botbuilder-js icon indicating copy to clipboard operation
botbuilder-js copied to clipboard

Published 20 hours ago verified publisher icon microsoft

fix: [#4797] Add recognizers-text packages as vendors

Open sw-joelmut opened this issue 11 months ago • 1 comments
trafficstars

Fixes #4797

Description

This PR adds the recognizers-text package as a vendor dependency for BotBuilder libraries. To achieve this behavior, we compiled the recongizers-text with 1.1.4 version, updated vulnerable dependencies, and add it as a workspace, so they are connected with BotBuilder libraries. When publishing BotBuilder packages to npm, we created a script that copies all recognizers-text packages related to a specific BotBuilder library, installing related dependencies, and updating compiled code with the copied references. The script will be executed post updating versions script.

[!IMPORTANT] All recognizers-text packages under botbuilder-vendors/vendors have been compiled with tsup, reduced their package.json information, and changed the require statements to match local vendors.

Specific Changes

  • Added recognizers-text packages to depcheck ignores due to now being used as normal dependencies.
  • Updated .gitignore to ignore vendors folder
  • Added localDependencies property to botbuilder-dialogs, dialogs-adaptive, and dialogs-adaptive-testing, containing the recognizers-text dependencies.
  • Updated botbuilder-dialogs i18n require statements because of moving cldr-data folder from vendor to vendors.
  • Updated repo-utils Package interface by adding main and localDependencies properties.
  • Updated repo-utils, adding hasLocalDependencies option to filter only workspaces that have localDependencies properties.
  • Added botbuilder-vendors library containing all recognizers-text vendor packages, each one having the compiled 1.1.4 version and a compacted package.json file.
    • It also contains a script that will be executed after the 'update-versions' script is run, copying selected recognizers-text packages to each BotBuilder library that requires it and update their references in the BotBuilder compiled code.
    • Added botbuilder-vendors/vendors folder to the root package.json workspaces so they are installed and added to the yarn.lock file.

Testing

The following image shows an execution example of the script. imagen

sw-joelmut avatar Dec 17 '24 12:12 sw-joelmut

Pull Request Test Coverage Report for Build 12420517834

Details

  • 10 of 10 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 84.625%
Totals Coverage Status
Change from base Build 12259066809: 0.0%
Covered Lines: 20513
Relevant Lines: 23091
💛 - Coveralls

coveralls avatar Dec 17 '24 13:12 coveralls

@sw-joelmut Are you going to merge it? This vulnerability has been here for a couple of years.

guy-microsoft avatar Jul 06 '25 08:07 guy-microsoft

@sw-joelmut Are you going to merge it? This vulnerability has been here for a couple of years.

Hi @tracyboehrer,

Is there a plan on merging or releasing this PR? There’s attention on resolving this vulnerability, and the community would appreciate any information on the next steps.

Thanks!

sw-joelmut avatar Jul 07 '25 15:07 sw-joelmut

Hi @tracyboehrer, conflicts are fixed in this PR.

ceciliaavila avatar Aug 18 '25 17:08 ceciliaavila