Skip to content

Release 2.0.14: merge main into release#497

Merged
heyitsaamir merged 22 commits into
releasefrom
heyitsaamir-aamirj-release-2-0-14
Jul 7, 2026
Merged

Release 2.0.14: merge main into release#497
heyitsaamir merged 22 commits into
releasefrom
heyitsaamir-aamirj-release-2-0-14

Conversation

@heyitsaamir

Copy link
Copy Markdown
Collaborator

Prepares the 2.0.14 patch release.

This PR brings release up to main and sets the stable version.

Changes

  • Bump version.json from 2.0.13-dev.{height} to 2.0.14 (stable)
  • Merge main into release using -s ours (records release as a parent while keeping main's tree)

Release contents

Includes all commits merged to main since v2.0.13, notably:

After merge

  1. Run the publish pipeline on the release branch with Public publish type
  2. Tag and create the GitHub Release per RELEASE.md

Note: main still reads 2.0.13-dev and should be bumped to 2.0.14-dev (or higher) in a separate follow-up PR to start the next dev cycle.

heyitsaamir and others added 22 commits June 8, 2026 12:08
In the previous doc, the instruction was to do main -> release. But
since release and main have different histories, there were many merge
conflicts that had to be resolved. To do this, we had to use `-s ours`
when merging.
Since this needs to be done on our machine anyway (and also because
version.json also needs to be modified), I updated the doc to just be
exact commands that need to be run so agents can help us execute the
release workflow quickly.
#454)

## Summary

Fix the hatch build plugin so released package versions don't have a
trailing `.height` component (we just shipped `2.0.13.4` when we meant
`2.0.13`).

## Why

I introduced this in PR #445 when migrating off the 3.12-only
`nbgv-python` wrapper. The plugin picked nbgv's `CloudBuildNumber`
field, which works fine on `main` (`2.0.13-dev.11+eaec265930`) but on
`release` it expands to `2.0.13.4` because nbgv appends git height as a
4th version component when `version.json` has a plain three-part
version. PyPI then got `microsoft-teams-apps==2.0.13.4` instead of
`2.0.13`.

## What changed

Field priority is now `SemVer2` → `CloudBuildNumber` → `SimpleVersion`,
with a PEP 440 validity check that walks past unparseable fields. End
result:

- **release**: `SemVer2` is `2.0.13` (plain stable) — picked
- **main**: `SemVer2` is `2.0.13-dev.11.geaec265930` (not PEP 440 due to
trailing `.gHASH`) — falls through to `CloudBuildNumber`
`2.0.13-dev.11+eaec265930` (PEP 440-valid via local-version `+`)

## Reviewer tips

Diff is small — just the field list + a try/except in `_select_version`.
The comment block explains the rationale so future folks don't
reintroduce the bug.

## Testing

Verified both code paths locally:

```
# main
$ NBGV_REQUIRED=1 uv build --package microsoft-teams-apps --sdist
Successfully built dist/microsoft_teams_apps-2.0.13.dev11+eaec265930.tar.gz

# release (simulated by checking the field selection logic against
# nbgv output captured from the release branch)
SemVer2=2.0.13 -> picked, parses as PEP 440 2.0.13
```

Will be visible end-to-end on the next release (`2.0.14`).

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Fixes #414

attachments field was missing from MessageUpdateActivity so
edited messages with attachments silently dropped them. added
the same Optional[List[Attachment]] field that MessageActivity has.

added a regression test.
## Summary
Replace the BotBuilder plugin with an HTTP adapter so BotBuilder sits at
the inbound HTTP boundary instead of plugin DI.

## Why
This keeps the plugin surface less privileged and avoids passing app
credentials/tokens/client internals into plugins just so BotBuilder can
intercept requests.

## Interesting bits
- Adds `BotBuilderAdapter` and removes `BotBuilderPlugin`.
- Updates the BotBuilder example to use adaptive cards where BotBuilder
handles one Action.Execute and Teams SDK handles the other.
- Cleans up no-longer-used plugin DI entries for raw credentials, bot
token, app id, and raw client.

## Migration
Before:
```python
app = App(
    plugins=[BotBuilderPlugin(adapter=adapter, handler=EchoBot())]
)
```

After:
```python
app = App(
    http_server_adapter=BotBuilderAdapter(
        cloud_adapter=adapter,
        handler=EchoBot(),
    )
)
```

If you do not already create a BotBuilder `CloudAdapter`,
`BotBuilderAdapter` can create one from explicit `credentials`,
`MicrosoftApp*` environment variables, or the same `CLIENT_ID` /
`CLIENT_SECRET` / `TENANT_ID` vars used by `teams.apps`.

## Reviewer tips
Start with
`packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py`, then
peek at the example to see the migration shape.

## Testing
- `uv run ruff check examples/botbuilder/src/bots/echo_bot.py
packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py
examples/botbuilder/src/main.py
packages/botbuilder/tests/test_botbuilder_adapter.py`
- `uv run pyright
packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py
examples/botbuilder/src/bots/echo_bot.py`
- `uv run pytest packages/botbuilder/tests
packages/apps/tests/test_card_action_routing.py`
- pre-commit on commit: ruff, ruff format, pyright, license header
Cache MSAL clients for federated identity token flow.

Why:
Recreating the MSAL confidential client every token request means we
miss MSAL's internal token cache. Reusing the client lets it do its job
and avoids extra token exchanges.

Interesting bits:
FIC now passes MSAL a lazy client assertion callback, so the managed
identity exchange token is only fetched when MSAL actually needs to hit
the wire. Also updated the local MSAL stub because 1.34 supports
callables even though our stub only allowed strings.

Reviewer tips:
Start in `packages/apps/src/microsoft_teams/apps/token_manager.py`. The
important bit is the new FIC client cache and callback assertion.

Testing:
- `uv run pytest packages/apps/tests/test_token_manager.py`
- `uv run pyright
packages/apps/src/microsoft_teams/apps/token_manager.py`
- Manual VM test of the FIC token flow
…/tab/Web (#467)

Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used
after updating ancestor dependencies
[esbuild](https://github.com/evanw/esbuild),
[@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react)
and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
These dependencies need to be updated together.

