fix: Remove CVE-2022-25881 vulnerability by updating the http-cache-semantics package #4703
Addresses #4684
#minor
Description
This PR updates the version of the http-cache-semantics package to 4.1.1 to fix the CVE-2022-25881 vulnerability. Along the way, to address this http-cache-semantics package issue with the 3.x version, we removed the bf-chatdown package and ported its code to botbuilder-core for internal testing, to remove unnecessary vulnerable dependencies the project isn't using. Additionally, the lodash.template vulnerability (https://github.com/microsoft/botbuilder-js/security/dependabot/344, CVE-2021-23337) was also addressed.
Specific Changes
- Updated http-cache-semantics to 4.1.1.
- Removed bf-chatdown, as it was using the http-cache-semantics 3.x version.
- Ported the bf-chatdown code to botbuilder-core for internal testing.
- Updated the transcripts tests to work with the latest botbuilder changes.
- Added the transcripts tests to the testing flow.
- chatdown and botbuilder-dialogs-adaptive.
Testing
The following image shows the updated http-cache-semantics version and the transcripts tests passing.