Bot Framework JS SDK 4.23.1

What's Changed

• bump: micromatch from 4.0.7 to 4.0.8 in /testing/browser-functional/browser-echo-bot by @dependabot in #4732
• bump: micromatch from 4.0.2 to 4.0.8 by @dependabot in #4733
• bump: [#4684] Update multiple dependencies inside public libraries to latest version by @sw-joelmut in #4739
• bump: webpack from 5.92.0 to 5.94.0 in /testing/browser-functional/browser-echo-bot by @dependabot in #4736
• fix: [#4684] Update some dependencies to latest version by @sw-joelmut in #4737
• fix: [#4684] Update versions command by @sw-joelmut in #4742
• bump: body-parser from 1.20.2 to 1.20.3 by @dependabot in #4743
• bump: express from 4.19.2 to 4.20.0 in /testing/browser-functional/browser-echo-bot by @dependabot in #4744
• fix: Upgrade express dependency to latest version by @ceciliaavila in #4747
• fix: Replace globby with fast-glob by @JhontSouth in #4745
• fix: Upgrade send dependency to latest version by @ceciliaavila in #4749
• bump: [#4684] Update @azure/cosmos and @azure/core-auth dependencies to their latest version by @sw-joelmut in #4748
• bump: [#4684] Update multiple dependencies inside internal libraries to latest version by @sw-joelmut in #4752

Bot Framework JS SDK 4.23.0

This is the August 2024 release of the Bot Framework JS SDK. This release contains Node 18 & 20 support, as well as security fixes.

NOTE
Due to the update to the last Azure Identity and MSAL.Node packages, Node versions prior to Node 18 are no longer supported. This is because those packages don't support out-of-support Node versions.

What's Changed

• bump: [#4550] Add Node 18 and 20 support by @sw-joelmut in #4726

• fix: Remove CVE-2022-3517 vulnerability by @JhontSouth in #4699

• fix: Remove CVE-2022-25881 vulnerability by updating the http-cache-semantics package by @sw-joelmut in #4703

• fix: Remove CVE-2020-8203 vulnerability in lodash.set by @andres-robinet-sw in #4704

• fix: Remove CVE-2021-3807 vulnerability by @JhontSouth in #4705

• fix: Remove CVE-2022-23539 vulnerability by updating the jsonwebtoken packages by @sw-joelmut in #4706

• fix: Remove CVE-2022-3517 vulnerability with minimatch by @JhontSouth in #4707

• bump: semver from 5.7.1 to 7.6.2 by @dependabot in #4710

• bump: hosted-git-info from 2.8.8 to 2.8.9 by @dependabot in #4711

• bump: elliptic from 6.5.3 to 6.5.5 by @dependabot in #4712

• fix: Remove CVE-2020-28469 vulnerability by updating the glob-parent package by @sw-joelmut in #4713

• fix: Remove remaining vulnerabilities by updating the hosted-git-info, tar, semver, ejs, elliptic packages by @sw-joelmut in #4714

• fix: [#4684] Remove unnecessary resolutions by @sw-joelmut in #4719

• fix: Remove undefined value in @azure/msal-node by @JhontSouth in #4718

• bump: fast-xml-parser from 4.2.5 to 4.4.1 by @dependabot in #4721

• port: [#6813][#6798] Not able to create instance of BlobsTranscriptStore using TokenCredential instead of connectionString and containerName by @JhontSouth in #4720

• fix: Remove browser-echo-bot vulnerabilities by @JhontSouth in #4717

• fix: CVE-2024-42460 vulnerability with elliptic by @JhontSouth in #4729

• bump: axios from 1.7.2 to 1.7.4 by @dependabot in #4730

• port: [#6793][#6792] Composer Bot with QnA Intent recognized triggers duplicate QnA queries by @JhontSouth in #4700

Full Changelog: 4.22.3...4.23.0

Bot Framework for JS SDK 4.22.3

This is the June 2024 patch release of the Bot Framework JS SDK. This release contains security updates.

What's Changed

• fix: Remove CVE-2020-28469 with with glob-parent 5.1.1 (High) by @JhontSouth in #4670
• fix: CodeQL SM04509 issue by @andres-robinet-sw in #4671
• bump: Upgrade axios version to ^1.7.2 by @JhontSouth in #4680
• fix: Remove CVE-2024-37890 vulnerability by updating the ws package by @sw-joelmut in #4683
• fix: Remove CVE-2020-36632 vulnerability by @JhontSouth in #4687
• fix: Remove CVE-2022-21680 vulnerability by @JhontSouth in #4688
• fix: Remove CVE-2022-21680 vulnerability by @JhontSouth in #4689
• fix: Remove CVE-2023-45133 vulnerability by @JhontSouth in #4691
• fix: CVE-2020-8203 with lodash.pick by @andres-robinet-sw in #4692
• fix: Remove CVE-2020-7774 vulnerability by updating the y18n package by @sw-joelmut in #4693
• fix: Remove CVE-2022-0144 vulnerability by @JhontSouth in #4695
• fix: Remove CVE-2024-4068 vulnerability by @JhontSouth in #4696
• feat: Support Single Tenant authentication through BotFramework-Emulator by @JhontSouth in #4643
• refactor: AgentSettings Circular Structure and improve internals by @sw-joelmut in #4641
• chore: Moved @types/jswebtoken (in both places) to dependencies. by @tracyboehrer in #4646
• chore: [#4636] Add more information to Tenant parameters by @sw-joelmut in #4649
• fix: SM03944 suppression by @tracyboehrer in #4654
• Removed unused build assets by @tracyboehrer in #4658
• fix: [#4657] bump the npm_and_yarn group across 2 directories with 20 updates by @JhontSouth in #4663
• fix: SM04509 suppression by @tracyboehrer in #4667
• fix: SM02383 suppression by @tracyboehrer in #4668
• fix: [#4483] Switching npm dependency bcrypt to bcryptjs by @JhontSouth in #4669