Removes `esbuild`

Updates `@vitejs/plugin-react` from 4.7.0 to 6.0.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite-plugin-react/releases">@​vitejs/plugin-react's
releases</a>.</em></p>
<blockquote>
<h2>plugin-react@6.0.2</h2>
<h3>Allow all options in reactCompilerPreset (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1189">#1189</a>)</h3>
<p>This is a type only change. Only <code>compilationMode</code> and
<code>target</code> options were available for
<code>reactCompilerPreset</code>.</p>
<h2>plugin-react@6.0.1</h2>
<h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3>
<p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to
include <code>^0.2.0</code>.</p>
<h2>plugin-react@6.0.0</h2>
<h3>Remove Babel Related Features (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3>
<p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need
Babel for it. With that, there are no transform applied that requires
Babel. To reduce the installation size of this plugin, babel is no
longer a dependency of this plugin and the related features are
removed.</p>
<p>If you are using Babel, you can use
<code>@rolldown/plugin-babel</code> together with this plugin:</p>
<pre lang="diff"><code> import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
<p>export default defineConfig({
plugins: [</p>
<ul>
<li>
<pre><code>react({
</code></pre>
</li>
<li>
<pre><code>  babel: {
</code></pre>
</li>
<li>
<pre><code>    plugins: ['@babel/plugin-proposal-throw-expressions'],
</code></pre>
</li>
<li>
<pre><code>  },
</code></pre>
</li>
<li>
<pre><code>}),
</code></pre>
</li>
</ul>
<ul>
<li>
<pre><code>react(),
</code></pre>
</li>
<li>
<pre><code>babel({
</code></pre>
</li>
<li>
<pre><code>  plugins: ['@babel/plugin-proposal-throw-expressions'],
</code></pre>
</li>
<li>
<pre><code>}),
</code></pre>
]
})
</code></pre></li>
</ul>
<p>For React compiler users, you can use
<code>reactCompilerPreset</code> for easier setup with preconfigured
filter to improve build performance:</p>
<pre lang="diff"><code> import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
<p>export default defineConfig({
plugins: [</p>
<ul>
<li>react({</li>
<li>
<pre><code> babel: {
</code></pre>
</li>
<li>
<pre><code>   plugins: ['babel-plugin-react-compiler'],
</code></pre>
</li>
</ul>
<p>&lt;/tr&gt;&lt;/table&gt;
</code></pre></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md">@​vitejs/plugin-react's
changelog</a>.</em></p>
<blockquote>
<h2>6.0.2 (2026-05-14)</h2>
<h3>Allow all options in reactCompilerPreset (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1189">#1189</a>)</h3>
<p>This is a type only change. Only <code>compilationMode</code> and
<code>target</code> options were available for
<code>reactCompilerPreset</code>.</p>
<h2>6.0.1 (2026-03-13)</h2>
<h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3>
<p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to
include <code>^0.2.0</code>.</p>
<h2>6.0.0 (2026-03-12)</h2>
<h2>6.0.0-beta.0 (2026-03-03)</h2>
<h3>Remove Babel Related Features (<a
href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3>
<p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need
Babel for it. With that, there are no transform applied that requires
Babel. To reduce the installation size of this plugin, babel is no
longer a dependency of this plugin and the related features are
removed.</p>
<p>If you are using Babel, you can use
<code>@rolldown/plugin-babel</code> together with this plugin:</p>
<pre lang="diff"><code> import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
<p>export default defineConfig({
plugins: [</p>
<ul>
<li>
<pre><code>react({
</code></pre>
</li>
<li>
<pre><code>  babel: {
</code></pre>
</li>
<li>
<pre><code>    plugins: ['@babel/plugin-proposal-throw-expressions'],
</code></pre>
</li>
<li>
<pre><code>  },
</code></pre>
</li>
<li>
<pre><code>}),
</code></pre>
</li>
</ul>
<ul>
<li>
<pre><code>react(),
</code></pre>
</li>
<li>
<pre><code>babel({
</code></pre>
</li>
<li>
<pre><code>  plugins: ['@babel/plugin-proposal-throw-expressions'],
</code></pre>
</li>
<li>
<pre><code>}),
</code></pre>
]
})
</code></pre></li>
</ul>
<p>For React compiler users, you can use
<code>reactCompilerPreset</code> for easier setup with preconfigured
filter to improve build performance:</p>
<pre lang="diff"><code> import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
<p>&lt;/tr&gt;&lt;/table&gt;
</code></pre></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/6535b55e956b425e6650ffc2cc98fd23cca1d231"><code>6535b55</code></a>
release: plugin-react@6.0.2</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/bf0e43b756e3be81f8572d59727c218311f431ef"><code>bf0e43b</code></a>
feat(react): whitelist debugging-options (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1189">#1189</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/3bd1f08ae0b82ee0e96feb2ff265e61c6fe74b54"><code>3bd1f08</code></a>
feat: use carets for rolldown versions (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1216">#1216</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/2b8df67323265d1ff5ddf47b2db9ab0b9de5c688"><code>2b8df67</code></a>
fix(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1218">#1218</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/8fa9619e1b1f51b079f4c1df6bcf076dcafc5aed"><code>8fa9619</code></a>
fix(deps): update react 19.2.6 (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1211">#1211</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/a4296ad2995a8d493528b8d5450a1209de2943cb"><code>a4296ad</code></a>
fix(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1209">#1209</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/323ccd72576be636b50baa7d9ce816cc94d5991e"><code>323ccd7</code></a>
fix(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1196">#1196</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/a7506e105df00cdadc58c0aecc4512d8cfdd9765"><code>a7506e1</code></a>
chore(deps): update vite 8.0.10 (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1198">#1198</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/02cff2a0cf5c7e9792b1612baa380228f5e4d3c1"><code>02cff2a</code></a>
fix(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1184">#1184</a>)</li>
<li><a
href="https://github.com/vitejs/vite-plugin-react/commit/4b9c890cdb21078ac45a86873b24f7e8613b8526"><code>4b9c890</code></a>
fix(deps): update react 19.2.5 (<a
href="https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react/issues/1181">#1181</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.2/packages/plugin-react">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new
releaser for <code>@​vitejs/plugin-react</code> since your current
version.</p>
</details>
<br />

