OfficeDev · jadahiya-MSFT · Oct 29, 2024 · Jan 3, 2025 · Jan 3, 2025 · Jan 6, 2025
@@ -20,9 +20,9 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.10" />
-    <PackageReference Include="Microsoft.Graph" Version="5.61.0" />
-    <PackageReference Include="Microsoft.Fast.Components.FluentUI" Version="3.7.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
+    <PackageReference Include="Microsoft.Graph" Version="5.68.0" />
+    <PackageReference Include="Microsoft.Fast.Components.FluentUI" Version="3.8.0" />
     <PackageReference Include="Microsoft.TeamsFx" Version="2.5.*" />
     <PackageReference Include="Microsoft.Bot.Connector" Version="4.22.9" />
   </ItemGroup>

@@ -19,7 +19,7 @@
     "@rollup/plugin-typescript": "^11.1.6",
     "@rollup/plugin-terser": "0.4.4",
     "rollup": "^4.24.4",
-    "webpack": "^5.96.1",
+    "webpack": "^5.97.1",
     "webpack-cli": "^5.1.4",
     "testlibraryfortreeshaking": "^1.0.24"
   }

@@ -0,0 +1,7 @@
+{
+  "type": "none",
+  "comment": "Updated dependency versions to address CG vulnerabilities",
+  "packageName": "@microsoft/teams-js",
+  "email": "[email protected]",
+  "dependentChangeType": "none"
+}
@@ -62,7 +62,7 @@
     "beachball": "^2.43.0",
     "copy-webpack-plugin": "12.0.2",
     "cross-env": "^7.0.3",
-    "css-loader": "^6.11.0",
+    "css-loader": "^7.1.2",
     "eslint": "^8.57.0",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-node": "^11.1.0",
@@ -80,34 +80,36 @@
     "jest-environment-jsdom": "^29.7.0",
     "jest-junit": "^15.0.0",
     "jsdom": "^24.1.0",
-    "lerna": "^8.1.5",
+    "lerna": "^8.1.9",
     "merge2": "1.0.2",
     "path": "^0.12.7",
     "prettier": "^3.3.2",
     "rimraf": "^5.0.7",
-    "rollup": "^4.24.4",
-    "rollup-plugin-node-polyfills": "^0.2.1",
+    "rollup": "^4.24.2",
+    "rollup-plugin-dts": "^6.1.1",
+    "rollup-plugin-polyfill-node": "^0.13.0",
     "shx": "^0.3.4",
-    "style-loader": "^3.3.4",
+    "style-loader": "^4.0.0",
     "ts-jest": "^29.1.2",
     "ts-loader": "^9.5.1",
     "ts-node": "^10.9.2",
     "tslib": "^2.3.1",
     "typedoc": "^0.24.8",
     "typescript": "^4.9.5",
-    "webpack": "^5.96.1",
+    "webpack": "^5.97.1",
     "webpack-assets-manifest": "^5.2.1",
     "webpack-bundle-analyzer": "^4.10.2",
-    "webpack-cli": "^5.1.4",
-    "webpack-dev-server": "^5.1.0",
+    "webpack-cli": "^6.0.1",
+    "webpack-dev-server": "^5.2.0",
     "webpack-merge": "^6.0.1",
-    "webpack-subresource-integrity": "^5.1.0",
+    "webpack-subresource-integrity": "^5.2.0-rc.1",
     "yargs": "^17.7.2"
   },
   "pnpm": {
     "overrides": {
       "@azure/identity": ">=4.2.1",
       "cookie": ">=0.7.0",
+      "cross-spawn": ">=7.0.5",
       "dns-packet": "^1.3.2",
       "express": "^4.21.0",
       "follow-redirects": "^1.15.6",
@@ -119,6 +121,7 @@
       "merge": "^2.1.1",
       "micromatch": ">=4.0.8",
       "minimist": "^0.2.4",
+      "nanoid": ">=3.3.8",
       "nth-check": ">=2.0.1",
       "postcss": "^8.4.31",
       "semver": "^7.5.2",
@@ -135,11 +138,12 @@
     },
     "overrides-explanation": {
       "WHAT IS THIS SECTION": "pnpm ignores this section and comments aren't allowed in JSON files. This section documents why the above overrides have been put in place. If you add an override, describe it in this section.",
-      "cookie": "There is a vulnerability in older versions of the express package that is consumed by webpack, this has been patched in a later version of cookie that webpack has not updated yet. Once they update this package, we can remove this override",
+      "cookie": "There is a vulnerability with cookie versions less than 0.7.0. This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
+      "cross-spawn": "There is a vulnerability with cross-spawn versions less than 7.0.5 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
       "express": "There is a vulnerability in older versions of the express package that is consumed by webpack-dev-server, this has been patched in a later version of express that webpack-dev-server has not updated yet. Once they update this package, we can remove this override",
       "follow-redirects": "There is a vulnerability in the follow-redirects package, and a fix has been provided. However, we consume the follow-redirects package via webpack-dev-server, Lerna, and wait-on, eventually. We are using this newer version of follow-redirects to avoid the vulnerability. If webpack-dev-server, Lerna, and wait-on packages are ever updated to a version of follow-redirects that fixes the vulnerability, we can remove this override and update the three packages accordingly.",
-      "http-proxy-middleware": "There is a vulnerability in older versions of the express package that is consumed by webpack-dev-server, this has been patched in a later version of http-proxy-middleware that webpack-dev-server has not updated yet. Once they update this package, we can remove this override",
-      "micromatch": "There is a vulnerability in older versions of the express package that is consumed by webpack, this has been patched in a later version of micromatch that webpack has not updated yet. Once they update this package, we can remove this override",
+      "micromatch": "There is a vulnerability with micromatch versions less than 4.0.8 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
+      "nanoid": "There is a vulnerability with nanoid versions less than 3.3.8 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
       "socks": "There is a vulnerability in the ip package which has no fix. We consume ip via socks (eventually via lerna). Socks released a new version that removed the ip dependency. We are using this newer version of socks to avoid the vulnerability. If ip is ever updated or lerna (or any package in the chain) eventually updates to a version of socks that doesn't depend on ip, we can remove this override",
       "tar": "There is a vulnerability in the tar package which is being used by lerna that hasn't yet been updated. Once this is patched in lerna we can remove this override"
     }

@@ -7,7 +7,7 @@ import replace from '@rollup/plugin-replace';
 import terser from '@rollup/plugin-terser';
 import typescript from '@rollup/plugin-typescript';
 import { readFileSync } from 'fs';
-import nodePolyfills from 'rollup-plugin-node-polyfills';
+import nodePolyfills from 'rollup-plugin-polyfill-node';
 
 const packageJson = JSON.parse(readFileSync('./package.json', 'utf-8'));