Prepare CLI 3.0.2 release #2909
Merged
…lifecycle (#2817)

## Summary

- Adds a note to the TS "Self-Managing Your Server" doc clarifying that plugin `onStart` hooks do not fire when callers skip `app.start()` and run their own server lifecycle.
- Documents the workaround: invoke the plugin's `onStart` manually after `await app.initialize()`.

## Why

Surfaced by:

- microsoft/teams.ts#512 - users adopting the `IHttpServerAdapter` pattern for non-Express frameworks (Fastify, Restify, etc.) skip `app.start()` and so silently lose any plugin setup that lives in `onStart`.
- microsoft/teams.ts#544 - concrete repro: `DevToolsPlugin` registers its router inside `onStart`, so a self-managed `ExpressAdapter` setup leaves DevTools un-started until the user manually invokes `devToolsPlugin.onStart({ port })`.

The `IHttpServerAdapter` interface already supports this self-managed flow; this PR just makes the caveat explicit in the doc.

## Test plan

- [x] Verify the rendered doc page shows the new note in the right section (after the Express self-managed example, before the "See the full Express adapter example" link).
- [x] Sanity-check that the suggested `await myPlugin.onStart({ port: 3978 })` call shape matches the plugin lifecycle interface.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds a URL-shareable docs page that helps developers choose between the **Microsoft 365 Agents SDK** and the **Microsoft Teams SDK** when building for Microsoft Teams.

The page is structured around the **durable distinction** between the two SDKs (channel breadth vs Teams-feature depth) rather than feature-checklist parity, with a **basic vs premier** framing for the Teams scenario.

## What's in it

- **Architectural diagram** showing the two SDKs target different backends (Teams Bot Service, Azure Bot Service) but speak the same Activity Protocol
- **Channel grouping**: purple (reachable from both SDKs) vs amber (M365 Agents SDK optimized path)
- **Feature inventory image** illustrating breadth (M365 Agents SDK) vs depth (Microsoft Teams SDK)
- **Basic and Premier feature reference tables** for the Teams scenario
- **Bot Framework migration decision table** with paths for both SDKs

## Sidebar visibility

Frontmatter uses `sidebar_class_name: 'sidebar-hidden'` so the page is reachable by URL but doesn't appear in the left navigation. Intent: guidance content for developers asking "which SDK?", not a top-level navigation item.

## Test plan

- [ ] Local Docusaurus dev server renders `/teams-sdk/teams/choosing-an-sdk` cleanly
- [ ] Mermaid diagram in "How they relate" renders without arrow crossings or layout glitches
- [ ] `sdk-feature-comparison.png` displays at appropriate size
- [ ] All internal links resolve (e.g. `./enabling-in-copilot`)
- [ ] All external links open correctly (Microsoft Learn, GitHub repos)
- [ ] Page does not appear in the left sidebar (URL-only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
…d Identity" (#2696)

## Update Documentation: User Managed Identity → User Assigned Managed Identity

- [x] Review all documentation files containing "User Managed Identity"
- [x] Update typescript.incl.md to use "User Assigned Managed Identity"
- [x] Update python.incl.md to use "User Assigned Managed Identity"
- [x] Update app-authentication/README.md to use "User Assigned Managed Identity"
- [x] Update federated-identity-credentials.md to use "User Assigned Managed Identity"
- [x] Update user-managed-identity.md content to use "User Assigned Managed Identity"
- [x] Update app-authentication.mdx to use "User Assigned Managed Identity"
- [x] Verify all changes are consistent and accurate
- [x] Rebase onto latest main branch and resolve conflicts

<details>
<summary>Original prompt</summary>

> In our docs, we say "User managed identity" when what we really mean is "User assigned managed identity". Can you update the language please

</details>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: heyitsaamir <48929123+heyitsaamir@users.noreply.github.com>
## Summary

Product rename: **Teams CLI** → **Teams Developer CLI** across the repo.

What got touched:

- **Package**: `packages/cli/package.json` description + the `Teams Developer CLI [Beta]` help banner in `packages/cli/src/index.ts`. (The npm name `@microsoft/teams.cli` is left alone — renaming that is a whole different beast.)
- **Docs**: every "Teams CLI" mention across `teams.md/docs/**`, `teams.md/src/**`, and `teams.md/static/llms_docs/**`.
- **Blog**: `2026-04-28-teams-cli-preview/index.md` body. Slug + folder kept the same to avoid breaking the live URL.
- **Plugin / skill**: `plugins/teams-sdk/**`, `.claude-plugin/marketplace.json`, root `README.md`, `packages/cli/README.md`.

Left intentionally untouched:

- Internal identifiers (`teams-cli` keychain serviceName, envPaths, USER_AGENT, tmpdir prefix, test resource group defaults) — changing these would invalidate caches/configs.
- Unrelated terms like "Teams client", `@microsoft/teams.client`, "Teams Developer Portal".
- Generic "the CLI" phrases that read fine in context.

## Test plan

- `npm run build --workspace=@microsoft/teams.cli` — confirm clean build
- Run `node packages/cli/dist/index.js --help` and check the banner says `Teams Developer CLI [Beta]`
- Skim the docs site preview to confirm headings/links still resolve
Fixes [#565](microsoft/teams.ts#565)

## What

`teams app doctor` was assuming an Azure Bot resource is always named after its MicrosoftAppId. That's only true for bots this CLI creates — bots stamped out by Portal/Bicep/Terraform (or our own `migrate --azure-name foo`) get human-readable names, and doctor would shrug `✗ Azure bot not found` and skip every downstream check.

## How

- **Discovery**: keep the `--name <botId>` fast path, then fall back to Azure Resource Graph filtering on `properties.msaAppId`. If the graph extension can't be installed, fall back again to listing bots and fetching each one's properties in parallel.
- **Resource name plumbing**: `AzureContext` now carries the real Azure resource name. Doctor uses `azure.name ?? botId` for `az bot show`, `az bot msteams show`, and the authsetting calls — same shape, just the right name.
- **Migrate**: new `--azure-name <name>` flag so users can give the Azure resource a friendly name. Defaults to `botId` so nothing changes for existing scripts.

## Tests

6 new unit tests covering: fast-path hit, graph fallback, list+show last-resort fallback, both-empty, no-match, and az exploding.

## Verified e2e

Created a real teams-managed app, migrated to Azure with `--azure-name migrate-test-renamed`, then ran doctor on the resulting Teams app:

| | Public `teams` CLI | This branch |
|---|---|---|
| Azure bot discovered | ✗ not found | ✔ |
| Endpoint reachable | (skipped) | ✔ |
| Teams channel | (skipped) | ✔ |
| `az bot authsetting list` (SSO path) | `ParentResourceNotFound` | ✔ `[]` |
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.0.6 to 3.1.2.

**Release notes**

*Sourced from [fast-uri's releases](https://github.com/fastify/fast-uri/releases).*

> ## v3.1.2
>
> ## ⚠️ Security Release
>
> - Fix for https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
>
> ## What's Changed
>
> - Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171
>
> **Full Changelog**: https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2
>
> ## v3.1.1
>
> ## ⚠️ Security Release
>
> - Fix for https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
>
> ## What's Changed
>
> - build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148
> - build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149
> - chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150
> - build(deps-dev): remove `@fastify/pre-commit` by @Fdawgs in fastify/fast-uri#151
> - build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152
> - ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153
> - build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154
> - build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156
> - chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159
> - style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161
> - ci: remove unused github files by @Tony133 in fastify/fast-uri#162
> - chore: update readme by @Tony133 in fastify/fast-uri#164
> - build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165
> - build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166
> - build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167
> - ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169
>
> ## New Contributors
>
> - @Tony133 made their first contribution in fastify/fast-uri#162
>
> **Full Changelog**: https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1
>
> ## v3.1.0
>
> ## What's Changed
>
> - ci: remove master branch support by @Fdawgs in fastify/fast-uri#126
> - chore(test) remove .gitkeep by @Fdawgs in fastify/fast-uri#128
> - ci(ci): set job permissions by @Fdawgs in fastify/fast-uri#129
> - ci: set permissions at workflow level by @Fdawgs in fastify/fast-uri#131
> - ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fast-uri#132
> - ci(ci): restore job level permissions by @Fdawgs in fastify/fast-uri#133
> - build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in fastify/fast-uri#134
> - ci(ci): pin actions to commit-hash by @Fdawgs in fastify/fast-uri#135
> - ci: add node 24 to test matrix by @Fdawgs in fastify/fast-uri#136

... (truncated)

**Commits**

- `919dd8e` Bumped v3.1.2
- `c65ba57` fixup: linting
- `6c86c17` Merge commit from fork
- `a95158a` Handle malformed fragment decoding without throwing (#171)
- `cea547c` Bumped v3.1.1
- `876ce79` Merge commit from fork
- `dcdf690` ci: add lock-threads workflow (#169)
- `c860e65` build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
- `9b4c6dc` build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
- `85d09a9` build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
- Additional commits viewable in [compare view](https://github.com/fastify/fast-uri/compare/v3.0.6...v3.1.2)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2824)

Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.28.5 to 7.29.4.

**Release notes**

*Sourced from [@babel/plugin-transform-modules-systemjs's releases](https://github.com/babel/babel/releases).*

> ## v7.29.4 (2026-05-05)
>
> #### :bug: Bug Fix
>
> - `babel-plugin-transform-modules-systemjs`
>   - #17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)
>
> #### Committers: 1
>
> - Huáng Jùnliàng (@JLHwung)
>
> ## v7.29.3 (2026-04-30)
>
> #### :eyeglasses: Spec Compliance
>
> - `babel-parser`
>   - #17923 Support flow extends bound (@JLHwung)
>
> #### :bug: Bug Fix
>
> - `babel-helper-create-class-features-plugin`, `babel-plugin-proposal-decorators`
>   - #17931 fix(decorators): replace super within all removed static elements (@JLHwung)
> - `babel-register`
>   - #17915 Fix thread synchronization issues in `@babel/register` (@liuxingbaoyu)
> - `babel-compat-data`, `babel-plugin-bugfix-safari-rest-destructuring-rhs-array`, `babel-preset-env`
>   - #17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)
>
> #### :nail_care: Polish
>
> - `babel-parser`
>   - #17782 Improve trailing comma comment handling (@JLHwung)
>
> #### :memo: Documentation
>
> - #17847 Replace npmjs.com links with npmx.dev (@nicolo-ribaudo)
>
> #### :running_woman: Performance
>
> - `babel-helper-import-to-platform-api`, `babel-plugin-proposal-import-wasm-source`, `babel-plugin-transform-json-modules`
>   - #17818 Load async Wasm and JSON imports in parallel (@nicolo-ribaudo)
>
> #### Committers: 4
>
> - Babel Bot (@babel-bot)
> - Huáng Jùnliàng (@JLHwung)
> - Nicolò Ribaudo (@nicolo-ribaudo)
> - @liuxingbaoyu
>
> ## v7.29.2 (2026-03-16)
>
> #### :eyeglasses: Spec Compliance
>
> - `babel-parser`
>   - #17840 [7.x backport] async x => {} must be in leading pos (@JLHwung)
>
> #### :bug: Bug Fix
>
> - `babel-helpers`, `babel-plugin-transform-async-generator-functions`, `babel-preset-env`, `babel-runtime-corejs3`
>   - #17805 [7.x backport] fix: Properly handle await in finally (@liuxingbaoyu)
> - `babel-preset-env`

... (truncated)

**Commits**

- `a458f66` v7.29.4
- `32ebd5a` [7.x backport]fix(systemjs): improve module string name support (#17974)
- `aa8394e` v7.29.0
- `0053db6` Update polyfill packages (#17727)
- See full diff in [compare view](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mermaid](https://github.com/mermaid-js/mermaid) from 11.14.0 to 11.15.0.

**Release notes**

*Sourced from [mermaid's releases](https://github.com/mermaid-js/mermaid/releases).*

> ## mermaid@11.15.0
>
> ### Minor Changes
>
> - #7174 `0aca217` Thanks @milesspencer35! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive
> - #7512 `8e17492` Thanks @aruncveli! - feat(flowchart): add datastore shape
>
>   In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`.
> - #6440 `9ad8dde` Thanks @yordis, @lgazo! - feat: add Event Modeling diagram
> - #7707 `27db774` Thanks @txmxthy! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source
> - #7604 `bf9502f` Thanks @M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting
>
>   If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can set `class.hierarchicalNamespaces=false` in your mermaid config:
>
>   ```yaml
>   config:
>     class:
>       hierarchicalNamespaces: false
>   ```
> - #7272 `88cdd3d` Thanks @xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors
>
> ### Patch Changes
>
> - #7737 `e9b0f34` Thanks @ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs
> - #7737 `37ff937` Thanks @ashishjain0512! - fix: create CSS styles using the CSSOM
>
>   This removes some invalid CSS and normalizes some CSS formatting.
> - #7508 `bfe60cc` Thanks @biiab! - fix(stateDiagram): `end note` now only closes a note when used on a new line
> - #7737 `faafb5d` Thanks @ashishjain0512! - fix(gantt): add iteration limit for `excludes` field
> - #7737 `65f8be2` Thanks @ashishjain0512! - fix: disallow some CSS at-rules in custom CSS
> - #7726 `1502f32` Thanks @aloisklink! - fix(wardley): fix unnecessary sanitization of text
> - #7578 `1f98db8` Thanks @Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times
>
>   Fixes #7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.
> - #7592 `2343e38` Thanks @knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams
> - #7589 `7fb9509` Thanks @NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans
> - #7632 `3f9e0f1` Thanks @ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

... (truncated)

**Commits**

- `41646df` Merge pull request #7739 from aloisklink/ci/fix-release
- `2671f5c` docs: fix v11.15.0 release
- `f4bf04b` Merge pull request #7738 from mermaid-js/changeset-release/master
- `abfb563` Version Packages
- `60b289f` Release Candidate 11.15.0 (#7737)
- `d37c0db` Merge pull request #7730 from aloisklink/fix/fix-edgeLabelRightLeft-changes
- `5ab5a28` docs: improve nested namespace changeset
- `18f8b4c` fix: revert endEdgeLabelLeft/endEdgeLabelRight change
- `504b2eb` Merge pull request #7726 from
aloisklink/fix/correct-unnecessary-html-escapes...</li> <li><a href="https://github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824"><code>1502f32</code></a> fix(wardley): fix unnecessary sanitization of text</li> <li>Additional commits viewable in <a href="https://github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated the link as per Microsoft guidelines
…2821)

## Summary

The Step 3 and Step 4 `oauth2PermissionScopes` payloads in `sso-setup.mdx` were missing two fields:

- `userConsentDescription`
- `userConsentDisplayName`

When the scope is `type: "User"` (which it is here), these fields are what end users see at the consent prompt. Without them, the prompt falls back to the admin text or default strings — a degraded UX. This PR also expands `adminConsentDescription` from `"Access as user"` (which was identical to the display name) to an actual descriptive sentence.

## Context

[PR #2705](#2705) opened by @hggzm originally added these fields against the pre-rewrite `sso-setup.md`. That file was renamed to `sso-setup.mdx` and substantially rewritten in #2719, leaving #2705 with an unresolvable rebase conflict (modify/delete). This PR re-applies the contribution against the current file. Closes the gap; #2705 can be closed as superseded.

Refs: #2670, #2705

Co-authored-by: Hugo Gonzalez <hugogonzalez@microsoft.com>
## Summary

- make `teams self-update` use the package manager that owns the current install (before it would just `npm`.)
- refuse to self-update source/local installs instead of updating some random global package, spooky stuff avoided
- share update version checks, handle prereleases properly, and wire up `--disable-auto-update`

## Test plan

- npm -w @microsoft/teams.cli run check-types
- npm -w @microsoft/teams.cli test
- npm -w @microsoft/teams.cli run build
- tested npm self-update: installed internal `@microsoft/teams.cli@2.10.0` globally with npm, then `teams self-update` updated it to `3.0.0-preview.5`
- tested pnpm self-update: installed internal `@microsoft/teams.cli@2.11.0` globally with pnpm, then `teams self-update` updated it to `3.0.0-preview.5`
- tested bun self-update: installed internal `@microsoft/teams.cli@2.10.0` globally with bun, then `teams self-update` updated it to `3.0.0-preview.5`

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Fixes #2830.

`discoverAzureBot` and its helpers collapsed every az failure into `null`, indistinguishable from a real "bot not found." `app update --json` then returned a misleading `NOT_FOUND_AZURE_BOT`; under `--yes`, an agent could try to recreate a bot that already exists but couldn't be read.

Rebased on top of #2825's fallback chain. Only the bug-shaped catches are removed; the two structural ones are kept:

- `findBotByName` outer catch — **removed** (pure suppression).
- `findBotByMsaAppIdViaList` outer catch — **removed** (pure suppression).
- `findBotByMsaAppIdViaList` per-bot catch — **kept** (per-element resilience inside `Promise.all`).
- `findBotByMsaAppIdViaGraph` outer catch — **kept** (intentional fallback signal: routes "graph extension unavailable" to the list path; pinned by #2825's tests).

`discoverAzureBot` rewraps the surviving catch as `CliError('API_ARM_ERROR', 'Failed to discover Azure bot: <stderr>')` — preferring `error.stderr` over `error.message` so the real az diagnostic surfaces instead of `Command failed: cmd /c az.cmd ...`. `app doctor` wraps the call so a throw becomes a `fail` entry instead of terminating the report.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update docs to include updated quoted replies examples --------- Co-authored-by: Corina Gum <> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary

- Adds an external-redirect entry for [Python support for the Microsoft Teams SDK is now generally available](https://devblogs.microsoft.com/microsoft365dev/python-support-for-the-microsoft-teams-sdk-is-now-generally-available/) so it shows up in the docs blog listing
- Mirrors the format used by the existing Nov 18 entry and follows `BLOGGING.md`
- The auto-sync script (`scripts/sync-devblogs.ts`) didn't catch this post because it isn't tagged `teams-ai-library` on devblogs

## Test plan

- [ ] `npm run docs:dev` shows the post in `/teams-sdk/blog`
- [ ] Clicking through redirects to the devblogs URL
- [ ] `npx tsx scripts/sync-devblogs.ts --dry-run` reports no new posts to add (i.e. no duplicate would be created on next sync)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds an in-depth guide for message reactions covering outbound add/remove and inbound `messageReaction` handling, plus links the existing "Reactions" section in the Sending Messages essentials page to the new guide.

## What's covered in the guide

- Public-developer-preview banner
- Adding and removing reactions (`api.reactions.add` / `api.reactions.delete` / `Reactions.AddAsync` / `Reactions.DeleteAsync`)
- Receiving reactions: `messageReaction` activity handlers across all three SDKs, plus the .NET-only `OnMessageReactionAdded` / `OnMessageReactionRemoved` sub-handlers
- Available reaction types — the modern set of 6 (`like`, `heart`, `1f440_eyes`, `2705_whiteheavycheckmark`, `launch`, `1f4cc_pushpin`)
- Skin tone variants (`-tone1` … `-tone5`)
- Rate limits (2 reactions/sec, 429 + Retry-After)
- Best practices and differences from Feedback

## What's intentionally omitted

- **Custom reactions section** — aligned with the Microsoft Learn agent reactions PR ([msteams-docs#13991](MicrosoftDocs/msteams-docs#13991)), which is omitting custom reaction examples due to a known client-side rendering issue. A commented-out link to the Learn reactions reference remains in the source for restoration once that PR lands.
- **Advanced API client usage** — the previous draft's example referenced an `ApiClient` constructor that doesn't exist in the current SDK; removed rather than rewritten.

## Coordination

- C# samples follow the project convention from #2735 (cancellationToken in handler signatures, threaded through `Send`, `Task.Delay`, and reaction API calls).
- The TypeScript include uses `api.reactions.delete()` ahead of [microsoft/teams.ts#567](microsoft/teams.ts#567), which renames `remove()` → `delete()` to align with teams.py and teams.net.

## Test plan

- [x] `npm start` regenerates docs cleanly with no content gaps
- [x] Per-language renders (TS / Python / C#) verified in the dev server
- [x] Cross-link from `essentials/sending-messages` → in-depth guide resolves correctly
- [ ] Visual review on the deployed preview

---------

Co-authored-by: Corina Gum <14900841+corinagum@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Removes the `:::tip[.NET]` callout block from the reactions in-depth guide's C# include. The block instructed readers to suppress `ExperimentalTeamsReactions` via `#pragma` or `<NoWarn>` — that's no longer applicable now that the `[Experimental]` attribute is being removed from teams.net (sibling PR).

## Cross-SDK coordination

Part of the cross-SDK Reactions-GA pass. Sibling PRs:

- microsoft/teams.ts#575 — Mark reactions API as GA
- microsoft/teams.py#427 — Mark reactions API as GA
- microsoft/teams.net#509 — Mark reactions API as GA (Libraries + core)

## Test plan

- [x] `npm start` regenerates docs cleanly with no content gaps
- [x] C# in-depth guide renders without the opt-in callout (verified in local dev server)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adding Teams Reaction Reference page from learn so developers can use any emojiID for reactions. --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Summary

- Stop inserting dots into C# project names during scaffold
- Add tests so `PmAgent` stays `PmAgent` instead of becoming `Pm.Agent`
- Historically, it looks like this was accidentally added.

Fixes microsoft/teams.ts#137
Fixes microsoft/teams.ts#371

## Test plan

- `npm --prefix packages/cli test -- project-new-csharp.test.ts`
- `npm --prefix packages/cli run check-types`
- Manually scaffolded `project new csharp PmAgent --template echo --json`
## Summary

- Let the full description prompt accept empty input during app create, so it can fall back to the short description
- Show the reinstall hint after RSC permission updates when the app version auto-bumps
- Include `needsReinstall` in RSC JSON output when relevant

## Test plan

- npm -w @microsoft/teams.cli test -- manifest-builder-icons.test.ts rsc-set.test.ts rsc-web-app-info.test.ts
- npm -w @microsoft/teams.cli run check-types
Add preview slash command documentation to the On Activity page, including behavior notes and language-specific examples for TypeScript, C#, and Python.
## Summary

- Consolidated the three separate blog posts (announcement, agentic identity, Bot Framework migration) into a single comprehensive announcement post
- Added a "Migration from Teams SDK 2.0" section summarizing backward-compatible APIs, breaking changes, and removed packages
- Fixed "Agents 365" → "Agent 365" naming and updated links to `learn.microsoft.com/microsoft-agent-365/`
- Updated publish date to 5/19

## Test plan

- [ ] Verify the blog post renders correctly with `npm start` in the `teams.md` directory
- [ ] Confirm all internal anchor links (`#agentic-identity`, `#migration-from-bot-framework-v4`, `#migration-from-teams-sdk-20`, etc.) resolve correctly
- [ ] Verify the Tabs/TabItem MDX components render properly in the MSAL Authentication section
- [ ] Confirm SVG diagrams display correctly in both light and dark themes

---------

Co-authored-by: Umang <3513186+umangsehgal@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Nick Walker <nickwalk@microsoft.com>
New blog for agent sending reactions. --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nick Walker <nickwalk@microsoft.com>
fixing broken image link --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Nick Walker <nickwalk@microsoft.com>
## Summary

- point CLI update checks and self-update installs at npm `latest`
- update self-update expectations for npm/pnpm installs

This lets the final preview bridge and stable v3 both move users onto the stable CLI channel. Tiny but important.

## Validation

- `npm -w @microsoft/teams.cli test -- self-update.test.ts update-info.test.ts`
- `npm -w @microsoft/teams.cli run build`
Bumps [qs](https://github.com/ljharb/qs) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `qs` from 6.14.2 to 6.15.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.15.2</strong></h2> <ul> <li>[Fix] <code>stringify</code>: skip null/undefined entries in <code>arrayFormat: 'comma'</code> + <code>encodeValuesOnly</code> instead of crashing in <code>encoder</code></li> <li>[Fix] <code>stringify</code>: use configured <code>delimiter</code> after <code>charsetSentinel</code> (<a href="https://redirect.github.com/ljharb/qs/issues/555">#555</a>)</li> <li>[Fix] <code>stringify</code>: apply <code>formatter</code> to encoded key under <code>strictNullHandling</code> (<a href="https://redirect.github.com/ljharb/qs/issues/554">#554</a>)</li> <li>[Fix] <code>stringify</code>: skip null/undefined filter-array entries instead of crashing in <code>encoder</code> (<a href="https://redirect.github.com/ljharb/qs/issues/551">#551</a>)</li> <li>[Fix] <code>parse</code>: handle nested bracket groups and add regression tests (<a href="https://redirect.github.com/ljharb/qs/issues/530">#530</a>)</li> <li>[readme] fix grammar (<a href="https://redirect.github.com/ljharb/qs/issues/550">#550</a>)</li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code></li> <li>[Tests] add regression tests for keys containing percent-encoded bracket text</li> </ul> <h2><strong>6.15.1</strong></h2> <ul> <li>[Fix] <code>parse</code>: <code>parameterLimit: Infinity</code> with <code>throwOnLimitExceeded: true</code> silently drops all parameters</li> <li>[Deps] update <code>@ljharb/eslint-config</code></li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code>, <code>iconv-lite</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.15.0</strong></h2> <ul> <li>[New] <code>parse</code>: add 
<code>strictMerge</code> option to wrap object/primitive conflicts in an array (<a href="https://redirect.github.com/ljharb/qs/issues/425">#425</a>, <a href="https://redirect.github.com/ljharb/qs/issues/122">#122</a>)</li> <li>[Fix] <code>duplicates</code> option should not apply to bracket notation keys (<a href="https://redirect.github.com/ljharb/qs/issues/514">#514</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/9aca4076fe788338c67cf7e115f0be6bc58d85a8"><code>9aca407</code></a> v6.15.2</li> <li><a href="https://github.com/ljharb/qs/commit/5e33d33447ed0bf1ddab9abc41d27dea4687d992"><code>5e33d33</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41"><code>21f80b3</code></a> [Fix] <code>stringify</code>: skip null/undefined entries in <code>arrayFormat: 'comma'</code> + `e...</li> <li><a href="https://github.com/ljharb/qs/commit/a0a81ea2071acce3eff41a040f719ac8f5c4f64c"><code>a0a81ea</code></a> [Fix] <code>stringify</code>: use configured <code>delimiter</code> after <code>charsetSentinel</code></li> <li><a href="https://github.com/ljharb/qs/commit/e3062f78f5233b338ceeb8e8dfa5a07dea4b32a8"><code>e3062f7</code></a> [Fix] <code>stringify</code>: apply <code>formatter</code> to encoded key under <code>strictNullHandling</code></li> <li><a href="https://github.com/ljharb/qs/commit/0c180a40adb8c6703fffc85b2ff06ca209f5c1e0"><code>0c180a4</code></a> [Fix] <code>stringify</code>: skip null/undefined filter-array entries instead of crashi...</li> <li><a href="https://github.com/ljharb/qs/commit/3a8b94aec19bd664720f6f6b1e66c4a0dfe4b656"><code>3a8b94a</code></a> [Tests] add regression tests for keys containing percent-encoded bracket text</li> <li><a href="https://github.com/ljharb/qs/commit/96755abd357c0e534dd3442a84a04d08864bfe0d"><code>96755ab</code></a> [readme] fix grammar</li> <li><a 
href="https://github.com/ljharb/qs/commit/a419ce5bbfcdb98a299f1a0bb47ea055baef20e6"><code>a419ce5</code></a> [Fix] <code>parse</code>: handle nested bracket groups and add regression tests</li> <li><a href="https://github.com/ljharb/qs/commit/3f5e1c528c967d915096787efbffa73cf6044170"><code>3f5e1c5</code></a> v6.15.1</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.14.2...v6.15.2">compare view</a></li> </ul> </details> <br /> Updates `express` from 4.22.1 to 4.22.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/expressjs/express/releases">express's releases</a>.</em></p> <blockquote> <h2>v4.22.2</h2> <h2>What's Changed</h2> <ul> <li>fix: restore >20 array parsing for <code>req.query</code> repeated keys (<a href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe6</code></a>) <ul> <li>This also unifies array-cap behavior across notations. Indexed notation (<code>a[0]=...</code>) was historically capped at qs's default <code>arrayLimit</code> of 20 even in older qs versions; after this change it also allows up to 1000 items.</li> </ul> </li> <li>deps: qs@~6.15.1</li> <li>deps: body-parser@~1.20.5</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/suuuuuuminnnnnn"><code>@suuuuuuminnnnnn</code></a> made their first contribution in <a href="https://redirect.github.com/expressjs/express/pull/7021">expressjs/express#7021</a></li> <li><a href="https://github.com/SAY-5"><code>@SAY-5</code></a> made their first contribution in <a href="https://redirect.github.com/expressjs/express/pull/7181">expressjs/express#7181</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/expressjs/express/compare/v4.22.1...v4.22.2">https://github.com/expressjs/express/compare/v4.22.1...v4.22.2</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a 
href="https://github.com/expressjs/express/blob/v4.22.2/History.md">express's changelog</a>.</em></p> <blockquote> <h1>4.22.2 / 2026-05-011</h1> <ul> <li>fix: restore >20 array parsing for <code>req.query</code> repeated keys (<a href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe6</code></a>) <ul> <li>This also unifies array-cap behavior across notations. Indexed notation (<code>a[0]=...</code>) was historically capped at qs's default <code>arrayLimit</code> of 20 even in older qs versions; after this change it also allows up to 1000 items.</li> </ul> </li> <li>deps: qs@~6.15.1</li> <li>deps: body-parser@~1.20.5</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/expressjs/express/commit/df0abc9333a3398b97b71f6ea7cd77d5ea3e9f97"><code>df0abc9</code></a> 4.22.2</li> <li><a href="https://github.com/expressjs/express/commit/836d36668ea750f78b4373b4de79bbd22634e6ec"><code>836d366</code></a> <code>4.x</code> update qs to 6.15.1, body-parser 1.20.5 (<a href="https://redirect.github.com/expressjs/express/issues/7224">#7224</a>)</li> <li><a href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe</code></a> fix: restore array parsing for req.query repeated keys (<a href="https://redirect.github.com/expressjs/express/issues/7181">#7181</a>)</li> <li><a href="https://github.com/expressjs/express/commit/d39e8ad1778a0b8a606a5a7b17096d0cc5ec722d"><code>d39e8ad</code></a> deps: body-parser@~1.20.4 (<a href="https://redirect.github.com/expressjs/express/issues/7021">#7021</a>)</li> <li><a href="https://github.com/expressjs/express/commit/efe85d9fdc9e3a62f7a1121b4f5f484862298b48"><code>efe85d9</code></a> deps: qs@^6.14.1 (<a href="https://redirect.github.com/expressjs/express/issues/6972">#6972</a>)</li> <li><a 
href="https://github.com/expressjs/express/commit/f62378e1bc776259c0a471476c2dc043a02ac762"><code>f62378e</code></a> 📝 add note to history</li> <li>See full diff in <a href="https://github.com/expressjs/express/compare/v4.22.1...v4.22.2">compare view</a></li> </ul> </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

- move CLI versioning/package metadata to stable v3
- update CLI docs, README install snippets, and teams-dev skill guidance for stable installs
- refresh RELEASE.md with stable, preview bridge, and npm tag steps

This is stacked on #2841 so the stable release also keeps self-update on npm `latest`.

## Validation

- `npm -w @microsoft/teams.cli test -- self-update.test.ts update-info.test.ts`
- `npm -w @microsoft/teams.cli run build`
- `npm -w teams-md run build`
Showed the post to Erika, who works on the A365 docs, and she suggested replacement targets for a couple of links. Suggestion only, you are free to take it or leave it 😄
## Summary

Adds a Trust Model page under Essentials → App Configuration documenting the layered authentication model the SDK uses for inbound JSON Web Tokens.

## Why

A scanner flagged the SDK's `JsonWebToken` accessor class because it does not perform signature verification at the point of token parsing. A cross-SDK audit confirmed this is intentional architecture: signature verification runs at the HTTP boundary (via the activity pipeline's token validator), and the accessor class is a typed view over already-validated payloads. Every consumer of decoded claims is downstream of a validator pass. This page makes the architectural invariant explicit for SDK consumers, reviewers, and future contributors.

## What's covered

- What the SDK validates automatically on `/api/messages` (signature, issuer, audience, lifetime, algorithm)
- What downstream code can rely on (typed accessors over validated tokens)
- How to add custom authentication to non-default surfaces (MCP, callbacks, webhooks) — references the `requireAuth` hook recently added in microsoft/teams.ts#540 / microsoft/teams.net#448
- Anti-patterns to avoid (constructing the accessor from untrusted input as a basis for authorization decisions)

## Build verified

`npm run build` clean.

## Related PRs

- TypeScript: microsoft/teams.ts#586
- Python: microsoft/teams.py#432
- .NET: microsoft/teams.net#517

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
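The layering described in the commit message above, as an added example that is not code from the SDK or its docs: a decode-only accessor next to a boundary validator that checks algorithm, signature, issuer, audience and lifetime. The names `decodeClaims`, `validateInbound` and `signToken`, the issuer and audience values, and the locally generated RSA key are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed values for this example; a real service takes these from its own configuration.
const EXPECTED_ISSUER = "https://issuer.example";
const EXPECTED_AUDIENCE = "00000000-0000-0000-0000-000000000000";
const ALLOWED_ALGS = new Set(["RS256"]);

const b64url = (value) => Buffer.from(value).toString("base64url");
const parsePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Hypothetical accessor: a view over a token's claims. It parses and never verifies,
// so its output is only trustworthy downstream of validateInbound().
function decodeClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const header = parsePart(parts[0]);
  const payload = parsePart(parts[1]);
  if (!header || typeof header !== "object" || !payload || typeof payload !== "object") {
    throw new Error("malformed token");
  }
  return { header, payload };
}

// Hypothetical boundary validator: the single place where a token becomes trusted.
function validateInbound(token, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  let decoded;
  try {
    decoded = decodeClaims(token);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  const { header, payload } = decoded;
  // Algorithm is pinned first, so an unsigned ("none") token never reaches verify().
  if (!ALLOWED_ALGS.has(header.alg)) return { ok: false, reason: "algorithm" };
  const [h, p, s] = String(token).split(".");
  const signature = Buffer.from(s, "base64url");
  if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, signature)) {
    return { ok: false, reason: "signature" };
  }
  if (payload.iss !== EXPECTED_ISSUER) return { ok: false, reason: "issuer" };
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(EXPECTED_AUDIENCE)) return { ok: false, reason: "audience" };
  if (typeof payload.exp !== "number" || nowSec >= payload.exp) return { ok: false, reason: "lifetime" };
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) return { ok: false, reason: "lifetime" };
  return { ok: true, claims: payload };
}

// Test fixture only: builds constructed tokens for the demo below.
function signToken(header, payload, privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = header.alg === "none"
    ? ""
    : crypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url");
  return `${input}.${sig}`;
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const now = 1700000000; // fixed clock so the lifetime checks are deterministic
  const claims = { iss: EXPECTED_ISSUER, aud: EXPECTED_AUDIENCE, nbf: now - 10, exp: now + 300, sub: "user-1" };
  const rs256 = { alg: "RS256", typ: "JWT" };

  const good = signToken(rs256, claims, privateKey);
  const unsigned = signToken({ alg: "none", typ: "JWT" }, { ...claims, sub: "admin" }, privateKey);
  // Same header and signature as `good`, but the payload was swapped after signing.
  const [gh, , gs] = good.split(".");
  const tampered = `${gh}.${b64url(JSON.stringify({ ...claims, sub: "admin" }))}.${gs}`;
  const expired = signToken(rs256, { ...claims, exp: now - 1 }, privateKey);
  const wrongAudience = signToken(rs256, { ...claims, aud: "some-other-app" }, privateKey);

  return {
    // Anti-pattern: the accessor happily returns claims from a token nobody verified.
    accessorOnUnsigned: decodeClaims(unsigned).payload.sub,
    good: validateInbound(good, publicKey, now),
    unsigned: validateInbound(unsigned, publicKey, now),
    tampered: validateInbound(tampered, publicKey, now),
    expired: validateInbound(expired, publicKey, now),
    wrongAudience: validateInbound(wrongAudience, publicKey, now),
  };
}
```

On a custom surface such as a webhook or MCP endpoint, authorization code should consume `claims` from a successful validator result and never the output of the accessor applied to a raw request header.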
)

## Summary

- **New page**: `developer-tools/agents-playground/` with install, launch, common flags, migration-from-DevTools section, and a link out to the Microsoft Learn guide. Anonymous mode is positioned as the recommended migration path; `skipAuth: true` is documented as an alternative.
- **Deprecation banners** added to the 4 retained DevTools pages (`developer-tools/devtools/README.md`, `chat.md`, `cards.md`, `inspect.md`). Each banner links to the new Agents Playground page and to the Microsoft Learn guide.
- **Trimmed the deprecated DevTools pages** from 249 lines down to 54 lines total. Removed how-to content and external GitHub-blob screenshot references that no one new should be learning from. Kept frontmatter, H1, banner, and one summary paragraph per page.
- **Migrated 15+ mdx files** under TS/C#/Python getting-started and MCP guides to point at Microsoft 365 Agents Playground. Python getting-started sections that were `N/A` now have real content.
- **Renamed stale section markers**: `devtools-tip` → `inspector-tip`, `devtools-gif` → `inspector-image`, `devtools-resource-link` → `local-test-link`, `devtools-monitoring-tip` → `local-test-tip`, `devtools-plugin-example` → `local-test-note`. Touched 16 source files (templates + includes); regenerated all `docs/main/**` outputs.
- **Replaced 3 screenshots** captured against the actual Agents Playground UI (`agents-playground-blank.png`, `agents-playground-echo-chat.png`, `agents-playground-mcp-client-pokemon.png`). Deleted 4 stale files (`devtools-echo-chat.png`, `devtools-blank.png`, `mcp-devtools.gif`, `mcp-client-pokemon.gif`).
- **Kept**: `mcp-inspector.gif` (the canonical external MCP testing tool, unrelated to DevTools deprecation).

## Why

DevTools is being replaced by Microsoft 365 Agents Playground. The docs needed to:

1. Stop teaching new users to wire up DevTools.
2. Give existing DevTools users a clear migration path.
3. Make the Agents Playground story discoverable in the same place they used to find DevTools.

The migration section explicitly tells customers they can remove `@microsoft/teams.dev` (and the .NET equivalent) from their dependencies after deleting `DevtoolsPlugin`, since Playground is a standalone CLI tool and not a project dependency.

## Test plan

- [x] `npm run generate:docs` (regenerates 64 templates across 3 languages)
- [x] `npm run generate:llms` (regenerates llms.txt files)
- [x] `npm run build` (succeeded; the 3 broken-anchor warnings are pre-existing sso-troubleshooting refs unrelated to this change)
- [x] Walked the docs site in a browser via chrome-devtools MCP: agents-playground page renders, deprecation banner shows on the devtools pages, TS / Python / C# quickstarts show the new install + launch instructions
- [ ] Reviewer to scan for any DevTools references that slipped through

## Related work

PRs in the SDK repos:

- teams.ts: deprecate `DevtoolsPlugin`, anonymous warning, samples cleanup
- teams.py: anonymous warning
- teams.net: `[Obsolete]` on DevTools (Libraries 2.0), samples cleanup, anonymous warning, package metadata

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [ws](https://github.com/websockets/ws) from 8.18.3 to 8.21.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.21.0</h2> <h1>Features</h1> <ul> <li>Introduced the <code>maxBufferedChunks</code> and <code>maxFragments</code> options (2b2abd45).</li> </ul> <h1>Bug fixes</h1> <ul> <li>Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).</li> </ul> <p>A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a <code>ws</code> server or client due to OOM.</p> <pre lang="js"><code>import { WebSocket, WebSocketServer } from 'ws'; <p>const wss = new WebSocketServer({ port: 0 }, function () { const data = Buffer.alloc(1); const options = { fin: false }; const { port } = wss.address(); const ws = new WebSocket(<code>ws://localhost:${port}</code>);</p> <p>ws.on('open', function () { (function send() { ws.send(data, options, function (err) { if (err) return; send(); }); })(); });</p> <p>ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>client close - code: ${code} reason: ${reason.toString()}</code>); }); });</p> <p>wss.on('connection', function (ws) { ws.on('error', console.error); ws.on('close', function (code, reason) { console.log(<code>server close - code: ${code} reason: ${reason.toString()}</code>); }); }); </code></pre></p> <p>The vulnerability was responsibly disclosed and fixed by <a href="https://github.com/Nadav0077">Nadav Magier</a>.</p> <p>In vulnerable versions, the issue can be mitigated by lowering the value of the <code>maxPayload</code> option if possible.</p> <h2>8.20.1</h2> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"><code>bca91ad</code></a> [dist] 8.21.0</li> <li><a href="https://github.com/websockets/ws/commit/2b2abd458a1b647d0b6033bd62a619c36189839a"><code>2b2abd4</code></a> [security] Limit retained message parts</li> <li><a href="https://github.com/websockets/ws/commit/78eabe2a6677b231bf9c82601bde86ff91639490"><code>78eabe2</code></a> [security] Add latest vulnerability to SECURITY.md</li> <li><a href="https://github.com/websockets/ws/commit/5d9b316230ea931532a6671cc450f18c11edd02f"><code>5d9b316</code></a> [dist] 8.20.1</li> <li><a href="https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"><code>c0327ec</code></a> [security] Fix uninitialized memory disclosure in <code>websocket.close()</code></li> <li><a href="https://github.com/websockets/ws/commit/ce2a3d62437995a47e6056d485a33d21b6a8f867"><code>ce2a3d6</code></a> [ci] Test on node 26</li> <li><a href="https://github.com/websockets/ws/commit/58e45b872bb0f35a3edd553c27e105300a4f5bd0"><code>58e45b8</code></a> [ci] Do not test on node 25</li> <li><a href="https://github.com/websockets/ws/commit/5f26c245231a4b018479a9269e8c3da4773fe42f"><code>5f26c24</code></a> [ci] Run the lint step on node 24</li> <li><a href="https://github.com/websockets/ws/commit/843925544e2f4cffe445e0179947f56d6c5b608f"><code>8439255</code></a> [dist] 8.20.0</li> <li><a href="https://github.com/websockets/ws/commit/d3503c1fd36a310985108f62b343bae18346ab67"><code>d3503c1</code></a> [minor] Export the <code>PerMessageDeflate</code> class and header utils</li> <li>Additional commits viewable in <a href="https://github.com/websockets/ws/compare/8.18.3...8.21.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any 
conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams-sdk/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
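The retained-parts problem behind the ws 8.21.0 fix, as an added JavaScript model that is not ws source code and covers fragments only. The `FragmentAssembler` class, its `maxFragments` parameter (named after the option in the release notes, with a constructed value of 1024) and the use of close code 1009 are assumptions made for illustration.

```javascript
// Added model, not ws source code. It shows why a byte limit alone (maxPayload)
// does not bound the number of retained message parts, and what a part-count
// limit changes. Names and limit values here are assumptions for illustration.

const CLOSE_MESSAGE_TOO_BIG = 1009; // RFC 6455 status code "Message Too Big"

class FragmentAssembler {
  constructor({ maxPayload, maxFragments = Infinity }) {
    this.maxPayload = maxPayload;     // cap on total bytes of one message
    this.maxFragments = maxFragments; // cap on retained parts of one message
    this.parts = [];
    this.bytes = 0;
    this.peakParts = 0;               // high-water mark, for observation only
  }

  // Accept one fragment. Returns the reassembled Buffer when fin is true,
  // otherwise null. Throws a RangeError carrying closeCode when a limit is hit.
  push(chunk, fin) {
    if (this.bytes + chunk.length > this.maxPayload) {
      this.fail('max payload size exceeded');
    }
    if (this.parts.length + 1 > this.maxFragments) {
      this.fail('too many fragments');
    }
    this.parts.push(chunk);
    this.bytes += chunk.length;
    this.peakParts = Math.max(this.peakParts, this.parts.length);
    if (!fin) return null;

    const message = Buffer.concat(this.parts, this.bytes);
    this.reset();
    return message;
  }

  reset() {
    this.parts = [];
    this.bytes = 0;
  }

  fail(reason) {
    this.reset(); // drop everything retained before reporting the error
    const err = new RangeError(reason);
    err.closeCode = CLOSE_MESSAGE_TOO_BIG;
    throw err;
  }
}

// Feed `count` one-byte, non-final fragments (constructed input) and report
// how many parts the receiver was holding at its peak.
function feedTinyFragments(assembler, count) {
  for (let i = 1; i <= count; i++) {
    try {
      assembler.push(Buffer.alloc(1), false);
    } catch (err) {
      return { rejectedAt: i, closeCode: err.closeCode, peakParts: assembler.peakParts };
    }
  }
  return { rejectedAt: null, closeCode: null, peakParts: assembler.peakParts };
}

// Same constructed traffic against a byte limit only and against a byte
// limit combined with a part-count limit.
function compareLimits() {
  const ONE_MIB = 1024 * 1024;
  const byteLimitOnly = feedTinyFragments(
    new FragmentAssembler({ maxPayload: ONE_MIB }), 100000);
  const withPartLimit = feedTinyFragments(
    new FragmentAssembler({ maxPayload: ONE_MIB, maxFragments: 1024 }), 100000);
  return { byteLimitOnly, withPartLimit };
}

console.log(compareLimits());
```

With only the byte limit, the number of one-byte parts a receiver can be made to hold is bounded by `maxPayload` itself, which is why lowering that value reduces exposure on versions without a part-count limit.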
Adds docs for prompt preview feature across C#, TypeScript, and Python. <img width="996" height="812" alt="image" src="https://github.com/user-attachments/assets/b390471e-5d51-4fb1-b519-1ca7640e5201" />
Bumps [shell-quote](https://github.com/ljharb/shell-quote) to 1.8.4 and updates ancestor dependency [concurrently](https://github.com/open-cli-tools/concurrently). These dependencies need to be updated together. Updates `shell-quote` from 1.8.3 to 1.8.4 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md">shell-quote's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4">v1.8.4</a> - 2026-05-22</h2> <h3>Commits</h3> <ul> <li>[Fix] <code>quote</code>: validate object-token shapes <a href="https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d"><code>4378a6e</code></a></li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>eslint</code>, <code>npmignore</code> <a href="https://github.com/ljharb/shell-quote/commit/22ebec04349065a45ad8afc8cc8d53c4624634a6"><code>22ebec0</code></a></li> <li>[Tests] increase coverage <a href="https://github.com/ljharb/shell-quote/commit/9f3caa31900cc6ee64858b31134144c648ce206d"><code>9f3caa3</code></a></li> <li>[readme] replace runkit CI badge with shields.io check-runs badge <a href="https://github.com/ljharb/shell-quote/commit/3344a047dd1e95f71c4ca27522cbfd05c56277e0"><code>3344a04</code></a></li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code> <a href="https://github.com/ljharb/shell-quote/commit/699c5113d135f4d4591574bebf173334ffa453d4"><code>699c511</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/shell-quote/commit/ff166e2b63eb5f932bd131a8886a99e9afdf45ae"><code>ff166e2</code></a> v1.8.4</li> <li><a href="https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d"><code>4378a6e</code></a> [Fix] <code>quote</code>: validate object-token shapes</li> <li><a 
href="https://github.com/ljharb/shell-quote/commit/22ebec04349065a45ad8afc8cc8d53c4624634a6"><code>22ebec0</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>eslint</code>, `npmig...</li> <li><a href="https://github.com/ljharb/shell-quote/commit/9f3caa31900cc6ee64858b31134144c648ce206d"><code>9f3caa3</code></a> [Tests] increase coverage</li> <li><a href="https://github.com/ljharb/shell-quote/commit/3344a047dd1e95f71c4ca27522cbfd05c56277e0"><code>3344a04</code></a> [readme] replace runkit CI badge with shields.io check-runs badge</li> <li><a href="https://github.com/ljharb/shell-quote/commit/699c5113d135f4d4591574bebf173334ffa453d4"><code>699c511</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li>See full diff in <a href="https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4">compare view</a></li> </ul> </details> <br /> Updates `concurrently` from 9.2.1 to 10.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/open-cli-tools/concurrently/releases">concurrently's releases</a>.</em></p> <blockquote> <h2>v10.0.3</h2> <p>Republish of <a href="https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1">https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1</a> with Trusted Publishing enabled (see <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/595">#595</a>)</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/open-cli-tools/concurrently/compare/v10.0.2...v10.0.3">https://github.com/open-cli-tools/concurrently/compare/v10.0.2...v10.0.3</a></p> <h2>v10.0.2</h2> <p>Test version to restore Trusted Publishing. 
Not published to npm.</p> <h2>v10.0.1</h2> <ul> <li>Ensure <code>FlowController</code> type is exported - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/594">#594</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/open-cli-tools/concurrently/compare/v10.0.0...v10.0.1">https://github.com/open-cli-tools/concurrently/compare/v10.0.0...v10.0.1</a></p> <h2>v10.0.0</h2> <h2>💥 Breaking Changes</h2> <ul> <li><strong>Dropped support for Node.js <22.0.0.</strong> Older Node.js versions have reached end-of-life, and certain features require new-ish JS APIs.</li> <li><strong>concurrently is now ESM-only.</strong> It's now possible to <code>require(esm)</code>. See <a href="https://socket.dev/blog/require-esm-backported-to-node-js-20">here for interoperability</a>.</li> <li><strong>Prefix colors now default to automatic</strong> - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/581">#581</a> The colors used to default to <code>reset</code> (which does nothing). Concurrently now automatically selects a color, out of the box. The list of colors used is not jarring nor carries semantic meaning, and reads well in both dark and light terminal backgrounds.</li> <li><strong>Removed deprecated flags and options</strong> <ul> <li>CLI flag <code>--name-separator</code>: use commas instead.</li> <li>API option <code>killOthers</code>: use <code>killOthersOn</code> instead.</li> </ul> </li> </ul> <h2>✨ New Features</h2> <ul> <li>Support applying modifiers to hex prefix colors (e.g. <code>#ff0000.bold</code>) - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/450">#450</a></li> <li>Support chalk's color functions in prefixes (e.g. 
<code>rgb()</code>, <code>hex()</code>, <code>bgRgb()</code>, etc) - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/578">#578</a></li> <li>Set prefix background color via <code>bg#RRGGBB</code> - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/578">#578</a></li> <li>Allow shell override via <code>--shell</code> CLI flag/<code>shell</code> API option - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/288">#288</a>, <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/589">#589</a>, <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/556">#556</a> concurrently distinguishes between cmd.exe, powershell, and POSIX-based shells.</li> <li>Manual prefix coloring in templates e.g. <code>[{color}{name}{/color}]</code> - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/583">#583</a>, <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/587">#587</a></li> </ul> <h2>🐛 Bug fixes</h2> <ul> <li>Scope quote normalization to CLI input - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/582">#582</a>, <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/585">#585</a> It should now also be possible to run commands like <code>"/some/command" foo bar"</code></li> <li>Don't throw when color doesn't exist - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/580">#580</a></li> </ul> <h2>🔐 Security</h2> <ul> <li>Address <a href="https://app.snyk.io/vuln/SNYK-JS-SHELLQUOTE-16799355">vulnerability in <code>shellquote</code></a> - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/591">#591</a></li> </ul> <h2>Other changes</h2> <ul> <li>Warn about running on Snap - <a href="https://redirect.github.com/open-cli-tools/concurrently/issues/584">#584</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/philfreo"><code>@philfreo</code></a> 
made their first contribution in <a href="https://redirect.github.com/open-cli-tools/concurrently/pull/566">open-cli-tools/concurrently#566</a></li> <li><a href="https://github.com/garretmh"><code>@garretmh</code></a> made their first contribution in <a href="https://redirect.github.com/open-cli-tools/concurrently/pull/450">open-cli-tools/concurrently#450</a></li> <li><a href="https://github.com/CodeF53"><code>@CodeF53</code></a> made their first contribution in <a href="https://redirect.github.com/open-cli-tools/concurrently/pull/574">open-cli-tools/concurrently#574</a></li> <li><a href="https://github.com/nkappler"><code>@nkappler</code></a> made their first contribution in <a href="https://redirect.github.com/open-cli-tools/concurrently/pull/577">open-cli-tools/concurrently#577</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/open-cli-tools/concurrently/commit/435f61b5c5611daa25b9d7e97dded2e1a370201e"><code>435f61b</code></a> 10.0.3</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/5ea69c6432de4ba4ff27d2f43a9970b8760213f8"><code>5ea69c6</code></a> ci: use node 24 in the release workflow</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/18e1281879125e9a0de76ec329cbb657e10cfcde"><code>18e1281</code></a> 10.0.2</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/e70686fdd0ccad95466cc99c3e7fdc7fcde16487"><code>e70686f</code></a> 10.0.1</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/a95bcebd7bfc559e1b27ec9673d71ea6200bb344"><code>a95bceb</code></a> Rename flow-controller{.d -> }.ts</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/ced4245a9a6739b43afbc8ae63565bd83a5a54c7"><code>ced4245</code></a> ci: configure trusted publisher flow</li> <li><a 
href="https://github.com/open-cli-tools/concurrently/commit/cf2eaa2b0fd36cc9f1eaf1f8c56de8d21bd0a42c"><code>cf2eaa2</code></a> 10.0.0</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/1b9bae47a9d966cc13c3da4a4dab5d0c40a16ded"><code>1b9bae4</code></a> deps: upgrade yargs to v18 (<a href="https://redirect.github.com/open-cli-tools/concurrently/issues/593">#593</a>)</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/b05ee750cafde7b10b544c0153ad56c53571b422"><code>b05ee75</code></a> Bump min Node.js version to v22</li> <li><a href="https://github.com/open-cli-tools/concurrently/commit/ae60bc4ef10d4292b44af42f26d1ab20bad2484c"><code>ae60bc4</code></a> Scope quote normalization to CLI input (<a href="https://redirect.github.com/open-cli-tools/concurrently/issues/585">#585</a>)</li> <li>Additional commits viewable in <a href="https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for concurrently since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [esbuild](https://github.com/evanw/esbuild) to 0.28.1 and updates ancestor dependency [tsx](https://github.com/privatenumber/tsx). These dependencies need to be updated together. Updates `esbuild` from 0.28.0 to 0.28.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.28.1</h2> <ul> <li> <p>Disallow <code>\</code> in local development server HTTP requests (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr">GHSA-g7r4-m6w7-qqqr</a>)</p> <p>This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a <code>\</code> backslash character. It happened due to the use of Go's <code>path.Clean()</code> function, which only handles Unix-style <code>/</code> characters. HTTP requests with paths containing <code>\</code> are no longer allowed.</p> <p>Thanks to <a href="https://github.com/dellalibera"><code>@dellalibera</code></a> for reporting this issue.</p> </li> <li> <p>Add integrity checks to the Deno API (<a href="https://github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr">GHSA-gv7w-rqvm-qjhr</a>)</p> <p>The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.</p> <p>Note that esbuild's Deno API installs from <code>registry.npmjs.org</code> by default, but allows the <code>NPM_CONFIG_REGISTRY</code> environment variable to override this with a custom package registry. 
This change means that the esbuild executable served by <code>NPM_CONFIG_REGISTRY</code> must now match the expected content.</p> <p>Thanks to <a href="https://github.com/sondt99"><code>@sondt99</code></a> for reporting this issue.</p> </li> <li> <p>Avoid inlining <code>using</code> and <code>await using</code> declarations (<a href="https://redirect.github.com/evanw/esbuild/issues/4482">#4482</a>)</p> <p>Previously esbuild's minifier sometimes incorrectly inlined <code>using</code> and <code>await using</code> declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for <code>let</code> and <code>const</code> declarations by avoiding doing it for <code>var</code> declarations, which no longer worked when more declaration types were added. Here's an example:</p> <pre lang="js"><code>// Original code
{
  using x = new Resource()
  x.activate()
}

// Old output (with --minify)
new Resource().activate();

// New output (with --minify)
{using e=new Resource;e.activate()}
</code></pre> </li> <li> <p>Fix module evaluation when an error is thrown (<a href="https://redirect.github.com/evanw/esbuild/issues/4461">#4461</a>, <a href="https://redirect.github.com/evanw/esbuild/pull/4467">#4467</a>)</p> <p>If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if <code>import()</code> or <code>require()</code> is used to import a module multiple times. The thrown error is supposed to be thrown by every call to <code>import()</code> or <code>require()</code>, not just the first. 
With this release, esbuild will now throw the same error every time you call <code>import()</code> or <code>require()</code> on a module that throws during its evaluation.</p> </li> <li> <p>Fix some edge cases around the <code>new</code> operator (<a href="https://redirect.github.com/evanw/esbuild/issues/4477">#4477</a>)</p> <p>Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a <code>new</code> expression (specifically an optional chain and/or a tagged template literal). The generated code for the <code>new</code> target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the <code>new</code> target in parentheses. Here is an example of some affected code:</p> <pre lang="js"><code>// Original code
new (foo()`bar`)()
new (foo()?.bar)()

// Old output
new foo()`bar`();
new (foo())?.bar();
</code></pre> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/bb9db84c02433fbe37b3509f53f9f3e3cc48725e"><code>bb9db84</code></a> publish 0.28.1 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/9ff053e53b8eeb990f59355dbea365277ac45ee2"><code>9ff053e</code></a> security: add integrity checks to the Deno API</li> <li><a href="https://github.com/evanw/esbuild/commit/0a9bf2135b67c7e28989a5ba19f0f000805a5ab5"><code>0a9bf21</code></a> enforce non-negative size in gzip parser</li> <li><a href="https://github.com/evanw/esbuild/commit/e2a1a7132058ee067fe736eac15f695861b8654e"><code>e2a1a71</code></a> security: forbid <code>\\</code> in local dev server requests</li> <li><a href="https://github.com/evanw/esbuild/commit/83a2cbfc35809f4fd5152da59572d7bed7739d78"><code>83a2cbf</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4482">#4482</a>: don't inline <code>using</code> declarations</li> <li><a href="https://github.com/evanw/esbuild/commit/308ad745d824c77bc607603451b257d0f2fd9a38"><code>308ad74</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4471">#4471</a>: renaming of nested <code>var</code> declarations</li> <li><a href="https://github.com/evanw/esbuild/commit/f013f5f99a015bce92ec48d49181d4ad3177b29b"><code>f013f5f</code></a> fix some typos</li> <li><a href="https://github.com/evanw/esbuild/commit/aafd6e48b1088336a5f5a17e930be7e840d43d8c"><code>aafd6e4</code></a> chore: fix some minor issues in comments (<a href="https://redirect.github.com/evanw/esbuild/issues/4462">#4462</a>)</li> <li><a href="https://github.com/evanw/esbuild/commit/15300c30b5e22f7cfcbed850c246d35095658386"><code>15300c3</code></a> follow up: cjs evaluation fixes</li> <li><a href="https://github.com/evanw/esbuild/commit/1bda0c31d7697c0af44b3ab39b81e599e559a395"><code>1bda0c3</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4461">#4461</a>, fix <a 
href="https://redirect.github.com/evanw/esbuild/issues/4467">#4467</a>: esm evaluation fixes</li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.28.0...v0.28.1">compare view</a></li> </ul> </details> <br /> Updates `tsx` from 4.20.6 to 4.22.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/privatenumber/tsx/releases">tsx's releases</a>.</em></p> <blockquote> <h2>v4.22.4</h2> <h2><a href="https://github.com/privatenumber/tsx/compare/v4.22.3...v4.22.4">4.22.4</a> (2026-05-31)</h2> <h3>Bug Fixes</h3> <ul> <li>resolve CommonJS directory requires inside dependencies (<a href="https://redirect.github.com/privatenumber/tsx/issues/803">#803</a>) (<a href="https://github.com/privatenumber/tsx/commit/1ce846335b7c445a3328c7d27f06424949356d97">1ce8463</a>)</li> </ul> <hr /> <p>This release is also available on:</p> <ul> <li><a href="https://www.npmjs.com/package/tsx/v/4.22.4"><code>npm package (@latest dist-tag)</code></a></li> </ul> <h2>v4.22.3</h2> <h2><a href="https://github.com/privatenumber/tsx/compare/v4.22.2...v4.22.3">4.22.3</a> (2026-05-19)</h2> <h3>Bug Fixes</h3> <ul> <li>decode typed loader source (<a href="https://github.com/privatenumber/tsx/commit/dce02fc3b8b64a58d24560714902b16f89332f1f">dce02fc</a>)</li> <li>preserve entrypoint with TypeScript preload hooks (<a href="https://github.com/privatenumber/tsx/commit/68f72f3304d8c3ff7048bde8571af9c163fcefa2">68f72f3</a>)</li> </ul> <hr /> <p>This release is also available on:</p> <ul> <li><a href="https://www.npmjs.com/package/tsx/v/4.22.3"><code>npm package (@latest dist-tag)</code></a></li> </ul> <h2>v4.22.2</h2> <h2><a href="https://github.com/privatenumber/tsx/compare/v4.22.1...v4.22.2">4.22.2</a> (2026-05-18)</h2> <h3>Bug Fixes</h3> <ul> <li>preserve CJS JSON require in ESM hooks (<a href="https://github.com/privatenumber/tsx/commit/35b700bd8620696df03827068af29dcd0d091a60">35b700b</a>)</li> <li>preserve named exports from 
CommonJS TypeScript (<a href="https://github.com/privatenumber/tsx/commit/11de737dae1fb9dae28db3716df5b1a7e1a6a089">11de737</a>)</li> <li>support module.exports require(esm) interop (<a href="https://github.com/privatenumber/tsx/commit/cf8f19918e4e0a0dc5ee5c52d8cc15e5e22d7c49">cf8f199</a>)</li> </ul> <hr /> <p>This release is also available on:</p> <ul> <li><a href="https://www.npmjs.com/package/tsx/v/4.22.2"><code>npm package (@latest dist-tag)</code></a></li> </ul> <h2>v4.22.1</h2> <h2><a href="https://github.com/privatenumber/tsx/compare/v4.22.0...v4.22.1">4.22.1</a> (2026-05-17)</h2> <h3>Bug Fixes</h3> <ul> <li>resolve tsconfig path aliases containing a colon (<a href="https://redirect.github.com/privatenumber/tsx/issues/780">#780</a>) (<a href="https://github.com/privatenumber/tsx/commit/6979f28810829dc79ec9baf406e162a18b65ab4b">6979f28</a>)</li> </ul> <hr /> <p>This release is also available on:</p> <ul> <li><a href="https://www.npmjs.com/package/tsx/v/4.22.1"><code>npm package (@latest dist-tag)</code></a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/privatenumber/tsx/commit/1ce846335b7c445a3328c7d27f06424949356d97"><code>1ce8463</code></a> fix: resolve CommonJS directory requires inside dependencies (<a href="https://redirect.github.com/privatenumber/tsx/issues/803">#803</a>)</li> <li><a href="https://github.com/privatenumber/tsx/commit/dce02fc3b8b64a58d24560714902b16f89332f1f"><code>dce02fc</code></a> fix: decode typed loader source</li> <li><a href="https://github.com/privatenumber/tsx/commit/68f72f3304d8c3ff7048bde8571af9c163fcefa2"><code>68f72f3</code></a> fix: preserve entrypoint with TypeScript preload hooks</li> <li><a href="https://github.com/privatenumber/tsx/commit/69455cfefbfe71100a3c58d3ce7cea42445d9113"><code>69455cf</code></a> test: cover package exports for ambiguous ESM reexports</li> <li><a href="https://github.com/privatenumber/tsx/commit/35b700bd8620696df03827068af29dcd0d091a60"><code>35b700b</code></a> fix: preserve CJS JSON require in ESM hooks</li> <li><a href="https://github.com/privatenumber/tsx/commit/ef807dba6832260fb4cafd78d81f5469a733966b"><code>ef807db</code></a> chore: update testing dependencies</li> <li><a href="https://github.com/privatenumber/tsx/commit/3917090d4f61863ea6ea16e4a9a3722a112cc3f7"><code>3917090</code></a> test: document compatibility test taxonomy</li> <li><a href="https://github.com/privatenumber/tsx/commit/de8113ffa8edbcd4e05fa218324c3e8c2a4afdbe"><code>de8113f</code></a> refactor: centralize Node capability facts</li> <li><a href="https://github.com/privatenumber/tsx/commit/c1f62db45ada60b24ceb3dfdf7f64173d9a15396"><code>c1f62db</code></a> test: consolidate tsconfig path edge coverage</li> <li><a href="https://github.com/privatenumber/tsx/commit/4e08174ec10276ac71c9a69eb28426ad702d0c76"><code>4e08174</code></a> test: consolidate loader hook coverage</li> <li>Additional commits viewable in <a 
href="https://github.com/privatenumber/tsx/compare/v4.20.6...v4.22.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for tsx since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
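The backslash traversal fixed in esbuild 0.28.1, as an added JavaScript model that is not esbuild's code: `cleanSlashOnly` imitates a cleaner that, like Go's `path.Clean()` as described in the release notes above, treats only `/` as a separator. The function names, the percent-decoding step and the sample paths are assumptions constructed for illustration.

```javascript
// Added model, not esbuild's code. Function names and sample paths are
// constructed for illustration.

// Normalise a request path the way a '/'-only cleaner does: "." and ".."
// are resolved, but only between '/' characters.
function cleanSlashOnly(requestPath) {
  const kept = [];
  for (const segment of requestPath.split('/')) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') { kept.pop(); continue; } // cannot climb above "/"
    kept.push(segment);
  }
  return '/' + kept.join('/');
}

// Walk the path as a Windows filesystem would, where '\' also separates
// segments, and report whether it ever climbs above the serve directory.
function climbsAboveRootOnWindows(path) {
  let depth = 0;
  for (const segment of path.split(/[\\/]/)) {
    if (segment === '' || segment === '.') continue;
    if (segment === '..') {
      depth -= 1;
      if (depth < 0) return true;
    } else {
      depth += 1;
    }
  }
  return false;
}

// Percent-decode the raw request path; null means it could not be decoded.
// Decoding before the check is an assumption of this model.
function decodeRequestPath(rawPath) {
  try {
    return decodeURIComponent(rawPath);
  } catch {
    return null;
  }
}

// Hardened check in the spirit of the fix: refuse any request path that
// contains '\' once decoded, and refuse undecodable input.
function isRequestPathAllowed(rawPath) {
  const decoded = decodeRequestPath(rawPath);
  return decoded !== null && !decoded.includes('\\');
}

// For each raw path: what the '/'-only cleaner leaves behind, whether that
// result still escapes the serve directory on Windows, and the hardened verdict.
function audit(rawPaths) {
  return rawPaths.map((raw) => {
    const decoded = decodeRequestPath(raw);
    const cleaned = decoded === null ? null : cleanSlashOnly(decoded);
    return {
      raw,
      cleaned,
      escapesAfterCleaning: cleaned !== null && climbsAboveRootOnWindows(cleaned),
      allowed: isRequestPathAllowed(raw),
    };
  });
}

// Constructed sample request paths.
const SAMPLE_PATHS = [
  '/index.html',
  '/assets/../index.html',
  '/..\\..\\notes.txt',
  '/assets/..\\..\\..\\notes.txt',
  '/..%5C..%5Cnotes.txt',
];

console.table(audit(SAMPLE_PATHS));
```

Every sample that still escapes after cleaning is one the backslash check refuses, while the two ordinary paths stay allowed.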
Bumps [launch-editor](https://github.com/vitejs/launch-editor) from 2.11.1 to 2.14.1. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitejs/launch-editor/commit/3f97c648307a70e7c930ba63f040e6ba8e72bc16"><code>3f97c64</code></a> v2.14.1</li> <li><a href="https://github.com/vitejs/launch-editor/commit/0cc9550e05c35224a1f61914b9731723f78c06a7"><code>0cc9550</code></a> fix: reject UNC paths (<a href="https://redirect.github.com/vitejs/launch-editor/issues/138">#138</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/afd1ab907769adbb0fb76b564551f3cd24822ea6"><code>afd1ab9</code></a> ci: run tests on mac and windows (<a href="https://redirect.github.com/vitejs/launch-editor/issues/136">#136</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/0bfa328e4d2a70d3accd86645efde43a5a8fd931"><code>0bfa328</code></a> test: add some tests for launch-editor package (<a href="https://redirect.github.com/vitejs/launch-editor/issues/135">#135</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/1b006ae00061e83628c884770df4869bac481ed3"><code>1b006ae</code></a> chore: add README (<a href="https://redirect.github.com/vitejs/launch-editor/issues/134">#134</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/383ef26fceaaab75e4f122bf833a8d457e187272"><code>383ef26</code></a> v2.14.0</li> <li><a href="https://github.com/vitejs/launch-editor/commit/6277209316b28bd76b057a97fcdfa42da5adc181"><code>6277209</code></a> ci: harden publish settings</li> <li><a href="https://github.com/vitejs/launch-editor/commit/520b2f787af1bbe3d2333d952547fc90f2c01bb3"><code>520b2f7</code></a> fix(deps): update all non-major dependencies (<a href="https://redirect.github.com/vitejs/launch-editor/issues/129">#129</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/475ac662aeaa40eebe319f76acf7bd7ff2aba5d5"><code>475ac66</code></a> chore(deps): update dependency lint-staged to v17 (<a 
href="https://redirect.github.com/vitejs/launch-editor/issues/130">#130</a>)</li> <li><a href="https://github.com/vitejs/launch-editor/commit/247bf1dfe2c75efb50f507d33c2c5a3cbf4e20d0"><code>247bf1d</code></a> chore(deps): update dependency yorkie to v2 (<a href="https://redirect.github.com/vitejs/launch-editor/issues/131">#131</a>)</li> <li>Additional commits viewable in <a href="https://github.com/vitejs/launch-editor/compare/v2.11.1...v2.14.1">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for launch-editor since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.2.0] - 2026-06-01</h2> <h3>Added</h3> <ul> <li>Added <code>docs/safety.md</code> with notes about processing untrusted YAML.</li> <li>Added <code>maxDepth</code> (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.</li> <li>Added <code>maxMergeSeqLength</code> (20) loader option. Not a problem after <code>merge</code> fix, but an additional restriction for safety.</li> <li>Added sourcemaps to <code>dist/</code> builds.</li> </ul> <h3>Changed</h3> <ul> <li>Stop resolving numbers with underscores as numeric scalars, <a href="https://redirect.github.com/nodeca/js-yaml/issues/627">#627</a>.</li> <li>Switched dev toolchains to Vite / neostandard.</li> <li>Updated demo.</li> <li>Reorganized tests.</li> <li><code>dist/</code> files are no longer kept in the repository.</li> </ul> <h3>Fixed</h3> <ul> <li>Fix parsing of properties on the first implicit block mapping key, <a href="https://redirect.github.com/nodeca/js-yaml/issues/62">#62</a>.</li> <li>Fix trailing whitespace handling when folding flow scalar lines, <a href="https://redirect.github.com/nodeca/js-yaml/issues/307">#307</a>.</li> <li>Reject top-level block scalars without content indentation, <a href="https://redirect.github.com/nodeca/js-yaml/issues/280">#280</a>.</li> <li>Ensure numbers survive round-trip, <a href="https://redirect.github.com/nodeca/js-yaml/issues/737">#737</a>.</li> <li>Fix test coverage for issue <a href="https://redirect.github.com/nodeca/js-yaml/issues/221">#221</a>.</li> <li>Fix flow scalar trailing whitespace folding, <a href="https://redirect.github.com/nodeca/js-yaml/issues/307">#307</a>.</li> <li>Fix digits in YAML named tag handles.</li> </ul> <h3>Security</h3> <ul> <li>Fix 
potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).</li> </ul> <h2>[3.14.2] - 2025-11-15</h2> <h3>Security</h3> <ul> <li>Backported v4.1.1 fix to v3</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
Adds documentation for handling the original user message after an auto
sign-in flow completes. This is a common scenario where the bot's
sign-in flow consumes the user's initial message, causing a confusing
UX.
The new section shows a pattern for storing the pending message before
initiating sign-in, then replaying it in the `signin` event handler.
## Changes
- **Template**: Added `## Resuming Pending Messages After Sign-In`
section to the user-authentication in-depth guide (before "Handling
Sign-In Failures")
- **TypeScript fragment**: `pendingMessages` Map + `app.event('signin')`
pattern
- **Python fragment**: `pending_messages` dict + `@app.event("sign_in")`
with `SignInOptions`
- **C# fragment**: `ConcurrentDictionary` + `OAuthFlow.OnSignInComplete`
(with `next/core` disclaimer)
## Context
#885 — workaround discussed in #2091. All code patterns verified against
current SDK source.
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.0 to 3.4.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.10</h2> <ul> <li>Refactored codebase for clarity: extracted the public type declarations into <code>types.ts</code></li> <li>Decomposed the three largest sanitizer functions into focused helpers</li> <li>Removed duplicated defaults and dead branches, consolidated <code>SAFE_FOR_TEMPLATES</code> scrubbing into single shared path</li> <li>Improved per-node performance by hoisting the mXSS probe regexes and testing <code>textContent</code> before <code>innerHTML</code></li> <li>Added a deterministic micro-benchmark harness (<code>npm run bench</code>) with a <code>--compare</code> mode</li> <li>Reduced CI cost by running the full three-engine browser suite once per PR</li> <li>Refreshed the <code>demos/</code> folder so every demo runs again, and added a SVG-via-<code><img></code> demo</li> <li>Documented the bench and <code>test:happydom</code> scripts in the README</li> <li>Completed the Attack Classes & Bypass History wiki page</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.9</h2> <ul> <li>Further improved the handling of Trusted Types config options, thanks <a href="https://github.com/offset"><code>@offset</code></a></li> <li>Further improved the handling of <code>IN_PLACE</code> sanitization, thanks <a href="https://github.com/mozfreddyb"><code>@mozfreddyb</code></a></li> <li>Added more test coverage for <code>IN_PLACE</code> and Trusted Types related usage</li> <li>Bumped several dependencies where possible</li> <li>Updated README and wiki with more accurate documentation & attack samples</li> </ul> <h2>DOMPurify 3.4.8</h2> <ul> <li>Cleaned up the repository root, renamed some and removed unneeded files</li> <li>Fixed an issue with handling of Trusted Types policies, 
thanks <a href="https://github.com/fulstadev"><code>@fulstadev</code></a></li> <li>Fixed the node iterator for better template scrubbing, thanks <a href="https://github.com/IamLeandrooooo"><code>@IamLeandrooooo</code></a></li> <li>Included formerly missing LICENSE-MPL in published npm package, thanks <a href="https://github.com/asamuzaK"><code>@asamuzaK</code></a></li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.7</h2> <ul> <li>Hardened the handling of Shadow Roots when using <code>IN_PLACE</code>, thanks <a href="https://github.com/GameZoneHacker"><code>@GameZoneHacker</code></a></li> <li>Removed a problem leading to permanent hook pollution, thanks <a href="https://github.com/offset"><code>@offset</code></a></li> <li>Refactored the test suite and expanded test coverage significantly</li> </ul> <h2>DOMPurify 3.4.6</h2> <ul> <li>Fixed several issues with DOM Clobbering in <code>IN_PLACE</code> mode, thanks <a href="https://github.com/offset"><code>@offset</code></a> & <a href="https://github.com/Bankde"><code>@Bankde</code></a></li> <li>Hardened the checks for cross-realm <code>IN_PLACE</code> and Shadow DOM sanitization, thanks <a href="https://github.com/offset"><code>@offset</code></a> & <a href="https://github.com/Bankde"><code>@Bankde</code></a></li> <li>Added more test coverage for <code>IN_PLACE</code> and general DOM Clobbering attacks</li> <li>Bumped several dependencies where possible</li> </ul> <h2>DOMPurify 3.4.5</h2> <ul> <li>Fixed a bypass caused by the new HTML element <code>selectedcontent</code> added in 3.4.4, thanks <a href="https://github.com/KabirAcharya"><code>@KabirAcharya</code></a></li> </ul> <p><strong>Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.</strong></p> <h2>DOMPurify 3.4.4</h2> <ul> <li>Added the <code>selectedcontent</code> element to default allow-list, thanks <a href="https://github.com/lukewarlow"><code>@lukewarlow</code></a></li> 
<li>Added the <code>command</code> and <code>commandfor</code> attributes to default allowed-list, thanks <a href="https://github.com/lukewarlow"><code>@lukewarlow</code></a></li> <li>Added better template scrubbing for <code>IN_PLACE</code> operations, thanks <a href="https://github.com/DEMON1A"><code>@DEMON1A</code></a></li> <li>Added stronger checks for cross-realm windows, thanks <a href="https://github.com/DEMON1A"><code>@DEMON1A</code></a> & <a href="https://github.com/fg0x0"><code>@fg0x0</code></a></li> <li>Updated demo website and made sure it uses the latest from main</li> <li>Updated existing workflows, fuzzer, dependabot, etc., added more tests</li> <li>Bumped several dependencies where possible</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/6ee5716f8336989753611beeca364957c0eb0c3e"><code>6ee5716</code></a> release: 3.4.10 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1478">#1478</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/52102472d46035857c52df19e44285f8a1e102fc"><code>5210247</code></a> release: 3.4.9 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1459">#1459</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/bcdd8285412dc9c4c149652aed2d712e790d6ccf"><code>bcdd828</code></a> release: 3.4.8 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1439">#1439</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/ca30f070c360df162a3e3848e80e6fd3c9e74bff"><code>ca30f07</code></a> release: 3.4.7 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1414">#1414</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/bb7739e5bccec7e1ab3dae3f3e42d02db3acaaae"><code>bb7739e</code></a> release: 3.4.6 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1394">#1394</a>)</li> <li><a 
href="https://github.com/cure53/DOMPurify/commit/011b0c78f2a0f57ee54f5fcccb697a46ca6e63ea"><code>011b0c7</code></a> release: 3.4.5 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1382">#1382</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5817ad969c15e67dfcd6cb37248d6e9c1553e7c3"><code>5817ad9</code></a> release: 3.4.4 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1374">#1374</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/520edb0371a9638f9b51f1798051299a250c686b"><code>520edb0</code></a> release: 3.4.3 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1352">#1352</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6f67fd396a7b8c64294343999fe607ca1f5299c0"><code>6f67fd3</code></a> Sync/3.4.2 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1322">#1322</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5b0cdbbf52331e854c0a2de875b1a3790ecec2b8"><code>5b0cdbb</code></a> chore: merge main into 3.x for 3.4.1 release (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1301">#1301</a>)</li> <li>Additional commits viewable in <a href="https://github.com/cure53/DOMPurify/compare/3.4.0...3.4.10">compare view</a></li> </ul> </details> <details> <summary>Install script changes</summary> <p>This version adds <code>prepare</code> script that runs during installation. Review the package contents before updating.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Renames the tenant audience switch to make the CLI surface more explicit.
Why: `single-tenant` and `multi-tenant` are overloaded terms and hid the actual Entra app setting. `--sign-in-audience myOrg|multipleOrgs` maps more directly to the product concept.
Interesting bits:
- Replaces `--single-tenant` with `--sign-in-audience <audience>`.
- Supports `myOrg` and `multipleOrgs`; default is still `multipleOrgs`.
- Removes product-specific flag details from `AGENTS.md`.
Tips for reviewers: Start in `packages/cli/src/commands/app/create.ts`; the rest is tests/docs.
Testing:
- `npm -w @microsoft/teams.cli run test -- app-command-validation.test.ts`
- `npx turbo build --filter=@microsoft/teams.cli`
This pull request introduces major improvements to the Teams SDK documentation and language-specific AI integration guides. The most significant changes are the addition of comprehensive, language-specific guides for building cross-bot handoff and agent-based AI integrations in both Python and TypeScript, as well as a detailed guide on using the Microsoft Agent Framework in Python. Additionally, the documentation build scripts are enhanced to allow language-specific sidebar categories, and a minor correction is made to an internal link.
**New AI integration guides:**
* Added a detailed guide for building A2A (agent-to-agent) handoff bots in **Python** using `a2a-sdk` and `agent_framework`, including code samples for agent cards, message contracts, handoff logic, and server wiring. (`teams.md/src/components/include/in-depth-guides/ai-integrations/a2a/python.incl.md`)
* Added a parallel guide for building A2A handoff bots in **TypeScript** using `@a2a-js/sdk` and the OpenAI SDK, covering similar concepts and implementation details as the Python guide. (`teams.md/src/components/include/in-depth-guides/ai-integrations/a2a/typescript.incl.md`)
* Introduced a comprehensive guide for building Teams agents with the **Microsoft Agent Framework (MAF)** in Python, including agent/tool definitions, session management, integration with Teams, and citation middleware. (`teams.md/src/components/include/in-depth-guides/ai-integrations/build-agent/python.incl.md`)
**Documentation tooling improvements:**
* Enhanced the `copyCategoryFiles` function in `generate-language-docs.ts` to support a `languages` key in category files, allowing sidebar categories to be restricted to specific languages. The `languages` key is stripped from the output to avoid leaking to Docusaurus. (`teams.md/scripts/generate-language-docs.ts`)
**Documentation content fixes:**
* Updated an internal documentation link to reference the correct AI integrations guide. (`teams.md/docs/main/welcome.mdx`)
## Summary
Documentation updates driven by customer feedback ([Discussion #2881](#2881), [Issue #2871](#2871)).
Fixes #2871
## SSO Documentation (new content)
- **SSO with User-Assigned Managed Identity**: New section in `sso-setup.mdx` explaining how IDs map when the bot uses MI and a separate auth app registration
- **Cross-Tenant Considerations**: New section covering tenant requirements for SSO to work silently
- **`authrequestfailed` troubleshooting**: New section in `troubleshooting-sso.mdx` for cross-tenant SSO failures
- **OAuth card fallback and magic code**: Documents when/why the magic code appears and the `signin()` + `app.event('signin')` pattern
## Preview Status Updates
- Targeted messages: "coming soon in May 2026" -> "available in public preview"
- Slash commands: same update
- Quoted replies: removed "Coming Soon" callout (now GA)
- Removed C# experimental note for quoted replies (`ExperimentalTeamsQuotedReplies` being removed in companion PRs)
## Companion PRs
- microsoft/teams.ts#621
- microsoft/teams.py#470
- microsoft/teams.net#572
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduce documentation for integrating OpenTelemetry with Teams bots, covering setup, instrumentation, and exporting telemetry to various backends. This addition enhances observability and provides guidance for developers. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Corina Gum <14900841+corinagum@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ation (#2894)
Same fix as microsoft/teams.ts#625 and microsoft/teams.py#481.
Splits the single-job publish pipeline into a separate `publish` stage with two jobs:
- `publish_internal` - no release context, publishes to Azure Artifacts
- `publish_public` - `type: releaseJob` + `isProduction: true`, publishes via ESRP
This fixes the 1ES template error:
```
Change management: no release tasks outside of release jobs in pipeline
```
Also uses `artifactName` (required by 1ES template) for `pipelineArtifact` inputs.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [undici](https://github.com/nodejs/undici) from 7.25.0 to 7.28.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.28.0</h2> <h1>⚠️ Security Release</h1> <p>This release line addresses <strong>7 security advisories</strong>, all shipped in <strong>v7.28.0</strong>.</p> <blockquote> <p><strong>Action required:</strong> Upgrade to <strong>undici 7.28.0</strong> or later.</p> <pre lang="sh"><code>npm install undici@^7.28.0 </code></pre> </blockquote> <p>The v7 line is <strong>not</strong> affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.</p> <blockquote> <p><strong>Note on GHSA-hm92-r4w5-c3mj:</strong> this fix shipped in <strong>v7.28.0</strong>, not the earlier 7.2x line — the vulnerable single-pool code was still present through <code>v7.27.2</code>. The per-origin pool fix is <a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a> (<a href="https://redirect.github.com/nodejs/undici/pull/5041">#5041</a>).</p> </blockquote> <h2>Summary</h2> <table> <thead> <tr> <th>Advisory</th> <th>CVE</th> <th>Severity (CVSS)</th> <th>Fixed in</th> <th>Fix commit</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td> <td>CVE-2026-12151</td> <td>High (7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td> <td>CVE-2026-9697</td> <td>High (7.4)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/04201f89"><code>04201f89</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td> <td>CVE-2026-6734</td> <td>High 
(7.5)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td> <td>CVE-2026-9678</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/85a24055"><code>85a24055</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td> <td>CVE-2026-9679</td> <td>Moderate (5.9)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td> <td>CVE-2026-11525</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td> <td>CVE-2026-6733</td> <td>Low (3.7)</td> <td>7.28.0</td> <td><a href="https://github.com/nodejs/undici/commit/ea8930cf"><code>ea8930cf</code></a></td> </tr> </tbody> </table> <hr /> <h2>High severity</h2> <h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a> <em>websocket: limit the number of fragments in a message</em> (part of backport <a href="https://github.com/nodejs/undici/commit/a027a4a0"><code>a027a4a0</code></a> <em>Backport WebSocket maxPayloadSize fixes to v7.x</em>, <a href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>)</p> <p>A malicious WebSocket server can stream a large number of small or empty 
continuation frames. Undici enforced a limit on cumulative payload size but did not limit the <em>number</em> of fragments per message, leading to unbounded memory growth and denial of service.</p> <ul> <li><strong>Affected:</strong> applications using <code>new WebSocket(...)</code> or <code>WebSocketStream</code> against untrusted endpoints.</li> <li><strong>Workaround:</strong> none — upgrade is required.</li> </ul> <h3>TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></strong> · CWE-295</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/f9eba0ad9134e1c0977848476bba9d49734696e4"><code>f9eba0a</code></a> Bumped v7.28.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5430">#5430</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a027a4a04c6c055877d1abaf5f60ee4917e7e01f"><code>a027a4a</code></a> Backport WebSocket maxPayloadSize fixes to v7.x (<a href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8cb10f983eb6005dd53f3744d95d3b6d7dbcee0f"><code>8cb10f9</code></a> websocket: limit the number of fragments in a message</li> <li><a href="https://github.com/nodejs/undici/commit/04201f8947041f0f4f2ac865dbdb1677e46a8844"><code>04201f8</code></a> fix: honor requestTls when proxy is SOCKS5</li> <li><a href="https://github.com/nodejs/undici/commit/fcd642ff613ea9030dec87cf622e68d4b1ae9847"><code>fcd642f</code></a> fix(socks5): preserve dispatch backpressure return value (<a href="https://redirect.github.com/nodejs/undici/issues/5166">#5166</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/bc98c97906abf26fa1e959b2f6111b53ade0e18f"><code>bc98c97</code></a> fix(socks5): use configured connector in 
Socks5ProxyAgent (<a href="https://redirect.github.com/nodejs/undici/issues/5168">#5168</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9e1c74372a2b27cacd92d27c13a83a6d84f10e0e"><code>9e1c743</code></a> fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (<a href="https://redirect.github.com/nodejs/undici/issues/5099">#5099</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/376c8be27cb40cc17ccaad6b6ebb317fa7148d65"><code>376c8be</code></a> fix(socks5): enforce authenticated state before CONNECT (<a href="https://redirect.github.com/nodejs/undici/issues/5097">#5097</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3805b8f8518882991044048c256e005dc3c10a85"><code>3805b8f</code></a> fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...</li> <li><a href="https://github.com/nodejs/undici/commit/85a240551c9feb8b8a0ecc56c84b2b3015add8a9"><code>85a2405</code></a> fix(cache): trim qualified field names</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.25.0...v7.28.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
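The undici release notes quoted in the commit above describe a receiver that capped cumulative payload size but not the number of fragments per message. The following is an added example, not undici's code and not part of this PR, of a reassembler that enforces both limits; the `maxFragments` option name, the limit values and the sample stream are assumptions constructed for illustration.

```javascript
// Added example (not undici's implementation): WebSocket message reassembly
// with a cumulative-size limit AND a fragment-count limit.
const OP_CONT = 0x0, OP_TEXT = 0x1, OP_BINARY = 0x2;

class LimitError extends Error {}

// Build an unmasked server-to-client frame (RFC 6455 section 5.2). Only used
// to construct the sample input below, so it supports 7-bit lengths only.
function buildFrame(fin, opcode, payload = Buffer.alloc(0)) {
  if (payload.length > 125) throw new RangeError('sample frames use 7-bit lengths');
  return Buffer.concat([Buffer.from([(fin ? 0x80 : 0) | opcode, payload.length]), payload]);
}

// Parse one frame at `offset`; returns null when only part of it has arrived.
function parseFrame(buf, offset) {
  if (buf.length - offset < 2) return null;
  const fin = (buf[offset] & 0x80) !== 0;
  const opcode = buf[offset] & 0x0f;
  if (buf[offset + 1] & 0x80) throw new Error('server frames must not be masked');
  let len = buf[offset + 1] & 0x7f;
  let pos = offset + 2;
  if (len === 126) {
    if (buf.length - pos < 2) return null;
    len = buf.readUInt16BE(pos);
    pos += 2;
  } else if (len === 127) {
    if (buf.length - pos < 8) return null;
    const big = buf.readBigUInt64BE(pos);
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new LimitError('declared length too large');
    len = Number(big);
    pos += 8;
  }
  if (buf.length - pos < len) return null;
  return { fin, opcode, payload: buf.subarray(pos, pos + len), next: pos + len };
}

class MessageReassembler {
  // maxFragments is a hypothetical option name chosen for this example.
  constructor({ maxPayloadSize, maxFragments }) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.reset();
  }

  reset() {
    this.fragments = [];
    this.size = 0;
  }

  // Returns the complete message when a FIN frame closes it, otherwise null.
  push({ fin, opcode, payload }) {
    if (opcode >= 0x8) return null; // control frames are not part of a data message
    if (opcode !== OP_CONT && opcode !== OP_TEXT && opcode !== OP_BINARY) {
      throw new Error('reserved opcode');
    }
    const inProgress = this.fragments.length > 0;
    if (opcode === OP_CONT && !inProgress) throw new Error('continuation without a start frame');
    if (opcode !== OP_CONT && inProgress) throw new Error('new message before previous FIN');
    // Every fragment costs an array slot and a Buffer object even when its
    // payload is empty, so the byte limit alone never fires on empty frames.
    if (this.fragments.length + 1 > this.maxFragments) {
      this.reset();
      throw new LimitError('too many fragments');
    }
    if (this.size + payload.length > this.maxPayloadSize) {
      this.reset();
      throw new LimitError('message too large');
    }
    this.fragments.push(payload);
    this.size += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments, this.size);
    this.reset();
    return message;
  }
}

// Run a byte stream through the parser and report completed messages, how many
// fragments are still buffered, and the first limit that was hit (if any).
function receive(stream, limits) {
  const reassembler = new MessageReassembler(limits);
  const messages = [];
  let offset = 0;
  try {
    for (let f = parseFrame(stream, offset); f !== null; f = parseFrame(stream, offset)) {
      offset = f.next;
      const message = reassembler.push(f);
      if (message !== null) messages.push(message.toString('utf8'));
    }
  } catch (err) {
    if (!(err instanceof LimitError)) throw err;
    return { messages, pendingFragments: 0, error: err.message };
  }
  return { messages, pendingFragments: reassembler.fragments.length, error: null };
}

// Constructed sample input: a normal two-fragment text message, then a message
// that never sends FIN and consists of 1000 empty continuation frames.
const SAMPLE_STREAM = Buffer.concat([
  buildFrame(false, OP_TEXT, Buffer.from('he')),
  buildFrame(true, OP_CONT, Buffer.from('llo')),
  buildFrame(false, OP_BINARY),
  ...Array.from({ length: 1000 }, () => buildFrame(false, OP_CONT)),
]);

const sizeOnly = receive(SAMPLE_STREAM, { maxPayloadSize: 1024, maxFragments: Infinity });
const bothLimits = receive(SAMPLE_STREAM, { maxPayloadSize: 1024, maxFragments: 128 });
console.log({ sizeOnly, bothLimits });
```

With only the size limit, the receiver keeps all 1001 zero-byte fragments buffered without raising an error; with the count limit, the connection can be failed at the 129th fragment.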
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.10 to 3.4.11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.4.11</h2> <ul> <li>Fixed an issue with a leaky config for hooks via <code>setConfig</code>, thanks <a href="https://github.com/trace37labs"><code>@trace37labs</code></a></li> <li>Bumped vulnerable development dependencies to arrive at plain 0 with <code>npm audit</code></li> <li>Updated the <code>osv-scanner</code> suppression list as no vulnerable dependencies are left for now</li> <li>Updated up the linting tool-chain and removed now-redundant lint directives</li> <li>Updated the documentation is several spots, README, wiki, etc.</li> <li>Bumped several dependencies where possible</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/0cae5187403132f96a6d357649e4b15633fc210a"><code>0cae518</code></a> release: 3.4.11 (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1494">#1494</a>)</li> <li>See full diff in <a href="https://github.com/cure53/DOMPurify/compare/3.4.10...3.4.11">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This pull request adds a comprehensive blog post announcing the deprecation and removal of built-in AI libraries from the Teams SDK, guiding developers to migrate to dedicated agent frameworks for advanced AI and agentic scenarios. The article details what's changing, why the shift is happening, and provides migration guidance and resources for TypeScript, .NET, and Python developers.

Key changes in this update:

**Deprecation and Migration Guidance:**

* Announces the deprecation (and for Python, removal) of Teams SDK AI libraries across TypeScript, .NET, and Python, listing affected packages and providing links to framework-based replacements and migration samples.
* Offers a detailed migration walkthrough, showing how to replace Teams AI helpers with dedicated agent frameworks, including code examples for model setup, tool registration, streaming, and session management.

**Comparison and Rationale:**

* Provides a feature comparison table illustrating the gaps between Teams AI libraries and dedicated frameworks, highlighting improvements in tool calling, retries, observability, session management, and multi-agent support.
* Explains how to choose the right approach (SDK vs. framework) based on bot complexity, with recommendations for each language stack.

**Future Direction and Timeline:**

* Outlines ongoing investments in Teams SDK for clean framework integration, session/context management, and observability, clarifying the division of responsibilities between SDK and frameworks
## Summary

- Renames the `2026-06-16-ai-libs-to-agent-frameworks` blog title from "Unbundling AI from the Teams SDK: A Cleaner Path to Agents" to "Teams SDK + Agent Frameworks: Better Together"
- Slug, URL, and content unchanged

## Test plan

- [ ] Verify blog renders with new title at `/blog/ai-libraries-to-agent-frameworks`
- [ ] Confirm blog index/listing reflects the new title

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds process-scoped in-memory caching to eliminate redundant TDP (Teams Developer Portal) network reads within a single `teams` CLI invocation. Started with app-detail reads (the worst hotspot) and extended to bot reads, with a small reusable caching layer shared by both.

Caches are process-scoped (one CLI invocation = one process), `Map`-backed, and clone-on-read/write (`structuredClone`) so callers can't corrupt cached objects. Writes refresh the cache from authoritative POST responses; mutations that bypass the normal path explicitly invalidate.

## What changed

- **Reusable layer** — `src/utils/resource-cache.ts`: generic `createResourceCache<T>()` with clone-safe `get`/`set`/`invalidate`.
- **App details** (`hotspot #1`) — `fetchAppDetailsV2` is now cache-first with a `{ force }` opt-out; `updateAppDetails` write-refreshes from its POST response (so `uploadIcon` benefits); `importAppPackage` invalidates. This collapses the ~7–9 `GET /appdefinitions/v2/{id}` reads per `teams app update` (read-modify-write) down to 1.
- **Bot reads** (`hotspot #2`) — `fetchBot` and `getBotLocation` now share a single `GET /botframework/{botId}` round-trip via one `readBotResource()` classifier (200 → Teams-managed with details, 404 → Azure). Only those two meaningful outcomes are cached; other statuses throw uncached so transient failures still retry. `updateBot` refreshes; `deleteBot`/`registerBot` invalidate.
- **Spinner** — `fetchAppDetail` keeps its spinner silent when both underlying reads are already warm (fixes the duplicate spinner seen on App → details → back → details).

## Tests

- Unit tests written first (TDD, red→green): `app-details-cache.test.ts`, `bot-cache.test.ts`.
- Gated live timing integration test (`RUN_INTEGRATION=1`) demonstrating the saved round-trips.
- Full suite: **206 passed / 34 skipped**, `tsc --noEmit` and `npm run build` clean.

## Notes

- No TTL — caches live only for the duration of a single command, so staleness across invocations is impossible by construction.
- Within an invocation, every mutation point (`update.ts`, `doctor.ts`, `bot/migrate.ts`, `bot-handler.ts`) was traced for read-after-write staleness; all refresh or invalidate correctly.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
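The cache behaviour that commit message describes (clone-on-read/write, caching only the 200 and 404 outcomes, explicit invalidation) as an added example that is not the CLI's own code. `createResourceCache`, `get`/`set`/`invalidate` and `readBotResource` are names taken from the PR text; the types, the synchronous `httpGet` stub and the sample bot are assumptions made so the example runs offline.

```typescript
// Added example, not the teams CLI's code. Types, the sync transport stub and
// the sample data are assumptions; only the function names come from the PR text.
function createResourceCache<T>() {
  const store = new Map<string, T>();
  return {
    // Clone on read: the caller mutates a private copy, never the cached object.
    get: (key: string): T | undefined =>
      store.has(key) ? structuredClone(store.get(key) as T) : undefined,
    // Clone on write: later changes to the caller's object do not reach the cache.
    set: (key: string, value: T): void => { store.set(key, structuredClone(value)); },
    invalidate: (key: string): void => { store.delete(key); },
  };
}

type BotDetails = { name: string; endpoint: string };
type BotResource = { kind: 'teams-managed'; details: BotDetails } | { kind: 'azure' };
// Synchronous transport stub (assumption) standing in for the real HTTP client.
type HttpGet = (path: string) => { status: number; body?: BotDetails };
const botCache = createResourceCache<BotResource>();

function readBotResource(botId: string, httpGet: HttpGet): BotResource {
  const cached = botCache.get(botId);
  if (cached) return cached;
  const res = httpGet(`/botframework/${botId}`);
  let outcome: BotResource;
  if (res.status === 200 && res.body) outcome = { kind: 'teams-managed', details: res.body };
  else if (res.status === 404) outcome = { kind: 'azure' };
  else throw new Error(`GET bot ${botId}: status ${res.status}`); // not cached, so a retry re-reads
  botCache.set(botId, outcome);
  return outcome;
}

function demo() {
  let calls = 0;
  let status = 503; // constructed sequence: one transient failure, then success
  const body: BotDetails = { name: 'demo-bot', endpoint: 'https://bot.example/api/messages' };
  const httpGet: HttpGet = () => { calls++; return status === 200 ? { status, body } : { status }; };
  let transientThrew = false;
  try { readBotResource('bot-1', httpGet); } catch { transientThrew = true; }
  status = 200;
  const first = readBotResource('bot-1', httpGet); // network read, result cached
  if (first.kind === 'teams-managed') first.details.endpoint = 'changed-by-caller';
  const second = readBotResource('bot-1', httpGet); // served from the cache
  botCache.invalidate('bot-1'); // what a delete or re-register would do
  readBotResource('bot-1', httpGet); // forced back to the network
  return { transientThrew, calls, endpoint: second.kind === 'teams-managed' ? second.details.endpoint : '' };
}
```

The 503 is never stored, so the next call reaches the transport again, and the caller's edit to `first` does not show up in `second`.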
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.4 to 5.2.5.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/webpack/webpack-dev-server/releases">webpack-dev-server's releases</a>.</em></p>
<blockquote>
<h2>v5.2.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by <a href="https://github.com/bjohansebas"><code>@bjohansebas</code></a> in <a href="https://redirect.github.com/webpack/webpack-dev-server/pull/5680">#5680</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md">webpack-dev-server's changelog</a>.</em></p>
<blockquote>
<h2>5.2.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by <a href="https://github.com/bjohansebas"><code>@bjohansebas</code></a> in <a href="https://redirect.github.com/webpack/webpack-dev-server/pull/5680">#5680</a>)</li>
</ul>
<p>All notable changes to this project will be documented in this file. See <a href="https://github.com/conventional-changelog/standard-version">standard-version</a> for commit guidelines.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/webpack/webpack-dev-server/commit/c3ee325819f64ceb77f85dcf727b6b5ede85cbc4"><code>c3ee325</code></a> chore(release): new release (<a href="https://redirect.github.com/webpack/webpack-dev-server/issues/5682">#5682</a>)</li>
<li><a href="https://github.com/webpack/webpack-dev-server/commit/60173be90873b187b41fc2009a4de253732988a1"><code>60173be</code></a> feat: add changeset validation and release workflow (<a href="https://redirect.github.com/webpack/webpack-dev-server/issues/5680">#5680</a>)</li>
<li><a href="https://github.com/webpack/webpack-dev-server/commit/948d5e6089bebcd801dac2cbe3ed4f80b64f117a"><code>948d5e6</code></a> fix(proxy): match the HMR upgrade path exactly like the ws server (<a href="https://redirect.github.com/webpack/webpack-dev-server/issues/5678">#5678</a>)</li>
<li><a href="https://github.com/webpack/webpack-dev-server/commit/93e8996124332a6c94c4d3e0f8e5f2cf95321c67"><code>93e8996</code></a> fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...</li>
<li>See full diff in <a href="https://github.com/webpack/webpack-dev-server/compare/v5.2.4...v5.2.5">compare view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for webpack-dev-server since your current version.</p>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

Review of the CLI scaffolding templates surfaced several issues. This PR removes three problematic templates and fixes the rest.

### Removed templates

- **`typescript/ai`** — its `AGENTS.md` linked to a dead URL (`microsoft/teams.ts/main/AGENTS_TEMPLATE.md` returns 404).
- **`typescript/mcp`** — its `package.json.hbs` `inspect` script contained a literal newline, making the generated `package.json` invalid JSON (every npm command in a scaffolded project would break).
- **`typescript/mcpclient`** — removed alongside the MCP set.

### Fixes to remaining templates

- **graph (TS)** — declared missing `@microsoft/teams.api` dependency (imported for `MessageActivity`).
- **tab (TS)** — declared missing `@microsoft/teams-js` and `@microsoft/teams.common` dependencies; renamed leftover internal `@tests/tab` logger names to `tab`; awaited the `reply()` call in the echo handler.
- **graph (Python)** — fixed a possibly-unbound `me` (now initialized to `None` before the `if graph:` block) so pyright and runtime don't fail when `user_graph` is `None`; aligned the `dotenv` pin with the echo template.
- **Python READMEs** — removed reference to a nonexistent `apppackage/` directory.
- **menu-loop test** — updated the `listTemplates` mock to `['echo', 'graph', 'tab']`.

Template names are discovered dynamically from the filesystem via `listTemplates()`, so removing the directories is sufficient — no command code references them by name.

### Validation

- All remaining `package.json.hbs` files are valid JSON; every import is now a declared dependency.
- `npm run build` passes.
- All 206 tests pass.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
## Summary

- Add an explicit confirmation prompt before uploading interactive RSC permission edits
- Show a concise add/remove summary before confirmation
- Respect `--yes` by bypassing the prompt

## Validation

- `npm -w @microsoft/teams.cli test -- rsc-set.test.ts rsc-web-app-info.test.ts`
- `npx turbo build --filter=@microsoft/teams.cli`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
21a2e7e to 51a4da9
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
51a4da9 to 082e798
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
singhk97 approved these changes Jul 2, 2026
## Summary

Prepare stable CLI 3.0.2 by merging current `main` into `release/v3` and setting explicit stable release metadata.

## CLI package commits since 3.0.1

- `1f11cdaf1` perf(cli): add in-memory caching for redundant TDP reads (#2902)
- `2a969dd29` Fix CLI template issues and remove AI/MCP/MCPClient templates (#2904)
- `553685c6b` Confirm interactive RSC permission updates (#2906)
- `082e79830` Merge main into release/v3 for CLI 3.0.2
- `17d2170a6` Prepare CLI 3.0.2 release

## Validation

- `npx turbo build --filter=@microsoft/teams.cli`
- `npm -w @microsoft/teams.cli test`