Updates `vite` from 6.4.2 to 8.0.16
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/releases">vite's
releases</a>.</em></p>
<blockquote>
<h2>v8.0.16</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.16/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.15</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.15/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.14</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.14/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.13</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.13/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.12</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.12/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.11</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.10</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.9</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.8</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.7</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.6</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.5</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.5/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.4</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.4/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>create-vite@8.0.3</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/create-vite@8.0.3/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.3</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>create-vite@8.0.2</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/create-vite@8.0.2/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v8.0.2</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v8.0.2/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's
changelog</a>.</em></p>
<blockquote>
<h2><!-- raw HTML omitted --><a
href="https://github.com/vitejs/vite/compare/v8.0.15...v8.0.16">8.0.16</a>
(2026-06-01)<!-- raw HTML omitted --></h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> reject UNC paths for launch-editor-middleware
(<a
href="https://redirect.github.com/vitejs/vite/issues/22571">#22571</a>)
(<a
href="https://github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9">50b9512</a>)</li>
<li>reject windows alternate paths (<a
href="https://redirect.github.com/vitejs/vite/issues/22572">#22572</a>)
(<a
href="https://github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546">dc245c7</a>)</li>
</ul>
<h2><!-- raw HTML omitted --><a
href="https://github.com/vitejs/vite/compare/v8.0.14...v8.0.15">8.0.15</a>
(2026-06-01)<!-- raw HTML omitted --></h2>
<h3>Features</h3>
<ul>
<li>send 408 on request timeout (<a
href="https://redirect.github.com/vitejs/vite/issues/22476">#22476</a>)
(<a
href="https://github.com/vitejs/vite/commit/c85c9eeb9aaf41f477b48b057146887bd5620797">c85c9ee</a>)</li>
<li>update rolldown to 1.0.3 (<a
href="https://redirect.github.com/vitejs/vite/issues/22538">#22538</a>)
(<a
href="https://github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575">646dbed</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>capitalize error messages and remove spurious space in parse error
(<a
href="https://redirect.github.com/vitejs/vite/issues/22488">#22488</a>)
(<a
href="https://github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3">85a0eff</a>)</li>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/22511">#22511</a>)
(<a
href="https://github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa">2686d7d</a>)</li>
<li><strong>dev:</strong> fix html-proxy cache key mismatch for /@fs/
HTML paths (<a
href="https://redirect.github.com/vitejs/vite/issues/21762">#21762</a>)
(<a
href="https://github.com/vitejs/vite/commit/47c4213f134f562c41ed7c031e4788510cf7e31e">47c4213</a>)</li>
<li><strong>glob:</strong> error on relative glob in virtual module when
no files match (<a
href="https://redirect.github.com/vitejs/vite/issues/22497">#22497</a>)
(<a
href="https://github.com/vitejs/vite/commit/5c8e98f8b584ac5d42f0f9b8580c49792213b13c">5c8e98f</a>)</li>
<li><strong>optimizer:</strong> close the rolldown bundle when write()
rejects (<a
href="https://redirect.github.com/vitejs/vite/issues/22528">#22528</a>)
(<a
href="https://github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815">e3cfb9d</a>)</li>
<li><strong>resolve:</strong> provide onWarn for viteResolvePlugin in JS
plugin containers (<a
href="https://redirect.github.com/vitejs/vite/issues/22509">#22509</a>)
(<a
href="https://github.com/vitejs/vite/commit/40985f1c09b7696e594e6c5695fbc315d2da2c83">40985f1</a>)</li>
</ul>
<h3>Miscellaneous Chores</h3>
<ul>
<li><strong>deps:</strong> update rolldown-related dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/22566">#22566</a>)
(<a
href="https://github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd">3052a67</a>)</li>
</ul>
<h3>Code Refactoring</h3>
<ul>
<li>correct logic in <code>collectAllModules</code> function (<a
href="https://redirect.github.com/vitejs/vite/issues/22562">#22562</a>)
(<a
href="https://github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c">6978a9c</a>)</li>
</ul>
<h2><!-- raw HTML omitted --><a
href="https://github.com/vitejs/vite/compare/v8.0.13...v8.0.14">8.0.14</a>
(2026-05-21)<!-- raw HTML omitted --></h2>
<h3>Features</h3>
<ul>
<li>update rolldown to 1.0.2 (<a
href="https://redirect.github.com/vitejs/vite/issues/22484">#22484</a>)
(<a
href="https://github.com/vitejs/vite/commit/96efc88570b6a6ddf1a910f106920cbac07b3cf0">96efc88</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/22471">#22471</a>)
(<a
href="https://github.com/vitejs/vite/commit/98b81632139d51820f82036e58d6fbbf122b77b3">98b8163</a>)</li>
<li><strong>dev:</strong> handle errors when sending messages to vite
server (<a
href="https://redirect.github.com/vitejs/vite/issues/22450">#22450</a>)
(<a
href="https://github.com/vitejs/vite/commit/e8e9a34dcf2540139de558a10187630884d10217">e8e9a34</a>)</li>
<li><strong>html:</strong> handle trailing slash paths in
transformIndexHtml (<a
href="https://redirect.github.com/vitejs/vite/issues/22480">#22480</a>)
(<a
href="https://github.com/vitejs/vite/commit/5d94d1bffdb2a15de9341194d89baec86ce1f693">5d94d1b</a>)</li>
<li><strong>optimizer:</strong> pass oxc jsx options to transformSync in
dependency scan (<a
href="https://redirect.github.com/vitejs/vite/issues/22342">#22342</a>)
(<a
href="https://github.com/vitejs/vite/commit/b3132dacea9c6e0cf526cd9f0f09d850f577c262">b3132da</a>)</li>
</ul>
<h3>Miscellaneous Chores</h3>
<ul>
<li><strong>deps:</strong> update rolldown-related dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/22470">#22470</a>)
(<a
href="https://github.com/vitejs/vite/commit/7cb728eb629cc677661f1bc52a044ffc0b87fc7f">7cb728e</a>)</li>
<li>remove irrelevant commits from changelog (<a
href="https://github.com/vitejs/vite/commit/2c69495f250edf01132d4a20128de19dbe836086">2c69495</a>)</li>
</ul>
<h3>Code Refactoring</h3>
<ul>
<li><strong>glob:</strong> do not rewrite import path for absolute base
(<a
href="https://redirect.github.com/vitejs/vite/issues/22310">#22310</a>)
(<a
href="https://github.com/vitejs/vite/commit/0ae2844ab6d6d1ccf78a2975b8132769fc35b302">0ae2844</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/vitejs/vite/commit/f94df87ff03b40b65e29bacdc04cc18c7bccaa4a"><code>f94df87</code></a>
release: v8.0.16</li>
<li><a
href="https://github.com/vitejs/vite/commit/dc245c71e5007ea4d891a025e2d69ac96c736546"><code>dc245c7</code></a>
fix: reject windows alternate paths (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22572">#22572</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/50b951225bbf6151eb84a3ad5a454908ab4a76c9"><code>50b9512</code></a>
fix(deps): reject UNC paths for launch-editor-middleware (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22571">#22571</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/8d1b0195fd186d0b3297d7cd17acff6c96797420"><code>8d1b019</code></a>
release: v8.0.15</li>
<li><a
href="https://github.com/vitejs/vite/commit/2686d7d0b722402204d3bcc687a87adea1bcf9fa"><code>2686d7d</code></a>
fix(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22511">#22511</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/3052a67d9350f4c5076ab1c222c4a21a589cbcdd"><code>3052a67</code></a>
chore(deps): update rolldown-related dependencies (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22566">#22566</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/e3cfb9deecff563550fa1b8abd27656b8b292815"><code>e3cfb9d</code></a>
fix(optimizer): close the rolldown bundle when write() rejects (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22528">#22528</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/6978a9ceb942c4f5e211d52b8a1e569f8a65c80c"><code>6978a9c</code></a>
refactor: correct logic in <code>collectAllModules</code> function (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22562">#22562</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/646dbedd2870f8ec48df0321177d8aa64bbd1575"><code>646dbed</code></a>
feat: update rolldown to 1.0.3 (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22538">#22538</a>)</li>
<li><a
href="https://github.com/vitejs/vite/commit/85a0eff1c82bbb7c99a0fe8e63704316578a40d3"><code>85a0eff</code></a>
fix: capitalize error messages and remove spurious space in parse error
(<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/22488">#22488</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vitejs/vite/commits/v8.0.16/packages/vite">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.12.1 to 2.13.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/releases">pyjwt's
releases</a>.</em></p>
<blockquote>
<h2>2.13.0</h2>
<h1>PyJWT 2.13.0 — Security Release</h1>
<p>This release bundles five security fixes plus three additional
hardening / spec-compliance changes. We recommend all users upgrade.</p>
<h2>Security</h2>
<ul>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"><code>GHSA-xgmm-8j9v-c9wx</code></a>
— JWK JSON accepted as HMAC secret (algorithm confusion).</strong>
<code>HMACAlgorithm.prepare_key</code> previously rejected PEM- and
SSH-formatted asymmetric keys but did not catch a JWK passed as a raw
