[Snyk] Upgrade: botbuilder, botbuilder-dialogs

[DevangPatelUK]

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

botbuilder
from 4.22.2 to 4.22.3 | 1 version ahead of your current version | 2 months ago
on 2024-06-27
botbuilder-dialogs
from 4.22.2 to 4.22.3 | 1 version ahead of your current version | 2 months ago
on 2024-06-27

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-AXIOS-6144788	586	No Known Exploit
	Denial of Service (DoS) SNYK-JS-WS-7266574	586	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	586	Proof of Concept

Release notes

Package name: botbuilder

• 4.22.3 - 2024-06-27
  

  This is the June 2024 patch release of the Bot Framework JS SDK. This release contains security updates.

  What's Changed

  • fix: Remove CVE-2020-28469 with with glob-parent 5.1.1 (High) by @ JhontSouth in #4670
  • fix: CodeQL SM04509 issue by @ andres-robinet-sw in #4671
  • bump: Upgrade axios version to ^1.7.2 by @ JhontSouth in #4680
  • fix: Remove CVE-2024-37890 vulnerability by updating the ws package by @ sw-joelmut in #4683
  • fix: Remove CVE-2020-36632 vulnerability by @ JhontSouth in #4687
  • fix: Remove CVE-2022-21680 vulnerability by @ JhontSouth in #4688
  • fix: Remove CVE-2022-21680 vulnerability by @ JhontSouth in #4689
  • fix: Remove CVE-2023-45133 vulnerability by @ JhontSouth in #4691
  • fix: CVE-2020-8203 with lodash.pick by @ andres-robinet-sw in #4692
  • fix: Remove CVE-2020-7774 vulnerability by updating the y18n package by @ sw-joelmut in #4693
  • fix: Remove CVE-2022-0144 vulnerability by @ JhontSouth in #4695
  • fix: Remove CVE-2024-4068 vulnerability by @ JhontSouth in #4696
  • feat: Support Single Tenant authentication through BotFramework-Emulator by @ JhontSouth in #4643
  • refactor: AgentSettings Circular Structure and improve internals by @ sw-joelmut in #4641
  • chore: Moved @ types/jswebtoken (in both places) to dependencies. by @ tracyboehrer in #4646
  • chore: [#4636] Add more information to Tenant parameters by @ sw-joelmut in #4649
  • fix: SM03944 suppression by @ tracyboehrer in #4654
  • Removed unused build assets by @ tracyboehrer in #4658
  • fix: [#4657] bump the npm_and_yarn group across 2 directories with 20 updates by @ JhontSouth in #4663
  • fix: SM04509 suppression by @ tracyboehrer in #4667
  • fix: SM02383 suppression by @ tracyboehrer in #4668
  • fix: [#4483] Switching npm dependency bcrypt to bcryptjs by @ JhontSouth in #4669
• 4.22.2 - 2024-04-15
  

  This is the April 2024 JS SDK patch release. This release contains minor bug fixes and security updates.

  What's Changed

  • fix: add content type header by @ XVincentX in #4587
  • fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to https://login.botframework.com/v1/.well-known/openidconfiguration by @ ceciliaavila in #4583
  • bump: Update swagger-client to stop using lodash-compat by @ JhontSouth in #4604
  • fix: Removed Copyright from generated code by @ tracyboehrer in #4612
  • fix: [#4584] ChannelAccount cannot accept extensible properties by @ JhontSouth in #4618
  • bump: Update follow-redirects to ^1.15.4 by @ JhontSouth in #4617
  • bump: Update @ azure/msal-node and @ azure/msal-browser by @ JhontSouth in #4619
  • bump: undici from 5.28.2 to 5.28.3 by @ dependabot in #4620
  • bump: axios from 0.21.1 to 0.28.0 by @ dependabot in #4621
  • bump: ip from 1.1.5 to 1.1.9 by @ dependabot in #4622
  • bump: ip from 1.1.5 to 1.1.9 in /testing/browser-functional/browser-echo-bot by @ dependabot in #4623
  • bump: es5-ext from 0.10.53 to 0.10.63 by @ dependabot in #4624
  • fix: [botframework-connector] Use HashSet instead of string array for endorsement by @ crdev13 in #4526
  • bump: tar to 6.1.9 by @ tracyboehrer in #4627
  • bump: axios to 0.21.2 by @ tracyboehrer in #4628
  • chore: Removed autorest gen related by @ tracyboehrer in #4629
  • bump: axios and ws by @ tracyboehrer in #4630
  • bump: follow-redirects from 1.15.5 to 1.15.6 in /testing/browser-functional/browser-echo-bot by @ dependabot in #4633
  • bump: follow-redirects from 1.15.5 to 1.15.6 by @ dependabot in #4634
  • fix: [#4440][Bot node.js] Compile error for accessing "conversation" and "organizer" fields for get meeting details bot API by @ ceciliaavila in #4442
  • bump: express from 4.18.2 to 4.19.2 in /testing/browser-functional/browser-echo-bot by @ dependabot in #4638
  • bump: express from 4.17.3 to 4.19.2 by @ dependabot in #4637
  • getValue parity by @ tracyboehrer in #4639
  • chore: Moved @ types/jsonwebtoken to dependencies by @ tracyboehrer in #4640
  • bump: undici from 5.28.3 to 5.28.4 by @ dependabot in #4642

