@slack/bolt@3.11.0

📣 Important Announcement

Since this version, the default behavior of the OAuth flow has been changed for better security. The changes are:

• InstallProvider (The underlying OAuth module) verifies not only the query string but also its corresponding browser cookie data
• The default StateStore (ClearStateStore) makes sure that the state parameter is not too old (the default lifetime is 10 minutes)

Refer to #1335 #1391 slackapi/node-slack-sdk#1435 slackapi/node-slack-sdk#1436 for the context. If you encounter behavior changes described at #1412, consider either changing your app code or setting installerOptions.legacyStateVerification: true for now.

🎁 🐛 New features / improvements:

• #1391 Fix #1335 Proper use of state parameter for the OAuth CSRF protection - Thanks @seratch
• #1405 Fix #1404 SocketModeReceiver app process exits when any of its event listeners throws an exception - Thanks @seratch
• #1359 Fix #1358 Expose common utilities for building HTTP module based receivers - Thanks @seratch
• #1406 Add more error handlers to ExpressReceiver - Thanks @seratch @Gregoor
• #1392 Fix #1385 Create a signature validation function that is not tied to the request - Thanks @seratch @danerwilliams
• #1393 Fix #1376 CustomRoute interface should be accessible from developers - Thanks @seratch
• #1381 Fix #1380 by adding more event payload types - Thanks @seratch @aasiddiq
• #1400 Fix #1397 bolt-js does not accept ssl_check requests properly - Thanks @seratch
• #1340 Fix #1334 Export EnvelopedEvent interface to users - Thanks @martin-cycle
• #1366 Fix #1364 Update axios to latest 0.26.1 - Thanks @seratch @msrivastav13
• #1369 Fix #1368 Log httpServer.close error only when the server exists - Thanks @sbcgua
• #1336 #1401 #1403 #1407 Improve the SDK's test assets - Thanks @seratch @filmaj

📝 Document updates:

• #1384 Deploy the App to Heroku with one click - Thanks @MaurizioBella

Here are all the issues / pull requests included in the release.