JSON string. In a verifier configured with both symmetric and asymmetric
algorithms in <code>algorithms=[…]</code> and a raw-JSON JWK as the key,
an attacker could forge HS256 tokens using the JWK text as the HMAC
secret. The guard has been extended to reject any JWK-shaped JSON.
<em>Reported by <a
href="https://github.com/aradona91"><code>@​aradona91</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f"><code>GHSA-jq35-7prp-9v3f</code></a>
— Algorithm allow-list bypass with <code>PyJWK</code> /
<code>PyJWKClient</code>.</strong> When verifying with a
<code>PyJWK</code>, the caller's <code>algorithms=[…]</code> allow-list
was checked against the token header <code>alg</code> as a string only;
actual verification used the algorithm bound to the <code>PyJWK</code>.
An attacker who controlled a registered JWKS key could sign with one
algorithm and advertise another on the header. PyJWT now requires the
token header <code>alg</code> to match the <code>PyJWK</code>'s
algorithm before verification. <em>Reported by <a
href="https://github.com/sushi-gif"><code>@​sushi-gif</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39"><code>GHSA-w7vc-732c-9m39</code></a>
— DoS via base64 decode of unused payload segment when
<code>b64=false</code>.</strong> For detached-payload JWS
(<code>b64=false</code>), the compact-form payload segment was
base64-decoded before being discarded in favor of the caller-supplied
<code>detached_payload</code>. An attacker could inflate the unused
segment to force CPU + memory cost without holding a valid signature.
The segment is now required to be empty per RFC 7515 Appendix F, and is
no longer decoded. <em>Reported by <a
href="https://github.com/thesmartshadow"><code>@​thesmartshadow</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4"><code>GHSA-993g-76c3-p5m4</code></a>
— <code>PyJWKClient</code> accepts non-HTTP(S) URIs.</strong>
<code>PyJWKClient.fetch_data</code> passed its URI to
<code>urllib.request.urlopen</code>, which by default also handles
<code>file://</code>, <code>ftp://</code>, and <code>data:</code>
schemes. An application that fed an attacker-influenced URI into
<code>PyJWKClient</code> could be coerced into reading local files or
reaching other unintended schemes. <code>PyJWKClient</code> now rejects
any URI whose scheme isn't <code>http</code> or <code>https</code>.
<em>Reported by <a
href="https://github.com/KEIJOT"><code>@​KEIJOT</code></a>.</em></p>
</li>
<li>
<p><strong><a
href="https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"><code>GHSA-fhv5-28vv-h8m8</code></a>
— <code>PyJWKClient</code> cache wiped on fetch error.</strong> A
<code>finally</code>-block <code>put(jwk_set=None)</code> cleared the
JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint
outage into application-wide auth failure. The cache write was moved
into the success path; transient errors no longer evict valid cached
keys. <em>Reported by <a
href="https://github.com/eddieran"><code>@​eddieran</code></a>.</em></p>
</li>
</ul>
<h2>Fixed</h2>
<ul>
<li>Reject empty HMAC keys outright in
<code>HMACAlgorithm.prepare_key</code> with <code>InvalidKeyError</code>
instead of accepting them with only a warning. Defends against the
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code> footgun.
<em>Thanks to <a
href="https://github.com/SnailSploit"><code>@​SnailSploit</code></a> and
<a href="https://github.com/spartan8806"><code>@​spartan8806</code></a>
for the reports.</em></li>
<li>Forward per-call <code>options</code> (including
<code>enforce_minimum_key_length</code>) from <code>PyJWT.decode</code>
through to <code>PyJWS._verify_signature</code>. The option was
previously silently dropped between the two layers, so it only took
effect when set on the <code>PyJWT</code> instance. <em>Thanks to <a
href="https://github.com/WLUB"><code>@​WLUB</code></a> for the
report.</em></li>
<li><strong>RFC 7797 §3 compliance for <code>b64=false</code>:</strong>
the encoder now auto-adds <code>&quot;b64&quot;</code> to
<code>crit</code>, and the decoder rejects tokens that set
<code>b64=false</code> without listing it in <code>crit</code>.
<em>Thanks to <a
href="https://github.com/MachineLearning-Nerd"><code>@​MachineLearning-Nerd</code></a>
for the report.</em></li>
</ul>
<h2>Changed</h2>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups, by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in <a
href="https://redirect.github.com/jpadilla/pyjwt/pull/1152">#1152</a>.</li>
</ul>
<h2>Upgrade notes</h2>
<p>Most fixes are invisible to correctly-configured callers. A few
behavioral changes you may encounter:</p>
<ul>
<li><strong>Empty HMAC keys now raise.</strong> If your app passed
<code>&quot;&quot;</code> or <code>b&quot;&quot;</code> as a secret
(often via a missing env var, e.g.
<code>os.getenv(&quot;JWT_SECRET&quot;, &quot;&quot;)</code>),
<code>encode</code>/<code>decode</code> will now raise
<code>InvalidKeyError</code>. This is the intended behavior — fix the
configuration.</li>
<li><strong><code>PyJWK</code> decoding now requires the token's
<code>alg</code> to match the JWK's algorithm.</strong> Previously a
mismatch was silently honored if the header <code>alg</code> appeared in
the allow-list. Tokens that relied on this mismatch will now fail with
<code>InvalidAlgorithmError</code>.</li>
<li><strong><code>PyJWKClient</code> now rejects non-HTTP(S) URIs at
construction time.</strong> Tests or dev environments that fetched JWKS
from <code>file://</code> URIs need to switch to a local HTTP server or
load the JWKS by other means (e.g. construct
<code>PyJWKSet.from_dict(...)</code> directly).</li>
<li><strong><code>b64=false</code> tokens are now strictly RFC 7515 /
7797 compliant.</strong> Tokens with a non-empty compact-form payload
segment, or that omit <code>&quot;b64&quot;</code> from
<code>crit</code>, will be rejected. PyJWT-produced tokens always
satisfy both invariants, so round-trips through PyJWT are
unaffected.</li>
<li><strong><code>enforce_minimum_key_length</code> set per-call now
takes effect.</strong> Callers who passed
<code>options={&quot;enforce_minimum_key_length&quot;: True}</code> to
<code>jwt.decode()</code> previously got no enforcement; they will now
get <code>InvalidKeyError</code> on undersized keys, as documented.</li>
</ul>
<p><strong>Full changelog:</strong> <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst">pyjwt's
changelog</a>.</em></p>
<blockquote>
<h2><code>v2.13.0
&lt;https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0&gt;</code>__</h2>
<p>Security</p>
<pre><code>
- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
`GHSA-xgmm-8j9v-c9wx
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx&gt;`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
by @sushi-gif in `GHSA-jq35-7prp-9v3f
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f&gt;`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
influenced URIs cannot read local files or reach unintended schemes via
urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
by @KEIJOT in `GHSA-993g-76c3-p5m4
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4&gt;`__.
- Preserve the cached JWK Set on fetch errors in
``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
on any transient outage, turning one bad JWKS request into application-
wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8&gt;`__.
- Skip the unconditional base64 decode of the compact-form payload
segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
`GHSA-w7vc-732c-9m39
&lt;https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39&gt;`__.
<p>Fixed</p>
<pre><code>
- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including
``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
``&amp;quot;b64&amp;quot;`` to the ``crit`` header parameter, and the
decoder rejects
tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed
</code></pre>
<ul>
<li>Migrate the <code>dev</code>, <code>docs</code>, and
<code>tests</code> package extras to dependency groups by <a
href="https://github.com/kurtmckee"><code>@​kurtmckee</code></a> in
<code>[#1152](jpadilla/pyjwt#1152)
&amp;lt;https://github.com/jpadilla/pyjwt/pull/1152&amp;gt;</code>__
</code></pre></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/7144e4534c34810f4525dc4578a32addd8212cff"><code>7144e45</code></a>
Apply ruff format</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/d2f4bec4963897c0ef96ef64a875894f2c8542ab"><code>d2f4bec</code></a>
Restore <code>cast()</code> calls with cross-version <code>type:
ignore</code> for <code>prepare_key</code></li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/22f478cebddd8294259c30f037ecb92b0b348774"><code>22f478c</code></a>
Remove redundant casts in <code>RSAAlgorithm.prepare_key</code> and
`ECAlgorithm.prepare...</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81"><code>95791b1</code></a>
Bundle security fixes and hardening into 2.13.0</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/dcc27a9d3182a2349c30b160758785c6ce7a6508"><code>dcc27a9</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1155">#1155</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/9d08a9a1896845ed8eaf88e6f6ac61e5800c3e7a"><code>9d08a9a</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1146">#1146</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/b87c10014d4109f0214fea188d00faaaf8a80e64"><code>b87c100</code></a>
Bump codecov/codecov-action from 5 to 6 (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1154">#1154</a>)</li>
<li><a
href="https://github.com/jpadilla/pyjwt/commit/40e3147eb5f790d8d041772e5fc00728a176c812"><code>40e3147</code></a>
Migrate development extras to dependency groups (<a
href="https://redirect.github.com/jpadilla/pyjwt/issues/1152">#1152</a>)</li>
<li>See full diff in <a
href="https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pyjwt&package-manager=uv&previous-version=2.12.1&new-version=2.13.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [starlette](https://github.com/Kludex/starlette) from 1.1.0 to
1.3.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/releases">starlette's
releases</a>.</em></p>
<blockquote>
<h2>Version 1.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Use <code>StarletteDeprecationWarning</code> instead of
