
fix: [#4490] Usage of a vulnerable package - Upgrade recognizers-text-number #4524

Merged
merged 3 commits into from
Aug 18, 2023

Conversation

ceciliaavila
Collaborator

Fixes #4490

Description

This PR upgrades the recognizers-text-number package to the latest version 1.3.1 containing the fix for the lodash.trimend security issue CVE-2020-28500.
It only upgrades this package leaving the rest of the recognizers-text packages in version 1.1.4 to avoid introducing breaking changes.

Specific Changes

  • Upgraded recognizers-text-number in botbuilder-dialogs-adaptive and botbuilder-dialogs.
  • Added @microsoft/recognizers-text-number ~1.3.1 in the root's package.json resolutions section to force the latest version when the package is a nested dependency.
  • Updated unit tests to work with the new entities that are now recognized.
  • Updated yarn.lock file.

Testing

These images show the unit tests passing after the upgrade.
[image: unit test results after the upgrade]
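The `resolutions` override described in the PR only helps if every nested copy of the package actually collapses onto the patched version in the lockfile. The following is an added example (not code from this PR or from botbuilder-js) that parses a yarn.lock v1 file and reports every resolved version of a package that falls below a required minimum, so the effect of the override can be checked rather than assumed. The two lockfile snippets and their registry URLs are constructed samples; the parser assumes the yarn v1 layout (a header line of comma-separated `name@range` selectors ending in `:`, followed by an indented `version "x.y.z"` line) and plain numeric semver.

```javascript
'use strict';

// Constructed sample: lockfile state BEFORE the resolutions override, where a
// transitive dependant still pins the old 1.1.4 release.
const SAMPLE_BEFORE = `# yarn lockfile v1
# (constructed sample, not the real botbuilder-js lockfile)

"@microsoft/recognizers-text-number@~1.3.1":
  version "1.3.1"
  resolved "https://registry.example/recognizers-text-number-1.3.1.tgz"

"@microsoft/recognizers-text-number@1.1.4", "@microsoft/recognizers-text-number@^1.1.4":
  version "1.1.4"
  resolved "https://registry.example/recognizers-text-number-1.1.4.tgz"
  dependencies:
    lodash.trimend "^4.5.1"

lodash.trimend@^4.5.1:
  version "4.5.1"
  resolved "https://registry.example/lodash.trimend-4.5.1.tgz"
`;

// Constructed sample: lockfile state AFTER the override, where all selectors
// (including the nested ^1.1.4 range) resolve to the single patched version.
const SAMPLE_AFTER = `# yarn lockfile v1
# (constructed sample, not the real botbuilder-js lockfile)

"@microsoft/recognizers-text-number@1.1.4", "@microsoft/recognizers-text-number@^1.1.4", "@microsoft/recognizers-text-number@~1.3.1":
  version "1.3.1"
  resolved "https://registry.example/recognizers-text-number-1.3.1.tgz"
`;

// Parse a yarn.lock v1 document into a Map: package name -> [{ selectors, version }].
function parseYarnLock(text) {
  const byName = new Map();
  let current = null; // entry whose `version` line we are still waiting for
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Header: `"@scope/name@^1.0.0", "@scope/name@~1.3.1":` (quotes are optional).
      const selectors = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { selectors, version: null };
      for (const sel of selectors) {
        // The last '@' separates the name from its range, which also works for scoped names.
        const at = sel.lastIndexOf('@');
        const name = at > 0 ? sel.slice(0, at) : sel;
        if (!byName.has(name)) byName.set(name, []);
        if (!byName.get(name).includes(current)) byName.get(name).push(current);
      }
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current && current.version === null) current.version = m[1];
  }
  return byName;
}

// Numeric semver comparison; prerelease suffixes are ignored (assumption for this example).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Sorted, de-duplicated list of every version the lockfile resolves `pkgName` to.
function resolvedVersions(lockText, pkgName) {
  const entries = parseYarnLock(lockText).get(pkgName) || [];
  const versions = [...new Set(entries.map((e) => e.version).filter((v) => v !== null))];
  return versions.sort(compareVersions);
}

// Entries of `pkgName` whose resolved version is older than `minVersion`; empty means the
// override took effect everywhere.
function findBelowMinimum(lockText, pkgName, minVersion) {
  const entries = parseYarnLock(lockText).get(pkgName) || [];
  return entries
    .filter((e) => e.version !== null && compareVersions(e.version, minVersion) < 0)
    .map((e) => ({ selectors: e.selectors, version: e.version }));
}

// Stand-alone report over the two constructed samples.
function report(label, lockText) {
  const pkg = '@microsoft/recognizers-text-number';
  console.log(`${label}: resolved versions of ${pkg} = ${JSON.stringify(resolvedVersions(lockText, pkg))}`);
  for (const hit of findBelowMinimum(lockText, pkg, '1.3.1')) {
    console.log(`  still below 1.3.1: ${hit.version} via ${hit.selectors.join(', ')}`);
  }
}

report('before', SAMPLE_BEFORE);
report('after', SAMPLE_AFTER);
```

Run it against a real lockfile by reading the file into `lockText`; a non-empty result from `findBelowMinimum` means some dependant's range was not covered by the override and the old version is still installed somewhere in the tree.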

@ceciliaavila ceciliaavila requested a review from a team as a code owner August 18, 2023 14:52
@coveralls

coveralls commented Aug 18, 2023

Pull Request Test Coverage Report for Build 5904039003

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 84.852%

Totals / Coverage Status:
  • Change from base Build 5903299207: 0.0%
  • Covered Lines: 20134
  • Relevant Lines: 22485

💛 - Coveralls

@tracyboehrer tracyboehrer merged commit 7110e8a into main Aug 18, 2023
13 checks passed
@tracyboehrer tracyboehrer deleted the southworks/update/recognizers-text-number branch August 18, 2023 15:34
@guy-microsoft

@tracyboehrer Hi, do you have an estimation of when it's going to be published? Are you going to publish it as a patch version for 4.20?
