Bot Framework JS SDK 4.23.2

Notable changes in this release

• Node 22 support
• Dependency updates for security alerts
• Federated Credentials for bot-to-channel auth. This is supported for single tenant only.

What's Changed

• port: [#4632] Support Federated Identity Credential by @sw-joelmut in #4765
• port: [#6841] SkillDialog.InterceptOAuthCardsAsync doesn't support CloudAdapter by @ceciliaavila in #4766
• fix: CVE-2024-52798 vulnerability with path-to-regexp by @JhontSouth in #4817
• bump: Update d3-format package by @JhontSouth in #4842
• fix: Run the coveralls step only for windows by @ceciliaavila in #4843
• bump: nanoid from 3.3.6 to 3.3.8 by @dependabot in #4812
• feat: Support Sso for SharePoint bot ACEs by @bentsai10 in #4806
• port:[#6879] Bot is not accepting v2 tokens from Bot Framework Emulator - Single Tenant Bots by @JhontSouth in #4847
• fix: Upgrade path-to-regexp and find-my-way packages to latest version by @ceciliaavila in #4756
• bump: http-proxy-middleware from 2.0.6 to 2.0.7 by @dependabot in #4778
• bump: [#4684] Upgrade Nighwatch by @sw-joelmut in #4768
• bump: elliptic from 6.5.7 to 6.6.0 by @dependabot in #4780
• bump: [#4684] Upgrade filenamify using import-sync for esm-only package by @ceciliaavila in #4782
• fix: Upgrade cookie dependency to latest version by @ceciliaavila in #4771
• bump: [#4684] Replace nanoid with native module crypto by @ceciliaavila in #4769
• bump: Update p-map package by @JhontSouth in #4820
• Suppress fake secret in unit test. by @tracyboehrer in #4850
• bump: Update chai package by @JhontSouth in #4844
• refactor: [#4684] Replace browserify with tsup by @sw-joelmut in #4774
• port: [#6861]TeamsSSOTokenExchangeMiddleware.DeduplicatedTokenExchangeIdAsync fails on BlobStorage ETag validation by @ceciliaavila in #4800
• bump: [#4684] Update nock dependency to latest version by @ceciliaavila in #4760
• bump: rollup from 4.21.0 to 4.22.4 by @dependabot in #4755
• bump: [#4684] Upgrade rimraf dependency to v5 by @ceciliaavila in #4761
• bump: [#4684] Update sinon dependency to latest version by @ceciliaavila in #4762

Other

• bump: [#4684] Update applicationinsights dependency to version 2.x by @ceciliaavila in #4758
• fix: [#4746] Fix INodeBuffer in TypeScript 5.6 and ESNext target by @sw-joelmut in #4757
• feat: Add TS 5.6 and ESNext target support by @sw-joelmut in #4763
• feat: [#4684] Consolidate and update browser-echo-bot dependencies by @sw-joelmut in #4764
• fix: Workspaces for update-versions script by @sw-joelmut in #4783
• port: Add dataset to SearchInvokeValue by @sw-joelmut in #4777
• bump: Update ESLint packages and migrate to eslint.config.cjs files by @JhontSouth in #4776
• fix: [#4684] Update INodeSocket type by @sw-joelmut in #4767
• Caret ranges for generator SDK version (any v4) by @tracyboehrer in #4787
• fix: Upgrade cross-spawn dependency to latest version by @sw-joelmut in #4798
• feat: Update versions for generators by @ceciliaavila in #4796
• refactor: Fix test:consumer pipeline randomly failing by @sw-joelmut in #4793
• fix: [#4684] ESLint issues in botbuilder-ai by @ceciliaavila in #4790
• fix: Update Generators versions: Add missing directory to workspaces by @ceciliaavila in #4801
• fix: [#4684] ESLint issues in botbuilder-azure-blobs by @ceciliaavila in #4802
• fix: [#4684] ESLint issues in botbuilder-lg by @ceciliaavila in #4803
• fix: [#4684] ESLint issues in botbuilder-applicationinsights by @ceciliaavila in #4804
• feat: Add support for Node 22 by @ceciliaavila in #4808
• fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime-core by @ceciliaavila in #4809
• fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime by @ceciliaavila in #4810
• fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime-integration libraries by @ceciliaavila in #4811
• fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-testing by @sw-joelmut in #4821
• fix: [#4684] ESLint issues in botframework-connector by @sw-joelmut in #4822
• fix: [#4684] ESLint issues in botbuilder-testing by @sw-joelmut in #4823
• fix: [#4684] ESLint issues in botbuilder-dialogs-declarative by @ceciliaavila in #4813
• fix: [#4684] ESLint issues in botbuilder-stdlib by @ceciliaavila in #4814
• fix: [#4684] ESLint issues in botframework-config by @ceciliaavila in #4815
• fix: [#4684] ESLint issues in botbuilder-ai-luis by @sw-joelmut in #4824
• fix: [#4684] ESLint issues in botframework-streaming by @sw-joelmut in #4825
• fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive by @sw-joelmut in #4826
• fix: [#4684] ESLint issues in botbuilder-azure by @sw-joelmut in #4828
• fix: ESLint issues in bobuilder-core by @JhontSouth in #4827
• fix: Remove ESLint config file in bobuilder-ai-qna by @JhontSouth in #4829
• fix: ESLint issues in botbuilder by @JhontSouth in #4830
• fix: ESLint issues in botbuilder-azure-queues by @JhontSouth in #4831
• fix: ESLint issues in botbuilder-dialogs by @JhontSouth in #4832
• fix: ESLint issues in adaptive-expressions by @JhontSouth in #4833
• fix: [#4684] ESLint issues in adaptive-expressions-ie11 by @JhontSouth in #4835
• fix: ESLint issues in botframework-schema by @JhontSouth in #4836
• fix: ESLint issues in bobuilder-ai-orchestrator by @JhontSouth in #4837
• fix: ESLint issues in botbuilder-repo-utils by @JhontSouth in #4838
• fix: Remove unused resolutions by @JhontSouth in #4816
• fix: Remaining ESLint issues by @sw-joelmut in #4846
• port: [#6882] Mock expired token for 'throws exception on expired token' unit test by @JhontSouth in #4848