  Full Changelog: 4.22.1...4.22.2

from botbuilder GitHub release notes

Package name: botbuilder-dialogs

• 4.22.3 - 2024-06-27
  

  This is the June 2024 patch release of the Bot Framework JS SDK. This release contains security updates.

  What's Changed

  • fix: Remove CVE-2020-28469 with with glob-parent 5.1.1 (High) by @ JhontSouth in #4670
  • fix: CodeQL SM04509 issue by @ andres-robinet-sw in #4671
  • bump: Upgrade axios version to ^1.7.2 by @ JhontSouth in #4680
  • fix: Remove CVE-2024-37890 vulnerability by updating the ws package by @ sw-joelmut in #4683
  • fix: Remove CVE-2020-36632 vulnerability by @ JhontSouth in #4687
  • fix: Remove CVE-2022-21680 vulnerability by @ JhontSouth in #4688
  • fix: Remove CVE-2022-21680 vulnerability by @ JhontSouth in #4689
  • fix: Remove CVE-2023-45133 vulnerability by @ JhontSouth in #4691
  • fix: CVE-2020-8203 with lodash.pick by @ andres-robinet-sw in #4692
  • fix: Remove CVE-2020-7774 vulnerability by updating the y18n package by @ sw-joelmut in #4693
  • fix: Remove CVE-2022-0144 vulnerability by @ JhontSouth in #4695
  • fix: Remove CVE-2024-4068 vulnerability by @ JhontSouth in #4696
  • feat: Support Single Tenant authentication through BotFramework-Emulator by @ JhontSouth in #4643
  • refactor: AgentSettings Circular Structure and improve internals by @ sw-joelmut in #4641
  • chore: Moved @ types/jswebtoken (in both places) to dependencies. by @ tracyboehrer in #4646
  • chore: [#4636] Add more information to Tenant parameters by @ sw-joelmut in #4649
  • fix: SM03944 suppression by @ tracyboehrer in #4654
  • Removed unused build assets by @ tracyboehrer in #4658
  • fix: [#4657] bump the npm_and_yarn group across 2 directories with 20 updates by @ JhontSouth in #4663
  • fix: SM04509 suppression by @ tracyboehrer in #4667
  • fix: SM02383 suppression by @ tracyboehrer in #4668
  • fix: [#4483] Switching npm dependency bcrypt to bcryptjs by @ JhontSouth in #4669
• 4.22.2 - 2024-04-15
  

  This is the April 2024 JS SDK patch release. This release contains minor bug fixes and security updates.

  What's Changed

  • fix: add content type header by @ XVincentX in #4587
  • fix: [#4544] JwtTokenExtractor.getIdentity:err! FetchError: request to https://login.botframework.com/v1/.well-known/openidconfiguration by @ ceciliaavila in #4583
  • bump: Update swagger-client to stop using lodash-compat by @ JhontSouth in #4604
  • fix: Removed Copyright from generated code by @ tracyboehrer in #4612
  • fix: [#4584] ChannelAccount cannot accept extensible properties by @ JhontSouth in #4618
  • bump: Update follow-redirects to ^1.15.4 by @ JhontSouth in #4617
  • bump: Update @ azure/msal-node and @ azure/msal-browser by @ JhontSouth in #4619
  • bump: undici from 5.28.2 to 5.28.3 by @ dependabot in #4620
  • bump: axios from 0.21.1 to 0.28.0 by @ dependabot in #4621
  • bump: ip from 1.1.5 to 1.1.9 by @ dependabot in #4622
  • bump: ip from 1.1.5 to 1.1.9 in /testing/browser-functional/browser-echo-bot by