Release 2.0.14: merge main into release#497
Merged
Merged
Conversation
In the previous doc, the instruction was to do main -> release. But since release and main have different histories, there were many merge conflicts that had to be resolved. To do this, we had to use `-s ours` when merging. Since this needs to be done on our machine anyway (and also because version.json also needs to be modified), I updated the doc to just be exact commands that need to be run so agents can help us execute the release workflow quickly.
#454) ## Summary Fix the hatch build plugin so released package versions don't have a trailing `.height` component (we just shipped `2.0.13.4` when we meant `2.0.13`). ## Why I introduced this in PR #445 when migrating off the 3.12-only `nbgv-python` wrapper. The plugin picked nbgv's `CloudBuildNumber` field, which works fine on `main` (`2.0.13-dev.11+eaec265930`) but on `release` it expands to `2.0.13.4` because nbgv appends git height as a 4th version component when `version.json` has a plain three-part version. PyPI then got `microsoft-teams-apps==2.0.13.4` instead of `2.0.13`. ## What changed Field priority is now `SemVer2` → `CloudBuildNumber` → `SimpleVersion`, with a PEP 440 validity check that walks past unparseable fields. End result: - **release**: `SemVer2` is `2.0.13` (plain stable) — picked - **main**: `SemVer2` is `2.0.13-dev.11.geaec265930` (not PEP 440 due to trailing `.gHASH`) — falls through to `CloudBuildNumber` `2.0.13-dev.11+eaec265930` (PEP 440-valid via local-version `+`) ## Reviewer tips Diff is small — just the field list + a try/except in `_select_version`. The comment block explains the rationale so future folks don't reintroduce the bug. ## Testing Verified both code paths locally: ``` # main $ NBGV_REQUIRED=1 uv build --package microsoft-teams-apps --sdist Successfully built dist/microsoft_teams_apps-2.0.13.dev11+eaec265930.tar.gz # release (simulated by checking the field selection logic against # nbgv output captured from the release branch) SemVer2=2.0.13 -> picked, parses as PEP 440 2.0.13 ``` Will be visible end-to-end on the next release (`2.0.14`). --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
## Summary
Replace the BotBuilder plugin with an HTTP adapter so BotBuilder sits at
the inbound HTTP boundary instead of plugin DI.
## Why
This keeps the plugin surface less privileged and avoids passing app
credentials/tokens/client internals into plugins just so BotBuilder can
intercept requests.
## Interesting bits
- Adds `BotBuilderAdapter` and removes `BotBuilderPlugin`.
- Updates the BotBuilder example to use adaptive cards where BotBuilder
handles one Action.Execute and Teams SDK handles the other.
- Cleans up no-longer-used plugin DI entries for raw credentials, bot
token, app id, and raw client.
## Migration
Before:
```python
app = App(
plugins=[BotBuilderPlugin(adapter=adapter, handler=EchoBot())]
)
```
After:
```python
app = App(
http_server_adapter=BotBuilderAdapter(
cloud_adapter=adapter,
handler=EchoBot(),
)
)
```
If you do not already create a BotBuilder `CloudAdapter`,
`BotBuilderAdapter` can create one from explicit `credentials`,
`MicrosoftApp*` environment variables, or the same `CLIENT_ID` /
`CLIENT_SECRET` / `TENANT_ID` vars used by `teams.apps`.
## Reviewer tips
Start with
`packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py`, then
peek at the example to see the migration shape.
## Testing
- `uv run ruff check examples/botbuilder/src/bots/echo_bot.py
packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py
examples/botbuilder/src/main.py
packages/botbuilder/tests/test_botbuilder_adapter.py`
- `uv run pyright
packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py
examples/botbuilder/src/bots/echo_bot.py`
- `uv run pytest packages/botbuilder/tests
packages/apps/tests/test_card_action_routing.py`
- pre-commit on commit: ruff, ruff format, pyright, license header
Cache MSAL clients for federated identity token flow. Why: Recreating the MSAL confidential client every token request means we miss MSAL's internal token cache. Reusing the client lets it do its job and avoids extra token exchanges. Interesting bits: FIC now passes MSAL a lazy client assertion callback, so the managed identity exchange token is only fetched when MSAL actually needs to hit the wire. Also updated the local MSAL stub because 1.34 supports callables even though our stub only allowed strings. Reviewer tips: Start in `packages/apps/src/microsoft_teams/apps/token_manager.py`. The important bit is the new FIC client cache and callback assertion. Testing: - `uv run pytest packages/apps/tests/test_token_manager.py` - `uv run pyright packages/apps/src/microsoft_teams/apps/token_manager.py` - Manual VM test of the FIC token flow
…/tab/Web (#467) Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). These dependencies need to be updated together. Removes `esbuild` Updates `@vitejs/plugin-react` from 4.7.0 to 6.0.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/releases">@vitejs/plugin-react's releases</a>.</em></p> <blockquote> <h2>plugin-react@6.0.2</h2> <h3>Allow all options in reactCompilerPreset (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1189">#1189</a>)</h3> <p>This is a type only change. Only <code>compilationMode</code> and <code>target</code> options were available for <code>reactCompilerPreset</code>.</p> <h2>plugin-react@6.0.1</h2> <h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3> <p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to include <code>^0.2.0</code>.</p> <h2>plugin-react@6.0.0</h2> <h3>Remove Babel Related Features (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3> <p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.</p> <p>If you are using Babel, you can use <code>@rolldown/plugin-babel</code> together with this plugin:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' import react from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li> <pre><code>react({ </code></pre> </li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> <li> <pre><code>}), </code></pre> </li> </ul> <ul> <li> <pre><code>react(), </code></pre> </li> <li> <pre><code>babel({ </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code>}), </code></pre> ] }) </code></pre></li> </ul> <p>For React compiler users, you can use <code>reactCompilerPreset</code> for easier setup with preconfigured filter to improve build performance:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' -import react from '@vitejs/plugin-react' +import react, { reactCompilerPreset } from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li>react({</li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['babel-plugin-react-compiler'], </code></pre> </li> </ul> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md">@vitejs/plugin-react's changelog</a>.</em></p> <blockquote> <h2>6.0.2 (2026-05-14)</h2> <h3>Allow all options in reactCompilerPreset (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1189">#1189</a>)</h3> <p>This is a type only change. Only <code>compilationMode</code> and <code>target</code> options were available for <code>reactCompilerPreset</code>.</p> <h2>6.0.1 (2026-03-13)</h2> <h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3> <p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to include <code>^0.2.0</code>.</p> <h2>6.0.0 (2026-03-12)</h2> <h2>6.0.0-beta.0 (2026-03-03)</h2> <h3>Remove Babel Related Features (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3> <p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.