Bot Framework JS SDK 4.23.1

What's Changed

• bump: micromatch from 4.0.7 to 4.0.8 in /testing/browser-functional/browser-echo-bot by @dependabot in #4732
• bump: micromatch from 4.0.2 to 4.0.8 by @dependabot in #4733
• bump: [#4684] Update multiple dependencies inside public libraries to latest version by @sw-joelmut in #4739
• bump: webpack from 5.92.0 to 5.94.0 in /testing/browser-functional/browser-echo-bot by @dependabot in #4736
• fix: [#4684] Update some dependencies to latest version by @sw-joelmut in #4737
• fix: [#4684] Update versions command by @sw-joelmut in #4742
• bump: body-parser from 1.20.2 to 1.20.3 by @dependabot in #4743
• bump: express from 4.19.2 to 4.20.0 in /testing/browser-functional/browser-echo-bot by @dependabot in #4744
• fix: Upgrade express dependency to latest version by @ceciliaavila in #4747
• fix: Replace globby with fast-glob by @JhontSouth in #4745
• fix: Upgrade send dependency to latest version by @ceciliaavila in #4749
• bump: [#4684] Update @azure/cosmos and @azure/core-auth dependencies to their latest version by @sw-joelmut in #4748
• bump: [#4684] Update multiple dependencies inside internal libraries to latest version by @sw-joelmut in #4752

Bot Framework JS SDK 4.23.0

This is the August 2024 release of the Bot Framework JS SDK. This release contains Node 18 & 20 support, as well as security fixes.

NOTE
Due to the update to the last Azure Identity and MSAL.Node packages, Node versions prior to Node 18 are no longer supported. This is because those packages don't support out-of-support Node versions.

What's Changed

• bump: [#4550] Add Node 18 and 20 support by @sw-joelmut in #4726

• fix: Remove CVE-2022-3517 vulnerability by @JhontSouth in #4699

• fix: Remove CVE-2022-25881 vulnerability by updating the http-cache-semantics package by @sw-joelmut in #4703

• fix: Remove CVE-2020-8203 vulnerability in lodash.set by @andres-robinet-sw in #4704

• fix: Remove CVE-2021-3807 vulnerability by @JhontSouth in #4705

• fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages by @sw-joelmut in #4706

• fix: Remove CVE-2022-3517 vulnerability with minimatch by @JhontSouth in #4707

• bump: semver from 5.7.1 to 7.6.2 by @dependabot in #4710

• bump: hosted-git-info from 2.8.8 to 2.8.9 by @dependabot in #4711

• bump: elliptic from 6.5.3 to 6.5.5 by @dependabot in #4712

• fix: Remove CVE-2020-28469 vulnerability by updating the glob-parent package by @sw-joelmut in #4713

• fix: Remove remaining vulnerabilities by updating the hosted-git-info, tar, semver, ejs, elliptic packages by @sw-joelmut in #4714

