[Snyk] Upgrade botbuilder from 4.22.2 to 4.23.1 #483
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade botbuilder from 4.22.2 to 4.23.1.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 13 versions ahead of your current version.
The recommended version was released on a month ago.
Issues fixed by the recommended upgrade:
SNYK-JS-AXIOS-6144788
SNYK-JS-WS-7266574
SNYK-JS-AXIOS-6124857
Release notes
Package name: botbuilder
What's Changed
This is the August 2024 release of the Bot Framework JS SDK. This release contains Node 18 & 20 support, as well as security fixes.
NOTE
Due to the update to the last Azure Identity and MSAL.Node packages, Node versions prior to Node 18 are no longer supported. This is because those packages don't support out-of-support Node versions.
What's Changed
bump: [#4550] Add Node 18 and 20 support by @ sw-joelmut in #4726
fix: Remove CVE-2022-3517 vulnerability by @ JhontSouth in #4699
fix: Remove CVE-2022-25881 vulnerability by updating the http-cache-semantics package by @ sw-joelmut in #4703
fix: Remove CVE-2020-8203 vulnerability in lodash.set by @ andres-robinet-sw in #4704
fix: Remove CVE-2021-3807 vulnerability by @ JhontSouth in #4705
fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages by @ sw-joelmut in #4706
fix: Remove CVE-2022-3517 vulnerability with minimatch by @ JhontSouth in #4707
bump: semver from 5.7.1 to 7.6.2 by @ dependabot in #4710
bump: hosted-git-info from 2.8.8 to 2.8.9 by @ dependabot in #4711
bump: elliptic from 6.5.3 to 6.5.5 by @ dependabot in #4712
fix: Remove CVE-2020-28469 vulnerability by updating the glob-parent package by @ sw-joelmut in #4713
fix: Remove remaining vulnerabilities by updating the hosted-git-info, tar, semver, ejs, elliptic packages by @ sw-joelmut in #4714
fix: [#4684] Remove unnecessary resolutions by @ sw-joelmut in #4719
fix: Remove undefined value in @ azure/msal-node by @ JhontSouth in #4718
bump: fast-xml-parser from 4.2.5 to 4.4.1 by @ dependabot in #4721
port: [#6813][#6798] Not able to create instance of BlobsTranscriptStore using TokenCredential instead of connectionString and containerName by @ JhontSouth in #4720
fix: Remove browser-echo-bot vulnerabilities by @ JhontSouth in #4717
fix: CVE-2024-42460 vulnerability with elliptic by @ JhontSouth in #4729
bump: axios from 1.7.2 to 1.7.4 by @ dependabot in #4730
port: [#6793][#6792] Composer Bot with QnA Intent recognized triggers duplicate QnA queries by @ JhontSouth in #4700
Full Changelog: 4.22.3...4.23.0
This is the June 2024 patch release of the Bot Framework JS SDK. This release contains security updates.
What's Changed
This is the April 2024 JS SDK patch release. This release contains minor bug fixes and security updates.
What's Changed