj)
-    , h    = handler({ path: '/', secret: 'bogus' })
-    , req  = mkReq('/')
-    , res  = mkRes()
+test('handler responds on a stream error', async () => {
+  const obj = { some: 'github', object: 'with', properties: true }
+  const json = JSON.stringify(obj)
+  const h = handler({ path: '/', secret: 'bogus' })
+  const req = mkReq('/')
+  const res = mkRes()
 
   req.headers['x-hub-signature'] = signBlob('bogus', json)
-  req.headers['x-github-event']  = 'issue'
+  req.headers['x-github-event'] = 'issue'
 
-  h.on('push', function (event) {
-    t.fail(true, 'should not get here!')
-  })
+  h.on('push', () => assert.fail('should not get here'))
+  h.on('issue', () => assert.fail('should never get here'))
 
-  h.on('issue', function (event) {
-    t.fail(true, 'should never get here!')
+  const errorPromise = new Promise((resolve) => {
+    h.on('error', (err) => {
+      assert.ok(err, 'got an error')
+      assert.strictEqual(res.$statusCode, 400, 'correct status code')
+      resolve()
+    })
   })
 
-  h.on('error', function(err) {
-    t.ok(err, 'got an error')
-    t.equal(res.$statusCode, 400, 'correct status code')
-  });
-
-  h(req, res, function (err) {
-    t.ok(err)
+  h(req, res, (err) => {
+    assert.ok(err)
   })
 
-  var end = res.end
-  res.end = function () {
-    t.equal(res.$statusCode, 400, 'correct status code')
-  }
-
   req.write('{')
-  process.nextTick(function() {
-    req.emit('error', new Error('simulated explosion'))
-  });
+  process.nextTick(() => {
+    req.destroy(new Error('simulated explosion'))
+  })
 
+  await errorPromise
 })

package/.jshintrc

@@ -1,59 +0,0 @@
-{
-    "predef": [ ]
-  , "bitwise": false
-  , "camelcase": false
-  , "curly": false
-  , "eqeqeq": false
-  , "forin": false
-  , "immed": false
-  , "latedef": false
-  , "noarg": true
-  , "noempty": true
-  , "nonew": true
-  , "plusplus": false
-  , "quotmark": true
-  , "regexp": false
-  , "undef": true
-  , "unused": true
-  , "strict": false
-  , "trailing": true
-  , "maxlen": 120
-  , "asi": true
-  , "boss": true
-  , "debug": true
-  , "eqnull": true
-  , "esnext": true
-  , "evil": true
-  , "expr": true
-  , "funcscope": false
-  , "globalstrict": false
-  , "iterator": false
-  , "lastsemic": true
-  , "laxbreak": true
-  , "laxcomma": true
-  , "loopfunc": true
-  , "multistr": false
-  , "onecase": false
-  , "proto": false
-  , "regexdash": false
-  , "scripturl": true
-  , "smarttabs": false
-  , "shadow": false
-  , "sub": true
-  , "supernew": false
-  , "validthis": true
-  , "browser": true
-  , "couch": false
-  , "devel": false
-  , "dojo": false
-  , "mootools": false
-  , "node": true
-  , "nonstandard": true
-  , "prototypejs": false
-  , "rhino": false
-  , "worker": true
-  , "wsh": false
-  , "nomen": false
-  , "onevar": false
-  , "passfail": false
-}