</p> <p>If you are using Babel, you can use <code>@rolldown/plugin-babel</code> together with this plugin:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' import react from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li> <pre><code>react({ </code></pre> </li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> <li> <pre><code>}), </code></pre> </li> </ul> <ul> <li> <pre><code>react(), </code></pre> </li> <li> <pre><code>babel({ </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code>}), </code></pre> ] }) </code></pre></li> </ul> <p>For React compiler users, you can use <code>reactCompilerPreset</code> for easier setup with preconfigured filter to improve build performance:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' -import react from '@vitejs/plugin-react' +import react, { reactCompilerPreset } from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/6535b55e956b425e6650ffc2cc98fd23cca1d231"><code>6535b55</code></a> release: plugin-react@6.0.2</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/bf0e43b756e3be81f8572d59727c218311f431ef"><code>bf0e43b</code></a> feat(react): whitelist debugging-options (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1189">#1189</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/3bd1f08ae0b82ee0e96feb2ff265e61c6fe74b54"><code>3bd1f08</code></a> feat: use carets for rolldown versions (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1216">#1216</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/2b8df67323265d1ff5ddf47b2db9ab0b9de5c688"><code>2b8df67</code></a> fix(deps): update all non-major dependencies (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1218">#1218</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/8fa9619e1b1f51b079f4c1df6bcf076dcafc5aed"><code>8fa9619</code></a> fix(deps): update react 19.2.6 (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1211">#1211</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/a4296ad2995a8d493528b8d5450a1209de2943cb"><code>a4296ad</code></a> fix(deps): update all non-major dependencies (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1209">#1209</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/323ccd72576be636b50baa7d9ce816cc94d5991e"><code>323ccd7</code></a> fix(deps): update all non-major dependencies (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1196">#1196</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/a7506e105df00cdadc58c0aecc4512d8cfdd9765"><code>a7506e1</code></a> chore(deps): update vite 8.0.10 (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1198">#1198</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/02cff2a0cf5c7e9792b1612baa380228f5e4d3c1"><code>02cff2a</code></a> fix(deps): update all non-major dependencies (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1184">#1184</a>)</li> <li><a href="https://github.com/vitejs/vite-plugin-react/commit/4b9c890cdb21078ac45a86873b24f7e8613b8526"><code>4b9c890</code></a> fix(deps): update react 19.2.5 (<a href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1181">#1181</a>)</li> <li>Additional commits viewable in <a href="https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.2/packages/plugin-react">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@vitejs/plugin-react</code> since your current version.</p> </details> <br /> Updates `vite` from 6.4.2 to 8.0.16 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v8.0.16</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.16/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.15</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.15/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.14</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.14/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.13</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.13/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.12</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.12/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.11</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.10</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.9</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.8</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.7</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.6</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.5</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.5/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.4</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.4/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.3/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.2/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.2/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v8.0.15...v8.0.16">8.0.16</a> (2026-06-01)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> reject UNC paths for launch-editor-middleware (<a href="https://redirect.github.com/vitejs/vite/issues/22571">#22571</a>) (<a href="https://github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9">50b9512</a>)</li> <li>reject windows alternate paths (<a href="https://redirect.github.com/vitejs/vite/issues/22572">#22572</a>) (<a href="https://github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546">dc245c7</a>)</li> </ul> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v8.0.14...v8.0.15">8.0.15</a> (2026-06-01)<!-- raw HTML omitted --></h2> <h3>Features</h3> <ul> <li>send 408 on request timeout (<a href="https://redirect.github.com/vitejs/vite/issues/22476">#22476</a>) (<a href="https://github.com/vitejs/vite/commit/c85c9eeb9aaf41f477b48b057146887bd5620797">c85c9ee</a>)</li> <li>update rolldown to 1.0.3 (<a href="https://redirect.github.com/vitejs/vite/issues/22538">#22538</a>) (<a href="https://github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575">646dbed</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>capitalize error messages and remove spurious space in parse error (<a href="https://redirect.github.com/vitejs/vite/issues/22488">#22488</a>) (<a href="https://github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3">85a0eff</a>)</li> <li><strong>deps:</strong> update all non-major dependencies (<a href="https://redirect.github.com/vitejs/vite/issues/22511">#22511</a>) (<a href="https://github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa">2686d7d</a>)</li> <li><strong>dev:</strong> fix html-proxy cache key mismatch for /@fs/ HTML paths (<a href="https://redirect.github.com/vitejs/vite/issues/21762">#21762</a>) (<a href="https://github.com/vitejs/vite/commit/47c4213f134f562c41ed7c031e4788510cf7e31e">47c4213</a>)</li> <li><strong>glob:</strong> error on relative glob in virtual module when no files match (<a href="https://redirect.github.com/vitejs/vite/issues/22497">#22497</a>) (<a href="https://github.com/vitejs/vite/commit/5c8e98f8b584ac5d42f0f9b8580c49792213b13c">5c8e98f</a>)</li> <li><strong>optimizer:</strong> close the rolldown bundle when write() rejects (<a href="https://redirect.github.com/vitejs/vite/issues/22528">#22528</a>) (<a href="https://github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815">e3cfb9d</a>)</li> <li><strong>resolve:</strong> provide onWarn for viteResolvePlugin in JS plugin containers (<a href="https://redirect.github.com/vitejs/vite/issues/22509">#22509</a>) (<a href="https://github.com/vitejs/vite/commit/40985f1c09b7696e594e6c5695fbc315d2da2c83">40985f1</a>)</li> </ul> <h3>Miscellaneous Chores</h3> <ul> <li><strong>deps:</strong> update rolldown-related dependencies (<a href="https://redirect.github.com/vitejs/vite/issues/22566">#22566</a>) (<a href="https://github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd">3052a67</a>)</li> </ul> <h3>Code Refactoring</h3> <ul> <li>correct logic in <code>collectAllModules</code> function (<a href="https://redirect.github.com/vitejs/vite/issues/22562">#22562</a>) (<a href="https://github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c">6978a9c</a>)</li> </ul> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v8.0.13...v8.0.14">8.0.14</a> (2026-05-21)<!-- raw HTML omitted --></h2> <h3>Features</h3> <ul> <li>update rolldown to 1.0.2 (<a href="https://redirect.github.com/vitejs/vite/issues/22484">#22484</a>) (<a href="https://github.com/vitejs/vite/commit/96efc88570b6a6ddf1a910f106920cbac07b3cf0">96efc88</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> update all non-major dependencies (<a href="https://redirect.github.com/vitejs/vite/issues/22471">#22471</a>) (<a href="https://github.com/vitejs/vite/commit/98b81632139d51820f82036e58d6fbbf122b77b3">98b8163</a>)</li> <li><strong>dev:</strong> handle errors when sending messages to vite server (<a href="https://redirect.github.com/vitejs/vite/issues/22450">#22450</a>) (<a href="https://github.com/vitejs/vite/commit/e8e9a34dcf2540139de558a10187630884d10217">e8e9a34</a>)</li> <li><strong>html:</strong> handle trailing slash paths in transformIndexHtml (<a href="https://redirect.github.com/vitejs/vite/issues/22480">#22480</a>) (<a href="https://github.com/vitejs/vite/commit/5d94d1bffdb2a15de9341194d89baec86ce1f693">5d94d1b</a>)</li> <li><strong>optimizer:</strong> pass oxc jsx options to transformSync in dependency scan (<a href="https://redirect.github.com/vitejs/vite/issues/22342">#22342</a>) (<a href="https://github.com/vitejs/vite/commit/b3132dacea9c6e0cf526cd9f0f09d850f577c262">b3132da</a>)</li> </ul> <h3>Miscellaneous Chores</h3> <ul> <li><strong>deps:</strong> update rolldown-related dependencies (<a href="https://redirect.github.com/vitejs/vite/issues/22470">#22470</a>) (<a href="https://github.com/vitejs/vite/commit/7cb728eb629cc677661f1bc52a044ffc0b87fc7f">7cb728e</a>)</li> <li>remove irrelevant commits from changelog (<a href="https://github.com/vitejs/vite/commit/2c69495f250edf01132d4a20128de19dbe836086">2c69495</a>)</li> </ul> <h3>Code Refactoring</h3> <ul> <li><strong>glob:</strong> do