[Snyk] Upgrade botbuilder from 4.22.2 to 4.23.3

[DevangPatelUK]

Snyk has created this PR to upgrade botbuilder from 4.22.2 to 4.23.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 20 versions ahead of your current version.

• The recommended version was released 5 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-AXIOS-6144788	666	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-JWS-14188253	666	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JS-JWS-14188253	666	No Known Exploit
	Denial of Service (DoS) SNYK-JS-WS-7266574	666	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JS-AXIOS-12613773	666	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	666	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9292519	666	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9403194	666	No Known Exploit
	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') SNYK-JS-AZUREIDENTITY-7246760	666	No Known Exploit
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	666	Proof of Concept

Release notes

Package name: botbuilder

• 4.23.3 - 2025-08-27
  

  Notable in this release

  • Added supporet for TS 5.9

    Note: In order to support new TS version, we had to drop support for TS 4.7 as it is incompatible with the new node/types version.

  • Package updates to resolve security alerts

  What's Changed

  • fix: Remaining CodeQL issues (#4898)
  • bump: [https://github.com/microsoft/botbuilder-js/issues/4894] Add support for typescript 5.9 (#4897)
  • fix: [https://github.com/microsoft/botbuilder-js/issues/4840] The use of the package browserify-sign could violate Microsoft crypto policy (#4875)
  • Mark activity as optional in ConversationParameters (#4873)
  • bump: dependencies to safe versions (#4896)
  • Enable configuration of the OpenIdmetadata's refresh interval (#4877)
  • fix: CodeQL issues with Medium and Error severity (#4893)
  • bump: pbkdf2 from 3.1.1 to 3.1.3 (#4888)
  • port: CQA to support TokenCredential instead of key (#4879)
  • fix: CodeQL issues with severity High (#4892)
  • Bump pbkdf2 version to fix issue (#4891)
  • chore(deps): bump tar-fs from 2.1.1 to 2.1.2 (#4871)
  • fix: Add signInSso cardviewType to SignInCardViewParameters (#4872)
  • Update babel-runtime (#4868)
  • bump: axios from 1.7.7 to 1.8.2 (#4869)
  • Allow null value for Configuration parameter (#4856)
  • fix: [https://github.com/microsoft/botbuilder-js/issues/4853] ConfigurationBotFrameworkAuthentication errors when initialized with process.env (#4857)
  • Update elliptic, esbuild, and serialize-javascript (#4862)
  • refactor: [https://github.com/microsoft/botbuilder-js/issues/4759] Migrate off @ azure/core-http (#4834)
  • chore(deps): bump elliptic from 6.6.0 to 6.6.1 (#4863)
  • fix: Update generators and remove Core Bot templates (#4867)
  • Fix actions/cache deprecation (#4858)

  Full Changelog: 4.23.2...4.23.3

• 4.23.3-dev2 - 2025-02-12
• 4.23.3-dev1 - 2025-02-11
• 4.23.3-dev - 2025-08-19
• 4.23.2 - 2025-02-06
  

  Notable changes in this release

  • Node 22 support
  • Dependency updates for security alerts
  • Federated Credentials for bot-to-channel auth. This is supported for single tenant only.

  What's Changed

  • port: [#4632] Support Federated Identity Credential by @ sw-joelmut in #4765
  • port: [#6841] SkillDialog.InterceptOAuthCardsAsync doesn't support CloudAdapter by @ ceciliaavila in #4766
  • fix: CVE-2024-52798 vulnerability with path-to-regexp by @ JhontSouth in #4817
  • bump: Update d3-format package by @ JhontSouth in #4842
  • fix: Run the coveralls step only for windows by @ ceciliaavila in #4843
  • bump: nanoid from 3.3.6 to 3.3.8 by @ dependabot in #4812
  • feat: Support Sso for SharePoint bot ACEs by @ bentsai10 in #4806
  • port:[#6879] Bot is not accepting v2 tokens from Bot Framework Emulator - Single Tenant Bots by @ JhontSouth in #4847
  • fix: Upgrade path-to-regexp and find-my-way packages to latest version by @ ceciliaavila in #4756
  • bump: http-proxy-middleware from 2.0.6 to 2.0.7 by @ dependabot in #4778
  • bump: [#4684] Upgrade Nighwatch by @ sw-joelmut in #4768
  • bump: elliptic from 6.5.7 to 6.6.0 by @ dependabot in #4780
  • bump: [#4684] Upgrade filenamify using import-sync for esm-only package by @ ceciliaavila in #4782
  • fix: Upgrade cookie dependency to latest version by @ ceciliaavila in #4771
  • bump: [#4684] Replace nanoid with native module crypto by @ ceciliaavila in #4769
  • bump: Update p-map package by @ JhontSouth in #4820
  • Suppress fake secret in unit test. by @ tracyboehrer in #4850
  • bump: Update chai package by @ JhontSouth in #4844
  • refactor: [#4684] Replace browserify with tsup by @ sw-joelmut in #4774
  • port: [#6861]TeamsSSOTokenExchangeMiddleware.DeduplicatedTokenExchangeIdAsync fails on BlobStorage ETag validation by @ ceciliaavila in #4800
  • bump: [#4684] Update nock dependency to latest version by @ ceciliaavila in #4760
  • bump: rollup from 4.21.0 to 4.22.4 by @ dependabot in #4755
  • bump: [#4684] Upgrade rimraf dependency to v5 by @ ceciliaavila in #4761
  • bump: [#4684] Update sinon dependency to latest version by @ ceciliaavila in #4762

