Prepare CLI 3.0.2 release #2909

Merged: heyitsaamir merged 65 commits into release/v3 from heyitsaamir-prepare-cli-3-0-2-release on Jul 2, 2026
heyitsaamir commented Jul 1, 2026

Collaborator

Summary

Prepare stable CLI 3.0.2 by merging current main into release/v3 and setting explicit stable release metadata.

CLI package commits since 3.0.1

Validation

  • npx turbo build --filter=@microsoft/teams.cli
  • npm -w @microsoft/teams.cli test

corinagum and others added 30 commits May 7, 2026 10:30
…lifecycle (#2817)

## Summary
- Adds a note to the TS "Self-Managing Your Server" doc clarifying that
plugin `onStart` hooks do not fire when callers skip `app.start()` and
run their own server lifecycle.
- Documents the workaround: invoke the plugin's `onStart` manually after
`await app.initialize()`.

## Why
Surfaced by:
- microsoft/teams.ts#512 - users adopting the
`IHttpServerAdapter` pattern for non-Express frameworks (Fastify,
Restify, etc.) skip `app.start()` and so silently lose any plugin setup
that lives in `onStart`.
- microsoft/teams.ts#544 - concrete repro:
`DevToolsPlugin` registers its router inside `onStart`, so a
self-managed `ExpressAdapter` setup leaves DevTools un-started until the
user manually invokes `devToolsPlugin.onStart({ port })`.

The `IHttpServerAdapter` interface already supports this self-managed
flow; this PR just makes the caveat explicit in the doc.

## Test plan
- [x] Verify the rendered doc page shows the new note in the right
section (after the Express self-managed example, before the "See the
full Express adapter example" link).
- [x] Sanity-check that the suggested `await myPlugin.onStart({ port:
3978 })` call shape matches the plugin lifecycle interface.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds a URL-shareable docs page that helps developers choose
between the **Microsoft 365 Agents SDK** and the **Microsoft Teams SDK**
when building for Microsoft Teams.

The page is structured around the **durable distinction** between the
two SDKs (channel breadth vs Teams-feature depth) rather than
feature-checklist parity, with a **basic vs premier** framing for the
Teams scenario.

## What's in it

- **Architectural diagram** showing the two SDKs target different
backends (Teams Bot Service, Azure Bot Service) but speak the same
Activity Protocol
- **Channel grouping**: purple (reachable from both SDKs) vs amber (M365
Agents SDK optimized path)
- **Feature inventory image** illustrating breadth (M365 Agents SDK) vs
depth (Microsoft Teams SDK)
- **Basic and Premier feature reference tables** for the Teams scenario
- **Bot Framework migration decision table** with paths for both SDKs

## Sidebar visibility

Frontmatter uses `sidebar_class_name: 'sidebar-hidden'` so the page is
reachable by URL but doesn't appear in the left navigation. Intent:
guidance content for developers asking "which SDK?", not a top-level
navigation item.

## Test plan

- [ ] Local Docusaurus dev server renders
`/teams-sdk/teams/choosing-an-sdk` cleanly
- [ ] Mermaid diagram in "How they relate" renders without arrow
crossings or layout glitches
- [ ] `sdk-feature-comparison.png` displays at appropriate size
- [ ] All internal links resolve (e.g. `./enabling-in-copilot`)
- [ ] All external links open correctly (Microsoft Learn, GitHub repos)
- [ ] Page does not appear in the left sidebar (URL-only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
…d Identity" (#2696)

## Update Documentation: User Managed Identity → User Assigned Managed
Identity

- [x] Review all documentation files containing "User Managed Identity"
- [x] Update typescript.incl.md to use "User Assigned Managed Identity"
- [x] Update python.incl.md to use "User Assigned Managed Identity"
- [x] Update app-authentication/README.md to use "User Assigned Managed
Identity"
- [x] Update federated-identity-credentials.md to use "User Assigned
Managed Identity"
- [x] Update user-managed-identity.md content to use "User Assigned
Managed Identity"
- [x] Update app-authentication.mdx to use "User Assigned Managed
Identity"
- [x] Verify all changes are consistent and accurate
- [x] Rebase onto latest main branch and resolve conflicts


<details>

<summary>Original prompt</summary>

> In our docs, we say "User managed identity" when what we really mean
is "User assigned managed identity". Can you update the language please


</details>




---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: heyitsaamir <48929123+heyitsaamir@users.noreply.github.com>
## Summary
Product rename: **Teams CLI** → **Teams Developer CLI** across the repo.

What got touched:
- **Package**: `packages/cli/package.json` description + the `Teams
Developer CLI [Beta]` help banner in `packages/cli/src/index.ts`. (The
npm name `@microsoft/teams.cli` is left alone — renaming that is a whole
different beast.)
- **Docs**: every "Teams CLI" mention across `teams.md/docs/**`,
`teams.md/src/**`, and `teams.md/static/llms_docs/**`.
- **Blog**: `2026-04-28-teams-cli-preview/index.md` body. Slug + folder
kept the same to avoid breaking the live URL.
- **Plugin / skill**: `plugins/teams-sdk/**`,
`.claude-plugin/marketplace.json`, root `README.md`,
`packages/cli/README.md`.

Left intentionally untouched:
- Internal identifiers (`teams-cli` keychain serviceName, envPaths,
USER_AGENT, tmpdir prefix, test resource group defaults) — changing
these would invalidate caches/configs.
- Unrelated terms like "Teams client", `@microsoft/teams.client`, "Teams
Developer Portal".
- Generic "the CLI" phrases that read fine in context.

## Test plan
- `npm run build --workspace=@microsoft/teams.cli` — confirm clean build
- Run `node packages/cli/dist/index.js --help` and check the banner says
`Teams Developer CLI [Beta]`
- Skim the docs site preview to confirm headings/links still resolve
Fixes [#565](microsoft/teams.ts#565)

## What

`teams app doctor` was assuming an Azure Bot resource is always named
after its MicrosoftAppId. That's only true for bots this CLI creates —
bots stamped out by Portal/Bicep/Terraform (or our own `migrate
--azure-name foo`) get human-readable names, and doctor would shrug `✗
Azure bot not found` and skip every downstream check.

## How

- **Discovery**: keep the `--name <botId>` fast path, then fall back to
Azure Resource Graph filtering on `properties.msaAppId`. If the graph
extension can't be installed, fall back again to listing bots and
fetching each one's properties in parallel.
- **Resource name plumbing**: `AzureContext` now carries the real Azure
resource name. Doctor uses `azure.name ?? botId` for `az bot show`, `az
bot msteams show`, and the authsetting calls — same shape, just the
right name.
- **Migrate**: new `--azure-name <name>` flag so users can give the
Azure resource a friendly name. Defaults to `botId` so nothing changes
for existing scripts.

## Tests

6 new unit tests covering: fast-path hit, graph fallback, list+show
last-resort fallback, both-empty, no-match, and az exploding.

## Verified e2e

Created a real teams-managed app, migrated to Azure with `--azure-name
migrate-test-renamed`, then ran doctor on the resulting Teams app:

| | Public `teams` CLI | This branch |
|---|---|---|
| Azure bot discovered | ✗ not found | ✔ |
| Endpoint reachable | (skipped) | ✔ |
| Teams channel | (skipped) | ✔ |
| `az bot authsetting list` (SSO path) | `ParentResourceNotFound` | ✔ `[]` |
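
The three-stage discovery described in the commit message above, as an added example that is not the CLI's own code. The `az` adapter and its four methods are hypothetical stand-ins for the Azure CLI calls; the sketch assumes only an unavailable graph stage triggers the list fallback, and it re-checks `properties.msaAppId` on every candidate instead of trusting the resource name.

```javascript
// Added example (not the CLI's code): discover an Azure Bot resource by app ID.
// `az` is a hypothetical adapter; its four methods stand in for the Azure CLI
// calls named in the commit message and are assumptions of this sketch.

class AzUnavailable extends Error {} // e.g. the graph extension cannot be installed

// GUIDs compare case-insensitively; a missing property never matches.
function sameAppId(resource, botId) {
  const id = resource && resource.properties && resource.properties.msaAppId;
  return typeof id === 'string' && id.toLowerCase() === botId.toLowerCase();
}

// Collapse candidate resources into one outcome. More than one resource
// carrying the same app ID is reported, not resolved by picking the first.
function decide(candidates, botId, via) {
  const hits = candidates.filter((r) => sameAppId(r, botId));
  if (hits.length === 1) return { status: 'found', name: hits[0].name, via };
  if (hits.length > 1) {
    return { status: 'ambiguous', names: hits.map((r) => r.name).sort(), via };
  }
  return { status: 'not_found', via };
}

async function discoverBot(botId, az) {
  // Stage 1: fast path for bots named after their app ID. The name match is
  // still checked against properties.msaAppId before it is trusted.
  const direct = await az.showByName(botId); // null when no such resource
  if (direct && sameAppId(direct, botId)) {
    return { status: 'found', name: direct.name, via: 'name' };
  }

  // Stage 2: Resource Graph query filtered on properties.msaAppId.
  try {
    return decide(await az.graphByAppId(botId), botId, 'graph');
  } catch (err) {
    if (!(err instanceof AzUnavailable)) throw err; // real failures propagate
  }

  // Stage 3: last resort. List every bot, then fetch properties in parallel.
  const listed = await az.listBots(); // [{ name, resourceGroup }]
  const shown = await Promise.all(listed.map((b) => az.showBot(b)));
  return decide(shown, botId, 'list');
}

// Constructed sample data and a fake adapter so the example runs offline.
const APP_ID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_BOTS = [
  { name: 'migrate-test-renamed', resourceGroup: 'rg-a',
    properties: { msaAppId: APP_ID.toUpperCase() } },
  { name: 'other-bot', resourceGroup: 'rg-b',
    properties: { msaAppId: '99999999-0000-0000-0000-000000000000' } },
];

function fakeAz({ bots = SAMPLE_BOTS, graph = 'ok' } = {}) {
  return {
    showByName: async (name) => bots.find((b) => b.name === name) || null,
    graphByAppId: async (id) => {
      if (graph === 'unavailable') throw new AzUnavailable('graph extension missing');
      if (graph === 'error') throw new Error('az exited 1');
      return bots.filter((b) => sameAppId(b, id));
    },
    listBots: async () => bots.map(({ name, resourceGroup }) => ({ name, resourceGroup })),
    showBot: async ({ name }) => bots.find((b) => b.name === name),
  };
}
```
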
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.0.6 to
3.1.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/fastify/fast-uri/releases">fast-uri's
releases</a>.</em></p>
<blockquote>
<h2>v3.1.2</h2>
<h2>⚠️ Security Release</h2>
<ul>
<li>Fix for <a
href="https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc">https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Handle malformed fragment decoding as a parse error by <a
href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/171">fastify/fast-uri#171</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2">https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2</a></p>
<h2>v3.1.1</h2>
<h2>⚠️ Security Release</h2>
<ul>
<li>Fix for <a
href="https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6">https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6</a></li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/148">fastify/fast-uri#148</a></li>
<li>build(deps): bump actions/checkout from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/149">fastify/fast-uri#149</a></li>
<li>chore(.npmrc): ignore scripts by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/150">fastify/fast-uri#150</a></li>
<li>build(deps-dev): remove <code>@​fastify/pre-commit</code> by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/151">fastify/fast-uri#151</a></li>
<li>build(deps): bump actions/setup-node from 4 to 5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/152">fastify/fast-uri#152</a></li>
<li>ci(ci): add concurrency config by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/153">fastify/fast-uri#153</a></li>
<li>build(deps): bump actions/setup-node from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/154">fastify/fast-uri#154</a></li>
<li>build(deps): bump actions/checkout from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/156">fastify/fast-uri#156</a></li>
<li>chore(license): standardise license notice by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/159">fastify/fast-uri#159</a></li>
<li>style: remove trailing whitespace by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/161">fastify/fast-uri#161</a></li>
<li>ci: remove unused github files by <a
href="https://github.com/Tony133"><code>@​Tony133</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li>
<li>chore: update readme by <a
href="https://github.com/Tony133"><code>@​Tony133</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/164">fastify/fast-uri#164</a></li>
<li>build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from
5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/165">fastify/fast-uri#165</a></li>
<li>build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml
from 5 to 6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/166">fastify/fast-uri#166</a></li>
<li>build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/167">fastify/fast-uri#167</a></li>
<li>ci: add lock-threads workflow by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/169">fastify/fast-uri#169</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/Tony133"><code>@​Tony133</code></a> made
their first contribution in <a
href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1">https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1</a></p>
<h2>v3.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>ci: remove master branch support by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/126">fastify/fast-uri#126</a></li>
<li>chore(test) remove .gitkeep by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/128">fastify/fast-uri#128</a></li>
<li>ci(ci): set job permissions by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/129">fastify/fast-uri#129</a></li>
<li>ci: set permissions at workflow level by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/131">fastify/fast-uri#131</a></li>
<li>ci: set workflow permissions to read-only by default by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/132">fastify/fast-uri#132</a></li>
<li>ci(ci): restore job level permissions by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/133">fastify/fast-uri#133</a></li>
<li>build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/fastify/fast-uri/pull/134">fastify/fast-uri#134</a></li>
<li>ci(ci): pin actions to commit-hash by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/135">fastify/fast-uri#135</a></li>
<li>ci: add node 24 to test matrix by <a
href="https://github.com/Fdawgs"><code>@​Fdawgs</code></a> in <a
href="https://redirect.github.com/fastify/fast-uri/pull/136">fastify/fast-uri#136</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/fastify/fast-uri/commit/919dd8ea7689fcc220d0d9b71307f5095e723ef9"><code>919dd8e</code></a>
Bumped v3.1.2</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/c65ba573714af6b8e19e481d9444c27bc4355d07"><code>c65ba57</code></a>
fixup: linting</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293"><code>6c86c17</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/a95158ad308df4d92bbde4eba699ce5165e9f796"><code>a95158a</code></a>
Handle malformed fragment decoding without throwing (<a
href="https://redirect.github.com/fastify/fast-uri/issues/171">#171</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/cea547c91c6aae610041b17b75792ca4aa035a6d"><code>cea547c</code></a>
Bumped v3.1.1</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35"><code>876ce79</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/dcdf690b71a7bb3a19887ada65a9ab160d83bcc0"><code>dcdf690</code></a>
ci: add lock-threads workflow (<a
href="https://redirect.github.com/fastify/fast-uri/issues/169">#169</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/c860e6589b1ac346f66e114b4eadb9613768108c"><code>c860e65</code></a>
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (<a
href="https://redirect.github.com/fastify/fast-uri/issues/167">#167</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/9b4c6dc82fde0ca44e674403ece9185d85bb6d5f"><code>9b4c6dc</code></a>
build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (<a
href="https://redirect.github.com/fastify/fast-uri/issues/166">#166</a>)</li>
<li><a
href="https://github.com/fastify/fast-uri/commit/85d09a9f7aa76b32c2bb005a90a71e144c361d24"><code>85d09a9</code></a>
build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-mana...</li>
<li>Additional commits viewable in <a
href="https://github.com/fastify/fast-uri/compare/v3.0.6...v3.1.2">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2824)

Bumps
[@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs)
from 7.28.5 to 7.29.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/babel/babel/releases">@​babel/plugin-transform-modules-systemjs's
releases</a>.</em></p>
<blockquote>
<h2>v7.29.4 (2026-05-05)</h2>
<h4>:bug: Bug Fix</h4>
<ul>
<li><code>babel-plugin-transform-modules-systemjs</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17974">#17974</a>
[7.x backport]fix(systemjs): improve module string name support (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>Committers: 1</h4>
<ul>
<li>Huáng Jùnliàng (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
<h2>v7.29.3 (2026-04-30)</h2>
<h4>:eyeglasses: Spec Compliance</h4>
<ul>
<li><code>babel-parser</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17923">#17923</a>
Support flow extends bound (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>:bug: Bug Fix</h4>
<ul>
<li><code>babel-helper-create-class-features-plugin</code>,
<code>babel-plugin-proposal-decorators</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17931">#17931</a>
fix(decorators): replace super within all removed static elements (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
<li><code>babel-register</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix
thread synchronization issues in <code>@babel/register</code> (<a
href="https://github.com/liuxingbaoyu"><code>@​liuxingbaoyu</code></a>)</li>
</ul>
</li>
<li><code>babel-compat-data</code>,
<code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>,
<code>babel-preset-env</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add
bugfix plugin for Safari array rest destructuring bug (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>:nail_care: Polish</h4>
<ul>
<li><code>babel-parser</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17782">#17782</a>
Improve trailing comma comment handling (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>:memo: Documentation</h4>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17847">#17847</a>
Replace npmjs.com links with npmx.dev (<a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>)</li>
</ul>
<h4>:running_woman: Performance</h4>
<ul>
<li><code>babel-helper-import-to-platform-api</code>,
<code>babel-plugin-proposal-import-wasm-source</code>,
<code>babel-plugin-transform-json-modules</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17818">#17818</a>
Load async Wasm and JSON imports in parallel (<a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>)</li>
</ul>
</li>
</ul>
<h4>Committers: 4</h4>
<ul>
<li>Babel Bot (<a
href="https://github.com/babel-bot"><code>@​babel-bot</code></a>)</li>
<li>Huáng Jùnliàng (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
<li>Nicolò Ribaudo (<a
href="https://github.com/nicolo-ribaudo"><code>@​nicolo-ribaudo</code></a>)</li>
<li><a
href="https://github.com/liuxingbaoyu"><code>@​liuxingbaoyu</code></a></li>
</ul>
<h2>v7.29.2 (2026-03-16)</h2>
<h4>:eyeglasses: Spec Compliance</h4>
<ul>
<li><code>babel-parser</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17840">#17840</a>
[7.x backport] async x =&gt; {} must be in leading pos (<a
href="https://github.com/JLHwung"><code>@​JLHwung</code></a>)</li>
</ul>
</li>
</ul>
<h4>:bug: Bug Fix</h4>
<ul>
<li><code>babel-helpers</code>,
<code>babel-plugin-transform-async-generator-functions</code>,
<code>babel-preset-env</code>, <code>babel-runtime-corejs3</code>
<ul>
<li><a
href="https://redirect.github.com/babel/babel/pull/17805">#17805</a>
[7.x backport] fix: Properly handle await in finally (<a
href="https://github.com/liuxingbaoyu"><code>@​liuxingbaoyu</code></a>)</li>
</ul>
</li>
<li><code>babel-preset-env</code></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/babel/babel/commit/a458f66074b97d54773db8159af673d23b26079b"><code>a458f66</code></a>
v7.29.4</li>
<li><a
href="https://github.com/babel/babel/commit/32ebd5aaf2526ddd176fd6a3d1e3dc594abdc8d9"><code>32ebd5a</code></a>
[7.x backport]fix(systemjs): improve module string name support (<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17974">#17974</a>)</li>
<li><a
href="https://github.com/babel/babel/commit/aa8394e454337d118ac3d40bfa3ee1a3cb3f3ed2"><code>aa8394e</code></a>
v7.29.0</li>
<li><a
href="https://github.com/babel/babel/commit/0053db620c05acf0036f593b5aaf4e372daa79d0"><code>0053db6</code></a>
Update polyfill packages (<a
href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17727">#17727</a>)</li>
<li>See full diff in <a
href="https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [mermaid](https://github.com/mermaid-js/mermaid) from 11.14.0 to
11.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/mermaid-js/mermaid/releases">mermaid's
releases</a>.</em></p>
<blockquote>
<h2>mermaid@11.15.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7174">#7174</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483"><code>0aca217</code></a>
Thanks <a
href="https://github.com/milesspencer35"><code>@​milesspencer35</code></a>!
- feat(sequence): Add support for decimal start and increment values in
the <code>autonumber</code> directive</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7512">#7512</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d"><code>8e17492</code></a>
Thanks <a
href="https://github.com/aruncveli"><code>@​aruncveli</code></a>! -
feat(flowchart): add datastore shape</p>
<p>In Data flow diagrams, a datastore/warehouse/file/database is used to
represent data persistence. It is denoted by a rectangle with only top
and bottom borders, and can be used in flowcharts with <code>A@{ shape:
datastore, label: &quot;Datastore&quot; }</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/6440">#6440</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b"><code>9ad8dde</code></a>
Thanks <a href="https://github.com/yordis"><code>@​yordis</code></a>, <a
href="https://github.com/lgazo"><code>@​lgazo</code></a>! - feat: add
Event Modeling diagram</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7707">#7707</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d"><code>27db774</code></a>
Thanks <a href="https://github.com/txmxthy"><code>@​txmxthy</code></a>!
- feat(architecture): expose four fcose layout knobs for
<code>architecture-beta</code> diagrams (<code>nodeSeparation</code>,
<code>idealEdgeLengthMultiplier</code>, <code>edgeElasticity</code>,
<code>numIter</code>) so authors can tune layout density and spread
overlapping siblings without changing diagram source</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7604">#7604</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c"><code>bf9502f</code></a>
Thanks <a href="https://github.com/M-a-c"><code>@​M-a-c</code></a>! -
feat(class): add nested namespace support for class diagrams via dot
notation and syntactic nesting</p>
<p>If you have namespaces in class diagrams that use <code>.</code>s
already and want to render them without nesting (≤v11.14.0 behaviour),
you can set <code>class.hierarchicalNamespaces=false</code> in your
mermaid config:</p>
<pre lang="yaml"><code>config:
  class:
    hierarchicalNamespaces: false
</code></pre>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7272">#7272</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b"><code>88cdd3d</code></a>
Thanks <a
href="https://github.com/xinbenlv"><code>@​xinbenlv</code></a>! -
feat(sankey): add outlined label style, configurable
nodeWidth/nodePadding, and custom node colors</p>
</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7737">#7737</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f"><code>e9b0f34</code></a>
Thanks <a
href="https://github.com/ashishjain0512"><code>@​ashishjain0512</code></a>!
- fix: prevent unbalanced CSS styles in classDefs</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7737">#7737</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056"><code>37ff937</code></a>
Thanks <a
href="https://github.com/ashishjain0512"><code>@​ashishjain0512</code></a>!
- fix: create CSS styles using the CSSOM</p>
<p>This removes some invalid CSS and normalizes some CSS formatting.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7508">#7508</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65"><code>bfe60cc</code></a>
Thanks <a href="https://github.com/biiab"><code>@​biiab</code></a>! -
fix(stateDiagram): <code>end note</code> now only closes a note when
used on a new line</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7737">#7737</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e"><code>faafb5d</code></a>
Thanks <a
href="https://github.com/ashishjain0512"><code>@​ashishjain0512</code></a>!
- fix(gantt): add iteration limit for <code>excludes</code> field</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7737">#7737</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99"><code>65f8be2</code></a>
Thanks <a
href="https://github.com/ashishjain0512"><code>@​ashishjain0512</code></a>!
- fix: disallow some CSS at-rules in custom CSS</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7726">#7726</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824"><code>1502f32</code></a>
Thanks <a
href="https://github.com/aloisklink"><code>@​aloisklink</code></a>! -
fix(wardley): fix unnecessary sanitization of text</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7578">#7578</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2"><code>1f98db8</code></a>
Thanks <a
href="https://github.com/Gaston202"><code>@​Gaston202</code></a>! -
fix(class): self-referential class multiplicity labels no longer
rendered multiple times</p>
<p>Fixes <a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7560">#7560</a>.
Resolves an issue where cardinality labels on self-referential class
relationships were rendered three times due to edge splitting in the
dagre layout. The fix ensures that each sub-edge only carries its
relevant label positions.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7592">#7592</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086"><code>2343e38</code></a>
Thanks <a
href="https://github.com/knsv-bot"><code>@​knsv-bot</code></a>! -
fix(sequence): add background box behind alt/else section title labels
in sequence diagrams</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7589">#7589</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462"><code>7fb9509</code></a>
Thanks <a
href="https://github.com/NYCU-Chung"><code>@​NYCU-Chung</code></a>! -
fix(block): prevent column widths from shrinking when mixing different
column spans</p>
</li>
<li>
<p><a
href="https://redirect.github.com/mermaid-js/mermaid/pull/7632">#7632</a>
<a
href="https://github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2"><code>3f9e0f1</code></a>
Thanks <a
href="https://github.com/ekiauhce"><code>@​ekiauhce</code></a>! -
fix(sequence): correct messageAlign label position for right-to-left
arrows in sequence diagrams</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/41646dfd43ac83f001b03c70605feb036afae46d"><code>41646df</code></a>
Merge pull request <a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7739">#7739</a>
from aloisklink/ci/fix-release</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/2671f5c44a1515960ebc41c09a365c41860f95ee"><code>2671f5c</code></a>
docs: fix v11.15.0 release</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/f4bf04b5db8bed603e40ed3d5ce5228d6b07754e"><code>f4bf04b</code></a>
Merge pull request <a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7738">#7738</a>
from mermaid-js/changeset-release/master</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/abfb563e1dcbd46d617f44a6361bd6d926dc6289"><code>abfb563</code></a>
Version Packages</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/60b289f428d0a0832ad95ed4e1fb326344e23532"><code>60b289f</code></a>
Release Candidate 11.15.0 (<a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7737">#7737</a>)</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/d37c0db39ca2405b4473361063df2c47109dc2c9"><code>d37c0db</code></a>
Merge pull request <a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7730">#7730</a>
from aloisklink/fix/fix-edgeLabelRightLeft-changes</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/5ab5a2895fa8b7e90de85b43a4b99aa50b39b0f1"><code>5ab5a28</code></a>
docs: improve nested namespace changeset</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/18f8b4c5bf67aface3485272b48042f2fdd6fad2"><code>18f8b4c</code></a>
fix: revert endEdgeLabelLeft/endEdgeLabelRight change</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/504b2eb73d4d827baa817efd47ab6f44ae769b5a"><code>504b2eb</code></a>
Merge pull request <a
href="https://redirect.github.com/mermaid-js/mermaid/issues/7726">#7726</a>
from aloisklink/fix/correct-unnecessary-html-escapes...</li>
<li><a
href="https://github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824"><code>1502f32</code></a>
fix(wardley): fix unnecessary sanitization of text</li>
<li>Additional commits viewable in <a
href="https://github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mermaid&package-manager=npm_and_yarn&previous-version=11.14.0&new-version=11.15.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated the link as per Microsoft guidelines
…2821)

## Summary

The Step 3 and Step 4 `oauth2PermissionScopes` payloads in
`sso-setup.mdx` were missing two fields:

- `userConsentDescription`
- `userConsentDisplayName`

When the scope is `type: "User"` (which it is here), these fields are
what end users see at the consent prompt. Without them, the prompt falls
back to the admin text or default strings — a degraded UX.

This PR also expands `adminConsentDescription` from `"Access as user"`
(which was identical to the display name) to an actual descriptive
sentence.

## Context

[PR #2705](#2705) opened by
@hggzm originally added these fields against the pre-rewrite
`sso-setup.md`. That file was renamed to `sso-setup.mdx` and
substantially rewritten in #2719, leaving #2705 with an unresolvable
rebase conflict (modify/delete). This PR re-applies the contribution
against the current file. Closes the gap; #2705 can be closed as
superseded.

Refs: #2670, #2705

Co-authored-by: Hugo Gonzalez <hugogonzalez@microsoft.com>
## Summary
- make `teams self-update` use the package manager that owns the current
install (before, it would just use `npm`)
- refuse to self-update source/local installs instead of updating some
random global package, spooky stuff avoided
- share update version checks, handle prereleases properly, and wire up
`--disable-auto-update`

## Test plan
- npm -w @microsoft/teams.cli run check-types
- npm -w @microsoft/teams.cli test
- npm -w @microsoft/teams.cli run build
- tested npm self-update: installed internal
`@microsoft/teams.cli@2.10.0` globally with npm, then `teams
self-update` updated it to `3.0.0-preview.5`
- tested pnpm self-update: installed internal
`@microsoft/teams.cli@2.11.0` globally with pnpm, then `teams
self-update` updated it to `3.0.0-preview.5`
- tested bun self-update: installed internal
`@microsoft/teams.cli@2.10.0` globally with bun, then `teams
self-update` updated it to `3.0.0-preview.5`

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Fixes #2830.

`discoverAzureBot` and its helpers collapsed every az failure into
`null`, indistinguishable from a real "bot not found." `app update
--json` then returned a misleading `NOT_FOUND_AZURE_BOT`; under `--yes`,
an agent could try to recreate a bot that already exists but couldn't be
read.

Rebased on top of #2825's fallback chain. Only the bug-shaped catches
are removed; the two structural ones are kept:

- `findBotByName` outer catch — **removed** (pure suppression).
- `findBotByMsaAppIdViaList` outer catch — **removed** (pure
suppression).
- `findBotByMsaAppIdViaList` per-bot catch — **kept** (per-element
resilience inside `Promise.all`).
- `findBotByMsaAppIdViaGraph` outer catch — **kept** (intentional
fallback signal: routes "graph extension unavailable" to the list path;
pinned by #2825's tests).

`discoverAzureBot` rewraps the surviving catch as
`CliError('API_ARM_ERROR', 'Failed to discover Azure bot: <stderr>')` —
preferring `error.stderr` over `error.message` so the real az diagnostic
surfaces instead of `Command failed: cmd /c az.cmd ...`. `app doctor`
wraps the call so a throw becomes a `fail` entry instead of terminating
the report.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update docs to include updated quoted replies examples

---------

Co-authored-by: Corina Gum <>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- Adds an external-redirect entry for [Python support for the Microsoft
Teams SDK is now generally
available](https://devblogs.microsoft.com/microsoft365dev/python-support-for-the-microsoft-teams-sdk-is-now-generally-available/)
so it shows up in the docs blog listing
- Mirrors the format used by the existing Nov 18 entry and follows
`BLOGGING.md`
- The auto-sync script (`scripts/sync-devblogs.ts`) didn't catch this
post because it isn't tagged `teams-ai-library` on devblogs

## Test plan
- [ ] `npm run docs:dev` shows the post in `/teams-sdk/blog`
- [ ] Clicking through redirects to the devblogs URL
- [ ] `npx tsx scripts/sync-devblogs.ts --dry-run` reports no new posts
to add (i.e. no duplicate would be created on next sync)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds an in-depth guide for message reactions covering outbound
add/remove and inbound `messageReaction` handling, plus links the
existing "Reactions" section in the Sending Messages essentials page to
the new guide.

## What's covered in the guide

- Public-developer-preview banner
- Adding and removing reactions (`api.reactions.add` /
`api.reactions.delete` / `Reactions.AddAsync` / `Reactions.DeleteAsync`)
- Receiving reactions: `messageReaction` activity handlers across all
three SDKs, plus the .NET-only `OnMessageReactionAdded` /
`OnMessageReactionRemoved` sub-handlers
- Available reaction types — the modern set of 6 (`like`, `heart`,
`1f440_eyes`, `2705_whiteheavycheckmark`, `launch`, `1f4cc_pushpin`)
- Skin tone variants (`-tone1` … `-tone5`)
- Rate limits (2 reactions/sec, 429 + Retry-After)
- Best practices and differences from Feedback

## What's intentionally omitted

- **Custom reactions section** — aligned with the Microsoft Learn agent
reactions PR
([msteams-docs#13991](MicrosoftDocs/msteams-docs#13991)),
which is omitting custom reaction examples due to a known client-side
rendering issue. A commented-out link to the Learn reactions reference
remains in the source for restoration once that PR lands.
- **Advanced API client usage** — the previous draft's example
referenced an `ApiClient` constructor that doesn't exist in the current
SDK; removed rather than rewritten.

## Coordination

- C# samples follow the project convention from #2735 (cancellationToken
in handler signatures, threaded through `Send`, `Task.Delay`, and
reaction API calls).
- The TypeScript include uses `api.reactions.delete()` ahead of
[microsoft/teams.ts#567](microsoft/teams.ts#567),
which renames `remove()` → `delete()` to align with teams.py and
teams.net.

## Test plan

- [x] `npm start` regenerates docs cleanly with no content gaps
- [x] Per-language renders (TS / Python / C#) verified in the dev server
- [x] Cross-link from `essentials/sending-messages` → in-depth guide
resolves correctly
- [ ] Visual review on the deployed preview

---------

Co-authored-by: Corina Gum <14900841+corinagum@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Removes the `:::tip[.NET]` callout block from the reactions in-depth
guide's C# include. The block instructed readers to suppress
`ExperimentalTeamsReactions` via `#pragma` or `<NoWarn>` — that's no
longer applicable now that the `[Experimental]` attribute is being
removed from teams.net (sibling PR).

## Cross-SDK coordination

Part of the cross-SDK Reactions-GA pass. Sibling PRs:
- microsoft/teams.ts#575 — Mark reactions API as GA
- microsoft/teams.py#427 — Mark reactions API as GA
- microsoft/teams.net#509 — Mark reactions API as GA (Libraries + core)

## Test plan

- [x] `npm start` regenerates docs cleanly with no content gaps
- [x] C# in-depth guide renders without the opt-in callout (verified in
local dev server)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adding Teams Reaction Reference page from learn so developers can use
any emojiID for reactions.

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Summary
- Stop inserting dots into C# project names during scaffold
- Add tests so `PmAgent` stays `PmAgent` instead of becoming `Pm.Agent`
- Historically, it looks like this was accidentally added.


Fixes microsoft/teams.ts#137
Fixes microsoft/teams.ts#371

## Test plan
- `npm --prefix packages/cli test -- project-new-csharp.test.ts`
- `npm --prefix packages/cli run check-types`
- Manually scaffolded `project new csharp PmAgent --template echo
--json`
## Summary
- Let the full description prompt accept empty input during app create,
so it can fall back to the short description
- Show the reinstall hint after RSC permission updates when the app
version auto-bumps
- Include `needsReinstall` in RSC JSON output when relevant

## Test plan
- npm -w @microsoft/teams.cli test -- manifest-builder-icons.test.ts
rsc-set.test.ts rsc-web-app-info.test.ts
- npm -w @microsoft/teams.cli run check-types
Add preview slash command documentation to the On Activity page,
including behavior notes and language-specific examples for TypeScript,
C#, and Python.
## Summary

- Consolidated the three separate blog posts (announcement, agentic
identity, Bot Framework migration) into a single comprehensive
announcement post
- Added a "Migration from Teams SDK 2.0" section summarizing
backward-compatible APIs, breaking changes, and removed packages
- Fixed "Agents 365" → "Agent 365" naming and updated links to
`learn.microsoft.com/microsoft-agent-365/`
- Updated publish date to 5/19

## Test plan

- [ ] Verify the blog post renders correctly with `npm start` in the
`teams.md` directory
- [ ] Confirm all internal anchor links (`#agentic-identity`,
`#migration-from-bot-framework-v4`, `#migration-from-teams-sdk-20`,
etc.) resolve correctly
- [ ] Verify the Tabs/TabItem MDX components render properly in the MSAL
Authentication section
- [ ] Confirm SVG diagrams display correctly in both light and dark
themes

---------

Co-authored-by: Umang <3513186+umangsehgal@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Nick Walker <nickwalk@microsoft.com>
New blog for agent sending reactions.

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nick Walker <nickwalk@microsoft.com>
fixing broken image link

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nick Walker <nickwalk@microsoft.com>
## Summary
- point CLI update checks and self-update installs at npm `latest`
- update self-update expectations for npm/pnpm installs

This lets the final preview bridge and stable v3 both move users onto
the stable CLI channel. Tiny but important.

## Validation
- `npm -w @microsoft/teams.cli test -- self-update.test.ts
update-info.test.ts`
- `npm -w @microsoft/teams.cli run build`
Bumps [qs](https://github.com/ljharb/qs) and
[express](https://github.com/expressjs/express). These dependencies
needed to be updated together.
Updates `qs` from 6.14.2 to 6.15.2
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's
changelog</a>.</em></p>
<blockquote>
<h2><strong>6.15.2</strong></h2>
<ul>
<li>[Fix] <code>stringify</code>: skip null/undefined entries in
<code>arrayFormat: 'comma'</code> + <code>encodeValuesOnly</code>
instead of crashing in <code>encoder</code></li>
<li>[Fix] <code>stringify</code>: use configured <code>delimiter</code>
after <code>charsetSentinel</code> (<a
href="https://redirect.github.com/ljharb/qs/issues/555">#555</a>)</li>
<li>[Fix] <code>stringify</code>: apply <code>formatter</code> to
encoded key under <code>strictNullHandling</code> (<a
href="https://redirect.github.com/ljharb/qs/issues/554">#554</a>)</li>
<li>[Fix] <code>stringify</code>: skip null/undefined filter-array
entries instead of crashing in <code>encoder</code> (<a
href="https://redirect.github.com/ljharb/qs/issues/551">#551</a>)</li>
<li>[Fix] <code>parse</code>: handle nested bracket groups and add
regression tests (<a
href="https://redirect.github.com/ljharb/qs/issues/530">#530</a>)</li>
<li>[readme] fix grammar (<a
href="https://redirect.github.com/ljharb/qs/issues/550">#550</a>)</li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li>[Tests] add regression tests for keys containing percent-encoded
bracket text</li>
</ul>
<h2><strong>6.15.1</strong></h2>
<ul>
<li>[Fix] <code>parse</code>: <code>parameterLimit: Infinity</code> with
<code>throwOnLimitExceeded: true</code> silently drops all
parameters</li>
<li>[Deps] update <code>@ljharb/eslint-config</code></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>iconv-lite</code></li>
<li>[Tests] increase coverage</li>
</ul>
<h2><strong>6.15.0</strong></h2>
<ul>
<li>[New] <code>parse</code>: add <code>strictMerge</code> option to
wrap object/primitive conflicts in an array (<a
href="https://redirect.github.com/ljharb/qs/issues/425">#425</a>, <a
href="https://redirect.github.com/ljharb/qs/issues/122">#122</a>)</li>
<li>[Fix] <code>duplicates</code> option should not apply to bracket
notation keys (<a
href="https://redirect.github.com/ljharb/qs/issues/514">#514</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ljharb/qs/commit/9aca4076fe788338c67cf7e115f0be6bc58d85a8"><code>9aca407</code></a>
v6.15.2</li>
<li><a
href="https://github.com/ljharb/qs/commit/5e33d33447ed0bf1ddab9abc41d27dea4687d992"><code>5e33d33</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li><a
href="https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41"><code>21f80b3</code></a>
[Fix] <code>stringify</code>: skip null/undefined entries in
<code>arrayFormat: 'comma'</code> + `e...</li>
<li><a
href="https://github.com/ljharb/qs/commit/a0a81ea2071acce3eff41a040f719ac8f5c4f64c"><code>a0a81ea</code></a>
[Fix] <code>stringify</code>: use configured <code>delimiter</code>
after <code>charsetSentinel</code></li>
<li><a
href="https://github.com/ljharb/qs/commit/e3062f78f5233b338ceeb8e8dfa5a07dea4b32a8"><code>e3062f7</code></a>
[Fix] <code>stringify</code>: apply <code>formatter</code> to encoded
key under <code>strictNullHandling</code></li>
<li><a
href="https://github.com/ljharb/qs/commit/0c180a40adb8c6703fffc85b2ff06ca209f5c1e0"><code>0c180a4</code></a>
[Fix] <code>stringify</code>: skip null/undefined filter-array entries
instead of crashi...</li>
<li><a
href="https://github.com/ljharb/qs/commit/3a8b94aec19bd664720f6f6b1e66c4a0dfe4b656"><code>3a8b94a</code></a>
[Tests] add regression tests for keys containing percent-encoded bracket
text</li>
<li><a
href="https://github.com/ljharb/qs/commit/96755abd357c0e534dd3442a84a04d08864bfe0d"><code>96755ab</code></a>
[readme] fix grammar</li>
<li><a
href="https://github.com/ljharb/qs/commit/a419ce5bbfcdb98a299f1a0bb47ea055baef20e6"><code>a419ce5</code></a>
[Fix] <code>parse</code>: handle nested bracket groups and add
regression tests</li>
<li><a
href="https://github.com/ljharb/qs/commit/3f5e1c528c967d915096787efbffa73cf6044170"><code>3f5e1c5</code></a>
v6.15.1</li>
<li>Additional commits viewable in <a
href="https://github.com/ljharb/qs/compare/v6.14.2...v6.15.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `express` from 4.22.1 to 4.22.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/releases">express's
releases</a>.</em></p>
<blockquote>
<h2>v4.22.2</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: restore &gt;20 array parsing for <code>req.query</code>
repeated keys (<a
href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe6</code></a>)
<ul>
<li>This also unifies array-cap behavior across notations. Indexed
notation (<code>a[0]=...</code>) was historically capped at qs's default
<code>arrayLimit</code> of 20 even in older qs versions; after this
change it also allows up to 1000 items.</li>
</ul>
</li>
<li>deps: qs@~6.15.1</li>
<li>deps: body-parser@~1.20.5</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/suuuuuuminnnnnn"><code>@​suuuuuuminnnnnn</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/express/pull/7021">expressjs/express#7021</a></li>
<li><a href="https://github.com/SAY-5"><code>@​SAY-5</code></a> made
their first contribution in <a
href="https://redirect.github.com/expressjs/express/pull/7181">expressjs/express#7181</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/v4.22.1...v4.22.2">https://github.com/expressjs/express/compare/v4.22.1...v4.22.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/blob/v4.22.2/History.md">express's
changelog</a>.</em></p>
<blockquote>
<h1>4.22.2 / 2026-05-011</h1>
<ul>
<li>fix: restore &gt;20 array parsing for <code>req.query</code>
repeated keys (<a
href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe6</code></a>)
<ul>
<li>This also unifies array-cap behavior across notations. Indexed
notation (<code>a[0]=...</code>) was historically capped at qs's default
<code>arrayLimit</code> of 20 even in older qs versions; after this
change it also allows up to 1000 items.</li>
</ul>
</li>
<li>deps: qs@~6.15.1</li>
<li>deps: body-parser@~1.20.5</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/expressjs/express/commit/df0abc9333a3398b97b71f6ea7cd77d5ea3e9f97"><code>df0abc9</code></a>
4.22.2</li>
<li><a
href="https://github.com/expressjs/express/commit/836d36668ea750f78b4373b4de79bbd22634e6ec"><code>836d366</code></a>
<code>4.x</code> update qs to 6.15.1, body-parser 1.20.5 (<a
href="https://redirect.github.com/expressjs/express/issues/7224">#7224</a>)</li>
<li><a
href="https://github.com/expressjs/express/commit/8d09bfe6d88983da5c3e12cfdd54782c4dc675db"><code>8d09bfe</code></a>
fix: restore array parsing for req.query repeated keys (<a
href="https://redirect.github.com/expressjs/express/issues/7181">#7181</a>)</li>
<li><a
href="https://github.com/expressjs/express/commit/d39e8ad1778a0b8a606a5a7b17096d0cc5ec722d"><code>d39e8ad</code></a>
deps: body-parser@~1.20.4 (<a
href="https://redirect.github.com/expressjs/express/issues/7021">#7021</a>)</li>
<li><a
href="https://github.com/expressjs/express/commit/efe85d9fdc9e3a62f7a1121b4f5f484862298b48"><code>efe85d9</code></a>
deps: qs@^6.14.1 (<a
href="https://redirect.github.com/expressjs/express/issues/6972">#6972</a>)</li>
<li><a
href="https://github.com/expressjs/express/commit/f62378e1bc776259c0a471476c2dc043a02ac762"><code>f62378e</code></a>
📝 add note to history</li>
<li>See full diff in <a
href="https://github.com/expressjs/express/compare/v4.22.1...v4.22.2">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
- move CLI versioning/package metadata to stable v3
- update CLI docs, README install snippets, and teams-dev skill guidance
for stable installs
- refresh RELEASE.md with stable, preview bridge, and npm tag steps

This is stacked on #2841 so the stable release also keeps self-update on
npm `latest`.

## Validation
- `npm -w @microsoft/teams.cli test -- self-update.test.ts
update-info.test.ts`
- `npm -w @microsoft/teams.cli run build`
- `npm -w teams-md run build`
Showed the post to Erika, who works on the A365 docs, and she suggested
replacement targets for a couple of links.

Suggestion only, you are free to take it or leave it 😄
## Summary

Adds a Trust Model page under Essentials → App Configuration documenting
the layered authentication model the SDK uses for inbound JSON Web
Tokens.

## Why

A scanner flagged the SDK's `JsonWebToken` accessor class because it
does not perform signature verification at the point of token parsing. A
cross-SDK audit confirmed this is intentional architecture: signature
verification runs at the HTTP boundary (via the activity pipeline's
token validator), and the accessor class is a typed view over
already-validated payloads. Every consumer of decoded claims is
downstream of a validator pass.

This page makes the architectural invariant explicit for SDK consumers,
reviewers, and future contributors.

## What's covered

- What the SDK validates automatically on `/api/messages` (signature,
issuer, audience, lifetime, algorithm)
- What downstream code can rely on (typed accessors over validated
tokens)
- How to add custom authentication to non-default surfaces (MCP,
callbacks, webhooks) — references the `requireAuth` hook recently added
in microsoft/teams.ts#540 / microsoft/teams.net#448
- Anti-patterns to avoid (constructing the accessor from untrusted input
as a basis for authorization decisions)

## Build verified

`npm run build` clean.

## Related PRs

- TypeScript: microsoft/teams.ts#586
- Python: microsoft/teams.py#432
- .NET: microsoft/teams.net#517

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
)

## Summary

- **New page**: `developer-tools/agents-playground/` with install,
launch, common flags, migration-from-DevTools section, and a link out to
the Microsoft Learn guide. Anonymous mode is positioned as the
recommended migration path; `skipAuth: true` is documented as an
alternative.
- **Deprecation banners** added to the 4 retained DevTools pages
(`developer-tools/devtools/README.md`, `chat.md`, `cards.md`,
`inspect.md`). Each banner links to the new Agents Playground page and
to the Microsoft Learn guide.
- **Trimmed the deprecated DevTools pages** from 249 lines down to 54
lines total. Removed how-to content and external GitHub-blob screenshot
references that no one new should be learning from. Kept frontmatter,
H1, banner, and one summary paragraph per page.
- **Migrated 15+ mdx files** under TS/C#/Python getting-started and MCP
guides to point at Microsoft 365 Agents Playground. Python
getting-started sections that were `N/A` now have real content.
- **Renamed stale section markers**: `devtools-tip` → `inspector-tip`,
`devtools-gif` → `inspector-image`, `devtools-resource-link` →
`local-test-link`, `devtools-monitoring-tip` → `local-test-tip`,
`devtools-plugin-example` → `local-test-note`. Touched 16 source files
(templates + includes); regenerated all `docs/main/**` outputs.
- **Replaced 3 screenshots** captured against the actual Agents
Playground UI (`agents-playground-blank.png`,
`agents-playground-echo-chat.png`,
`agents-playground-mcp-client-pokemon.png`). Deleted 4 stale files
(`devtools-echo-chat.png`, `devtools-blank.png`, `mcp-devtools.gif`,
`mcp-client-pokemon.gif`).
- **Kept**: `mcp-inspector.gif` (the canonical external MCP testing
tool, unrelated to DevTools deprecation).

## Why

DevTools is being replaced by Microsoft 365 Agents Playground. The docs
needed to:

1. Stop teaching new users to wire up DevTools.
2. Give existing DevTools users a clear migration path.
3. Make the Agents Playground story discoverable in the same place they
used to find DevTools.

The migration section explicitly tells customers they can remove
`@microsoft/teams.dev` (and the .NET equivalent) from their dependencies
after deleting `DevtoolsPlugin`, since Playground is a standalone CLI
tool and not a project dependency.

## Test plan

- [x] `npm run generate:docs` (regenerates 64 templates across 3
languages)
- [x] `npm run generate:llms` (regenerates llms.txt files)
- [x] `npm run build` (succeeded; the 3 broken-anchor warnings are
pre-existing sso-troubleshooting refs unrelated to this change)
- [x] Walked the docs site in a browser via chrome-devtools MCP:
agents-playground page renders, deprecation banner shows on the devtools
pages, TS / Python / C# quickstarts show the new install + launch
instructions
- [ ] Reviewer to scan for any DevTools references that slipped through

## Related work

PRs in the SDK repos:
- teams.ts: deprecate `DevtoolsPlugin`, anonymous warning, samples
cleanup
- teams.py: anonymous warning
- teams.net: `[Obsolete]` on DevTools (Libraries 2.0), samples cleanup,
anonymous warning, package metadata

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [ws](https://github.com/websockets/ws) from 8.18.3 to 8.21.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/websockets/ws/releases">ws's
releases</a>.</em></p>
<blockquote>
<h2>8.21.0</h2>
<h1>Features</h1>
<ul>
<li>Introduced the <code>maxBufferedChunks</code> and
<code>maxFragments</code> options (2b2abd45).</li>
</ul>
<h1>Bug fixes</h1>
<ul>
<li>Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).</li>
</ul>
<p>A high volume of tiny fragments and data chunks could be sent by a
peer, using
modest network traffic, to crash a <code>ws</code> server or client due
to OOM.</p>
<pre lang="js"><code>import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});
</code></pre>
<p>The vulnerability was responsibly disclosed and fixed by <a
href="https://github.com/Nadav0077">Nadav Magier</a>.</p>
<p>In vulnerable versions, the issue can be mitigated by lowering the
value of the
<code>maxPayload</code> option if possible.</p>
<h2>8.20.1</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"><code>bca91ad</code></a>
[dist] 8.21.0</li>
<li><a
href="https://github.com/websockets/ws/commit/2b2abd458a1b647d0b6033bd62a619c36189839a"><code>2b2abd4</code></a>
[security] Limit retained message parts</li>
<li><a
href="https://github.com/websockets/ws/commit/78eabe2a6677b231bf9c82601bde86ff91639490"><code>78eabe2</code></a>
[security] Add latest vulnerability to SECURITY.md</li>
<li><a
href="https://github.com/websockets/ws/commit/5d9b316230ea931532a6671cc450f18c11edd02f"><code>5d9b316</code></a>
[dist] 8.20.1</li>
<li><a
href="https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"><code>c0327ec</code></a>
[security] Fix uninitialized memory disclosure in
<code>websocket.close()</code></li>
<li><a
href="https://github.com/websockets/ws/commit/ce2a3d62437995a47e6056d485a33d21b6a8f867"><code>ce2a3d6</code></a>
[ci] Test on node 26</li>
<li><a
href="https://github.com/websockets/ws/commit/58e45b872bb0f35a3edd553c27e105300a4f5bd0"><code>58e45b8</code></a>
[ci] Do not test on node 25</li>
<li><a
href="https://github.com/websockets/ws/commit/5f26c245231a4b018479a9269e8c3da4773fe42f"><code>5f26c24</code></a>
[ci] Run the lint step on node 24</li>
<li><a
href="https://github.com/websockets/ws/commit/843925544e2f4cffe445e0179947f56d6c5b608f"><code>8439255</code></a>
[dist] 8.20.0</li>
<li><a
href="https://github.com/websockets/ws/commit/d3503c1fd36a310985108f62b343bae18346ab67"><code>d3503c1</code></a>
[minor] Export the <code>PerMessageDeflate</code> class and header
utils</li>
<li>Additional commits viewable in <a
href="https://github.com/websockets/ws/compare/8.18.3...8.21.0">compare
view</a></li>
</ul>
</details>
<br />



Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
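
The fragment-flood failure mode described in the ws 8.21.0 release notes above, as an added example that is not part of the commit message or of ws itself: a minimal reassembler showing why a byte limit such as `maxPayload` alone leaves the number of retained parts unbounded, and how a part-count cap closes that gap. The `Reassembler` class, the `clientFrame` and `simulate` helpers, the close codes chosen and the semantics given to `maxFragments` are assumptions for illustration.

```javascript
// Added illustration: a minimal fragment reassembler, NOT the ws implementation.
// The option names maxPayload / maxFragments are borrowed from the release notes;
// the semantics given to them here are an assumption.

const OP_CONT = 0x0;
const OP_BINARY = 0x2;
const CLOSE_PROTOCOL_ERROR = 1002; // RFC 6455 close codes
const CLOSE_TOO_BIG = 1009;

// Build a masked client frame (RFC 6455 layout, payloads under 126 bytes only).
// Constructed sample input for the demo.
function clientFrame(opcode, payload, fin) {
  const mask = Buffer.from([0x11, 0x22, 0x33, 0x44]);
  const body = Buffer.from(payload); // copy, so the caller's data is untouched
  for (let i = 0; i < body.length; i++) body[i] ^= mask[i % 4];
  const head = Buffer.from([(fin ? 0x80 : 0x00) | opcode, 0x80 | body.length]);
  return Buffer.concat([head, mask, body]);
}

class Reassembler {
  constructor({ maxPayload, maxFragments }) {
    this.maxPayload = maxPayload;
    this.maxFragments = maxFragments;
    this.reset();
  }

  reset() {
    this.parts = []; // retained fragments of the message in progress
    this.totalBytes = 0;
    this.inMessage = false;
  }

  fail(code) {
    this.reset(); // release everything retained before closing
    return { close: code };
  }

  // Accepts one complete frame. Returns { message }, { close }, or {} (need more).
  push(buf) {
    const fin = (buf[0] & 0x80) !== 0;
    const opcode = buf[0] & 0x0f;
    const masked = (buf[1] & 0x80) !== 0;
    const len = buf[1] & 0x7f;
    // This sketch only handles masked frames with a 7-bit length.
    if (!masked || len > 125) return this.fail(CLOSE_PROTOCOL_ERROR);
    if (opcode >= 0x8) return {}; // control frames are not reassembled
    // A continuation needs a message in progress; a data frame must not interrupt one.
    if ((opcode === OP_CONT) !== this.inMessage) return this.fail(CLOSE_PROTOCOL_ERROR);

    const mask = buf.subarray(2, 6);
    const payload = Buffer.from(buf.subarray(6, 6 + len));
    for (let i = 0; i < len; i++) payload[i] ^= mask[i % 4];

    // Byte budget: bounds payload bytes, but not how many objects are retained.
    if (this.totalBytes + len > this.maxPayload) return this.fail(CLOSE_TOO_BIG);
    // Part budget: bounds how many fragments one message can make the receiver hold.
    if (this.parts.length + 1 > this.maxFragments) return this.fail(CLOSE_TOO_BIG);

    this.parts.push(payload);
    this.totalBytes += len;
    this.inMessage = true;
    if (!fin) return {};

    const message = Buffer.concat(this.parts, this.totalBytes);
    this.reset();
    return { message };
  }
}

// Feed `count` one-byte, non-final fragments and report what the receiver holds.
function simulate(limits, count) {
  const r = new Reassembler(limits);
  const first = clientFrame(OP_BINARY, Buffer.alloc(1), false);
  const cont = clientFrame(OP_CONT, Buffer.alloc(1), false);
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    const result = r.push(i === 0 ? first : cont);
    if (result.close) {
      return { closeCode: result.close, accepted, retainedParts: r.parts.length };
    }
    accepted++;
  }
  return { closeCode: null, accepted, retainedParts: r.parts.length };
}

// Byte limit only: 50000 payload bytes stay far below 1 MiB, yet 50000 parts are held.
console.log(simulate({ maxPayload: 1 << 20, maxFragments: Infinity }, 50000));
// Byte limit plus part cap: the connection is closed once the cap is exceeded.
console.log(simulate({ maxPayload: 1 << 20, maxFragments: 1024 }, 50000));
```

With only the byte limit, every one-byte fragment is retained as its own `Buffer`, so the receiver's bookkeeping grows with the fragment count rather than with the payload size.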
ShanmathiMayuramKrithivasan and others added 21 commits June 8, 2026 09:06
Adds docs for prompt preview feature across C#, TypeScript, and Python.

Bumps [shell-quote](https://github.com/ljharb/shell-quote) to 1.8.4 and
updates ancestor dependency
[concurrently](https://github.com/open-cli-tools/concurrently). These
dependencies need to be updated together.

Updates `shell-quote` from 1.8.3 to 1.8.4
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md">shell-quote's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4">v1.8.4</a>
- 2026-05-22</h2>
<h3>Commits</h3>
<ul>
<li>[Fix] <code>quote</code>: validate object-token shapes <a
href="https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d"><code>4378a6e</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>eslint</code>, <code>npmignore</code>
<a
href="https://github.com/ljharb/shell-quote/commit/22ebec04349065a45ad8afc8cc8d53c4624634a6"><code>22ebec0</code></a></li>
<li>[Tests] increase coverage <a
href="https://github.com/ljharb/shell-quote/commit/9f3caa31900cc6ee64858b31134144c648ce206d"><code>9f3caa3</code></a></li>
<li>[readme] replace runkit CI badge with shields.io check-runs badge <a
href="https://github.com/ljharb/shell-quote/commit/3344a047dd1e95f71c4ca27522cbfd05c56277e0"><code>3344a04</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code> <a
href="https://github.com/ljharb/shell-quote/commit/699c5113d135f4d4591574bebf173334ffa453d4"><code>699c511</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ljharb/shell-quote/commit/ff166e2b63eb5f932bd131a8886a99e9afdf45ae"><code>ff166e2</code></a>
v1.8.4</li>
<li><a
href="https://github.com/ljharb/shell-quote/commit/4378a6e613db5948168684864e49b42b83134d2d"><code>4378a6e</code></a>
[Fix] <code>quote</code>: validate object-token shapes</li>
<li><a
href="https://github.com/ljharb/shell-quote/commit/22ebec04349065a45ad8afc8cc8d53c4624634a6"><code>22ebec0</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>eslint</code>, `npmig...</li>
<li><a
href="https://github.com/ljharb/shell-quote/commit/9f3caa31900cc6ee64858b31134144c648ce206d"><code>9f3caa3</code></a>
[Tests] increase coverage</li>
<li><a
href="https://github.com/ljharb/shell-quote/commit/3344a047dd1e95f71c4ca27522cbfd05c56277e0"><code>3344a04</code></a>
[readme] replace runkit CI badge with shields.io check-runs badge</li>
<li><a
href="https://github.com/ljharb/shell-quote/commit/699c5113d135f4d4591574bebf173334ffa453d4"><code>699c511</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li>See full diff in <a
href="https://github.com/ljharb/shell-quote/compare/v1.8.3...v1.8.4">compare
view</a></li>
</ul>
</details>
<br />

Updates `concurrently` from 9.2.1 to 10.0.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/open-cli-tools/concurrently/releases">concurrently's
releases</a>.</em></p>
<blockquote>
<h2>v10.0.3</h2>
<p>Republish of <a
href="https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1">https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1</a>
with Trusted Publishing enabled (see <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/595">#595</a>)</p>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/open-cli-tools/concurrently/compare/v10.0.2...v10.0.3">https://github.com/open-cli-tools/concurrently/compare/v10.0.2...v10.0.3</a></p>
<h2>v10.0.2</h2>
<p>Test version to restore Trusted Publishing. Not published to npm.</p>
<h2>v10.0.1</h2>
<ul>
<li>Ensure <code>FlowController</code> type is exported - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/594">#594</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/open-cli-tools/concurrently/compare/v10.0.0...v10.0.1">https://github.com/open-cli-tools/concurrently/compare/v10.0.0...v10.0.1</a></p>
<h2>v10.0.0</h2>
<h2>💥 Breaking Changes</h2>
<ul>
<li><strong>Dropped support for Node.js &lt;22.0.0.</strong>
Older Node.js versions have reached end-of-life, and certain features
require new-ish JS APIs.</li>
<li><strong>concurrently is now ESM-only.</strong>
It's now possible to <code>require(esm)</code>. See <a
href="https://socket.dev/blog/require-esm-backported-to-node-js-20">here
for interoperability</a>.</li>
<li><strong>Prefix colors now default to automatic</strong> - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/581">#581</a>
The colors used to default to <code>reset</code> (which does nothing).
Concurrently now automatically selects a color, out of the box.
The list of colors used is not jarring nor carries semantic meaning, and
reads well in both dark and light terminal backgrounds.</li>
<li><strong>Removed deprecated flags and options</strong>
<ul>
<li>CLI flag <code>--name-separator</code>: use commas instead.</li>
<li>API option <code>killOthers</code>: use <code>killOthersOn</code>
instead.</li>
</ul>
</li>
</ul>
<h2>✨ New Features</h2>
<ul>
<li>Support applying modifiers to hex prefix colors (e.g.
<code>#ff0000.bold</code>) - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/450">#450</a></li>
<li>Support chalk's color functions in prefixes (e.g.
<code>rgb()</code>, <code>hex()</code>, <code>bgRgb()</code>, etc) - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/578">#578</a></li>
<li>Set prefix background color via <code>bg#RRGGBB</code> - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/578">#578</a></li>
<li>Allow shell override via <code>--shell</code> CLI
flag/<code>shell</code> API option - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/288">#288</a>,
<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/589">#589</a>,
<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/556">#556</a>
concurrently distinguishes between cmd.exe, powershell, and POSIX-based
shells.</li>
<li>Manual prefix coloring in templates e.g.
<code>[{color}{name}{/color}]</code> - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/583">#583</a>,
<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/587">#587</a></li>
</ul>
<h2>🐛 Bug fixes</h2>
<ul>
<li>Scope quote normalization to CLI input - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/582">#582</a>,
<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/585">#585</a>
It should now also be possible to run commands like
<code>&quot;/some/command&quot; foo bar&quot;</code></li>
<li>Don't throw when color doesn't exist - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/580">#580</a></li>
</ul>
<h2>🔐 Security</h2>
<ul>
<li>Address <a
href="https://app.snyk.io/vuln/SNYK-JS-SHELLQUOTE-16799355">vulnerability
in <code>shellquote</code></a> - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/591">#591</a></li>
</ul>
<h2>Other changes</h2>
<ul>
<li>Warn about running on Snap - <a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/584">#584</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/philfreo"><code>@​philfreo</code></a>
made their first contribution in <a
href="https://redirect.github.com/open-cli-tools/concurrently/pull/566">open-cli-tools/concurrently#566</a></li>
<li><a href="https://github.com/garretmh"><code>@​garretmh</code></a>
made their first contribution in <a
href="https://redirect.github.com/open-cli-tools/concurrently/pull/450">open-cli-tools/concurrently#450</a></li>
<li><a href="https://github.com/CodeF53"><code>@​CodeF53</code></a> made
their first contribution in <a
href="https://redirect.github.com/open-cli-tools/concurrently/pull/574">open-cli-tools/concurrently#574</a></li>
<li><a href="https://github.com/nkappler"><code>@​nkappler</code></a>
made their first contribution in <a
href="https://redirect.github.com/open-cli-tools/concurrently/pull/577">open-cli-tools/concurrently#577</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/435f61b5c5611daa25b9d7e97dded2e1a370201e"><code>435f61b</code></a>
10.0.3</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/5ea69c6432de4ba4ff27d2f43a9970b8760213f8"><code>5ea69c6</code></a>
ci: use node 24 in the release workflow</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/18e1281879125e9a0de76ec329cbb657e10cfcde"><code>18e1281</code></a>
10.0.2</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/e70686fdd0ccad95466cc99c3e7fdc7fcde16487"><code>e70686f</code></a>
10.0.1</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/a95bcebd7bfc559e1b27ec9673d71ea6200bb344"><code>a95bceb</code></a>
Rename flow-controller{.d -&gt; }.ts</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/ced4245a9a6739b43afbc8ae63565bd83a5a54c7"><code>ced4245</code></a>
ci: configure trusted publisher flow</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/cf2eaa2b0fd36cc9f1eaf1f8c56de8d21bd0a42c"><code>cf2eaa2</code></a>
10.0.0</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/1b9bae47a9d966cc13c3da4a4dab5d0c40a16ded"><code>1b9bae4</code></a>
deps: upgrade yargs to v18 (<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/593">#593</a>)</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/b05ee750cafde7b10b544c0153ad56c53571b422"><code>b05ee75</code></a>
Bump min Node.js version to v22</li>
<li><a
href="https://github.com/open-cli-tools/concurrently/commit/ae60bc4ef10d4292b44af42f26d1ab20bad2484c"><code>ae60bc4</code></a>
Scope quote normalization to CLI input (<a
href="https://redirect.github.com/open-cli-tools/concurrently/issues/585">#585</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-cli-tools/concurrently/compare/v9.2.1...v10.0.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for concurrently since your current version.</p>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [esbuild](https://github.com/evanw/esbuild) to 0.28.1 and updates
ancestor dependency [tsx](https://github.com/privatenumber/tsx). These
dependencies need to be updated together.

Updates `esbuild` from 0.28.0 to 0.28.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/evanw/esbuild/releases">esbuild's
releases</a>.</em></p>
<blockquote>
<h2>v0.28.1</h2>
<ul>
<li>
<p>Disallow <code>\</code> in local development server HTTP requests (<a
href="https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr">GHSA-g7r4-m6w7-qqqr</a>)</p>
<p>This release fixes a security issue where HTTP requests to esbuild's
local development server could traverse outside of the serve directory
on Windows using a <code>\</code> backslash character. It happened due
to the use of Go's <code>path.Clean()</code> function, which only
handles Unix-style <code>/</code> characters. HTTP requests with paths
containing <code>\</code> are no longer allowed.</p>
<p>Thanks to <a
href="https://github.com/dellalibera"><code>@​dellalibera</code></a> for
reporting this issue.</p>
</li>
<li>
<p>Add integrity checks to the Deno API (<a
href="https://github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr">GHSA-gv7w-rqvm-qjhr</a>)</p>
<p>The previous release of esbuild added integrity checks to esbuild's
npm install script. This release also adds integrity checks to esbuild's
Deno install script. Now esbuild's Deno API will also fail with an error
if the downloaded esbuild binary contains something other than the
expected content.</p>
<p>Note that esbuild's Deno API installs from
<code>registry.npmjs.org</code> by default, but allows the
<code>NPM_CONFIG_REGISTRY</code> environment variable to override this
with a custom package registry. This change means that the esbuild
executable served by <code>NPM_CONFIG_REGISTRY</code> must now match the
expected content.</p>
<p>Thanks to <a
href="https://github.com/sondt99"><code>@​sondt99</code></a> for
reporting this issue.</p>
</li>
<li>
<p>Avoid inlining <code>using</code> and <code>await using</code>
declarations (<a
href="https://redirect.github.com/evanw/esbuild/issues/4482">#4482</a>)</p>
<p>Previously esbuild's minifier sometimes incorrectly inlined
<code>using</code> and <code>await using</code> declarations into
subsequent uses of that declaration, which then fails to dispose of the
resource correctly. This bug happened because inlining was done for
<code>let</code> and <code>const</code> declarations by avoiding doing
it for <code>var</code> declarations, which no longer worked when more
declaration types were added. Here's an example:</p>
<pre lang="js"><code>// Original code
{
  using x = new Resource()
  x.activate()
}

// Old output (with --minify)
new Resource().activate();

// New output (with --minify)
{using e=new Resource;e.activate()}
</code></pre>
</li>
<li>
<p>Fix module evaluation when an error is thrown (<a
href="https://redirect.github.com/evanw/esbuild/issues/4461">#4461</a>,
<a
href="https://redirect.github.com/evanw/esbuild/pull/4467">#4467</a>)</p>
<p>If an error is thrown during module evaluation, esbuild previously
didn't preserve the state of the module for subsequent module
references. This was observable if <code>import()</code> or
<code>require()</code> is used to import a module multiple times. The
thrown error is supposed to be thrown by every call to
<code>import()</code> or <code>require()</code>, not just the first.
With this release, esbuild will now throw the same error every time you
call <code>import()</code> or <code>require()</code> on a module that
throws during its evaluation.</p>
</li>
<li>
<p>Fix some edge cases around the <code>new</code> operator (<a
href="https://redirect.github.com/evanw/esbuild/issues/4477">#4477</a>)</p>
<p>Previously esbuild incorrectly printed certain edge cases involving
complex expressions inside the target of a <code>new</code> expression
(specifically an optional chain and/or a tagged template literal). The
generated code for the <code>new</code> target was not correctly wrapped
with parentheses, and either contained a syntax error or had different
semantics. These edge cases have been fixed so that they now correctly
wrap the <code>new</code> target in parentheses. Here is an example of
some affected code:</p>
<pre lang="js"><code>// Original code
new (foo()`bar`)()
new (foo()?.bar)()

// Old output
new foo()`bar`();
new (foo())?.bar();
</code></pre>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/evanw/esbuild/commit/bb9db84c02433fbe37b3509f53f9f3e3cc48725e"><code>bb9db84</code></a>
publish 0.28.1 to npm</li>
<li><a
href="https://github.com/evanw/esbuild/commit/9ff053e53b8eeb990f59355dbea365277ac45ee2"><code>9ff053e</code></a>
security: add integrity checks to the Deno API</li>
<li><a
href="https://github.com/evanw/esbuild/commit/0a9bf2135b67c7e28989a5ba19f0f000805a5ab5"><code>0a9bf21</code></a>
enforce non-negative size in gzip parser</li>
<li><a
href="https://github.com/evanw/esbuild/commit/e2a1a7132058ee067fe736eac15f695861b8654e"><code>e2a1a71</code></a>
security: forbid <code>\\</code> in local dev server requests</li>
<li><a
href="https://github.com/evanw/esbuild/commit/83a2cbfc35809f4fd5152da59572d7bed7739d78"><code>83a2cbf</code></a>
fix <a
href="https://redirect.github.com/evanw/esbuild/issues/4482">#4482</a>:
don't inline <code>using</code> declarations</li>
<li><a
href="https://github.com/evanw/esbuild/commit/308ad745d824c77bc607603451b257d0f2fd9a38"><code>308ad74</code></a>
fix <a
href="https://redirect.github.com/evanw/esbuild/issues/4471">#4471</a>:
renaming of nested <code>var</code> declarations</li>
<li><a
href="https://github.com/evanw/esbuild/commit/f013f5f99a015bce92ec48d49181d4ad3177b29b"><code>f013f5f</code></a>
fix some typos</li>
<li><a
href="https://github.com/evanw/esbuild/commit/aafd6e48b1088336a5f5a17e930be7e840d43d8c"><code>aafd6e4</code></a>
chore: fix some minor issues in comments (<a
href="https://redirect.github.com/evanw/esbuild/issues/4462">#4462</a>)</li>
<li><a
href="https://github.com/evanw/esbuild/commit/15300c30b5e22f7cfcbed850c246d35095658386"><code>15300c3</code></a>
follow up: cjs evaluation fixes</li>
<li><a
href="https://github.com/evanw/esbuild/commit/1bda0c31d7697c0af44b3ab39b81e599e559a395"><code>1bda0c3</code></a>
fix <a
href="https://redirect.github.com/evanw/esbuild/issues/4461">#4461</a>,
fix <a
href="https://redirect.github.com/evanw/esbuild/issues/4467">#4467</a>:
esm evaluation fixes</li>
<li>Additional commits viewable in <a
href="https://github.com/evanw/esbuild/compare/v0.28.0...v0.28.1">compare
view</a></li>
</ul>
</details>
<br />

Updates `tsx` from 4.20.6 to 4.22.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/privatenumber/tsx/releases">tsx's
releases</a>.</em></p>
<blockquote>
<h2>v4.22.4</h2>
<h2><a
href="https://github.com/privatenumber/tsx/compare/v4.22.3...v4.22.4">4.22.4</a>
(2026-05-31)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>resolve CommonJS directory requires inside dependencies (<a
href="https://redirect.github.com/privatenumber/tsx/issues/803">#803</a>)
(<a
href="https://github.com/privatenumber/tsx/commit/1ce846335b7c445a3328c7d27f06424949356d97">1ce8463</a>)</li>
</ul>
<hr />
<p>This release is also available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/tsx/v/4.22.4"><code>npm
package (@​latest dist-tag)</code></a></li>
</ul>
<h2>v4.22.3</h2>
<h2><a
href="https://github.com/privatenumber/tsx/compare/v4.22.2...v4.22.3">4.22.3</a>
(2026-05-19)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>decode typed loader source (<a
href="https://github.com/privatenumber/tsx/commit/dce02fc3b8b64a58d24560714902b16f89332f1f">dce02fc</a>)</li>
<li>preserve entrypoint with TypeScript preload hooks (<a
href="https://github.com/privatenumber/tsx/commit/68f72f3304d8c3ff7048bde8571af9c163fcefa2">68f72f3</a>)</li>
</ul>
<hr />
<p>This release is also available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/tsx/v/4.22.3"><code>npm
package (@​latest dist-tag)</code></a></li>
</ul>
<h2>v4.22.2</h2>
<h2><a
href="https://github.com/privatenumber/tsx/compare/v4.22.1...v4.22.2">4.22.2</a>
(2026-05-18)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>preserve CJS JSON require in ESM hooks (<a
href="https://github.com/privatenumber/tsx/commit/35b700bd8620696df03827068af29dcd0d091a60">35b700b</a>)</li>
<li>preserve named exports from CommonJS TypeScript (<a
href="https://github.com/privatenumber/tsx/commit/11de737dae1fb9dae28db3716df5b1a7e1a6a089">11de737</a>)</li>
<li>support module.exports require(esm) interop (<a
href="https://github.com/privatenumber/tsx/commit/cf8f19918e4e0a0dc5ee5c52d8cc15e5e22d7c49">cf8f199</a>)</li>
</ul>
<hr />
<p>This release is also available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/tsx/v/4.22.2"><code>npm
package (@​latest dist-tag)</code></a></li>
</ul>
<h2>v4.22.1</h2>
<h2><a
href="https://github.com/privatenumber/tsx/compare/v4.22.0...v4.22.1">4.22.1</a>
(2026-05-17)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>resolve tsconfig path aliases containing a colon (<a
href="https://redirect.github.com/privatenumber/tsx/issues/780">#780</a>)
(<a
href="https://github.com/privatenumber/tsx/commit/6979f28810829dc79ec9baf406e162a18b65ab4b">6979f28</a>)</li>
</ul>
<hr />
<p>This release is also available on:</p>
<ul>
<li><a href="https://www.npmjs.com/package/tsx/v/4.22.1"><code>npm
package (@​latest dist-tag)</code></a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/privatenumber/tsx/commit/1ce846335b7c445a3328c7d27f06424949356d97"><code>1ce8463</code></a>
fix: resolve CommonJS directory requires inside dependencies (<a
href="https://redirect.github.com/privatenumber/tsx/issues/803">#803</a>)</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/dce02fc3b8b64a58d24560714902b16f89332f1f"><code>dce02fc</code></a>
fix: decode typed loader source</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/68f72f3304d8c3ff7048bde8571af9c163fcefa2"><code>68f72f3</code></a>
fix: preserve entrypoint with TypeScript preload hooks</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/69455cfefbfe71100a3c58d3ce7cea42445d9113"><code>69455cf</code></a>
test: cover package exports for ambiguous ESM reexports</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/35b700bd8620696df03827068af29dcd0d091a60"><code>35b700b</code></a>
fix: preserve CJS JSON require in ESM hooks</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/ef807dba6832260fb4cafd78d81f5469a733966b"><code>ef807db</code></a>
chore: update testing dependencies</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/3917090d4f61863ea6ea16e4a9a3722a112cc3f7"><code>3917090</code></a>
test: document compatibility test taxonomy</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/de8113ffa8edbcd4e05fa218324c3e8c2a4afdbe"><code>de8113f</code></a>
refactor: centralize Node capability facts</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/c1f62db45ada60b24ceb3dfdf7f64173d9a15396"><code>c1f62db</code></a>
test: consolidate tsconfig path edge coverage</li>
<li><a
href="https://github.com/privatenumber/tsx/commit/4e08174ec10276ac71c9a69eb28426ad702d0c76"><code>4e08174</code></a>
test: consolidate loader hook coverage</li>
<li>Additional commits viewable in <a
href="https://github.com/privatenumber/tsx/compare/v4.20.6...v4.22.4">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for tsx since your current version.</p>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [launch-editor](https://github.com/vitejs/launch-editor) from
2.11.1 to 2.14.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vitejs/launch-editor/commit/3f97c648307a70e7c930ba63f040e6ba8e72bc16"><code>3f97c64</code></a>
v2.14.1</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/0cc9550e05c35224a1f61914b9731723f78c06a7"><code>0cc9550</code></a>
fix: reject UNC paths (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/138">#138</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/afd1ab907769adbb0fb76b564551f3cd24822ea6"><code>afd1ab9</code></a>
ci: run tests on mac and windows (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/136">#136</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/0bfa328e4d2a70d3accd86645efde43a5a8fd931"><code>0bfa328</code></a>
test: add some tests for launch-editor package (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/135">#135</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/1b006ae00061e83628c884770df4869bac481ed3"><code>1b006ae</code></a>
chore: add README (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/134">#134</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/383ef26fceaaab75e4f122bf833a8d457e187272"><code>383ef26</code></a>
v2.14.0</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/6277209316b28bd76b057a97fcdfa42da5adc181"><code>6277209</code></a>
ci: harden publish settings</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/520b2f787af1bbe3d2333d952547fc90f2c01bb3"><code>520b2f7</code></a>
fix(deps): update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/129">#129</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/475ac662aeaa40eebe319f76acf7bd7ff2aba5d5"><code>475ac66</code></a>
chore(deps): update dependency lint-staged to v17 (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/130">#130</a>)</li>
<li><a
href="https://github.com/vitejs/launch-editor/commit/247bf1dfe2c75efb50f507d33c2c5a3cbf4e20d0"><code>247bf1d</code></a>
chore(deps): update dependency yorkie to v2 (<a
href="https://redirect.github.com/vitejs/launch-editor/issues/131">#131</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vitejs/launch-editor/compare/v2.11.1...v2.14.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for launch-editor since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=launch-editor&package-manager=npm_and_yarn&previous-version=2.11.1&new-version=2.14.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's
changelog</a>.</em></p>
<blockquote>
<h2>[4.2.0] - 2026-06-01</h2>
<h3>Added</h3>
<ul>
<li>Added <code>docs/safety.md</code> with notes about processing
untrusted YAML.</li>
<li>Added <code>maxDepth</code> (100) loader option. Not a problem, but
gives a better
exception instead of RangeError on stack overflow.</li>
<li>Added <code>maxMergeSeqLength</code> (20) loader option. Not a
problem after <code>merge</code> fix,
but an additional restriction for safety.</li>
<li>Added sourcemaps to <code>dist/</code> builds.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Stop resolving numbers with underscores as numeric scalars, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/627">#627</a>.</li>
<li>Switched dev toolchains to Vite / neostandard.</li>
<li>Updated demo.</li>
<li>Reorganized tests.</li>
<li><code>dist/</code> files are no longer kept in the repository.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix parsing of properties on the first implicit block mapping key,
<a
href="https://redirect.github.com/nodeca/js-yaml/issues/62">#62</a>.</li>
<li>Fix trailing whitespace handling when folding flow scalar lines, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/307">#307</a>.</li>
<li>Reject top-level block scalars without content indentation, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/280">#280</a>.</li>
<li>Ensure numbers survive round-trip, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/737">#737</a>.</li>
<li>Fix test coverage for issue <a
href="https://redirect.github.com/nodeca/js-yaml/issues/221">#221</a>.</li>
<li>Fix flow scalar trailing whitespace folding, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/307">#307</a>.</li>
<li>Fix digits in YAML named tag handles.</li>
</ul>
<h3>Security</h3>
<ul>
<li>Fix potential DoS via quadratic complexity in merge - deduplicate
repeated
elements (makes sense for malformed files &gt; 10K).</li>
</ul>
<h2>[3.14.2] - 2025-11-15</h2>
<h3>Security</h3>
<ul>
<li>Backported v4.1.1 fix to v3</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/nodeca/js-yaml/commits">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=js-yaml&package-manager=npm_and_yarn&previous-version=4.1.1&new-version=4.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

## Summary

Adds documentation for handling the original user message after an auto
sign-in flow completes. This is a common scenario where the bot's
sign-in flow consumes the user's initial message, causing a confusing
UX.

The new section shows a pattern for storing the pending message before
initiating sign-in, then replaying it in the `signin` event handler.

## Changes

- **Template**: Added `## Resuming Pending Messages After Sign-In`
section to the user-authentication in-depth guide (before "Handling
Sign-In Failures")
- **TypeScript fragment**: `pendingMessages` Map + `app.event('signin')`
pattern
- **Python fragment**: `pending_messages` dict + `@app.event("sign_in")`
with `SignInOptions`
- **C# fragment**: `ConcurrentDictionary` + `OAuthFlow.OnSignInComplete`
(with `next/core` disclaimer)

## Context

#885 — workaround discussed in #2091. All code patterns verified against
current SDK source.

Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.0 to
3.4.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/cure53/DOMPurify/releases">dompurify's
releases</a>.</em></p>
<blockquote>
<h2>DOMPurify 3.4.10</h2>
<ul>
<li>Refactored codebase for clarity: extracted the public type
declarations into <code>types.ts</code></li>
<li>Decomposed the three largest sanitizer functions into focused
helpers</li>
<li>Removed duplicated defaults and dead branches, consolidated
<code>SAFE_FOR_TEMPLATES</code> scrubbing into single shared path</li>
<li>Improved per-node performance by hoisting the mXSS probe regexes and
testing <code>textContent</code> before <code>innerHTML</code></li>
<li>Added a deterministic micro-benchmark harness (<code>npm run
bench</code>) with a <code>--compare</code> mode</li>
<li>Reduced CI cost by running the full three-engine browser suite once
per PR</li>
<li>Refreshed the <code>demos/</code> folder so every demo runs again,
and added a SVG-via-<code>&lt;img&gt;</code> demo</li>
<li>Documented the bench and <code>test:happydom</code> scripts in the
README</li>
<li>Completed the Attack Classes &amp; Bypass History wiki page</li>
<li>Bumped several dependencies where possible</li>
</ul>
<h2>DOMPurify 3.4.9</h2>
<ul>
<li>Further improved the handling of Trusted Types config options,
thanks <a
href="https://github.com/offset"><code>@​offset</code></a></li>
<li>Further improved the handling of <code>IN_PLACE</code> sanitization,
thanks <a
href="https://github.com/mozfreddyb"><code>@​mozfreddyb</code></a></li>
<li>Added more test coverage for <code>IN_PLACE</code> and Trusted Types
related usage</li>
<li>Bumped several dependencies where possible</li>
<li>Updated README and wiki with more accurate documentation &amp;
attack samples</li>
</ul>
<h2>DOMPurify 3.4.8</h2>
<ul>
<li>Cleaned up the repository root, renamed some and removed unneeded
files</li>
<li>Fixed an issue with handling of Trusted Types policies, thanks <a
href="https://github.com/fulstadev"><code>@​fulstadev</code></a></li>
<li>Fixed the node iterator for better template scrubbing, thanks <a
href="https://github.com/IamLeandrooooo"><code>@​IamLeandrooooo</code></a></li>
<li>Included formerly missing LICENSE-MPL in published npm package,
thanks <a
href="https://github.com/asamuzaK"><code>@​asamuzaK</code></a></li>
<li>Bumped several dependencies where possible</li>
</ul>
<h2>DOMPurify 3.4.7</h2>
<ul>
<li>Hardened the handling of Shadow Roots when using
<code>IN_PLACE</code>, thanks <a
href="https://github.com/GameZoneHacker"><code>@​GameZoneHacker</code></a></li>
<li>Removed a problem leading to permanent hook pollution, thanks <a
href="https://github.com/offset"><code>@​offset</code></a></li>
<li>Refactored the test suite and expanded test coverage
significantly</li>
</ul>
<h2>DOMPurify 3.4.6</h2>
<ul>
<li>Fixed several issues with DOM Clobbering in <code>IN_PLACE</code>
mode, thanks <a
href="https://github.com/offset"><code>@​offset</code></a> &amp; <a
href="https://github.com/Bankde"><code>@​Bankde</code></a></li>
<li>Hardened the checks for cross-realm <code>IN_PLACE</code> and Shadow
DOM sanitization, thanks <a
href="https://github.com/offset"><code>@​offset</code></a> &amp; <a
href="https://github.com/Bankde"><code>@​Bankde</code></a></li>
<li>Added more test coverage for <code>IN_PLACE</code> and general DOM
Clobbering attacks</li>
<li>Bumped several dependencies where possible</li>
</ul>
<h2>DOMPurify 3.4.5</h2>
<ul>
<li>Fixed a bypass caused by the new HTML element
<code>selectedcontent</code> added in 3.4.4, thanks <a
href="https://github.com/KabirAcharya"><code>@​KabirAcharya</code></a></li>
</ul>
<p><strong>Note that this is a security release for an issue introduced
in 3.4.4 and should be upgraded to immediately.</strong></p>
<h2>DOMPurify 3.4.4</h2>
<ul>
<li>Added the <code>selectedcontent</code> element to default
allow-list, thanks <a
href="https://github.com/lukewarlow"><code>@​lukewarlow</code></a></li>
<li>Added the <code>command</code> and <code>commandfor</code>
attributes to default allowed-list, thanks <a
href="https://github.com/lukewarlow"><code>@​lukewarlow</code></a></li>
<li>Added better template scrubbing for <code>IN_PLACE</code>
operations, thanks <a
href="https://github.com/DEMON1A"><code>@​DEMON1A</code></a></li>
<li>Added stronger checks for cross-realm windows, thanks <a
href="https://github.com/DEMON1A"><code>@​DEMON1A</code></a> &amp; <a
href="https://github.com/fg0x0"><code>@​fg0x0</code></a></li>
<li>Updated demo website and made sure it uses the latest from main</li>
<li>Updated existing workflows, fuzzer, dependabot, etc., added more
tests</li>
<li>Bumped several dependencies where possible</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/cure53/DOMPurify/commit/6ee5716f8336989753611beeca364957c0eb0c3e"><code>6ee5716</code></a>
release: 3.4.10 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1478">#1478</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/52102472d46035857c52df19e44285f8a1e102fc"><code>5210247</code></a>
release: 3.4.9 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1459">#1459</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/bcdd8285412dc9c4c149652aed2d712e790d6ccf"><code>bcdd828</code></a>
release: 3.4.8 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1439">#1439</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/ca30f070c360df162a3e3848e80e6fd3c9e74bff"><code>ca30f07</code></a>
release: 3.4.7 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1414">#1414</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/bb7739e5bccec7e1ab3dae3f3e42d02db3acaaae"><code>bb7739e</code></a>
release: 3.4.6 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1394">#1394</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/011b0c78f2a0f57ee54f5fcccb697a46ca6e63ea"><code>011b0c7</code></a>
release: 3.4.5 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1382">#1382</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/5817ad969c15e67dfcd6cb37248d6e9c1553e7c3"><code>5817ad9</code></a>
release: 3.4.4 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1374">#1374</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/520edb0371a9638f9b51f1798051299a250c686b"><code>520edb0</code></a>
release: 3.4.3 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1352">#1352</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/6f67fd396a7b8c64294343999fe607ca1f5299c0"><code>6f67fd3</code></a>
Sync/3.4.2 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1322">#1322</a>)</li>
<li><a
href="https://github.com/cure53/DOMPurify/commit/5b0cdbbf52331e854c0a2de875b1a3790ecec2b8"><code>5b0cdbb</code></a>
chore: merge main into 3.x for 3.4.1 release (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1301">#1301</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/cure53/DOMPurify/compare/3.4.0...3.4.10">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version adds <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=dompurify&package-manager=npm_and_yarn&previous-version=3.4.0&new-version=3.4.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
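
The "Maintainer changes" and "Install script changes" prompts in the Dependabot commit messages above can be checked mechanically before a bump is merged. The sketch below is an added example, not part of any commit message and not Dependabot's own logic; it assumes registry metadata shaped like an npm packument (`versions[v].scripts`, `versions[v]._npmUser.name`), and the package `example-pkg`, its versions, commands and publishers are constructed.

```javascript
// Lifecycle scripts npm can run without the user naming them:
// preinstall/install/postinstall run when a package is installed as a dependency;
// prepare runs for git dependencies and for `npm install` inside the package itself.
const INSTALL_TIME_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Compare plain x.y.z versions numerically (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Report install-time scripts that are new or whose command changed.
function diffInstallScripts(oldManifest, newManifest) {
  const before = oldManifest.scripts || {};
  const after = newManifest.scripts || {};
  const findings = [];
  for (const name of INSTALL_TIME_SCRIPTS) {
    const had = Object.prototype.hasOwnProperty.call(before, name);
    const has = Object.prototype.hasOwnProperty.call(after, name);
    if (has && !had) {
      findings.push({ kind: 'script-added', script: name, command: after[name] });
    } else if (has && had && before[name] !== after[name]) {
      findings.push({ kind: 'script-changed', script: name, command: after[name] });
    }
  }
  return findings;
}

// Return the publisher of toVersion if that account published no version
// up to and including fromVersion; otherwise null.
function newPublisher(packument, fromVersion, toVersion) {
  const known = new Set();
  for (const [version, manifest] of Object.entries(packument.versions)) {
    if (compareVersions(version, fromVersion) <= 0 && manifest._npmUser) {
      known.add(manifest._npmUser.name);
    }
  }
  const target = packument.versions[toVersion]._npmUser;
  const name = target ? target.name : null;
  return name !== null && !known.has(name) ? name : null;
}

// Combine both checks for one version bump.
function reviewUpgrade(packument, fromVersion, toVersion) {
  const from = packument.versions[fromVersion];
  const to = packument.versions[toVersion];
  if (!from || !to) throw new Error('version not present in metadata');
  const findings = diffInstallScripts(from, to);
  const publisher = newPublisher(packument, fromVersion, toVersion);
  if (publisher) findings.push({ kind: 'new-publisher', publisher });
  return findings;
}

// Constructed sample metadata (not taken from any real package).
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: {
    '1.0.0': {
      scripts: { test: 'node test.js' },
      _npmUser: { name: 'alice' },
    },
    '1.1.0': {
      scripts: { test: 'node test.js', postinstall: 'node setup.js' },
      _npmUser: { name: 'alice' },
    },
    '1.2.0': {
      scripts: {
        test: 'node test.js',
        postinstall: 'node setup.js --quiet',
        prepare: 'node build.js',
      },
      _npmUser: { name: 'ci-bot' },
    },
  },
};

for (const finding of reviewUpgrade(SAMPLE_PACKUMENT, '1.1.0', '1.2.0')) {
  console.log(JSON.stringify(finding));
}
```

Installing with `npm install --ignore-scripts` keeps lifecycle scripts from running while the findings are reviewed.
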

Renames the tenant audience switch to make the CLI surface more
explicit.

Why:
`single-tenant` and `multi-tenant` are overloaded terms and hid the
actual Entra app setting. `--sign-in-audience myOrg|multipleOrgs` maps
more directly to the product concept.

Interesting bits:
- Replaces `--single-tenant` with `--sign-in-audience <audience>`.
- Supports `myOrg` and `multipleOrgs`; default is still `multipleOrgs`.
- Removes product-specific flag details from `AGENTS.md`.

Tips for reviewers:
Start in `packages/cli/src/commands/app/create.ts`; the rest is
tests/docs.

Testing:
- `npm -w @microsoft/teams.cli run test --
app-command-validation.test.ts`
- `npx turbo build --filter=@microsoft/teams.cli`

This pull request introduces major improvements to the Teams SDK
documentation and language-specific AI integration guides. The most
significant changes are the addition of comprehensive, language-specific
guides for building cross-bot handoff and agent-based AI integrations in
both Python and TypeScript, as well as a detailed guide on using the
Microsoft Agent Framework in Python. Additionally, the documentation
build scripts are enhanced to allow language-specific sidebar
categories, and a minor correction is made to an internal link.

**New AI integration guides:**

* Added a detailed guide for building A2A (agent-to-agent) handoff bots
in **Python** using `a2a-sdk` and `agent_framework`, including code
samples for agent cards, message contracts, handoff logic, and server
wiring.
(`teams.md/src/components/include/in-depth-guides/ai-integrations/a2a/python.incl.md`)
* Added a parallel guide for building A2A handoff bots in **TypeScript**
using `@a2a-js/sdk` and the OpenAI SDK, covering similar concepts and
implementation details as the Python guide.
(`teams.md/src/components/include/in-depth-guides/ai-integrations/a2a/typescript.incl.md`)
* Introduced a comprehensive guide for building Teams agents with the
**Microsoft Agent Framework (MAF)** in Python, including agent/tool
definitions, session management, integration with Teams, and citation
middleware.
(`teams.md/src/components/include/in-depth-guides/ai-integrations/build-agent/python.incl.md`)

**Documentation tooling improvements:**

* Enhanced the `copyCategoryFiles` function in
`generate-language-docs.ts` to support a `languages` key in category
files, allowing sidebar categories to be restricted to specific
languages. The `languages` key is stripped from the output to avoid
leaking to Docusaurus. (`teams.md/scripts/generate-language-docs.ts`)
[[1]](diffhunk://#diff-de76be5412b469e0e370d6f31f30122807fc049e0ceff53ce995ff1392c72cc6R557-R570)
[[2]](diffhunk://#diff-de76be5412b469e0e370d6f31f30122807fc049e0ceff53ce995ff1392c72cc6L568-R581)

**Documentation content fixes:**

* Updated an internal documentation link to reference the correct AI
integrations guide. (`teams.md/docs/main/welcome.mdx`)

## Summary

Documentation updates driven by customer feedback ([Discussion
#2881](#2881), [Issue
#2871](#2871)).
Fixes #2871 

## SSO Documentation (new content)

- **SSO with User-Assigned Managed Identity**: New section in
`sso-setup.mdx` explaining how IDs map when the bot uses MI and a
separate auth app registration
- **Cross-Tenant Considerations**: New section covering tenant
requirements for SSO to work silently
- **`authrequestfailed` troubleshooting**: New section in
`troubleshooting-sso.mdx` for cross-tenant SSO failures
- **OAuth card fallback and magic code**: Documents when/why the magic
code appears and the `signin()` + `app.event('signin')` pattern

## Preview Status Updates

- Targeted messages: "coming soon in May 2026" -> "available in public
preview"
- Slash commands: same update
- Quoted replies: removed "Coming Soon" callout (now GA)
- Removed C# experimental note for quoted replies
(`ExperimentalTeamsQuotedReplies` being removed in companion PRs)

## Companion PRs
- microsoft/teams.ts#621
- microsoft/teams.py#470
- microsoft/teams.net#572

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Introduce documentation for integrating OpenTelemetry with Teams bots,
covering setup, instrumentation, and exporting telemetry to various
backends. This addition enhances observability and provides guidance for
developers.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Corina Gum <14900841+corinagum@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ation (#2894)

Same fix as microsoft/teams.ts#625 and microsoft/teams.py#481.

Splits the single-job publish pipeline into a separate `publish` stage
with two jobs:
- `publish_internal` - no release context, publishes to Azure Artifacts
- `publish_public` - `type: releaseJob` + `isProduction: true`,
publishes via ESRP

This fixes the 1ES template error:
```
Change management: no release tasks outside of release jobs in pipeline
```

Also uses `artifactName` (required by 1ES template) for
`pipelineArtifact` inputs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Bumps [undici](https://github.com/nodejs/undici) from 7.25.0 to 7.28.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v7.28.0</h2>
<h1>⚠️ Security Release</h1>
<p>This release line addresses <strong>7 security advisories</strong>,
all shipped in <strong>v7.28.0</strong>.</p>
<blockquote>
<p><strong>Action required:</strong> Upgrade to <strong>undici
7.28.0</strong> or later.</p>
<pre lang="sh"><code>npm install undici@^7.28.0
</code></pre>
</blockquote>
<p>The v7 line is <strong>not</strong> affected by GHSA-38rv-x7px-6hhq
(CVE-2026-9675), which is
an 8.x-only regression.</p>
<blockquote>
<p><strong>Note on GHSA-hm92-r4w5-c3mj:</strong> this fix shipped in
<strong>v7.28.0</strong>, not the
earlier 7.2x line — the vulnerable single-pool code was still present
through
<code>v7.27.2</code>. The per-origin pool fix is
<a
href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a>
(<a
href="https://redirect.github.com/nodejs/undici/pull/5041">#5041</a>).</p>
</blockquote>
<h2>Summary</h2>
<table>
<thead>
<tr>
<th>Advisory</th>
<th>CVE</th>
<th>Severity (CVSS)</th>
<th>Fixed in</th>
<th>Fix commit</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td>
<td>CVE-2026-12151</td>
<td>High (7.5)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td>
<td>CVE-2026-9697</td>
<td>High (7.4)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/04201f89"><code>04201f89</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td>
<td>CVE-2026-6734</td>
<td>High (7.5)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/3805b8f8"><code>3805b8f8</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td>
<td>CVE-2026-9678</td>
<td>Moderate (5.9)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/85a24055"><code>85a24055</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td>
<td>CVE-2026-9679</td>
<td>Moderate (5.9)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td>
<td>CVE-2026-11525</td>
<td>Low (3.7)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/d0574cc4"><code>d0574cc4</code></a></td>
</tr>
<tr>
<td><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td>
<td>CVE-2026-6733</td>
<td>Low (3.7)</td>
<td>7.28.0</td>
<td><a
href="https://github.com/nodejs/undici/commit/ea8930cf"><code>ea8930cf</code></a></td>
</tr>
</tbody>
</table>
<hr />
<h2>High severity</h2>
<h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong>
· CWE-400, CWE-770
<strong>Fix:</strong> <a
href="https://github.com/nodejs/undici/commit/8cb10f98"><code>8cb10f98</code></a>
<em>websocket: limit the number of fragments in a message</em> (part of
backport <a
href="https://github.com/nodejs/undici/commit/a027a4a0"><code>a027a4a0</code></a>
<em>Backport WebSocket maxPayloadSize fixes to v7.x</em>, <a
href="https://redirect.github.com/nodejs/undici/pull/5423">#5423</a>)</p>
<p>A malicious WebSocket server can stream a large number of small or
empty
continuation frames. Undici enforced a limit on cumulative payload size
but did
not limit the <em>number</em> of fragments per message, leading to
unbounded memory
growth and denial of service.</p>
<ul>
<li><strong>Affected:</strong> applications using <code>new
WebSocket(...)</code> or <code>WebSocketStream</code>
against untrusted endpoints.</li>
<li><strong>Workaround:</strong> none — upgrade is required.</li>
</ul>
<h3>TLS certificate validation bypass in SOCKS5 ProxyAgent —
CVE-2026-9697</h3>
<p><strong><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></strong>
· CWE-295</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/f9eba0ad9134e1c0977848476bba9d49734696e4"><code>f9eba0a</code></a>
Bumped v7.28.0 (<a
href="https://redirect.github.com/nodejs/undici/issues/5430">#5430</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/a027a4a04c6c055877d1abaf5f60ee4917e7e01f"><code>a027a4a</code></a>
Backport WebSocket maxPayloadSize fixes to v7.x (<a
href="https://redirect.github.com/nodejs/undici/issues/5423">#5423</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/8cb10f983eb6005dd53f3744d95d3b6d7dbcee0f"><code>8cb10f9</code></a>
websocket: limit the number of fragments in a message</li>
<li><a
href="https://github.com/nodejs/undici/commit/04201f8947041f0f4f2ac865dbdb1677e46a8844"><code>04201f8</code></a>
fix: honor requestTls when proxy is SOCKS5</li>
<li><a
href="https://github.com/nodejs/undici/commit/fcd642ff613ea9030dec87cf622e68d4b1ae9847"><code>fcd642f</code></a>
fix(socks5): preserve dispatch backpressure return value (<a
href="https://redirect.github.com/nodejs/undici/issues/5166">#5166</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/bc98c97906abf26fa1e959b2f6111b53ade0e18f"><code>bc98c97</code></a>
fix(socks5): use configured connector in Socks5ProxyAgent (<a
href="https://redirect.github.com/nodejs/undici/issues/5168">#5168</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/9e1c74372a2b27cacd92d27c13a83a6d84f10e0e"><code>9e1c743</code></a>
fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (<a
href="https://redirect.github.com/nodejs/undici/issues/5099">#5099</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/376c8be27cb40cc17ccaad6b6ebb317fa7148d65"><code>376c8be</code></a>
fix(socks5): enforce authenticated state before CONNECT (<a
href="https://redirect.github.com/nodejs/undici/issues/5097">#5097</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/3805b8f8518882991044048c256e005dc3c10a85"><code>3805b8f</code></a>
fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin
routing...</li>
<li><a
href="https://github.com/nodejs/undici/commit/85a240551c9feb8b8a0ecc56c84b2b3015add8a9"><code>85a2405</code></a>
fix(cache): trim qualified field names</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v7.25.0...v7.28.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=7.25.0&new-version=7.28.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams-sdk/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
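
Added illustration for the undici advisory quoted in the commit message above (CVE-2026-12151); it is not undici's code. It sketches a receive-side message assembler that enforces a fragment-count cap alongside the cumulative size cap. The class name, default limits and frame object shape are assumptions.

```javascript
// Added sketch, not undici's implementation. Limits and names are assumptions.
class MessageAssembler {
  constructor({ maxPayloadSize = 1024 * 1024, maxFragments = 1024 } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.reset();
  }

  reset() {
    this.fragments = [];
    this.totalBytes = 0;
  }

  // frame: { fin: boolean, opcode: number, payload: Buffer }
  // Opcodes per RFC 6455: 0x0 continuation, 0x1 text, 0x2 binary.
  // Returns the whole message as a Buffer once FIN arrives, otherwise null.
  push(frame) {
    const inProgress = this.fragments.length > 0;
    if (frame.opcode === 0x0 && !inProgress) {
      throw this.fail(1002, 'continuation frame without a started message');
    }
    if (frame.opcode !== 0x0 && inProgress) {
      throw this.fail(1002, 'data frame before previous message finished');
    }
    // Count cap: an empty fragment adds 0 bytes, so the size cap below never
    // trips on it, yet every fragment still costs bookkeeping memory.
    if (this.fragments.length + 1 > this.maxFragments) {
      throw this.fail(1009, 'too many fragments');
    }
    // Size cap: cumulative payload bytes across all fragments of the message.
    if (this.totalBytes + frame.payload.length > this.maxPayloadSize) {
      throw this.fail(1009, 'message too big');
    }
    this.fragments.push(frame.payload);
    this.totalBytes += frame.payload.length;
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments, this.totalBytes);
    this.reset();
    return message;
  }

  // Drop buffered state and build an error carrying the WebSocket close code.
  fail(closeCode, reason) {
    this.reset();
    return Object.assign(new Error(reason), { closeCode });
  }
}

// Feed frames in order and report either the result or the close code.
function feed(assembler, frames) {
  let message = null;
  try {
    for (const frame of frames) message = assembler.push(frame) ?? message;
    return { ok: true, message, held: assembler.fragments.length };
  } catch (err) {
    return { ok: false, closeCode: err.closeCode, reason: err.message };
  }
}

// Constructed input: an empty text frame, then n empty continuations, no FIN.
function emptyFragmentRun(n) {
  const empty = (opcode) => ({ fin: false, opcode, payload: Buffer.alloc(0) });
  return [empty(0x1), ...Array.from({ length: n }, () => empty(0x0))];
}
```

With `maxFragments: Infinity` the assembler keeps every empty fragment because the byte total never moves; with the count cap it stops at the limit and releases what it buffered.
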
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.4.10 to
3.4.11.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/cure53/DOMPurify/releases">dompurify's
releases</a>.</em></p>
<blockquote>
<h2>DOMPurify 3.4.11</h2>
<ul>
<li>Fixed an issue with a leaky config for hooks via
<code>setConfig</code>, thanks <a
href="https://github.com/trace37labs"><code>@​trace37labs</code></a></li>
<li>Bumped vulnerable development dependencies to arrive at plain 0 with
<code>npm audit</code></li>
<li>Updated the <code>osv-scanner</code> suppression list as no
vulnerable dependencies are left for now</li>
<li>Updated the linting tool-chain and removed now-redundant lint
directives</li>
<li>Updated the documentation in several spots, README, wiki, etc.</li>
<li>Bumped several dependencies where possible</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/cure53/DOMPurify/commit/0cae5187403132f96a6d357649e4b15633fc210a"><code>0cae518</code></a>
release: 3.4.11 (<a
href="https://redirect.github.com/cure53/DOMPurify/issues/1494">#1494</a>)</li>
<li>See full diff in <a
href="https://github.com/cure53/DOMPurify/compare/3.4.10...3.4.11">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This pull request adds a comprehensive blog post announcing the
deprecation and removal of built-in AI libraries from the Teams SDK,
guiding developers to migrate to dedicated agent frameworks for advanced
AI and agentic scenarios. The article details what's changing, why the
shift is happening, and provides migration guidance and resources for
TypeScript, .NET, and Python developers.

Key changes in this update:

**Deprecation and Migration Guidance:**
* Announces the deprecation (and for Python, removal) of Teams SDK AI
libraries across TypeScript, .NET, and Python, listing affected packages
and providing links to framework-based replacements and migration
samples.
* Offers a detailed migration walkthrough, showing how to replace Teams
AI helpers with dedicated agent frameworks, including code examples for
model setup, tool registration, streaming, and session management.

**Comparison and Rationale:**
* Provides a feature comparison table illustrating the gaps between
Teams AI libraries and dedicated frameworks, highlighting improvements
in tool calling, retries, observability, session management, and
multi-agent support.
* Explains how to choose the right approach (SDK vs. framework) based on
bot complexity, with recommendations for each language stack.

**Future Direction and Timeline:**
* Outlines ongoing investments in Teams SDK for clean framework
integration, session/context management, and observability, clarifying
the division of responsibilities between SDK and frameworks
## Summary
- Renames the `2026-06-16-ai-libs-to-agent-frameworks` blog title from
"Unbundling AI from the Teams SDK: A Cleaner Path to Agents" to "Teams
SDK + Agent Frameworks: Better Together"
- Slug, URL, and content unchanged

## Test plan
- [ ] Verify blog renders with new title at
`/blog/ai-libraries-to-agent-frameworks`
- [ ] Confirm blog index/listing reflects the new title

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds process-scoped in-memory caching to eliminate redundant TDP (Teams
Developer Portal) network reads within a single `teams` CLI invocation.
Started with app-detail reads (the worst hotspot) and extended to bot
reads, with a small reusable caching layer shared by both.

Caches are process-scoped (one CLI invocation = one process),
`Map`-backed, and clone-on-read/write (`structuredClone`) so callers
can't corrupt cached objects. Writes refresh the cache from
authoritative POST responses; mutations that bypass the normal path
explicitly invalidate.

## What changed

- **Reusable layer** — `src/utils/resource-cache.ts`: generic
`createResourceCache<T>()` with clone-safe `get`/`set`/`invalidate`.
- **App details** (`hotspot #1`) — `fetchAppDetailsV2` is now
cache-first with a `{ force }` opt-out; `updateAppDetails`
write-refreshes from its POST response (so `uploadIcon` benefits);
`importAppPackage` invalidates. This collapses the ~7–9 `GET
/appdefinitions/v2/{id}` reads per `teams app update`
(read-modify-write) down to 1.
- **Bot reads** (`hotspot #2`) — `fetchBot` and `getBotLocation` now
share a single `GET /botframework/{botId}` round-trip via one
`readBotResource()` classifier (200 → Teams-managed with details, 404 →
Azure). Only those two meaningful outcomes are cached; other statuses
throw uncached so transient failures still retry. `updateBot` refreshes;
`deleteBot`/`registerBot` invalidate.
- **Spinner** — `fetchAppDetail` keeps its spinner silent when both
underlying reads are already warm (fixes the duplicate spinner seen on
App → details → back → details).

## Tests

- Unit tests written first (TDD, red→green):
`app-details-cache.test.ts`, `bot-cache.test.ts`.
- Gated live timing integration test (`RUN_INTEGRATION=1`) demonstrating
the saved round-trips.
- Full suite: **206 passed / 34 skipped**, `tsc --noEmit` and `npm run
build` clean.

## Notes

- No TTL — caches live only for the duration of a single command, so
staleness across invocations is impossible by construction.
- Within an invocation, every mutation point (`update.ts`, `doctor.ts`,
`bot/migrate.ts`, `bot-handler.ts`) was traced for read-after-write
staleness; all refresh or invalidate correctly.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
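
Added sketch of the caching behaviour the commit message above describes (clone-on-read/write, and caching only the 200 and 404 outcomes); it is not the CLI's source. `createResourceCache` and `readBotResource` are named on the page, but their bodies, the return shapes and the synchronous scripted transport are assumptions made so the sample runs offline.

```javascript
// Added sketch, not the CLI's source. Bodies and return shapes are assumptions.
function createResourceCache() {
  const store = new Map(); // process-scoped: gone when the CLI invocation exits
  return {
    // Clone on read: the caller gets a private copy, never the cached object.
    get: (key) => (store.has(key) ? structuredClone(store.get(key)) : undefined),
    // Clone on write: later mutation of `value` by the caller is not cached.
    set: (key, value) => void store.set(key, structuredClone(value)),
    invalidate: (key) => void store.delete(key),
  };
}

// `httpGet` is a hypothetical synchronous stand-in for the real network read.
function readBotResource(cache, botId, httpGet) {
  const cached = cache.get(botId);
  if (cached !== undefined) return cached;

  const res = httpGet(`/botframework/${botId}`);
  let outcome;
  if (res.status === 200) {
    outcome = { location: 'teams-managed', details: res.body };
  } else if (res.status === 404) {
    outcome = { location: 'azure' };
  } else {
    // Any other status is thrown without touching the cache, so a transient
    // failure is retried on the next call instead of being replayed.
    throw new Error(`GET /botframework/${botId} returned ${res.status}`);
  }
  cache.set(botId, outcome);
  return outcome;
}

// Constructed transport: replays scripted responses and counts round-trips.
function scriptedTransport(responses) {
  let calls = 0;
  return {
    httpGet: () => responses[Math.min(calls++, responses.length - 1)],
    callCount: () => calls,
  };
}

function demo() {
  const cache = createResourceCache();
  const t = scriptedTransport([
    { status: 503 },
    { status: 200, body: { endpoint: 'https://bot.example.invalid/api/messages' } },
  ]);
  let firstError = null;
  try {
    readBotResource(cache, 'bot-1', t.httpGet);
  } catch (err) {
    firstError = err.message; // 503 surfaced to the caller, nothing cached
  }
  const first = readBotResource(cache, 'bot-1', t.httpGet); // 200, now cached
  first.details.endpoint = 'changed-by-caller'; // the cache holds its own clone
  const second = readBotResource(cache, 'bot-1', t.httpGet); // cache hit
  const callsBeforeInvalidate = t.callCount();
  cache.invalidate('bot-1'); // a mutation that bypasses the normal write path
  readBotResource(cache, 'bot-1', t.httpGet); // goes back to the network
  return { firstError, endpoint: second.details.endpoint,
    callsBeforeInvalidate, callsAfter: t.callCount() };
}
```
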
Bumps
[webpack-dev-server](https://github.com/webpack/webpack-dev-server) from
5.2.4 to 5.2.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack-dev-server/releases">webpack-dev-server's
releases</a>.</em></p>
<blockquote>
<h2>v5.2.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>Skip the HMR WebSocket path when forwarding upgrade requests to
user-defined proxies, so custom proxy WebSocket upgrades are no longer
intercepted by the dev server. (by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/webpack/webpack-dev-server/pull/5680">#5680</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md">webpack-dev-server's
changelog</a>.</em></p>
<blockquote>
<h2>5.2.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>Skip the HMR WebSocket path when forwarding upgrade requests to
user-defined proxies, so custom proxy WebSocket upgrades are no longer
intercepted by the dev server. (by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/webpack/webpack-dev-server/pull/5680">#5680</a>)</li>
</ul>
<p>All notable changes to this project will be documented in this file.
See <a
href="https://github.com/conventional-changelog/standard-version">standard-version</a>
for commit guidelines.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/webpack/webpack-dev-server/commit/c3ee325819f64ceb77f85dcf727b6b5ede85cbc4"><code>c3ee325</code></a>
chore(release): new release (<a
href="https://redirect.github.com/webpack/webpack-dev-server/issues/5682">#5682</a>)</li>
<li><a
href="https://github.com/webpack/webpack-dev-server/commit/60173be90873b187b41fc2009a4de253732988a1"><code>60173be</code></a>
feat: add changeset validation and release workflow (<a
href="https://redirect.github.com/webpack/webpack-dev-server/issues/5680">#5680</a>)</li>
<li><a
href="https://github.com/webpack/webpack-dev-server/commit/948d5e6089bebcd801dac2cbe3ed4f80b64f117a"><code>948d5e6</code></a>
fix(proxy): match the HMR upgrade path exactly like the ws server (<a
href="https://redirect.github.com/webpack/webpack-dev-server/issues/5678">#5678</a>)</li>
<li><a
href="https://github.com/webpack/webpack-dev-server/commit/93e8996124332a6c94c4d3e0f8e5f2cf95321c67"><code>93e8996</code></a>
fix: skip HMR websocket path when forwarding upgrades to user-defined
proxies...</li>
<li>See full diff in <a
href="https://github.com/webpack/webpack-dev-server/compare/v5.2.4...v5.2.5">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for webpack-dev-server since your current version.</p>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

Review of the CLI scaffolding templates surfaced several issues. This PR
removes three problematic templates and fixes the rest.

### Removed templates
- **`typescript/ai`** — its `AGENTS.md` linked to a dead URL
(`microsoft/teams.ts/main/AGENTS_TEMPLATE.md` returns 404).
- **`typescript/mcp`** — its `package.json.hbs` `inspect` script
contained a literal newline, making the generated `package.json` invalid
JSON (every npm command in a scaffolded project would break).
- **`typescript/mcpclient`** — removed alongside the MCP set.

### Fixes to remaining templates
- **graph (TS)** — declared missing `@microsoft/teams.api` dependency
(imported for `MessageActivity`).
- **tab (TS)** — declared missing `@microsoft/teams-js` and
`@microsoft/teams.common` dependencies; renamed leftover internal
`@tests/tab` logger names to `tab`; awaited the `reply()` call in the
echo handler.
- **graph (Python)** — fixed a possibly-unbound `me` (now initialized to
`None` before the `if graph:` block) so pyright and runtime don't fail
when `user_graph` is `None`; aligned the `dotenv` pin with the echo
template.
- **Python READMEs** — removed reference to a nonexistent `apppackage/`
directory.
- **menu-loop test** — updated the `listTemplates` mock to `['echo',
'graph', 'tab']`.

Template names are discovered dynamically from the filesystem via
`listTemplates()`, so removing the directories is sufficient — no
command code references them by name.

### Validation
- All remaining `package.json.hbs` files are valid JSON; every import is
now a declared dependency.
- `npm run build` passes.
- All 206 tests pass.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
## Summary
- Add an explicit confirmation prompt before uploading interactive RSC
permission edits
- Show a concise add/remove summary before confirmation
- Respect `--yes` by bypassing the prompt

## Validation
- `npm -w @microsoft/teams.cli test -- rsc-set.test.ts
rsc-web-app-info.test.ts`
- `npx turbo build --filter=@microsoft/teams.cli`

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@heyitsaamir heyitsaamir force-pushed the heyitsaamir-prepare-cli-3-0-2-release branch 3 times, most recently from 21a2e7e to 51a4da9 Compare July 1, 2026 20:24
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@heyitsaamir heyitsaamir force-pushed the heyitsaamir-prepare-cli-3-0-2-release branch from 51a4da9 to 082e798 Compare July 1, 2026 20:34
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@heyitsaamir heyitsaamir merged commit d661635 into release/v3 Jul 2, 2026
1 check passed
@heyitsaamir heyitsaamir deleted the heyitsaamir-prepare-cli-3-0-2-release branch July 2, 2026 19:23