not rewrite import path for absolute base (<a href="https://redirect.github.com/vitejs/vite/issues/22310">#22310</a>) (<a href="https://github.com/vitejs/vite/commit/0ae2844ab6d6d1ccf78a2975b8132769fc35b302">0ae2844</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vitejs/vite/commit/f94df87ff03b40b65e29bacdc04cc18c7bccaa4a"><code>f94df87</code></a> release: v8.0.16</li> <li><a href="https://github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546"><code>dc245c7</code></a> fix: reject windows alternate paths (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22572">#22572</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9"><code>50b9512</code></a> fix(deps): reject UNC paths for launch-editor-middleware (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22571">#22571</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/8d1b0195fd186d0b3297d7cd17acff6c96797420"><code>8d1b019</code></a> release: v8.0.15</li> <li><a href="https://github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa"><code>2686d7d</code></a> fix(deps): update all non-major dependencies (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22511">#22511</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd"><code>3052a67</code></a> chore(deps): update rolldown-related dependencies (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22566">#22566</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815"><code>e3cfb9d</code></a> fix(optimizer): close the rolldown bundle when write() rejects (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22528">#22528</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c"><code>6978a9c</code></a> refactor: correct logic in <code>collectAllModules</code> function (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22562">#22562</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575"><code>646dbed</code></a> feat: update rolldown to 1.0.3 (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22538">#22538</a>)</li> <li><a href="https://github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3"><code>85a0eff</code></a> fix: capitalize error messages and remove spurious space in parse error (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22488">#22488</a>)</li> <li>Additional commits viewable in <a href="https://github.com/vitejs/vite/commits/v8.0.16/packages/vite">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.1 to 2.13.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/releases">pyjwt's releases</a>.</em></p> <blockquote> <h2>2.13.0</h2> <h1>PyJWT 2.13.0 — Security Release</h1> <p>This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.</p> <h2>Security</h2> <ul> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a> — JWK JSON accepted as HMAC secret (algorithm confusion).</strong> <code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. <em>Reported by <a href="https://github.com/aradona91"><code>@aradona91</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a> — Algorithm allow-list bypass with <code>PyJWK</code> / <code>PyJWKClient</code>.</strong> When verifying with a <code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list was checked against the token header <code>alg</code> as a string only; actual verification used the algorithm bound to the <code>PyJWK</code>. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header <code>alg</code> to match the <code>PyJWK</code>'s algorithm before verification. <em>Reported by <a href="https://github.com/sushi-gif"><code>@sushi-gif</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a> — DoS via base64 decode of unused payload segment when <code>b64=false</code>.</strong> For detached-payload JWS (<code>b64=false</code>), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied <code>detached_payload</code>. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. <em>Reported by <a href="https://github.com/thesmartshadow"><code>@thesmartshadow</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a> — <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong> <code>PyJWKClient.fetch_data</code> passed its URI to <code>urllib.request.urlopen</code>, which by default also handles <code>file://</code>, <code>ftp://</code>, and <code>data:</code> schemes. An application that fed an attacker-influenced URI into <code>PyJWKClient</code> could be coerced into reading local files or reaching other unintended schemes. <code>PyJWKClient</code> now rejects any URI whose scheme isn't <code>http</code> or <code>https</code>. <em>Reported by <a href="https://github.com/KEIJOT"><code>@KEIJOT</code></a>.</em></p> </li> <li> <p><strong><a href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a> — <code>PyJWKClient</code> cache wiped on fetch error.</strong> A <code>finally</code>-block <code>put(jwk_set=None)</code> cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. <em>Reported by <a href="https://github.com/eddieran"><code>@eddieran</code></a>.</em></p> </li> </ul> <h2>Fixed</h2> <ul> <li>Reject empty HMAC keys outright in <code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code> instead of accepting them with only a warning. Defends against the <code>os.getenv("JWT_SECRET", "")</code> footgun. <em>Thanks to <a href="https://github.com/SnailSploit"><code>@SnailSploit</code></a> and <a href="https://github.com/spartan8806"><code>@spartan8806</code></a> for the reports.</em></li> <li>Forward per-call <code>options</code> (including <code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code> through to <code>PyJWS._verify_signature</code>. The option was previously silently dropped between the two layers, so it only took effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a href="https://github.com/WLUB"><code>@WLUB</code></a> for the report.</em></li> <li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong> the encoder now auto-adds <code>"b64"</code> to <code>crit</code>, and the decoder rejects tokens that set <code>b64=false</code> without listing it in <code>crit</code>. <em>Thanks to <a href="https://github.com/MachineLearning-Nerd"><code>@MachineLearning-Nerd</code></a> for the report.</em></li> </ul> <h2>Changed</h2> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups, by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <a href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li> </ul> <h2>Upgrade notes</h2> <p>Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:</p> <ul> <li><strong>Empty HMAC keys now raise.</strong> If your app passed <code>""</code> or <code>b""</code> as a secret (often via a missing env var, e.g. <code>os.getenv("JWT_SECRET", "")</code>), <code>encode</code>/<code>decode</code> will now raise <code>InvalidKeyError</code>. This is the intended behavior — fix the configuration.</li> <li><strong><code>PyJWK</code> decoding now requires the token's <code>alg</code> to match the JWK's algorithm.</strong> Previously a mismatch was silently honored if the header <code>alg</code> appeared in the allow-list. Tokens that relied on this mismatch will now fail with <code>InvalidAlgorithmError</code>.</li> <li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at construction time.</strong> Tests or dev environments that fetched JWKS from <code>file://</code> URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct <code>PyJWKSet.from_dict(...)</code> directly).</li> <li><strong><code>b64=false</code> tokens are now strictly RFC 7515 / 7797 compliant.</strong> Tokens with a non-empty compact-form payload segment, or that omit <code>"b64"</code> from <code>crit</code>, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.</li> <li><strong><code>enforce_minimum_key_length</code> set per-call now takes effect.</strong> Callers who passed <code>options={"enforce_minimum_key_length": True}</code> to <code>jwt.decode()</code> previously got no enforcement; they will now get <code>InvalidKeyError</code> on undersized keys, as documented.</li> </ul> <p><strong>Full changelog:</strong> <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's changelog</a>.</em></p> <blockquote> <h2><code>v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0></code>__</h2> <p>Security</p> <pre><code> - Reject JWK JSON documents passed as raw HMAC secrets in ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that the existing PEM/SSH guard did not cover. Reported by @aradona91 in `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__. - Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during verification so the caller's ``algorithms=[...]