• fix: [#4684] Remove unnecessary resolutions by @sw-joelmut in #4719

• fix: Remove undefined value in @azure/msal-node by @JhontSouth in #4718

• bump: fast-xml-parser from 4.2.5 to 4.4.1 by @dependabot in #4721

• port: [#6813][#6798] Not able to create instance of BlobsTranscriptStore using TokenCredential instead of connectionString and containerName by @JhontSouth in #4720

• fix: Remove browser-echo-bot vulnerabilities by @JhontSouth in #4717

• fix: CVE-2024-42460 vulnerability with elliptic by @JhontSouth in #4729

• bump: axios from 1.7.2 to 1.7.4 by @dependabot in #4730

• port: [#6793][#6792] Composer Bot with QnA Intent recognized triggers duplicate QnA queries by @JhontSouth in #4700

Full Changelog: 4.22.3...4.23.0

Bot Framework for JS SDK 4.22.3

This is the June 2024 patch release of the Bot Framework JS SDK. This release contains security updates.

What's Changed

• fix: Remove CVE-2020-28469 with with glob-parent 5.1.1 (High) by @JhontSouth in #4670
• fix: CodeQL SM04509 issue by @andres-robinet-sw in #4671
• bump: Upgrade axios version to ^1.7.2 by @JhontSouth in #4680
• fix: Remove CVE-2024-37890 vulnerability by updating the ws package by @sw-joelmut in #4683
• fix: Remove CVE-2020-36632 vulnerability by @JhontSouth in #4687
• fix: Remove CVE-2022-21680 vulnerability by @JhontSouth in #4688
• fix: Remove CVE-2022-21680 vulnerability by @JhontSouth in #4689
• fix: Remove CVE-2023-45133 vulnerability by @JhontSouth in #4691
• fix: CVE-2020-8203 with lodash.pick by @andres-robinet-sw in #4692
• fix: Remove CVE-2020-7774 vulnerability by updating the y18n package by @sw-joelmut in #4693
• fix: Remove CVE-2022-0144 vulnerability by @JhontSouth in #4695
• fix: Remove CVE-2024-4068 vulnerability by @JhontSouth in #4696
• feat: Support Single Tenant authentication through BotFramework-Emulator by @JhontSouth in #4643
• refactor: AgentSettings Circular Structure and improve internals by @sw-joelmut in #4641
• chore: Moved @types/jswebtoken (in both places) to dependencies. by @tracyboehrer in #4646
• chore: [#4636] Add more information to Tenant parameters by @sw-joelmut in #4649
• fix: SM03944 suppression by @tracyboehrer in #4654
• Removed unused build assets by @tracyboehrer in #4658
• fix: [#4657] bump the npm_and_yarn group across 2 directories with 20 updates by @JhontSouth in #4663
• fix: SM04509 suppression by @tracyboehrer in #4667
• fix: SM02383 suppression by @tracyboehrer in #4668
• fix: [#4483] Switching npm dependency bcrypt to bcryptjs by @JhontSouth in #4669

Bot Framework JS SDK 4.22.2

This is the April 2024 JS SDK patch release. This release contains minor bug fixes and security updates.

What's Changed

• fix: add content type header by @XVincentX in #4587
• fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to https://login.botframework.com/v1/.well-known/openidconfiguration by @ceciliaavila in #4583
• bump: Update swagger-client to stop using lodash-compat by @JhontSouth in #4604
• fix: Removed Copyright from generated code by @tracyboehrer in #4612
• fix: [#4584] ChannelAccount cannot accept extensible properties by @JhontSouth in #4618
• bump: Update follow-redirects to ^1.15.4 by @JhontSouth in #4617
• bump: Update @azure/msal-node and @azure/msal-browser by @JhontSouth in #4619
• bump: undici from 5.28.2 to 5.28.3 by @dependabot in #4620
• bump: axios from 0.21.1 to 0.28.0 by @dependabot in #4621
• bump: ip from 1.1.5 to 1.1.9 by @dependabot in #4622
• bump: ip from 1.1.5 to 1.1.9 in /testing/browser-functional/browser-echo-bot by @dependabot in #4623
• bump: es5-ext from 0.10.53 to 0.10.63 by @dependabot in #4624
• fix: [botframework-connector] Use HashSet instead of string array for endorsement by @crdev13 in #4526
• bump: tar to 6.1.9 by @tracyboehrer in #4627
• bump: axios to 0.21.2 by @tracyboehrer in #4628
• chore: Removed autorest gen related by @tracyboehrer in #4629
• bump: axios and ws by @tracyboehrer in #4630
• bump: follow-redirects from 1.15.5 to 1.15.6 in /testing/browser-functional/browser-echo-bot by @dependabot in #4633
• bump: follow-redirects from 1.15.5 to 1.15.6 by @dependabot in #4634
• fix: [#4440][Bot node.js] Compile error for accessing "conversation" and "organizer" fields for get meeting details bot API by @ceciliaavila in #4442
• bump: express from 4.18.2 to 4.19.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4638
• bump: express from 4.17.3 to 4.19.2 by @dependabot in #4637
• getValue parity by @tracyboehrer in #4639
• chore: Moved @types/jsonwebtoken to dependencies by @tracyboehrer in #4640
• bump: undici from 5.28.3 to 5.28.4 by @dependabot in #4642