Bot Framework JS SDK 4.22.2

This is the April 2024 JS SDK patch release. This release contains minor bug fixes and security updates.

What's Changed

• fix: add content type header by @XVincentX in #4587
• fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to https://login.botframework.com/v1/.well-known/openidconfiguration by @ceciliaavila in #4583
• bump: Update swagger-client to stop using lodash-compat by @JhontSouth in #4604
• fix: Removed Copyright from generated code by @tracyboehrer in #4612
• fix: [#4584] ChannelAccount cannot accept extensible properties by @JhontSouth in #4618
• bump: Update follow-redirects to ^1.15.4 by @JhontSouth in #4617
• bump: Update @azure/msal-node and @azure/msal-browser by @JhontSouth in #4619
• bump: undici from 5.28.2 to 5.28.3 by @dependabot in #4620
• bump: axios from 0.21.1 to 0.28.0 by @dependabot in #4621
• bump: ip from 1.1.5 to 1.1.9 by @dependabot in #4622
• bump: ip from 1.1.5 to 1.1.9 in /testing/browser-functional/browser-echo-bot by @dependabot in #4623
• bump: es5-ext from 0.10.53 to 0.10.63 by @dependabot in #4624
• fix: [botframework-connector] Use HashSet instead of string array for endorsement by @crdev13 in #4526
• bump: tar to 6.1.9 by @tracyboehrer in #4627
• bump: axios to 0.21.2 by @tracyboehrer in #4628
• chore: Removed autorest gen related by @tracyboehrer in #4629
• bump: axios and ws by @tracyboehrer in #4630
• bump: follow-redirects from 1.15.5 to 1.15.6 in /testing/browser-functional/browser-echo-bot by @dependabot in #4633
• bump: follow-redirects from 1.15.5 to 1.15.6 by @dependabot in #4634
• fix: [#4440][Bot node.js] Compile error for accessing "conversation" and "organizer" fields for get meeting details bot API by @ceciliaavila in #4442
• bump: express from 4.18.2 to 4.19.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4638
• bump: express from 4.17.3 to 4.19.2 by @dependabot in #4637
• getValue parity by @tracyboehrer in #4639
• chore: Moved @types/jsonwebtoken to dependencies by @tracyboehrer in #4640
• bump: undici from 5.28.3 to 5.28.4 by @dependabot in #4642

Full Changelog: 4.22.1...4.22.2

Bot Framework JS SDK 4.22.0

This is the January 2024 4.22.0 release for the JS SDK. This contains a security fixes, Sharepoint support, and ASE improvements.

What's Changed

• feat: Add ASE channel validation in #4589

• feat: Add isVisible property to AceData with nanoid in #4606

• feat: Support for SharePoint (Viva) Adaptive Card Extension in #4551

• fix: USGovSingleTenant OAuthEndpoint in #4588

• bump: Update mocha package to avoid vulnerability in #4603

• fix: [#4582] UserAssignedIdentity(WorkloadIdentity) auth fails with 'scope https://api.botframework.com is not valid' in #4607

• fix: Remove old @microsoft/recognizers-text-number version with postinstall scripts in #4608

• fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to 'login.botframework.com/v1/.well-known/openidconfiguration' in #4583

Proxy notes

The introduction of MSAL in 4.21.0 encountered an issue when used behind a proxy. This version adds an additional way to specify proxy settings. This does require a change to the bot startup code if required.

See this issue for details, and if additional discussion is required: #4544

Bot Framework JS SDK 4.21.4

This is the January 2024 patch release for the JS SDK. This contains a security fix for axios.

What's Changed

• fix: Update axios and fix issue in botframework-connector by @JhontSouth in #4592
• fix: Add HTTP method in fetch request by @JhontSouth in #4593

NOTICE
Node versions 16 and older no longer have long-term support. Bot Framework SDK still supports Node 16, but users of the SDK should transition to at least Node 18 as soon as possible. We will not be able to continue supporting Node 16 and older bots with this SDK.