`` allow-list cannot be bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__. - Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker- influenced URIs cannot read local files or reach unintended schemes via urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__. - Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``. The previous ``finally``-block ``put(None)`` pattern cleared the cache on any transient outage, turning one bad JWKS request into application- wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__. - Skip the unconditional base64 decode of the compact-form payload segment when ``b64=false`` is set in the protected header, and require that segment to be empty (RFC 7515 Appendix F detached form). Closes an unauthenticated DoS amplifier. Reported by @thesmartshadow in `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__. <p>Fixed</p> <pre><code> - Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with ``InvalidKeyError`` instead of accepting them with only a warning. Thanks to @SnailSploit and @spartan8806 for independently flagging the footgun. - Forward per-call ``options`` (including ``enforce_minimum_key_length``) from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the option actually takes effect when set at the call site rather than only on the ``PyJWT`` instance. Thanks to @WLUB for the report. - RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects tokens that set ``b64=false`` without listing it in ``crit``. Thanks to @MachineLearning-Nerd for the report. Changed </code></pre> <ul> <li>Migrate the <code>dev</code>, <code>docs</code>, and <code>tests</code> package extras to dependency groups by <a href="https://github.com/kurtmckee"><code>@kurtmckee</code></a> in <code>[#1152](jpadilla/pyjwt#1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;</code>__ </code></pre></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jpadilla/pyjwt/commit/7144e4534c34810f4525dc4578a32addd8212cff"><code>7144e45</code></a> Apply ruff format</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/d2f4bec4963897c0ef96ef64a875894f2c8542ab"><code>d2f4bec</code></a> Restore <code>cast()</code> calls with cross-version <code>type: ignore</code> for <code>prepare_key</code></li> <li><a href="https://github.com/jpadilla/pyjwt/commit/22f478cebddd8294259c30f037ecb92b0b348774"><code>22f478c</code></a> Remove redundant casts in <code>RSAAlgorithm.prepare_key</code> and `ECAlgorithm.prepare...</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81"><code>95791b1</code></a> Bundle security fixes and hardening into 2.13.0</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/dcc27a9d3182a2349c30b160758785c6ce7a6508"><code>dcc27a9</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/1155">#1155</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/9d08a9a1896845ed8eaf88e6f6ac61e5800c3e7a"><code>9d08a9a</code></a> [pre-commit.ci] pre-commit autoupdate (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/1146">#1146</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/b87c10014d4109f0214fea188d00faaaf8a80e64"><code>b87c100</code></a> Bump codecov/codecov-action from 5 to 6 (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/1154">#1154</a>)</li> <li><a href="https://github.com/jpadilla/pyjwt/commit/40e3147eb5f790d8d041772e5fc00728a176c812"><code>40e3147</code></a> Migrate development extras to dependency groups (<a href="https://redirect.github.com/jpadilla/pyjwt/issues/1152">#1152</a>)</li> <li>See full diff in <a href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [starlette](https://github.com/Kludex/starlette) from 1.1.0 to 1.3.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/releases">starlette's releases</a>.</em></p> <blockquote> <h2>Version 1.3.1</h2> <h2>What's Changed</h2> <ul> <li>Use <code>StarletteDeprecationWarning</code> instead of <code>DeprecationWarning</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3119">Kludex/starlette#3119</a></li> <li>Enforce <code>max_fields</code> and <code>max_part_size</code> in <code>FormParser</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3329">Kludex/starlette#3329</a></li> <li>Enforce <code>FormParser</code> limits in parser callbacks by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3331">Kludex/starlette#3331</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/1.3.0...1.3.1">https://github.com/Kludex/starlette/compare/1.3.0...1.3.1</a></p> <h2>Version 1.3.0</h2> <h2>What's Changed</h2> <ul> <li>Clamp oversized suffix ranges in <code>FileResponse</code> by <a href="https://github.com/jiyujie2006"><code>@jiyujie2006</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li> <li>Catch <code>OSError</code> alongside <code>MultiPartException</code> when closing temp files by <a href="https://github.com/N3XT3R1337"><code>@N3XT3R1337</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li> <li>Add <code>httpx2</code> to the <code>full</code> extra by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3323">Kludex/starlette#3323</a></li> <li>Adjust testclient typing and warnings by <a href="https://github.com/waketzheng"><code>@waketzheng</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3322">Kludex/starlette#3322</a></li> <li>Fix IndexError in URL.replace() on a URL with no authority by <a href="https://github.com/LeSingh1"><code>@LeSingh1</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li> <li>Annotate URLPath protocol parameter with Literal by <a href="https://github.com/Chang-LeHung"><code>@Chang-LeHung</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li> <li>avoid collapsing exception groups from user code by <a href="https://github.com/graingert"><code>@graingert</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/2830">Kludex/starlette#2830</a></li> <li>Use <code>removeprefix</code> to strip weak ETag indicator in <code>is_not_modified</code> by <a href="https://github.com/gnosyslambda"><code>@gnosyslambda</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li> <li>Build <code>request.url</code> from structured components by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3326">Kludex/starlette#3326</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jiyujie2006"><code>@jiyujie2006</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li> <li><a href="https://github.com/N3XT3R1337"><code>@N3XT3R1337</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li> <li><a href="https://github.com/leestana01"><code>@leestana01</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3319">Kludex/starlette#3319</a></li> <li><a href="https://github.com/LeSingh1"><code>@LeSingh1</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li> <li><a href="https://github.com/EmmanuelNiyonshuti"><code>@EmmanuelNiyonshuti</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3204">Kludex/starlette#3204</a></li> <li><a href="https://github.com/Chang-LeHung"><code>@Chang-LeHung</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li> <li><a href="https://github.com/gnosyslambda"><code>@gnosyslambda</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/1.2.1...1.3.0">https://github.com/Kludex/starlette/compare/1.2.1...1.3.0</a></p> <h2>Version 1.2.1</h2> <h2>What's Changed</h2> <ul> <li>Use <code>httpx2</code> for type checking in the <code>testclient</code> module by <a href="https://github.com/leifwar"><code>@leifwar</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li> <li>Add assert error for requires() when request param is not Request type by <a href="https://github.com/KeeganOP"><code>@KeeganOP</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/leifwar"><code>@leifwar</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li> <li><a href="https://github.com/diskeu"><code>@diskeu</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3243">Kludex/starlette#3243</a></li> <li><a href="https://github.com/KeeganOP"><code>@KeeganOP</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/1.2.0...1.2.1">https://github.com/Kludex/starlette/compare/1.2.0...1.2.1</a></p> <h2>Version 1.2.0</h2> <h2>What's Changed</h2> <ul> <li>Support httpx2 in the test client by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3291">Kludex/starlette#3291</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/1.1.0...1.2.0">https://github.com/Kludex/starlette/compare/1.1.0...1.2.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's changelog</a>.</em></p> <blockquote> <h2>1.3.1 (June 12, 2026)</h2> <h4>Fixed</h4> <ul> <li>Enforce <code>max_fields</code> and <code>max_part_size</code> in <code>FormParser</code> <a href="https://redirect.github.com/encode/starlette/pull/3329">#3329</a>.</li> <li>Enforce <code>FormParser</code> limits in parser callbacks <a href="https://redirect.github.com/encode/starlette/pull/3331">#3331</a>.</li> </ul> <h2>1.3.0 (June 11, 2026)</h2> <h4>Added</h4> <ul> <li>Add <code>httpx2</code> to the <code>full</code> extra <a href="https://redirect.github.com/encode/starlette/pull/3323">#3323</a>.</li> <li>Annotate the <code>URLPath</code> <code>protocol</code> parameter with <code>Literal</code> <a href="https://redirect.github.com/encode/starlette/pull/3285">#3285</a>.</li> </ul> <h4>Fixed</h4> <ul> <li>Build <code>request.url</code> from structured components <a href="https://redirect.github.com/encode/starlette/pull/3326">#3326</a>.</li> <li>Clamp oversized suffix ranges in <code>FileResponse</code> <a href="https://redirect.github.com/encode/starlette/pull/3307">#3307</a>.</li> <li>Catch <code>OSError</code> alongside <code>MultiPartException</code> when closing temp files <a href="https://redirect.github.com/encode/starlette/pull/3191">#3191</a>.</li> <li>Avoid collapsing exception groups raised from user code <a href="https://redirect.github.com/encode/starlette/pull/2830">#2830</a>.</li> <li>Use <code>removeprefix</code> to strip the weak <code>ETag</code> indicator in <code>is_not_modified</code> <a href="https://redirect.github.com/encode/starlette/pull/3193">#3193</a>.</li> <li>Fix <code>IndexError</code> in <code>URL.replace()</code> on a URL with no authority <a href="https://redirect.github.com/encode/starlette/pull/3317">#3317</a>.</li> <li>Adjust <code>testclient</code> typing and warnings <a href="https://redirect.github.com/encode/starlette/pull/3322">#3322</a>.</li> </ul> <h2>1.2.1 (May 31, 2026)</h2> <h4>Fixed</h4> <ul> <li>Use <code>httpx2</code> for type checking in the <code>testclient</code> module <a href="https://redirect.github.com/encode/starlette/pull/3304">#3304</a>.</li> <li>Add assert error for <code>requires()</code> when the request parameter is not a <code>Request</code> type <a href="https://redirect.github.com/encode/starlette/pull/3298">#3298</a>.</li> </ul> <h2>1.2.0 (May 28, 2026)</h2> <h4>Added</h4> <ul> <li>Support httpx2 in the test client <a href="https://redirect.github.com/encode/starlette/pull/3291">#3291</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Kludex/starlette/commit/8ebffd0678570ddd5d5bb11c6f3c3c7fd4682ab9"><code>8ebffd0</code></a> Version 1.3.1 (<a href="https://redirect.github.com/Kludex/starlette/issues/3330">#3330</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/25b8e179d8d7ed86769c02f648772dd5fb43dc3c"><code>25b8e17</code></a> Enforce <code>FormParser</code> limits in parser callbacks (<a href="https://redirect.github.com/Kludex/starlette/issues/3331">#3331</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735"><code>dba1c4b</code></a> Enforce <code>max_fields</code> and <code>max_part_size</code> in <code>FormParser</code> (<a href="https://redirect.github.com/Kludex/starlette/issues/3329">#3329</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/45e51dcf99f3a270b0bcec1aec5410b4345863a9"><code>45e51dc</code></a> Use <code>StarletteDeprecationWarning</code> instead of <code>DeprecationWarning</code> (<a href="https://redirect.github.com/Kludex/starlette/issues/3119">#3119</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/5f8610c386e13de1d80d36efa961e1486a1d2d01"><code>5f8610c</code></a> Version 1.3.0 (<a href="https://redirect.github.com/Kludex/starlette/issues/3327">#3327</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975"><code>167b585</code></a> Build <code>request.url</code> from structured components (<a href="https://redirect.github.com/Kludex/starlette/issues/3326">#3326</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/37309255b4c1b9c381a2d24a1eaf83100984a16a"><code>3730925</code></a> Use <code>removeprefix</code> to strip weak ETag indicator in <code>is_not_modified</code> (<a href="https://redirect.github.com/Kludex/starlette/issues/3193">#3193</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/e6f7ad1ab85efb27ab7910d8007b3f4531f7b083"><code>e6f7ad1</code></a> avoid collapsing exception groups from user code (<a href="https://redirect.github.com/Kludex/starlette/issues/2830">#2830</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/115228fcdca0e0ef5bf4a95a40ddce5a9fced428"><code>115228f</code></a> Annotate URLPath protocol parameter with Literal (<a href="https://redirect.github.com/Kludex/starlette/issues/3285">#3285</a>)</li> <li><a href="https://github.com/Kludex/starlette/commit/113f193a34353c9153857028c1074351d22fad07"><code>113f193</code></a> docs: replace inline ASGI server list with link to canonical implemen… (<a href="https://redirect.github.com/Kludex/starlette/issues/3204">#3204</a>)</li> <li>Additional commits viewable in <a href="https://github.com/Kludex/starlette/compare/1.1.0...1.3.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Changes - Split `publish.yml` into separate build and publish stages - Use `templateContext.type: releaseJob` + `isProduction: true` for ESRP publish job (fixes 1ES PT enforcement error) - Release jobs consume pipeline artifacts via `$(Pipeline.Workspace)/...` instead of source directory This fixes the `isReleaseJob` enforcement warning from 1ES PT and ensures ESRP tasks run in a properly declared release job context. Mirror of the same fix applied to teams.ts. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.27 to 0.0.31. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/releases">python-multipart's releases</a>.</em></p> <blockquote> <h2>Version 0.0.31</h2> <h2>What's Changed</h2> <ul> <li>Speed up multipart header parsing and callback dispatch by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/295">Kludex/python-multipart#295</a></li> <li>Bound header field name size before validating by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/296">Kludex/python-multipart#296</a></li> <li>Validate Content-Length is non-negative in parse_form by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/297">Kludex/python-multipart#297</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.30...0.0.31">https://github.com/Kludex/python-multipart/compare/0.0.30...0.0.31</a></p> <h2>Version 0.0.30</h2> <h2>What's Changed</h2> <ul> <li>Treat only <code>&</code> as the urlencoded field separator by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/290">Kludex/python-multipart#290</a></li> <li>Ignore RFC 2231 extended parameters in <code>parse_options_header</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/291">Kludex/python-multipart#291</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.29...0.0.30">https://github.com/Kludex/python-multipart/compare/0.0.29...0.0.30</a></p> <h2>Version 0.0.29</h2> <h2>What's Changed</h2> <ul> <li>Handle malformed RFC 2231 continuations in <code>parse_options_header</code> by <a href="https://github.com/manunio"><code>@manunio</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/270">Kludex/python-multipart#270</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.28...0.0.29">https://github.com/Kludex/python-multipart/compare/0.0.28...0.0.29</a></p> <h2>Version 0.0.28</h2> <h2>What's Changed</h2> <ul> <li>Speed up partial-boundary tail scan via <code>bytes.find</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/281">Kludex/python-multipart#281</a></li> <li>Cap multipart boundary length at 256 bytes by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/282">Kludex/python-multipart#282</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.28">https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.28</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md">python-multipart's changelog</a>.</em></p> <blockquote> <h2>0.0.31 (2026-06-04)</h2> <ul> <li>Speed up multipart header parsing and callback dispatch <a href="https://redirect.github.com/Kludex/python-multipart/pull/295">#295</a>.</li> <li>Bound header field name size before validating <a href="https://redirect.github.com/Kludex/python-multipart/pull/296">#296</a>.</li> <li>Validate <code>Content-Length</code> is non-negative in <code>parse_form</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/297">#297</a>.</li> </ul> <h2>0.0.30 (2026-05-31)</h2> <ul> <li>Parse <code>application/x-www-form-urlencoded</code> bodies per the WHATWG URL standard, treating only <code>&</code> as a field separator <a href="https://redirect.github.com/Kludex/python-multipart/pull/290">#290</a>.</li> <li>Ignore RFC 2231/5987 extended parameters (<code>name*</code>, <code>filename*</code>) in <code>parse_options_header</code>, keeping the plain parameter authoritative per <a href="https://datatracker.ietf.org/doc/html/rfc7578#section-4.2">RFC 7578 §4.2</a> <a href="https://redirect.github.com/Kludex/python-multipart/pull/291">#291</a>.</li> </ul> <h2>0.0.29 (2026-05-17)</h2> <ul> <li>Handle malformed RFC 2231 continuations in <code>parse_options_header</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/270">#270</a>.