botbuilder-ai@4.20.0 is still installing @azure/ms-rest-js@1.11.2 for @azure/cognitiveservices-luis-runtime

[aftabmustafa]

Versions

What package version of the SDK are you using: botbuilder-ai@4.20.0
What nodejs version are you using: Node 18
What browser version are you using: Google Chrome
What os are you using: MacOS Ventura

Describe the bug

When I am trying to install botbuilder-ai@4.20.0 package, it is still installing @azure/cognitiveservices-luis-runtime/@azure/ms-rest-js@1.11.2 but based on the PR 4508 it should install @azure/cognitiveservices-luis-runtime/@azure/ms-rest-js@2.7.0. The older version of ms-rest-js package is using tough cookie which has been identified as a critical vulnerability.

To Reproduce

Steps to reproduce the behavior:

1. install botbuilder-ai package using this command npm i botbuilder-ai
2. Run npm ls tough-cookie to see the @azure/cognitiveservices-luis-runtime and @azure/ms-rest-js version

Expected behavior

@azure/ms-rest-js version under @azure/cognitiveservices-luis-runtime should be equal to 2.7.0

Screenshots

Additional context

#4504

[ceciliaavila]

Hi @aftabmustafa,
PR#4508 was merged last week. The fix should be in version 4.21.0-dev.20230724.faf57c5 of botbuilder-ai.
Could you check if the preview version installs the correct version of ms-rest-js?

[aftabmustafa]

Hi,
I still see tough-cookie

[guy-microsoft]

@ceciliaavila Hi, is there an ETA for a fix?

[ceciliaavila]

@ceciliaavila Hi, is there an ETA for a fix?

Hi @guy-microsoft,
We are testing a post-install script to remove the vulnerable dependencies because none of the usual ways of forcing package versions worked in this case.
We estimate having the script ready by tomorrow's end of day.

[guy-microsoft]

Thanks!

[ceciliaavila]

@ceciliaavila Hi, is there an ETA for a fix?

Hi @guy-microsoft, We are testing a post-install script to remove the vulnerable dependencies because none of the usual ways of forcing package versions worked in this case. We estimate having the script ready by tomorrow's end of day.

Unfortunately, the script didn't solve the issue. Although the tough-cookie package was removed from the node_modules and the yarn.lock file, the npm audit command still reports the vulnerability.
Next week, we'll try as an alternative, upgrading @azure/cognitiveservices-luis-runtime to version 4.x. This version has significant changes, we'll attempt to avoid breaking compat.

[aftabmustafa]

Just out of curiosity, will version 4.x of @azure/cognitiveservices-luis-runtime install the latest version of @azure/ms-rest-js?

[ceciliaavila]

Just out of curiosity, will version 4.x of @azure/cognitiveservices-luis-runtime install the latest version of @azure/ms-rest-js?

Yes, it will install @azure/ms-rest-js@^2.0.3 which resolves to 2.7.0.

[guy-microsoft]

@ceciliaavila Hi, do you have an estimation of when it's going to be published? Are you going to publish it as a patch version for 4.20?

[ceciliaavila]

@ceciliaavila Hi, do you have an estimation of when it's going to be published? Are you going to publish it as a patch version for 4.20?

Hi @guy-microsoft, I don't know the release plan, maybe @tracyboehrer can help us with that.

[aftabmustafa]

Can we expect the change to be available in version 4.21.0-dev.20230825.81e2d98?

[ceciliaavila]

Can we expect the change to be available in version 4.21.0-dev.20230825.81e2d98?

Hi @aftabmustafa, Yes. The PR was merged on the 22 so the 20230825 preview version contains the changes.

[guy-microsoft]

@tracyboehrer Hi, do you have an ETA of when it's going to be in a non-preview (non dev) version?