Usage of a vulnerable package

[guy-microsoft]

The botbuilder-dialogs v4.19.3 package depends on @microsoft/recognizers-text-number which uses lodash.trimend v4.5.1 that includes this vulnerability:
https://nvd.nist.gov/vuln/detail/cve-2020-28500

[tracyboehrer]

This is coming in via the Recognizer Text package. The team is in the process of resolving.

[guy-microsoft]

Hi @tracyboehrer @ceciliaavila , any updates about that?

[ceciliaavila]

Hi @tracyboehrer @ceciliaavila , any updates about that?

Hi @guy-microsoft, we are working on upgrading the recognizers-text packages and analyzing the possible breaking changes this upgrade implies.