<code>DeprecationWarning</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3119">Kludex/starlette#3119</a></li>
<li>Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3329">Kludex/starlette#3329</a></li>
<li>Enforce <code>FormParser</code> limits in parser callbacks by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3331">Kludex/starlette#3331</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.3.0...1.3.1">https://github.com/Kludex/starlette/compare/1.3.0...1.3.1</a></p>
<h2>Version 1.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Clamp oversized suffix ranges in <code>FileResponse</code> by <a
href="https://github.com/jiyujie2006"><code>@​jiyujie2006</code></a> in
<a
href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li>
<li>Catch <code>OSError</code> alongside <code>MultiPartException</code>
when closing temp files by <a
href="https://github.com/N3XT3R1337"><code>@​N3XT3R1337</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li>
<li>Add <code>httpx2</code> to the <code>full</code> extra by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3323">Kludex/starlette#3323</a></li>
<li>Adjust testclient typing and warnings by <a
href="https://github.com/waketzheng"><code>@​waketzheng</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3322">Kludex/starlette#3322</a></li>
<li>Fix IndexError in URL.replace() on a URL with no authority by <a
href="https://github.com/LeSingh1"><code>@​LeSingh1</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li>
<li>Annotate URLPath protocol parameter with Literal by <a
href="https://github.com/Chang-LeHung"><code>@​Chang-LeHung</code></a>
in <a
href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li>
<li>avoid collapsing exception groups from user code by <a
href="https://github.com/graingert"><code>@​graingert</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/2830">Kludex/starlette#2830</a></li>
<li>Use <code>removeprefix</code> to strip weak ETag indicator in
<code>is_not_modified</code> by <a
href="https://github.com/gnosyslambda"><code>@​gnosyslambda</code></a>
in <a
href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li>
<li>Build <code>request.url</code> from structured components by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3326">Kludex/starlette#3326</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/jiyujie2006"><code>@​jiyujie2006</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3307">Kludex/starlette#3307</a></li>
<li><a
href="https://github.com/N3XT3R1337"><code>@​N3XT3R1337</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3191">Kludex/starlette#3191</a></li>
<li><a
href="https://github.com/leestana01"><code>@​leestana01</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3319">Kludex/starlette#3319</a></li>
<li><a href="https://github.com/LeSingh1"><code>@​LeSingh1</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3317">Kludex/starlette#3317</a></li>
<li><a
href="https://github.com/EmmanuelNiyonshuti"><code>@​EmmanuelNiyonshuti</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3204">Kludex/starlette#3204</a></li>
<li><a
href="https://github.com/Chang-LeHung"><code>@​Chang-LeHung</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3285">Kludex/starlette#3285</a></li>
<li><a
href="https://github.com/gnosyslambda"><code>@​gnosyslambda</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3193">Kludex/starlette#3193</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.2.1...1.3.0">https://github.com/Kludex/starlette/compare/1.2.1...1.3.0</a></p>
<h2>Version 1.2.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Use <code>httpx2</code> for type checking in the
<code>testclient</code> module by <a
href="https://github.com/leifwar"><code>@​leifwar</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li>
<li>Add assert error for requires() when request param is not Request
type by <a
href="https://github.com/KeeganOP"><code>@​KeeganOP</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/leifwar"><code>@​leifwar</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3304">Kludex/starlette#3304</a></li>
<li><a href="https://github.com/diskeu"><code>@​diskeu</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3243">Kludex/starlette#3243</a></li>
<li><a href="https://github.com/KeeganOP"><code>@​KeeganOP</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/starlette/pull/3298">Kludex/starlette#3298</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.2.0...1.2.1">https://github.com/Kludex/starlette/compare/1.2.0...1.2.1</a></p>
<h2>Version 1.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Support httpx2 in the test client by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/starlette/pull/3291">Kludex/starlette#3291</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/starlette/compare/1.1.0...1.2.0">https://github.com/Kludex/starlette/compare/1.1.0...1.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's
changelog</a>.</em></p>
<blockquote>
<h2>1.3.1 (June 12, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> <a
href="https://redirect.github.com/encode/starlette/pull/3329">#3329</a>.</li>
<li>Enforce <code>FormParser</code> limits in parser callbacks <a
href="https://redirect.github.com/encode/starlette/pull/3331">#3331</a>.</li>
</ul>
<h2>1.3.0 (June 11, 2026)</h2>
<h4>Added</h4>
<ul>
<li>Add <code>httpx2</code> to the <code>full</code> extra <a
href="https://redirect.github.com/encode/starlette/pull/3323">#3323</a>.</li>
<li>Annotate the <code>URLPath</code> <code>protocol</code> parameter
with <code>Literal</code> <a
href="https://redirect.github.com/encode/starlette/pull/3285">#3285</a>.</li>
</ul>
<h4>Fixed</h4>
<ul>
<li>Build <code>request.url</code> from structured components <a
href="https://redirect.github.com/encode/starlette/pull/3326">#3326</a>.</li>
<li>Clamp oversized suffix ranges in <code>FileResponse</code> <a
href="https://redirect.github.com/encode/starlette/pull/3307">#3307</a>.</li>
<li>Catch <code>OSError</code> alongside <code>MultiPartException</code>
when closing temp files <a
href="https://redirect.github.com/encode/starlette/pull/3191">#3191</a>.</li>
<li>Avoid collapsing exception groups raised from user code <a
href="https://redirect.github.com/encode/starlette/pull/2830">#2830</a>.</li>
<li>Use <code>removeprefix</code> to strip the weak <code>ETag</code>
indicator in <code>is_not_modified</code> <a
href="https://redirect.github.com/encode/starlette/pull/3193">#3193</a>.</li>
<li>Fix <code>IndexError</code> in <code>URL.replace()</code> on a URL
with no authority <a
href="https://redirect.github.com/encode/starlette/pull/3317">#3317</a>.</li>
<li>Adjust <code>testclient</code> typing and warnings <a
href="https://redirect.github.com/encode/starlette/pull/3322">#3322</a>.</li>
</ul>
<h2>1.2.1 (May 31, 2026)</h2>
<h4>Fixed</h4>
<ul>
<li>Use <code>httpx2</code> for type checking in the
<code>testclient</code> module <a
href="https://redirect.github.com/encode/starlette/pull/3304">#3304</a>.</li>
<li>Add assert error for <code>requires()</code> when the request
parameter is not a <code>Request</code> type <a
href="https://redirect.github.com/encode/starlette/pull/3298">#3298</a>.</li>
</ul>
<h2>1.2.0 (May 28, 2026)</h2>
<h4>Added</h4>
<ul>
<li>Support httpx2 in the test client <a
href="https://redirect.github.com/encode/starlette/pull/3291">#3291</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Kludex/starlette/commit/8ebffd0678570ddd5d5bb11c6f3c3c7fd4682ab9"><code>8ebffd0</code></a>
Version 1.3.1 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3330">#3330</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/25b8e179d8d7ed86769c02f648772dd5fb43dc3c"><code>25b8e17</code></a>
Enforce <code>FormParser</code> limits in parser callbacks (<a
href="https://redirect.github.com/Kludex/starlette/issues/3331">#3331</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/dba1c4babc4f99ad2622bb913d87045775dda735"><code>dba1c4b</code></a>
Enforce <code>max_fields</code> and <code>max_part_size</code> in
<code>FormParser</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3329">#3329</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/45e51dcf99f3a270b0bcec1aec5410b4345863a9"><code>45e51dc</code></a>
Use <code>StarletteDeprecationWarning</code> instead of
<code>DeprecationWarning</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3119">#3119</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/5f8610c386e13de1d80d36efa961e1486a1d2d01"><code>5f8610c</code></a>
Version 1.3.0 (<a
href="https://redirect.github.com/Kludex/starlette/issues/3327">#3327</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975"><code>167b585</code></a>
Build <code>request.url</code> from structured components (<a
href="https://redirect.github.com/Kludex/starlette/issues/3326">#3326</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/37309255b4c1b9c381a2d24a1eaf83100984a16a"><code>3730925</code></a>
Use <code>removeprefix</code> to strip weak ETag indicator in
<code>is_not_modified</code> (<a
href="https://redirect.github.com/Kludex/starlette/issues/3193">#3193</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/e6f7ad1ab85efb27ab7910d8007b3f4531f7b083"><code>e6f7ad1</code></a>
avoid collapsing exception groups from user code (<a
href="https://redirect.github.com/Kludex/starlette/issues/2830">#2830</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/115228fcdca0e0ef5bf4a95a40ddce5a9fced428"><code>115228f</code></a>
Annotate URLPath protocol parameter with Literal (<a
href="https://redirect.github.com/Kludex/starlette/issues/3285">#3285</a>)</li>
<li><a
href="https://github.com/Kludex/starlette/commit/113f193a34353c9153857028c1074351d22fad07"><code>113f193</code></a>
docs: replace inline ASGI server list with link to canonical implemen…
(<a
href="https://redirect.github.com/Kludex/starlette/issues/3204">#3204</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/starlette/compare/1.1.0...1.3.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=starlette&package-manager=uv&previous-version=1.1.0&new-version=1.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Changes

