Bump to adaptivecards@1.1.2 #1558
Merged
compulim merged 11 commits into microsoft:master from Jan 8, 2019
a-b-r-o-w-n approved these changes Jan 8, 2019
cwhitten reviewed Jan 8, 2019
a-b-r-o-w-n approved these changes Jan 8, 2019
corinagum approved these changes Jan 8, 2019
compulim added a commit to compulim/BotFramework-WebChat that referenced this pull request Jan 10, 2019
* Bump to Adaptive Cards 1.1.2
* Move to onProcessMarkdown handler
* Update package-lock.json
* Bump [email protected] on bundle
* Fix column width
* Bump to [email protected] in playground
* Update package-lock.json
* Use percentage column width
* Handle no Markdown case
* Update CHANGELOG.md
* Lock adaptivecards on minor version
Background
Due to a security vulnerability issue found recently, we are bumping to adaptivecards@1.1.2.
Web Chat has 2 bundles: minimal and full. The minimal bundle does not include Adaptive Cards. And the full bundle has Adaptive Cards pre-configured with the Markdown-It engine.
The security vulnerability only affects users who are using Adaptive Cards without any Markdown engine. By default, Web Chat ships pre-configured with Adaptive Cards and Markdown-It; thus, the security vulnerability does not affect our default configurations. Only advanced users who manually configure Adaptive Cards explicitly without Markdown are affected.
Changelog
Changed
*: Bump to adaptivecards@1.1.2, in #1558
Design considerations
Inclusion of css-loader and style-loader
Adaptive Cards 1.1.2 requires css-loader. The code here reads: import "./adaptivecards-default.css"; Thus, in order to pack Adaptive Cards inside Web Chat, we have to add css-loader and style-loader in our pipeline.
Web Chat prefers bundler-independent:
window object and corresponding functions to load different assets into memory)
But since Adaptive Cards 1.1.2 requires css-loader and style-loader, we have to give up our bundler-independent flexibility. We have filed bug #2279 with the Adaptive Cards team to see if they could remove the CSS or pre-compile it into JavaScript code before publishing their project to NPM to preserve their purity.