microsoft / botbuilder-js

Welcome to the Bot Framework SDK for JavaScript repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using JavaScript.
https://github.com/Microsoft/botframework
MIT License
677 stars 276 forks

Upgrade @azure/identity version in botframework-connector #4709

Closed khirasaki closed 2 days ago

khirasaki commented 1 month ago


Versions

What package version of the SDK are you using?
botbuilder-core@4.22.3
botbuilder@4.22.3
botframework-connector@4.22.3

What nodejs version are you using? 18
What browser version are you using? Chrome
What os are you using? MacOS

Describe the bug

botframework-connector@4.22.3 has an out-of-date dependency with @azure/identity:

"@azure/core-http": "^3.0.2",
"@azure/identity": "^2.0.4",
"@azure/msal-node": "^1.18.4",

I'm getting a warning about identity, but I notice these others are also behind in their versions.

Here's the npm warning I'm getting:

% npm audit

npm audit report

@azure/identity  <4.2.1
Severity: moderate
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
fix available via npm audit fix --force
Will install botframework-connector@4.14.1, which is a breaking change
node_modules/botframework-connector/node_modules/@azure/identity
  botframework-connector  >=4.15.0-dev.1982983
  Depends on vulnerable versions of @azure/identity
  node_modules/botframework-connector
    botbuilder  >=4.15.0-dev.1982983
    Depends on vulnerable versions of botbuilder-core
    Depends on vulnerable versions of botframework-connector
    node_modules/botbuilder
    botbuilder-core  >=4.15.0-dev.1982983
    Depends on vulnerable versions of botframework-connector
    node_modules/botbuilder-core

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run: npm audit fix --force

To Reproduce

Steps to reproduce the behavior:
Install the latest versions of:
"botbuilder": "^4.22.3",
"botbuilder-core": "^4.22.3",
"botframework-connector": "^4.22.3",
and:
"@azure/identity": "^4.3.0",
"@azure/msal-node": "^2.6.0",

Conflict appears.

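The audit report above shows the usual shape of this class of problem: the application pins a fixed @azure/identity directly, but botframework-connector carries its own nested copy under node_modules/botframework-connector/node_modules, and that copy is the one npm audit flags. The following is an added example, not code from the botbuilder-js repository, that walks an npm ls --json style dependency tree and reports every path that resolves a package to a version below a known-fixed version. The tree, the 2.1.0 nested resolution and the helper names are constructed for illustration; the fixed-version threshold 4.2.1 is taken from the advisory line in the audit output.

```javascript
// Added example (not from the botbuilder-js repo): find transitive resolutions of a
// package that fall below a fixed version, reporting the full dependency path so the
// responsible intermediate package (here botframework-connector) is visible.

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes such as
// "-dev.1982983" are dropped for the comparison.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// True when version a is strictly lower than version b.
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Depth-first walk over the nested `dependencies` maps that `npm ls --json` emits.
// Each finding records the resolved version and the path from the project root.
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const findings = [];
  const walk = (node, path) => {
    const deps = node.dependencies || {};
    for (const [name, child] of Object.entries(deps)) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkgName && versionLessThan(child.version, fixedVersion)) {
        findings.push({ version: child.version, path: here.join(' > ') });
      }
      walk(child, here);
    }
  };
  walk(tree, []);
  return findings;
}

// Constructed tree mirroring the chain in this issue's audit output: the root
// depends on @azure/identity 4.3.0 directly, while botframework-connector (reached
// through botbuilder and botbuilder-core) resolves its own nested @azure/identity 2.x.
const SAMPLE_TREE = {
  name: 'my-bot',
  version: '1.0.0',
  dependencies: {
    '@azure/identity': { version: '4.3.0' },
    botbuilder: {
      version: '4.22.3',
      dependencies: {
        'botbuilder-core': {
          version: '4.22.3',
          dependencies: {
            'botframework-connector': {
              version: '4.22.3',
              dependencies: {
                // constructed 2.x resolution of the "^2.0.4" range in the connector package
                '@azure/identity': { version: '2.1.0' },
              },
            },
          },
        },
      },
    },
  },
};

// Fixed version 4.2.1 comes from the "@azure/identity <4.2.1" advisory line above.
function checkSampleTree() {
  return findVulnerablePaths(SAMPLE_TREE, '@azure/identity', '4.2.1');
}

for (const f of checkSampleTree()) {
  console.log(`${f.path}  (< 4.2.1)`);
}
```

Run against real output by replacing SAMPLE_TREE with JSON.parse of `npm ls --all --json`; the direct 4.3.0 dependency is not flagged, only the nested 2.x copy is, which is exactly why upgrading the application's own @azure/identity does not silence the audit until botframework-connector raises its range.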

chaitutheprince commented 1 month ago

Any update on the above bug? We are waiting for it to resolve.

tracyboehrer commented 1 month ago

We are aware of the issue. There is another blocking issue that needs to be resolved first that is more difficult than just a dependency update. This is actively being worked on.

daniel-stoll commented 3 weeks ago

Hi there, do you have any updates/timeline that you can share with us? Much appreciated.