- Split `publish.yml` into separate build and publish stages
- Use `templateContext.type: releaseJob` + `isProduction: true` for ESRP
publish job (fixes 1ES PT enforcement error)
- Release jobs consume pipeline artifacts via
`$(Pipeline.Workspace)/...` instead of source directory

This fixes the `isReleaseJob` enforcement warning from 1ES PT and
ensures ESRP tasks run in a properly declared release job context.

Mirror of the same fix applied to teams.ts.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart)
from 0.0.27 to 0.0.31.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/python-multipart/releases">python-multipart's
releases</a>.</em></p>
<blockquote>
<h2>Version 0.0.31</h2>
<h2>What's Changed</h2>
<ul>
<li>Speed up multipart header parsing and callback dispatch by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/295">Kludex/python-multipart#295</a></li>
<li>Bound header field name size before validating by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/296">Kludex/python-multipart#296</a></li>
<li>Validate Content-Length is non-negative in parse_form by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/297">Kludex/python-multipart#297</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.30...0.0.31">https://github.com/Kludex/python-multipart/compare/0.0.30...0.0.31</a></p>
<h2>Version 0.0.30</h2>
<h2>What's Changed</h2>
<ul>
<li>Treat only <code>&amp;</code> as the urlencoded field separator by
<a href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/290">Kludex/python-multipart#290</a></li>
<li>Ignore RFC 2231 extended parameters in
<code>parse_options_header</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/291">Kludex/python-multipart#291</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.29...0.0.30">https://github.com/Kludex/python-multipart/compare/0.0.29...0.0.30</a></p>
<h2>Version 0.0.29</h2>
<h2>What's Changed</h2>
<ul>
<li>Handle malformed RFC 2231 continuations in
<code>parse_options_header</code> by <a
href="https://github.com/manunio"><code>@​manunio</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/270">Kludex/python-multipart#270</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.28...0.0.29">https://github.com/Kludex/python-multipart/compare/0.0.28...0.0.29</a></p>
<h2>Version 0.0.28</h2>
<h2>What's Changed</h2>
<ul>
<li>Speed up partial-boundary tail scan via <code>bytes.find</code> by
<a href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/281">Kludex/python-multipart#281</a></li>
<li>Cap multipart boundary length at 256 bytes by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/python-multipart/pull/282">Kludex/python-multipart#282</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.28">https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.28</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md">python-multipart's
changelog</a>.</em></p>
<blockquote>
<h2>0.0.31 (2026-06-04)</h2>
<ul>
<li>Speed up multipart header parsing and callback dispatch <a
href="https://redirect.github.com/Kludex/python-multipart/pull/295">#295</a>.</li>
<li>Bound header field name size before validating <a
href="https://redirect.github.com/Kludex/python-multipart/pull/296">#296</a>.</li>
<li>Validate <code>Content-Length</code> is non-negative in
<code>parse_form</code> <a
href="https://redirect.github.com/Kludex/python-multipart/pull/297">#297</a>.</li>
</ul>
<h2>0.0.30 (2026-05-31)</h2>
<ul>
<li>Parse <code>application/x-www-form-urlencoded</code> bodies per the
WHATWG URL standard, treating only <code>&amp;</code> as a field
separator <a
href="https://redirect.github.com/Kludex/python-multipart/pull/290">#290</a>.</li>
<li>Ignore RFC 2231/5987 extended parameters (<code>name*</code>,
<code>filename*</code>) in <code>parse_options_header</code>, keeping
the plain parameter authoritative per <a
href="https://datatracker.ietf.org/doc/html/rfc7578#section-4.2">RFC
7578 §4.2</a> <a
href="https://redirect.github.com/Kludex/python-multipart/pull/291">#291</a>.</li>
</ul>
<h2>0.0.29 (2026-05-17)</h2>
<ul>
<li>Handle malformed RFC 2231 continuations in
<code>parse_options_header</code> <a
href="https://redirect.github.com/Kludex/python-multipart/pull/270">#270</a>.</li>
</ul>
<h2>0.0.28 (2026-05-10)</h2>
<ul>
<li>Speed up partial-boundary tail scan via <code>bytes.find</code> <a
href="https://redirect.github.com/Kludex/python-multipart/pull/281">#281</a>.</li>
<li>Cap multipart boundary length at 256 bytes <a
href="https://redirect.github.com/Kludex/python-multipart/pull/282">#282</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/Kludex/python-multipart/commit/4cffc68a165f7a6f6b7756ce006fabf07a05b7a4"><code>4cffc68</code></a>
Version 0.0.31 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/298">#298</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/c814948acf509cef7881fa75c969969b19239bbf"><code>c814948</code></a>
Reject negative <code>Content-Length</code> in <code>parse_form</code>
(<a
href="https://redirect.github.com/Kludex/python-multipart/issues/297">#297</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/6b837d47bc68826ed5cbbcb50c6c6a6093444494"><code>6b837d4</code></a>
Bound header field name size before validating (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/296">#296</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/e0c4f9df2e737d1663fbbdd6563f80613a2089f9"><code>e0c4f9d</code></a>
Bump the github-actions group with 3 updates (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/294">#294</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/b8a01bb683e8e8675fdb5d831b206a478c8215aa"><code>b8a01bb</code></a>
Bump the python-packages group with 3 updates (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/293">#293</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/6732164f30c58e28589a1e22213d2f6b8c6bad9f"><code>6732164</code></a>
Speed up multipart header parsing and callback dispatch (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/295">#295</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/9d3ead568a259f222cff6425262ff63e88d930d4"><code>9d3ead5</code></a>
Version 0.0.30 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/292">#292</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/3506c15ce99cb62faf2d5ceb3c4c1e5800cb843d"><code>3506c15</code></a>
Ignore RFC 2231 extended parameters in <code>parse_options_header</code>
(<a
href="https://redirect.github.com/Kludex/python-multipart/issues/291">#291</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/d69df35cd2cad9c72794c2c340db646afae957d8"><code>d69df35</code></a>
Treat only <code>&amp;</code> as the urlencoded field separator (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/290">#290</a>)</li>
<li><a
href="https://github.com/Kludex/python-multipart/commit/1e6ff9740b09fb439755f30e2b0e2ada1d297325"><code>1e6ff97</code></a>
Bump idna from 3.11 to 3.15 (<a
href="https://redirect.github.com/Kludex/python-multipart/issues/289">#289</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/python-multipart/compare/0.0.27...0.0.31">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=python-multipart&package-manager=uv&previous-version=0.0.27&new-version=0.0.31)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7
to 48.0.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>48.0.1 - 2026-06-09</p>
<pre><code>
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL
4.0.1.
<p>.. _v48-0-0:</p>
<p>48.0.0 - 2026-05-04<br />
</code></pre></p>
<ul>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Support for Python 3.8 has
been removed.
<code>cryptography</code> now requires Python 3.9 or later.</p>
</li>
<li>
<p><strong>BACKWARDS INCOMPATIBLE:</strong> Loading an X.509 CRL whose
inner
<code>TBSCertList.signature</code> algorithm does not match the outer
<code>signatureAlgorithm</code> now raises <code>ValueError</code>.
Previously, such CRLs
were parsed successfully and only rejected during signature
validation.</p>
</li>
<li>
<p>Added support for
:doc:<code>/hazmat/primitives/asymmetric/mlkem</code> and
:doc:<code>/hazmat/primitives/asymmetric/mldsa</code> when using OpenSSL
3.5.0 or
later, in addition to the existing AWS-LC and BoringSSL support. This
means
post-quantum algorithms are now available to users of our wheels.</p>
<ul>
<li><strong>Note:</strong> Going forward, we do not guarantee that all
functionality
in <code>cryptography</code> will be available when building against
OpenSSL. See :doc:<code>/statements/state-of-openssl</code> for more
information.</li>
</ul>
</li>
</ul>
<p>.. _v47-0-0:</p>
<p>47.0.0 - 2026-04-24</p>
<pre><code>
* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been
removed.
OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL &lt; 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms
or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects

:func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,

:func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pyca/cryptography/commit/de987ce48ccfeb1abca41efa23b2bf73ec704f74"><code>de987ce</code></a>
48.0.1 version bump and changelog (<a
href="https://redirect.github.com/pyca/cryptography/issues/14996">#14996</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/8e03e30e3aae01632a697e903e3593c924f0139d"><code>8e03e30</code></a>
bump for 48.0.0 release (<a
href="https://redirect.github.com/pyca/cryptography/issues/14796">#14796</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/295e0d254ef31ab864730aa41312ec355416ee71"><code>295e0d2</code></a>
Add AGENTS.md with CLAUDE.md symlink (<a
href="https://redirect.github.com/pyca/cryptography/issues/14794">#14794</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/104a2de19e268a433e6da92be9cb872dcf0003c8"><code>104a2de</code></a>
Bump BoringSSL, OpenSSL, AWS-LC in CI (<a
href="https://redirect.github.com/pyca/cryptography/issues/14793">#14793</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/67ec1e51988195e17993d2edef5258b27509b926"><code>67ec1e5</code></a>
call check_length early on AesSiv::encrypt (<a
href="https://redirect.github.com/pyca/cryptography/issues/14792">#14792</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/b2da57a0d9e4bfd2b95364299091a18f74127b26"><code>b2da57a</code></a>
changelog for mldsa/mlkem for openssl (<a
href="https://redirect.github.com/pyca/cryptography/issues/14791">#14791</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/3cf44adee25c368d4a136e072fa9f80465d91eb0"><code>3cf44ad</code></a>
ML-KEM OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14781">#14781</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/2e31639666766f846fbab2c605879db0fa64fe83"><code>2e31639</code></a>
ML-DSA OpenSSL support (<a
href="https://redirect.github.com/pyca/cryptography/issues/14773">#14773</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/5affe5a286a986fdf512c4a5cb280d28a96c10e3"><code>5affe5a</code></a>
fix rust nightly clippy (<a
href="https://redirect.github.com/pyca/cryptography/issues/14790">#14790</a>)</li>
<li><a
href="https://github.com/pyca/cryptography/commit/2e73ca448eaf64b6f0d4ffbb794cf96170cef5ec"><code>2e73ca4</code></a>
bump rust-openssl dep and update EcPoint::mul_generator to
mul_generator2 (<a
href="https://redirect.github.com/pyca/cryptography/issues/1">#1</a>...</li>
<li>Additional commits viewable in <a
href="https://github.com/pyca/cryptography/compare/46.0.7...48.0.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=cryptography&package-manager=uv&previous-version=46.0.7&new-version=48.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aiohttp&package-manager=uv&previous-version=3.14.0&new-version=3.14.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…476)

Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to
4.0.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/form-data/form-data/blob/master/CHANGELOG.md">form-data's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">v4.0.6</a>
- 2026-06-12</h2>
<h3>Commits</h3>
<ul>
<li>[Fix] escape CR, LF, and <code>&quot;</code> in field names and
filenames <a
href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>tape</code> <a
href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a></li>
<li>[Deps] update <code>hasown</code>, <code>mime-types</code> <a
href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a></li>
<li>[Dev Deps] update <code>js-randomness-predictor</code> <a
href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"><code>64190db</code></a>
v4.0.6</li>
<li><a
href="https://github.com/form-data/form-data/commit/92ae0eb5da94d6f01925d5f4fcffb2a1e50ed7cd"><code>92ae0eb</code></a>
[Deps] update <code>hasown</code>, <code>mime-types</code></li>
<li><a
href="https://github.com/form-data/form-data/commit/f31d21ef10bf46e46344c3ee4f99acbef6be43e1"><code>f31d21e</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code>,
<code>auto-changelog</code>, <code>tape</code></li>
<li><a
href="https://github.com/form-data/form-data/commit/8dff42c6da654ed4e7ad4acb7f8ccd3831217c99"><code>8dff42c</code></a>
[Fix] escape CR, LF, and <code>&quot;</code> in field names and
filenames</li>
<li><a
href="https://github.com/form-data/form-data/commit/67b0f65c2e0b065a511d42227d35e4d367644e97"><code>67b0f65</code></a>
[Dev Deps] update <code>js-randomness-predictor</code></li>
<li>See full diff in <a
href="https://github.com/form-data/form-data/compare/v4.0.5...v4.0.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=form-data&package-manager=npm_and_yarn&previous-version=4.0.5&new-version=4.0.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/microsoft/teams.py/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Quoted replies are now GA. Removes all
`@experimental("ExperimentalTeamsQuotedReplies")` decorators and
diagnostic docstring lines.

## Changes
- `packages/apps/src/microsoft_teams/apps/routing/activity_context.py`
- `packages/api/src/microsoft_teams/api/activities/message/message.py`
-
`packages/api/src/microsoft_teams/api/models/entity/quoted_reply_entity.py`

All tests pass (625/625). Lint and type checks clean.
Adds 12 integration tests that make real API calls against the Teams Bot
Framework service.

**Tests:**
- Activities: create, update, reply, delete (4)
- Members: get all, get by ID, get paged (3)
- Conversations: create 1:1, create group (2)
- Teams: get details, get channels (2)
- Reactions: add and delete (1)

**Also fixes:**
- `TeamDetails.type` was incorrectly marked as required — service
doesn't always return it. Now `Optional`.

**Setup:**
```bash
uv sync --all-packages --group dev --group integration
export $(cat tests/integration/.env.botid-prod | xargs)
pytest tests/integration -v
```

See [cross-SDK
runbook](https://github.com/microsoft/teams-sdk/blob/main/INTEGRATION-TESTS.md)
for provisioning and troubleshooting.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…#481)

The 1ES template requires `artifactName` (not `artifact`) for
`pipelineArtifact` input declarations in `templateContext`. This was
causing:

```
Unexpected value 'artifactName is a required argument for pipelineArtifact input and 1ES.DownloadPipelineArtifact@1 task'
```

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
## Summary
- Adds `"extendedmarkdown"` to the `TextFormat` Literal type for rich
content rendering (GFM tables, LaTeX math)
- Updates docstrings on `text_format` field and `with_text_format()`
method
- Adds unit test with markdown content verification
- Adds new `formatted-messaging` sample demonstrating all text formats:
markdown, extendedmarkdown, xml, and plain

## Test plan
- [x] Unit tests pass (`test_message_activities.py` — 62/62)
- [x] `formatted-messaging` sample syntax and imports verified
- [x] E2E validated in Teams

## Screenshots


<img width="363" height="125" alt="image"
src="https://github.com/user-attachments/assets/7b2ed266-c3b0-4be9-b336-cc03a0957b05"
/>

<img width="344" height="266" alt="image"
src="https://github.com/user-attachments/assets/d39f3614-dbc3-4050-9ab9-a1e105da68d3"
/>

<img width="413" height="191" alt="image"
src="https://github.com/user-attachments/assets/5b208d10-5d67-4c0d-b61c-69e7bdf073a7"
/>

<img width="630" height="297" alt="image"
src="https://github.com/user-attachments/assets/ad193b43-115f-409d-9925-a5953804e064"
/>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ntent stream not allowed (#453)

PR has evolved due to a number of raised issues wrt streaming error
handling. This PR solely focuses on handling the 403 for the 2-minute
timeout, and surfacing the "Content stream is not allowed" error.

This table highlights all the different error codes, we are concerned
with the 403s:

https://learn.microsoft.com/en-us/microsoftteams/platform/bots/streaming-ux?tabs=csharp#error-codes

1) Content stream is not allowed -> Error is surfaced, not as a
cancelled error
2) Content stream is not allowed on an already completed streamed
message -> Not possible with the SDK
3) Content stream finished due to exceeded streaming time. -> Handled in
this PR. A new regular message is sent instead.
4) Content stream was canceled by user -> Already handled today
5) Request streamed content should contain the previously streamed
content -> Not possible with the SDK

**TO BE DISCUSSED:**
1) Bursty informative updates - continued discussion in #452 to reach an
ideal solution
2) Message size too large -> To be discussed in #488

---
OLD DESCRIPTION:

Fixes #452

## Problem

`HttpStream` can send streaming activities faster than the Teams 1
request/second
per-stream limit. Teams then throttles the stream and returns
`403 ContentStreamNotAllowed`, which `_send` converts to
`StreamCancelledError`
and the user sees as a red error toast.

Two causes in `http_stream.py`:

1. `_flush()` sent every queued informative update back to back, then
the text
chunk. A burst of `update()` calls became a burst of POSTs in one flush.
2. The only pacing was a `call_later(0.5, ...)` reschedule, armed only
when a
backlog survived a flush. Once the queue drained, `_timeout` was `None`,
so the
   next `emit()` fired an immediate flush with no pacing.

## Fix

A per-stream leaky-slot limiter (`make_limiter` in `utils/limiter.py`),
gating
every chunk send in `_send_activity`. Its `next_slot` is instance state
shared
across flushes, so it paces both the in-flush burst and the next
`emit()` after
the queue drains. The first send is not delayed, so the progress bar
still
appears promptly.

- `min_send_interval` on `HttpStream.__init__` (default 1.0s) lets
callers buffer
  toward the docs' 1.5 to 2s advice.
- `coalesce_informative_updates` defaults to `True`: a burst of
informative
  updates in one flush collapses to the latest, matching the docs' "one
informative message, reused for each update". Set it `False` to pace out
every
  update at 1 req/s instead (see Notes).

## Tests

Limiter spacing and input validation; rapid `update()` burst coalesces
to the
latest by default; with `coalesce_informative_updates=False` every
update is sent
in order, none dropped, paced at the interval; emits are paced across
flushes (the
post-drain case); the interval is configurable; the flag never drops
text.
Existing `test_http_stream.py` behaviour is unchanged. Full
`packages/apps` suite
passes, ruff and pyright clean.

## Notes

- The limiter is acquired in `_send`, so every HTTP attempt is paced:
retries and
`close()`'s final send included. `acquire()` only waits when a send
would
actually be too soon, so close pays no latency unless it lands within
the
interval of the last chunk. Pass `min_send_interval=0` to disable
pacing.
- With `coalesce_informative_updates=False`, `_flush` holds its lock
across the
paced sleeps, so a very long informative burst could keep the lock long
enough
  that `close()` times out. The default (coalesce on) avoids this.
- The same gap likely exists in the sibling TS and .NET SDKs; not
addressed here.