  Other

  • bump: [#4684] Update applicationinsights dependency to version 2.x by @ ceciliaavila in #4758
  • fix: [#4746] Fix INodeBuffer in TypeScript 5.6 and ESNext target by @ sw-joelmut in #4757
  • feat: Add TS 5.6 and ESNext target support by @ sw-joelmut in #4763
  • feat: [#4684] Consolidate and update browser-echo-bot dependencies by @ sw-joelmut in #4764
  • fix: Workspaces for update-versions script by @ sw-joelmut in #4783
  • port: Add dataset to SearchInvokeValue by @ sw-joelmut in #4777
  • bump: Update ESLint packages and migrate to eslint.config.cjs files by @ JhontSouth in #4776
  • fix: [#4684] Update INodeSocket type by @ sw-joelmut in #4767
  • Caret ranges for generator SDK version (any v4) by @ tracyboehrer in #4787
  • fix: Upgrade cross-spawn dependency to latest version by @ sw-joelmut in #4798
  • feat: Update versions for generators by @ ceciliaavila in #4796
  • refactor: Fix test:consumer pipeline randomly failing by @ sw-joelmut in #4793
  • fix: [#4684] ESLint issues in botbuilder-ai by @ ceciliaavila in #4790
  • fix: Update Generators versions: Add missing directory to workspaces by @ ceciliaavila in #4801
  • fix: [#4684] ESLint issues in botbuilder-azure-blobs by @ ceciliaavila in #4802
  • fix: [#4684] ESLint issues in botbuilder-lg by @ ceciliaavila in #4803
  • fix: [#4684] ESLint issues in botbuilder-applicationinsights by @ ceciliaavila in #4804
  • feat: Add support for Node 22 by @ ceciliaavila in #4808
  • fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime-core by @ ceciliaavila in #4809
  • fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime by @ ceciliaavila in #4810
  • fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-runtime-integration libraries by @ ceciliaavila in #4811
  • fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive-testing by @ sw-joelmut in #4821
  • fix: [#4684] ESLint issues in botframework-connector by @ sw-joelmut in #4822
  • fix: [#4684] ESLint issues in botbuilder-testing by @ sw-joelmut in #4823
  • fix: [#4684] ESLint issues in botbuilder-dialogs-declarative by @ ceciliaavila in #4813
  • fix: [#4684] ESLint issues in botbuilder-stdlib by @ ceciliaavila in #4814
  • fix: [#4684] ESLint issues in botframework-config by @ ceciliaavila in #4815
  • fix: [#4684] ESLint issues in botbuilder-ai-luis by @ sw-joelmut in #4824
  • fix: [#4684] ESLint issues in botframework-streaming by @ sw-joelmut in #4825
  • fix: [#4684] ESLint issues in botbuilder-dialogs-adaptive by @ sw-joelmut in #4826
  • fix: [#4684] ESLint issues in botbuilder-azure by @ sw-joelmut in #4828
  • fix: ESLint issues in bobuilder-core by @ JhontSouth in #4827
  • fix: Remove ESLint config file in bobuilder-ai-qna by @ JhontSouth in #4829
  • fix: ESLint issues in botbuilder by @ JhontSouth in #4830
  • fix: ESLint issues in botbuilder-azure-queues by @ JhontSouth in #4831
  • fix: ESLint issues in botbuilder-dialogs by @ JhontSouth in #4832
  • fix: ESLint issues in adaptive-expressions by @ JhontSouth in #4833
  • fix: [#4684] ESLint issues in adaptive-expressions-ie11 by @ JhontSouth in #4835
  • fix: ESLint issues in botframework-schema by @ JhontSouth in #4836
  • fix: ESLint issues in bobuilder-ai-orchestrator by @ JhontSouth in #4837
  • fix: ESLint issues in botbuilder-repo-utils by @ JhontSouth in #4838
  • fix: Remove unused resolutions by @ JhontSouth in #4816
  • fix: Remaining ESLint issues by @ sw-joelmut in #4846
  • port: [#6882] Mock expired token for 'throws exception on expired token' unit test by @ JhontSouth in #4848
• 4.23.2-rc2 - 2025-02-03
• 4.23.2-dev1 - 2024-12-10
• 4.23.1 - 2024-09-23
  

  What's Changed

  • bump: micromatch from 4.0.7 to 4.0.8 in /testing/browser-functional/browser-echo-bot by @ dependabot in #4732
  • bump: micromatch from 4.0.2 to 4.0.8 by @ dependabot in #4733
  • bump: [#4684] Update multiple dependencies inside public libraries to latest version by @ sw-joelmut in #4739
  • bump: webpack from 5.92.0 to 5.94.0 in /testing/browser-functional/browser-echo-bot by