
Conversation

@sw-joelmut
Collaborator

Fixes #4797

Description

This PR adds the recognizers-text package as a vendor dependency for BotBuilder libraries.
To achieve this behavior, we compiled recognizers-text at version 1.1.4, updated vulnerable dependencies, and added it as a workspace, so they are connected with BotBuilder libraries.
When publishing BotBuilder packages to npm, we created a script that copies all recognizers-text packages related to a specific BotBuilder library, installs related dependencies, and updates the compiled code with the copied references.
The script will be executed after the update-versions script.

Important

All recognizers-text packages under botbuilder-vendors/vendors have been compiled with tsup, reduced their package.json information, and changed the require statements to match local vendors.

Specific Changes

  • Added recognizers-text packages to depcheck ignores due to now being used as normal dependencies.
  • Updated .gitignore to ignore vendors folder
  • Added localDependencies property to botbuilder-dialogs, dialogs-adaptive, and dialogs-adaptive-testing, containing the recognizers-text dependencies.
  • Updated botbuilder-dialogs i18n require statements because of moving cldr-data folder from vendor to vendors.
  • Updated repo-utils Package interface by adding main and localDependencies properties.
  • Updated repo-utils, adding hasLocalDependencies option to filter only workspaces that have localDependencies properties.
  • Added botbuilder-vendors library containing all recognizers-text vendor packages, each one having the compiled 1.1.4 version and a compacted package.json file.
    • It also contains a script that will be executed after the 'update-versions' script is run, copying selected recognizers-text packages to each BotBuilder library that requires it and update their references in the BotBuilder compiled code.
    • Added botbuilder-vendors/vendors folder to the root package.json workspaces so they are installed and added to the yarn.lock file.

Testing

The following image shows an execution example of the script.
[image: example execution of the vendoring script]

@sw-joelmut sw-joelmut requested a review from a team as a code owner December 17, 2024 12:51
@coveralls

coveralls commented Dec 17, 2024

Pull Request Test Coverage Report for Build 12420517834

Details

  • 10 of 10 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 84.625%

Totals Coverage Status
Change from base Build 12259066809: 0.0%
Covered Lines: 20513
Relevant Lines: 23091

💛 - Coveralls

@guy-microsoft

@sw-joelmut Are you going to merge it? This vulnerability has been here for a couple of years.

@sw-joelmut
Collaborator Author

@sw-joelmut Are you going to merge it? This vulnerability has been here for a couple of years.

Hi @tracyboehrer,

Is there a plan on merging or releasing this PR? There’s attention on resolving this vulnerability, and the community would appreciate any information on the next steps.

Thanks!

@ceciliaavila
Collaborator

Hi @tracyboehrer, conflicts are fixed in this PR.


Development

Successfully merging this pull request may close these issues.

Dependency lodash.trimend is out of date and the dependency has known public CVEs - CVE-2020-28500
