Upgate zod package #4545

Closed
dominykas opened this issue Oct 11, 2023 · 14 comments · Fixed by #4563
Labels: feature-request (A request for new functionality or an enhancement to an existing one), needs-triage (The issue has just been created and it has not been reviewed by the team)

Comments

dominykas commented Oct 11, 2023

Is your feature request related to a problem? Please describe.

The zod version (1.11.17) used across the project has a security vulnerability, which gets picked up by various scanners, e.g. https://security.snyk.io/vuln/SNYK-JS-ZOD-5925617 and it is also over two years old.

Describe the solution you'd like

Please upgrade to v3.x release line (first released some 2+ years ago).

Describe alternatives you've considered

n/a

Additional context

Would it make sense to turn on Renovate (or change the Dependabot config) for this project? There does not seem to be a clearly visible dependency upgrade strategy in place.

dominykas added the feature-request and needs-triage labels on Oct 11, 2023
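The issue asks for a dependency upgrade and a visible upgrade strategy; a defender's first step is knowing which versions of the package a lockfile actually resolves. The following is an added example, not code from the botbuilder-js project: it parses a v1 yarn.lock and reports every resolved version of a package below a minimum (3.22.4, the target named later in this thread). The lockfile contents are constructed for the example.

```javascript
// Added example (not botbuilder-js code): scan a v1 yarn.lock for every
// resolved version of a package and flag those below a minimum version.
const MIN_ZOD = '3.22.4'; // the target version named later in this thread

// Constructed sample lockfile: one pre-3.x entry and one current entry.
const SAMPLE_LOCK = `# yarn lockfile v1
"zod@~1.11.17":
  version "1.11.17"
  resolved "https://registry.yarnpkg.com/zod/-/zod-1.11.17.tgz#deadbeef"

"zod@^3.20.0", zod@^3.22.4:
  version "3.22.4"
  resolved "https://registry.yarnpkg.com/zod/-/zod-3.22.4.tgz#cafebabe"
`;

// Parse a v1 yarn.lock into [{ specs, version }]. Top-level keys are
// unindented, possibly quoted, comma-separated, and end with ':'.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.startsWith('#') || raw.trim() === '') continue;
    if (!raw.startsWith(' ')) {
      const specs = raw.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison (prerelease ignored); negative if a < b.
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Resolved versions of `name` (spec text before its last '@') older than `min`.
function findOutdated(lockText, name, min) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.specs.some((s) => s.slice(0, s.lastIndexOf('@')) === name))
    .filter((e) => compareSemver(e.version, min) < 0)
    .map((e) => ({ version: e.version, specs: e.specs }));
}
```

Run it against a real lockfile by reading the file with `fs.readFileSync` in place of SAMPLE_LOCK; each reported entry shows which range specifier is still pulling in the old version.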
@arthurfeduniv

+1

1 similar comment
@Arthur264

+1

@Ermak-13

🔐

@jineshjin

+1

1 similar comment
@Joao-pina-fernandes

👍

@Harvey1976

+1 We use the botkit to generate our application; in a recent Trivy scan, we found the issue of Zod.

Actually, zod already fixed this, but bot builder did not fix this. Please upgrade Zod to 3.xx.

@sw-joelmut sw-joelmut self-assigned this Oct 26, 2023
@seanhsmith

+1

1 similar comment
cdeliens commented Nov 7, 2023

+1

@hieumoscow

Hi @sw-joelmut, have you started a branch to upgrade Zod to 3.22.4? I have a project that is blocked, due to this CVE, from going to production this week.

Can you help me to look into this issue please, thank you.

@sw-joelmut (Collaborator)

Hi @sw-joelmut, have you started a branch to upgrade Zod to 3.22.4? I have a project that is blocked, due to this CVE, from going to production this week.

Can you help me to look into this issue please, thank you.

Hi @hieumoscow,

We are working on this, we'll have news soon.

hieumoscow added a commit to hieumoscow/botbuilder-js that referenced this issue Nov 7, 2023
hieumoscow commented Nov 7, 2023

Hi @sw-joelmut, took me a bit of time to upgrade and test locally, it seems to run fine and parses the test.

However, there is one test in the CloudAdapter tests where the stub seems unable to get the desired expired error message.

expect(consoleStub.calledWithMatch({ message: 'The token has expired' })).to.be.true;

Could you please help me review? Pardon me for anything I might have missed, as it is my first time contributing to this repo.

@Harvey1976

Hi, I checked the pull request proposed by @hieumoscow; it seems this PR is trying to merge code into the 4.21 release of bot kit.
As a user of botkit, the zod CVE is currently blocking our project from releasing.
Then, may I know the possible release date of 4.21? Thanks a lot.

tracyboehrer pushed a commit that referenced this issue Nov 9, 2023
* remove zod in botbuilder-dialogs

* update support for TS

* update botbuilder api signature

* update bf-schema api signature

* set zod versions

* remove skip

* fix lint

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>
tracyboehrer pushed a commit that referenced this issue Nov 9, 2023
* update zod in botbuilder

* change ts support in test consumer

* fix ts config

* simplify use of safeParse

* fix lint

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>
tracyboehrer pushed a commit that referenced this issue Nov 9, 2023
* updates zod version in botbuilder-core

* update support of compat tests

* update botbuilder-core api signature

* update bf-schema api signature

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>
tracyboehrer changed the title from "Please upgrade zod package" to "Upgate zod package" on Nov 9, 2023
@shabbir-dhangot

What is the release version and date for this change to be made available for consumption?

tracyboehrer pushed a commit that referenced this issue Nov 13, 2023
* remove zod in botbuilder-dialogs

* update support for TS

* update botbuilder api signature

* update bf-schema api signature

* set zod versions

* remove skip

* fix lint

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>
# Conflicts:
#	libraries/botframework-schema/etc/botframework-schema.api.md
#	testing/consumer-test/run.ts
#	yarn.lock
tracyboehrer pushed a commit that referenced this issue Nov 13, 2023
* update zod in botbuilder

* change ts support in test consumer

* fix ts config

* simplify use of safeParse

* fix lint

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>
# Conflicts:
#	libraries/botframework-schema/package.json
tracyboehrer pushed a commit that referenced this issue Nov 13, 2023
* updates zod version in botbuilder-core

* update support of compat tests

* update botbuilder-core api signature

* update bf-schema api signature

---------

Co-authored-by: JhontSouth <jhonatan.sandoval@southworks.com>