</li> </ul> <h2>0.0.28 (2026-05-10)</h2> <ul> <li>Speed up partial-boundary tail scan via <code>bytes.find</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/281">#281</a>.</li> <li>Cap multipart boundary length at 256 bytes <a href="https://redirect.github.com/Kludex/python-multipart/pull/282">#282</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Kludex/python-multipart/commit/4cffc68a165f7a6f6b7756ce006fabf07a05b7a4"><code>4cffc68</code></a> Version 0.0.31 (<a href="https://redirect.github.com/Kludex/python-multipart/issues/298">#298</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf"><code>c814948</code></a> Reject negative <code>Content-Length</code> in <code>parse_form</code> (<a href="https://redirect.github.com/Kludex/python-multipart/issues/297">#297</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494"><code>6b837d4</code></a> Bound header field name size before validating (<a href="https://redirect.github.com/Kludex/python-multipart/issues/296">#296</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/e0c4f9df2e737d1663fbbdd6563f80613a2089f9"><code>e0c4f9d</code></a> Bump the github-actions group with 3 updates (<a href="https://redirect.github.com/Kludex/python-multipart/issues/294">#294</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/b8a01bb683e8e8675fdb5d831b206a478c8215aa"><code>b8a01bb</code></a> Bump the python-packages group with 3 updates (<a href="https://redirect.github.com/Kludex/python-multipart/issues/293">#293</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/6732164f30c58e28589a1e22213d2f6b8c6bad9f"><code>6732164</code></a> Speed up multipart header parsing and callback dispatch (<a href="https://redirect.github.com/Kludex/python-multipart/issues/295">#295</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/9d3ead568a259f222cff6425262ff63e88d930d4"><code>9d3ead5</code></a> Version 0.0.30 (<a href="https://redirect.github.com/Kludex/python-multipart/issues/292">#292</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/3506c15ce99cb62faf2d5ceb3c4c1e5800cb843d"><code>3506c15</code></a> Ignore RFC 2231 extended parameters in <code>parse_options_header</code> (<a href="https://redirect.github.com/Kludex/python-multipart/issues/291">#291</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/d69df35cd2cad9c72794c2c340db646afae957d8"><code>d69df35</code></a> Treat only <code>&</code> as the urlencoded field separator (<a href="https://redirect.github.com/Kludex/python-multipart/issues/290">#290</a>)</li> <li><a href="https://github.com/Kludex/python-multipart/commit/1e6ff9740b09fb439755f30e2b0e2ada1d297325"><code>1e6ff97</code></a> Bump idna from 3.11 to 3.15 (<a href="https://redirect.github.com/Kludex/python-multipart/issues/289">#289</a>)</li> <li>Additional commits viewable in <a href="https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.31">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>48.0.1 - 2026-06-09</p> <pre><code> * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1. <p>.. _v48-0-0:</p> <p>48.0.0 - 2026-05-04<br /> </code></pre></p> <ul> <li> <p><strong>BACKWARDS INCOMPATIBLE:</strong> Support for Python 3.8 has been removed. <code>cryptography</code> now requires Python 3.9 or later.</p> </li> <li> <p><strong>BACKWARDS INCOMPATIBLE:</strong> Loading an X.509 CRL whose inner <code>TBSCertList.signature</code> algorithm does not match the outer <code>signatureAlgorithm</code> now raises <code>ValueError</code>. Previously, such CRLs were parsed successfully and only rejected during signature validation.</p> </li> <li> <p>Added support for :doc:<code>/hazmat/primitives/asymmetric/mlkem</code> and :doc:<code>/hazmat/primitives/asymmetric/mldsa</code> when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.</p> <ul> <li><strong>Note:</strong> Going forward, we do not guarantee that all functionality in <code>cryptography</code> will be available when building against OpenSSL. See :doc:<code>/statements/state-of-openssl</code> for more information.</li> </ul> </li> </ul> <p>.. _v47-0-0:</p> <p>47.0.0 - 2026-04-24</p> <pre><code> * Support for Python 3.8 is deprecated and will be removed in the next ``cryptography`` release. * **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves (``SECT*`` classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable. * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported. * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1. * **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of ``ValueError``. This change affects :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`, and :meth:`~cryptography.x509.Certificate.public_key` when called on certificates with unsupported public key algorithms. </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pyca/cryptography/commit/de987ce48ccfeb1abca41efa23b2bf73ec704f74"><code>de987ce</code></a> 48.0.1 version bump and changelog (<a href="https://redirect.github.com/pyca/cryptography/issues/14996">#14996</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/8e03e30e3aae01632a697e903e3593c924f0139d"><code>8e03e30</code></a> bump for 48.0.0 release (<a href="https://redirect.github.com/pyca/cryptography/issues/14796">#14796</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/295e0d254ef31ab864730aa41312ec355416ee71"><code>295e0d2</code></a> Add AGENTS.md with CLAUDE.md symlink (<a href="https://redirect.github.com/pyca/cryptography/issues/14794">#14794</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/104a2de19e268a433e6da92be9cb872dcf0003c8"><code>104a2de</code></a> Bump BoringSSL, OpenSSL, AWS-LC in CI (<a href="https://redirect.github.com/pyca/cryptography/issues/14793">#14793</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/67ec1e51988195e17993d2edef5258b27509b926"><code>67ec1e5</code></a> call check_length early on AesSiv::encrypt (<a href="https://redirect.github.com/pyca/cryptography/issues/14792">#14792</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/b2da57a0d9e4bfd2b95364299091a18f74127b26"><code>b2da57a</code></a> changelog for mldsa/mlkem for openssl (<a href="https://redirect.github.com/pyca/cryptography/issues/14791">#14791</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/3cf44adee25c368d4a136e072fa9f80465d91eb0"><code>3cf44ad</code></a> ML-KEM OpenSSL support (<a href="https://redirect.github.com/pyca/cryptography/issues/14781">#14781</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/2e31639666766f846fbab2c605879db0fa64fe83"><code>2e31639</code></a> ML-DSA OpenSSL support (<a href="https://redirect.github.com/pyca/cryptography/issues/14773">#14773</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/5affe5a286a986fdf512c4a5cb280d28a96c10e3"><code>5affe5a</code></a> fix rust nightly clippy (<a href="https://redirect.github.com/pyca/cryptography/issues/14790">#14790</a>)</li> <li><a href="https://github.com/pyca/cryptography/commit/2e73ca448eaf64b6f0d4ffbb794cf96170cef5ec"><code>2e73ca4</code></a> bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (<a href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li> <li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/46.0.7...48.0.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…476) Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/form-data/form-data/blob/master/CHANGELOG.md">form-data's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">v4.0.6</a> - 2026-06-12</h2> <h3>Commits</h3> <ul> <li>[Fix] escape CR, LF, and <code>"</code> in field names and filenames <a href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a></li> <li>[Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>tape</code> <a href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a></li> <li>[Deps] update <code>hasown</code>, <code>mime-types</code> <a href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a></li> <li>[Dev Deps] update <code>js-randomness-predictor</code> <a href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"><code>64190db</code></a> v4.0.6</li> <li><a href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a> [Deps] update <code>hasown</code>, <code>mime-types</code></li> <li><a href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code>, <code>auto-changelog</code>, <code>tape</code></li> <li><a href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a> [Fix] escape CR, LF, and <code>"</code> in field names and filenames</li> <li><a href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a> [Dev Deps] update <code>js-randomness-predictor</code></li> <li>See full diff in <a href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.py/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Quoted replies are now GA. Removes all
`@experimental("ExperimentalTeamsQuotedReplies")` decorators and
diagnostic docstring lines.
## Changes
- `packages/apps/src/microsoft_teams/apps/routing/activity_context.py`
- `packages/api/src/microsoft_teams/api/activities/message/message.py`
-
`packages/api/src/microsoft_teams/api/models/entity/quoted_reply_entity.py`
All tests pass (625/625). Lint and type checks clean.
Adds 12 integration tests that make real API calls against the Teams Bot Framework service. **Tests:** - Activities: create, update, reply, delete (4) - Members: get all, get by ID, get paged (3) - Conversations: create 1:1, create group (2) - Teams: get details, get channels (2) - Reactions: add and delete (1) **Also fixes:** - `TeamDetails.type` was incorrectly marked as required — service doesn't always return it. Now `Optional`. **Setup:** ```bash uv sync --all-packages --group dev --group integration export $(cat tests/integration/.env.botid-prod | xargs) pytest tests/integration -v ``` See [cross-SDK runbook](https://github.com/microsoft/teams-sdk/blob/main/INTEGRATION-TESTS.md) for provisioning and troubleshooting. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…#481) The 1ES template requires `artifactName` (not `artifact`) for `pipelineArtifact` input declarations in `templateContext`. This was causing: ``` Unexpected value 'artifactName is a required argument for pipelineArtifact input and 1ES.DownloadPipelineArtifact@1 task' ``` Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
## Summary - Adds `"extendedmarkdown"` to the `TextFormat` Literal type for rich content rendering (GFM tables, LaTeX math) - Updates docstrings on `text_format` field and `with_text_format()` method - Adds unit test with markdown content verification - Adds new `formatted-messaging` sample demonstrating all text formats: markdown, extendedmarkdown, xml, and plain ## Test plan - [x] Unit tests pass (`test_message_activities.py` — 62/62) - [x] `formatted-messaging` sample syntax and imports verified - [x] E2E validated in Teams ## Screenshots <img width="363" height="125" alt="image" src="https://github.com/user-attachments/assets/7b2ed266-c3b0-4be9-b336-cc03a0957b05" /> <img width="344" height="266" alt="image" src="https://github.com/user-attachments/assets/d39f3614-dbc3-4050-9ab9-a1e105da68d3" /> <img width="413" height="191" alt="image" src="https://github.com/user-attachments/assets/5b208d10-5d67-4c0d-b61c-69e7bdf073a7" /> <img width="630" height="297" alt="image" src="https://github.com/user-attachments/assets/ad193b43-115f-409d-9925-a5953804e064" /> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntent stream not allowed (#453) PR has evolved due to a number of raised issues wrt streaming error handling. This PR solely focuses on handling the 403 for the 2-minute timeout, and surfacing the "Content stream is not allowed" error. This table highlights all the different error codes, we are concerned with the 403s: https://learn.microsoft.com/en-us/microsoftteams/platform/bots/streaming-ux?tabs=csharp#error-codes 1) Content stream is not allowed -> Error is surfaced, not as a cancelled error 2) Content stream is not allowed on an already completed streamed message -> Not possible with the SDK 3) Content stream finished due to exceeded streaming time. -> Handled in this PR. A new regular message is sent instead. 4) Content stream was canceled by user -> Already handled today 5) Request streamed content should contain the previously streamed content -> Not possible with the SDK **TO BE DISCUSSED:** 1) Bursty informative updates - continued discussion in #452 to reach an ideal solution 2) Message size too large -> To be discussed in #488 --- OLD DESCRIPTION: Fixes #452 ## Problem `HttpStream` can send streaming activities faster than the Teams 1 request/second per-stream limit. Teams then throttles the stream and returns `403 ContentStreamNotAllowed`, which `_send` converts to `StreamCancelledError` and the user sees as a red error toast. Two causes in `http_stream.py`: 1. `_flush()` sent every queued informative update back to back, then the text chunk. A burst of `update()` calls became a burst of POSTs in one flush. 2. The only pacing was a `call_later(0.5, ...)` reschedule, armed only when a backlog survived a flush. Once the queue drained, `_timeout` was `None`, so the next `emit()` fired an immediate flush with no pacing. ## Fix A per-stream leaky-slot limiter (`make_limiter` in `utils/limiter.py`), gating every chunk send in `_send_activity`. Its `next_slot` is instance state shared across flushes, so it paces both the in-flush burst and the next `emit()` after the queue drains. The first send is not delayed, so the progress bar still appears promptly. - `min_send_interval` on `HttpStream.__init__` (default 1.0s) lets callers buffer toward the docs' 1.5 to 2s advice. - `coalesce_informative_updates` defaults to `True`: a burst of informative updates in one flush collapses to the latest, matching the docs' "one informative message, reused for each update". Set it `False` to pace out every update at 1 req/s instead (see Notes). ## Tests Limiter spacing and input validation; rapid `update()` burst coalesces to the latest by default; with `coalesce_informative_updates=False` every update is sent in order, none dropped, paced at the interval; emits are paced across flushes (the post-drain case); the interval is configurable; the flag never drops text. Existing `test_http_stream.py` behaviour is unchanged. Full `packages/apps` suite passes, ruff and pyright clean. ## Notes - The limiter is acquired in `_send`, so every HTTP attempt is paced: retries and `close()`'s final send included. `acquire()` only waits when a send would actually be too soon, so close pays no latency unless it lands within the interval of the last chunk. Pass `min_send_interval=0` to disable pacing. - With `coalesce_informative_updates=False`, `_flush` holds its lock across the paced sleeps, so a very long informative burst could keep the lock long enough that `close()` times out. The default (coalesce on) avoids this. - The same gap likely exists in the sibling TS and .NET SDKs; not addressed here. --------- Co-authored-by: WERCK Ayrton <9287010+Athosone@users.noreply.github.com> Co-authored-by: lilyydu <lilydu@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: lilyydu <54044854+lilyydu@users.noreply.github.com> Co-authored-by: heyitsaamir <ajawaid191@gmail.com>
## Summary - make `HttpStream` reusable after close: a later `emit()` or `update()` starts a new streamed message cycle on the same stream instance - keep repeated `close()` calls idempotent until another emit/update occurs - update the stream example with a `multi-stream` flow that emits an Adaptive Card in the first stream final message, closes, then reuses `ctx.stream` for a second streamed segment - add coverage for close idempotency followed by emit-driven stream reopening - refresh `uv.lock` to include the missing `formatted-messaging` workspace member and dependency metadata ## Context This addresses the scenario in #489 where a handler needs to: 1. stream part of a response, 2. include a normal message or card in the flow, 3. continue with another streamed response. Before this change, the only way to do that was to close `ctx.stream` and then reach into the private `ctx._activity_sender.create_stream(...)` API to create another stream. ## Motivation This is useful for conversational AI and tool-using bot flows where a response is not always one uninterrupted text stream. For example, a bot may need to stream an explanation while it reasons or searches, include a structured checkpoint message, approval prompt, or card, and then continue streaming the final answer after that intermediate interaction. Without a public lifecycle API, developers either have to avoid streaming for these richer flows or access private SDK internals to create a fresh stream. Reopening the stream on the next emit gives them a supported way to split one handler's response into multiple sequential streamed messages while keeping the SDK's one-stream-object model. ## Alternatives considered ### `ctx.new_stream()` We first considered adding a public `ctx.new_stream()` method that would create and return another stream object. That solves the private API issue, but it makes the model feel like a handler can manage multiple stream objects at once. In practice, Teams appears to behave more reliably when there is only one active stream at a time. Multiple stream objects also complicate ownership, finalization, event handler registration, and retry behavior. ### Context-managed multiple streams We also considered having `ActivityContext` track all streams created during a handler and close them all at the end. That keeps cleanup centralized, but it still encourages multiple open streams during one handler. It also makes ordering less explicit: a stream could remain active while a normal message or a second stream is sent, which is exactly the behavior that seemed risky. ### `close(reset=True)` We also tried an explicit `close(reset=True)` option. It worked, but it made the API more awkward and introduced a flag for what is conceptually the next stream cycle. The approach in this PR keeps `close()` simple: it finalizes the current streamed message. Repeated `close()` calls remain idempotent. If the caller later emits or updates, the stream starts a new cycle automatically. ## Example The stream example now includes a `multi-stream` path: https://github.com/user-attachments/assets/91021174-fd9d-43c4-acb0-e38348ef6d12 ```python ctx.stream.emit("[stream 1] Starting the first streamed response.") ctx.stream.emit(MessageActivityInput(text="...").add_card(card)) await ctx.stream.close() ctx.stream.emit("[stream 2] Reusing ctx.stream after close().") ``` This demonstrates the intended lifecycle: one streamed message is finalized, and the same `ctx.stream` instance is reused for the next streamed message when the handler emits again. Addresses #489 --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR prepares the 2.0.14 patch release by syncing release to main, setting the stable version, and bringing in the accumulated SDK changes (streaming lifecycle/error handling improvements, BotBuilder integration refactor, and new integration test scaffolding).