Full Changelog: 4.22.1...4.22.2

Bot Framework JS SDK 4.22.0

This is the January 2024 4.22.0 release for the JS SDK. This contains a security fixes, Sharepoint support, and ASE improvements.

What's Changed

• feat: Add ASE channel validation in #4589

• feat: Add isVisible property to AceData with nanoid in #4606

• feat: Support for SharePoint (Viva) Adaptive Card Extension in #4551

• fix: USGovSingleTenant OAuthEndpoint in #4588

• bump: Update mocha package to avoid vulnerability in #4603

• fix: [#4582] UserAssignedIdentity(WorkloadIdentity) auth fails with 'scope https://api.botframework.com is not valid' in #4607

• fix: Remove old @microsoft/recognizers-text-number version with postinstall scripts in #4608

• fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to 'login.botframework.com/v1/.well-known/openidconfiguration' in #4583

Proxy notes

The introduction of MSAL in 4.21.0 encountered an issue when used behind a proxy. This version adds an additional way to specify proxy settings. This does require a change to the bot startup code if required.

See this issue for details, and if additional discussion is required: #4544

Bot Framework JS SDK 4.21.4

This is the January 2024 patch release for the JS SDK. This contains a security fix for axios.

What's Changed

• fix: Update axios and fix issue in botframework-connector by @JhontSouth in #4592
• fix: Add HTTP method in fetch request by @JhontSouth in #4593

NOTICE
Node versions 16 and older no longer have long-term support. Bot Framework SDK still supports Node 16, but users of the SDK should transition to at least Node 18 as soon as possible. We will not be able to continue supporting Node 16 and older bots with this SDK.

Bot Framework JS SDK 4.21.3

This is the December 2023 JS release. This release contains improvements to SN+I functionality.

Bot Framework JS SDK 4.21.1

This is the November 2023 Bot Framework JS SDK patch release. This release contains security related updates.

What's Changed

• fix: [#4545] Zod package - botbuilder-dialogs by @sw-joelmut in #4563
• fix: [#4545] Zod package - botbuilder by @sw-joelmut in #4561
• fix: [#4545] Zod package - botbuilder-core by @sw-joelmut in #4562
• chore: bump browserify-sign from 4.2.1 to 4.2.2 by @dependabot in #4553
• chore: bump browserify-sign from 4.2.1 to 4.2.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4554
• bump: Update babel related dependencies by @sw-joelmut in #4556

Full Changelog: 4.21.0...4.21.1

Bot Framework JS SDK 4.21.0

This is the October 2023 of the JS SDK. This release contains new Teams features and security fixes.

What's Changed

Teams

• port: [#4530] Add support for meeting participants added/removed events by @ceciliaavila in #4538
• port: [#4527][#6655] Implementation of Teams batch APIs by @ceciliaavila in #4535

Other Changes

• fix: [#2782] Migrate to MSAL from adal-node by @sw-joelmut in #4548
• fix: [#2782] Migrate to MSAL from adal-node - Add MSAL support by @ceciliaavila in #4543
• fix: use connectorClientOptions to create ConnectorFactory (#4420) by @k44 in #4421
• chore: bump get-func-name from 2.0.0 to 2.0.2 by @dependabot in #4540
• fix: fix the exchange token interface prarameter by @wenytang-ms in #4536
• chore: bump postcss from 8.3.5 to 8.4.31 by @dependabot in #4541
• chore: bump @babel/traverse from 7.12.1 to 7.23.2 by @dependabot in #4546
• chore(deps): bump @babel/traverse from 7.12.1 to 7.23.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4547
• feat: [#4349] Add new method to expose same functionality as BotFrameworkAdapter.processActivityDirect by @erquirogasw in #4380

New Contributors

• @wenytang-ms made their first contribution in #4536
• @k44 made their first contribution in #4421

Full Changelog: 4.20.1...4.21.0