Bot Framework JS SDK 4.21.3

This is the December 2023 JS release. This release contains improvements to SN+I functionality.

Bot Framework JS SDK 4.21.1

This is the November 2023 Bot Framework JS SDK patch release. This release contains security related updates.

What's Changed

• fix: [#4545] Zod package - botbuilder-dialogs by @sw-joelmut in #4563
• fix: [#4545] Zod package - botbuilder by @sw-joelmut in #4561
• fix: [#4545] Zod package - botbuilder-core by @sw-joelmut in #4562
• chore: bump browserify-sign from 4.2.1 to 4.2.2 by @dependabot in #4553
• chore: bump browserify-sign from 4.2.1 to 4.2.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4554
• bump: Update babel related dependencies by @sw-joelmut in #4556

Full Changelog: 4.21.0...4.21.1

Bot Framework JS SDK 4.21.0

This is the October 2023 of the JS SDK. This release contains new Teams features and security fixes.

What's Changed

Teams

• port: [#4530] Add support for meeting participants added/removed events by @ceciliaavila in #4538
• port: [#4527][#6655] Implementation of Teams batch APIs by @ceciliaavila in #4535

Other Changes

• fix: [#2782] Migrate to MSAL from adal-node by @sw-joelmut in #4548
• fix: [#2782] Migrate to MSAL from adal-node - Add MSAL support by @ceciliaavila in #4543
• fix: use connectorClientOptions to create ConnectorFactory (#4420) by @k44 in #4421
• chore: bump get-func-name from 2.0.0 to 2.0.2 by @dependabot in #4540
• fix: fix the exchange token interface prarameter by @wenytang-ms in #4536
• chore: bump postcss from 8.3.5 to 8.4.31 by @dependabot in #4541
• chore: bump @babel/traverse from 7.12.1 to 7.23.2 by @dependabot in #4546
• chore(deps): bump @babel/traverse from 7.12.1 to 7.23.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4547
• feat: [#4349] Add new method to expose same functionality as BotFrameworkAdapter.processActivityDirect by @erquirogasw in #4380

New Contributors

• @wenytang-ms made their first contribution in #4536
• @k44 made their first contribution in #4421

Full Changelog: 4.20.1...4.21.0

Bot Framework JS SDK 4.20.1

What's Changed

• feat: [#4446] Azure Blob Storage should support Identity authentication by @ceciliaavila in #4486
• chore: bump fast-xml-parser from 4.2.2 to 4.2.4 by @dependabot in #4488
• port: [#6577] Can you add a log line for this exception? (#6587) by @erquirogasw in #4439
• feat: Add support for config auth type (fetch & submit) by @corinagum in #4485
• Dropped Node 12 from builds by @tracyboehrer in #4501
• port: [#4481] Outgoing Activity Locale being Overwritten by @ceciliaavila in #4489
• port: [#4482][#6588] UserId not being passed to AzureDiagnostics by @ceciliaavila in #4493
• chore: bump semver from 7.3.8 to 7.5.2 by @dependabot in #4495
• fix: Update restify Dependency in Yeoman Templates to v10.0.0 by @anishprasad01 in #4392
• chore: bump fast-xml-parser from 4.2.4 to 4.2.5 by @dependabot in #4502
• chore: bump semver from 5.7.1 to 5.7.2 in /testing/browser-functional/browser-echo-bot by @dependabot in #4499
• fix: [CVE-2023-26136] Update tough-cookie version by @sw-joelmut in #4508
• chore: bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in #4506
• chore: bump word-wrap from 1.2.3 to 1.2.4 in /testing/browser-functional/browser-echo-bot by @dependabot in #4507
• feat: [#4503] azure-storage deprecation by @ceciliaavila in #4510
• fix: Remove request package from browser-functional by @ceciliaavila in #4512
• fix: Remove request package from botbuilder-core tests by @ceciliaavila in #4514
• fix: Replace chatdown package from botbuilder-core tests by @ceciliaavila in #4516
• fix: Replace Map with WeakMap to avoid memory leak by @ceciliaavila in #4517
• fix: Upgrading restify to fix error on Node version 18+ by @GregBorrelly in #4515
• fix: remove ms-rest-azure package by @ceciliaavila in #4521
• fix: Remove ms-rest package by @ceciliaavila in #4523
• fix: [#4490] Usage of a vulnerable package - Upgrade recognizers-text-number by @ceciliaavila in #4524
• fix: [#4509] botbuilder-ai@4.20.0 is still installing @azure/ms-rest-js@1.11.2 for @azure/cognitiveservices-luis-runtime by @ceciliaavila in #4519
• port: [#4529] Update JwtTokenExtractor by @ceciliaavila in #4531
• fix: [#4520] Upgrade restify to fix error on Node version 18+ by @ceciliaavila in #4528
• fix: [#4525] Replace read-text-file package to avoid using LGPL by @ceciliaavila in #4534

New Contributors

• @GregBorrelly made their first contribution in #4515

Full Changelog: 4.20.0...4.20.1