Changes:
- Bump
version.jsonto 2.0.14 and update release workflow documentation/pipeline wiring. - Improve streaming behavior (reusable
HttpStreamafter close, 403 error classification, non-retryable terminal stream errors) and related unit tests. - Refactor BotBuilder integration from a plugin to an HTTP-boundary adapter; add integration test harness/docs and small model/type additions.
Reviewed changes
Copilot reviewed 47 out of 50 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| version.json | Set stable release version to 2.0.14 |
| tools/hatch-teams-build/src/hatch_teams_build/version_source.py | Prefer PEP 440-compatible nbgv fields |
| tests/integration/test_teams_and_reactions.py | Add integration coverage for teams/reactions |
| tests/integration/test_members.py | Add integration coverage for members APIs |
| tests/integration/test_conversations.py | Add integration coverage for conversation creation |
| tests/integration/test_activities.py | Add integration coverage for activity CRUD |
| tests/integration/README.md | Document integration test setup/run |
| tests/integration/pytest.ini | Set asyncio mode for integration tests |
| tests/integration/conftest.py | Shared integration fixture + caching |
| tests/integration/.env.example | Template env file for integration tests |
| stubs/msal/init.pyi | Update MSAL stub for callable assertions |
| RELEASE.md | Update release workflow/runbook |
| pyproject.toml | Add integration dependency group |
| packages/botbuilder/tests/test_botbuilder_plugin.py | Remove plugin tests (plugin removed) |
| packages/botbuilder/tests/test_botbuilder_adapter.py | Add adapter tests |
| packages/botbuilder/src/microsoft_teams/botbuilder/botbuilder_plugin.py | Remove BotBuilderPlugin implementation |
| packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py | Add BotBuilderAdapter implementation |
| packages/botbuilder/src/microsoft_teams/botbuilder/init.py | Export adapter instead of plugin |
| packages/botbuilder/pyproject.toml | Update package description to adapter |
| packages/apps/tests/test_token_manager.py | Update/add tests for FIC caching + lazy assertion |
| packages/apps/tests/test_http_stream.py | Expand streaming tests for 403 mapping/timeout/reopen |
| packages/apps/src/microsoft_teams/apps/utils/retry.py | Add non_retryable to retry helper |
| packages/apps/src/microsoft_teams/apps/token_manager.py | Cache MSAL clients; lazy client assertion |
| packages/apps/src/microsoft_teams/apps/routing/activity_context.py | Remove quoted-reply experimental annotation |
| packages/apps/src/microsoft_teams/apps/plugins/streamer.py | Add terminal stream error types + doc updates |
| packages/apps/src/microsoft_teams/apps/plugins/metadata.py | Remove unused dependency option types |
| packages/apps/src/microsoft_teams/apps/plugins/init.py | Export new stream error types |
| packages/apps/src/microsoft_teams/apps/http_stream.py | Stream reuse after close + 403 mapping + timeout behavior |
| packages/apps/src/microsoft_teams/apps/app.py | Remove no-longer-used container providers |
| packages/api/tests/unit/test_message_activities.py | Add tests for extendedmarkdown + messageUpdate attachments |
| packages/api/src/microsoft_teams/api/models/text_format.py | Add extendedmarkdown literal |
| packages/api/src/microsoft_teams/api/models/team_details.py | Make type optional in TeamDetails |
| packages/api/src/microsoft_teams/api/models/entity/quoted_reply_entity.py | Remove quoted-reply experimental annotation |
| packages/api/src/microsoft_teams/api/activities/message/message.py | Update text format docs; remove experimental annotation on quoting APIs |
| packages/api/src/microsoft_teams/api/activities/message/message_update.py | Add attachments + attachment_layout to MessageUpdateActivity |
| examples/tab/Web/package.json | Bump Vite/plugin versions |
| examples/tab/Web/package-lock.json | Lockfile refresh for Vite/plugin bumps |
| examples/stream/src/main.py | Add multi-stream + adaptive card streaming demo |
| examples/stream/README.md | Document new stream demo commands |
| examples/formatted-messaging/src/main.py | New sample demonstrating text formats |
| examples/formatted-messaging/README.md | Document formatted-messaging sample |
| examples/formatted-messaging/pyproject.toml | Add formatted-messaging example project metadata |
| examples/botbuilder/src/main.py | Migrate example to BotBuilderAdapter + card routing demo |
| examples/botbuilder/src/bots/echo_bot.py | Handle adaptiveCard/action invoke in BotBuilder path |
| examples/botbuilder/README.md | Update docs from plugin → adapter |
| examples/botbuilder/pyproject.toml | Add cards dependency for updated example |
| CONTRIBUTING.md | Add integration test guidance |
| .gitignore | Ignore .env.* while keeping .env.example |
| .azdo/publish.yml | Publish pipeline artifacts + staged publish jobs |
Files not reviewed (1)
- examples/tab/Web/package-lock.json: Generated file
lilyydu
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Prepares the 2.0.14 patch release.
This PR brings
releaseup tomainand sets the stable version.Changes
version.jsonfrom2.0.13-dev.{height}to2.0.14(stable)mainintoreleaseusing-s ours(recordsreleaseas a parent while keepingmain's tree)Release contents
Includes all commits merged to
mainsince v2.0.13, notably:After merge
releasebranch with Public publish typeRELEASE.md