---------

Co-authored-by: WERCK Ayrton <9287010+Athosone@users.noreply.github.com>
Co-authored-by: lilyydu <lilydu@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: lilyydu <54044854+lilyydu@users.noreply.github.com>
Co-authored-by: heyitsaamir <ajawaid191@gmail.com>
## Summary

- make `HttpStream` reusable after close: a later `emit()` or `update()`
starts a new streamed message cycle on the same stream instance
- keep repeated `close()` calls idempotent until another emit/update
occurs
- update the stream example with a `multi-stream` flow that emits an
Adaptive Card in the first stream final message, closes, then reuses
`ctx.stream` for a second streamed segment
- add coverage for close idempotency followed by emit-driven stream
reopening
- refresh `uv.lock` to include the missing `formatted-messaging`
workspace member and dependency metadata

## Context

This addresses the scenario in #489 where a handler needs to:

1. stream part of a response,
2. include a normal message or card in the flow,
3. continue with another streamed response.

Before this change, the only way to do that was to close `ctx.stream`
and then reach into the private
`ctx._activity_sender.create_stream(...)` API to create another stream.

## Motivation

This is useful for conversational AI and tool-using bot flows where a
response is not always one uninterrupted text stream.

For example, a bot may need to stream an explanation while it reasons or
searches, include a structured checkpoint message, approval prompt, or
card, and then continue streaming the final answer after that
intermediate interaction.

Without a public lifecycle API, developers either have to avoid
streaming for these richer flows or access private SDK internals to
create a fresh stream. Reopening the stream on the next emit gives them
a supported way to split one handler's response into multiple sequential
streamed messages while keeping the SDK's one-stream-object model.

## Alternatives considered

### `ctx.new_stream()`

We first considered adding a public `ctx.new_stream()` method that would
create and return another stream object.

That solves the private API issue, but it makes the model feel like a
handler can manage multiple stream objects at once. In practice, Teams
appears to behave more reliably when there is only one active stream at
a time. Multiple stream objects also complicate ownership, finalization,
event handler registration, and retry behavior.

### Context-managed multiple streams

We also considered having `ActivityContext` track all streams created
during a handler and close them all at the end.

That keeps cleanup centralized, but it still encourages multiple open
streams during one handler. It also makes ordering less explicit: a
stream could remain active while a normal message or a second stream is
sent, which is exactly the behavior that seemed risky.

### `close(reset=True)`

We also tried an explicit `close(reset=True)` option. It worked, but it
made the API more awkward and introduced a flag for what is conceptually
the next stream cycle.

The approach in this PR keeps `close()` simple: it finalizes the current
streamed message. Repeated `close()` calls remain idempotent. If the
caller later emits or updates, the stream starts a new cycle
automatically.

## Example

The stream example now includes a `multi-stream` path:



https://github.com/user-attachments/assets/91021174-fd9d-43c4-acb0-e38348ef6d12



```python
ctx.stream.emit("[stream 1] Starting the first streamed response.")
ctx.stream.emit(MessageActivityInput(text="...").add_card(card))
await ctx.stream.close()

ctx.stream.emit("[stream 2] Reusing ctx.stream after close().")
```

This demonstrates the intended lifecycle: one streamed message is
finalized, and the same `ctx.stream` instance is reused for the next
streamed message when the handler emits again.

Addresses #489

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 7, 2026 23:36
@heyitsaamir heyitsaamir changed the base branch from main to release July 7, 2026 23:37

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prepares the 2.0.14 patch release by syncing release to main, setting the stable version, and bringing in the accumulated SDK changes (streaming lifecycle/error handling improvements, BotBuilder integration refactor, and new integration test scaffolding).

Changes:

  • Bump version.json to 2.0.14 and update release workflow documentation/pipeline wiring.
  • Improve streaming behavior (reusable HttpStream after close, 403 error classification, non-retryable terminal stream errors) and related unit tests.
  • Refactor BotBuilder integration from a plugin to an HTTP-boundary adapter; add integration test harness/docs and small model/type additions.

Reviewed changes

Copilot reviewed 47 out of 50 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
version.json Set stable release version to 2.0.14
tools/hatch-teams-build/src/hatch_teams_build/version_source.py Prefer PEP 440-compatible nbgv fields
tests/integration/test_teams_and_reactions.py Add integration coverage for teams/reactions
tests/integration/test_members.py Add integration coverage for members APIs
tests/integration/test_conversations.py Add integration coverage for conversation creation
tests/integration/test_activities.py Add integration coverage for activity CRUD
tests/integration/README.md Document integration test setup/run
tests/integration/pytest.ini Set asyncio mode for integration tests
tests/integration/conftest.py Shared integration fixture + caching
tests/integration/.env.example Template env file for integration tests
stubs/msal/init.pyi Update MSAL stub for callable assertions
RELEASE.md Update release workflow/runbook
pyproject.toml Add integration dependency group
packages/botbuilder/tests/test_botbuilder_plugin.py Remove plugin tests (plugin removed)
packages/botbuilder/tests/test_botbuilder_adapter.py Add adapter tests
packages/botbuilder/src/microsoft_teams/botbuilder/botbuilder_plugin.py Remove BotBuilderPlugin implementation
packages/botbuilder/src/microsoft_teams/botbuilder/adapter.py Add BotBuilderAdapter implementation
packages/botbuilder/src/microsoft_teams/botbuilder/init.py Export adapter instead of plugin
packages/botbuilder/pyproject.toml Update package description to adapter
packages/apps/tests/test_token_manager.py Update/add tests for FIC caching + lazy assertion
packages/apps/tests/test_http_stream.py Expand streaming tests for 403 mapping/timeout/reopen
packages/apps/src/microsoft_teams/apps/utils/retry.py Add non_retryable to retry helper
packages/apps/src/microsoft_teams/apps/token_manager.py Cache MSAL clients; lazy client assertion
packages/apps/src/microsoft_teams/apps/routing/activity_context.py Remove quoted-reply experimental annotation
packages/apps/src/microsoft_teams/apps/plugins/streamer.py Add terminal stream error types + doc updates
packages/apps/src/microsoft_teams/apps/plugins/metadata.py Remove unused dependency option types
packages/apps/src/microsoft_teams/apps/plugins/init.py Export new stream error types
packages/apps/src/microsoft_teams/apps/http_stream.py Stream reuse after close + 403 mapping + timeout behavior
packages/apps/src/microsoft_teams/apps/app.py Remove no-longer-used container providers
packages/api/tests/unit/test_message_activities.py Add tests for extendedmarkdown + messageUpdate attachments
packages/api/src/microsoft_teams/api/models/text_format.py Add extendedmarkdown literal
packages/api/src/microsoft_teams/api/models/team_details.py Make type optional in TeamDetails
packages/api/src/microsoft_teams/api/models/entity/quoted_reply_entity.py Remove quoted-reply experimental annotation
packages/api/src/microsoft_teams/api/activities/message/message.py Update text format docs; remove experimental annotation on quoting APIs
packages/api/src/microsoft_teams/api/activities/message/message_update.py Add attachments + attachment_layout to MessageUpdateActivity
examples/tab/Web/package.json Bump Vite/plugin versions
examples/tab/Web/package-lock.json Lockfile refresh for Vite/plugin bumps
examples/stream/src/main.py Add multi-stream + adaptive card streaming demo
examples/stream/README.md Document new stream demo commands
examples/formatted-messaging/src/main.py New sample demonstrating text formats
examples/formatted-messaging/README.md Document formatted-messaging sample
examples/formatted-messaging/pyproject.toml Add formatted-messaging example project metadata
examples/botbuilder/src/main.py Migrate example to BotBuilderAdapter + card routing demo
examples/botbuilder/src/bots/echo_bot.py Handle adaptiveCard/action invoke in BotBuilder path
examples/botbuilder/README.md Update docs from plugin → adapter
examples/botbuilder/pyproject.toml Add cards dependency for updated example
CONTRIBUTING.md Add integration test guidance
.gitignore Ignore .env.* while keeping .env.example
.azdo/publish.yml Publish pipeline artifacts + staged publish jobs
Files not reviewed (1)
  • examples/tab/Web/package-lock.json: Generated file

Comment thread packages/apps/src/microsoft_teams/apps/http_stream.py
@heyitsaamir heyitsaamir merged commit 15fd07e into release Jul 7, 2026
5 checks passed
@heyitsaamir heyitsaamir deleted the heyitsaamir-aamirj-release-2-0-14 branch July 7, 2026 23:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants