Release 2.0.6 by heyitsaamir · Pull Request #485 · microsoft/teams.ts

heyitsaamir · 2026-03-25T00:00:48Z

Summary

Release 2.0.6 — merging main into release
Includes all changes since 2.0.5 (43 commits)

Highlights

Introduce HttpServer and begin deprecating HttpPlugin (Introduce HttpServer (and begin deprecating HttpPlugin) #433)
Simplify HTTP Plugin architecture (Simplify HTTP Plugin architecture #424)
Make messaging endpoint path configurable (Make messaging endpoint path configurable #483)
Implement Reactions following teams.net PR Simplify graph function paramDefs type #335 (Implement Reactions following teams.net PR #335 #452)
Add support for Targeted Messages (Add support for Targeted Messages #443) with API refactoring (Refactor targeted messaging API to consolidate recipient and targeting flags #449) and preview indicators (Add preview indicators to targeted messages and reactions #468)
Create signin/failure invoke activity handling (Create 'signin/failure' invoke activity handling #459)
Fix JWT validator issuer validation and audience matching (Fix JWT validator issuer validation and audience matching #469)
Fix streaming timeout reset for each chunk emit ([Fix] streaming: do not reset timeout for each chunk emit #378)
Fix context merging with Plugin's response to onActivity (Fix context merging with Plugin's response to onActivity #418)
Add option to override base service URL for API Client (Add option to override base service url for our API Client #435)
Move internal workspace packages from peer deps to direct deps (Move internal workspace packages from peer deps to direct deps #474)
Fix objectId to aadObjectId for TeamsChannelAccount (fix: update objectId to aadObjectId for TeamsChannelAccount #475)
Move IsTargeted property from Activity to Account (Move IsTargeted property from Activity to Account #477)
Dependency bumps: express, react, lodash, qs, react-router, @modelcontextprotocol/sdk
CI/CD: ESRP publish pipeline migration, nbgv versioning fixes, ADO approver groups

Post-merge

Trigger publish pipeline with Public publish type from release branch
Bump version.json on main to 2.0.7-preview.{height}

Issue : #374 Main change:: - In emit, instead of cancelling and scheduling a new timeout, - flush immediately if no timeout pending, - else push to queue and wait. - Added tests for streaming https://github.com/user-attachments/assets/d8fc0a16-21f9-4ddc-a681-5db5e200e192 Devtools: Streaming always starts before the full response is received (check with logs, see attached video). Teams: Even though the first chunk is emitted immediately, (sometimes) by the time the stream starts on Teams, the full response is ready. In the second msg, we can see the stream starts a little bit before the full response is printed. --------- Co-authored-by: Mehak Bindra <mehakbindra@microsoft.com>

**Add support for Targeted Messages** This PR introduces support for sending targeted messages - messages delivered privately to a specific recipient within a conversation. Key Updates: Added an isTargeted boolean parameter to the send, update, reply and delete APIs. When enabled, the message is sent privately to the Recipient.Id specified in the activity payload. We append isTargetedActivity=true as a query parameter in API URLs when isTargeted is set, allowing backend services to correctly process these requests.

#427 needs to be reviewed a bit more. Reverts #427

Addresses DoS and source code exposure vulnerabilities in React Server Components ([advisory](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)). ## Changes - Bump React and React DOM from `^19.2.1` to `^19.2.2` in: - `examples/tab/package.json` - `packages/devtools/package.json` - npm resolved to 19.2.3 (latest patch satisfying constraint) ## Notes Only two workspaces use React. No code changes required—dependency version bump only.   <details> <summary>Original prompt</summary> > We need to update to react 19.2.2 (and also react dom). Follow patterns in #419. This is because of vulnerabilities listed in https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components </details> skip-test-verification  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: heyitsaamir <48929123+heyitsaamir@users.noreply.github.com>

Bumps [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) from 7.5.3 to 7.12.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.12.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120</a></p> <h2>v7.11.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110</a></p> <h2>v7.10.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101</a></p> <h2>v7.10.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100</a></p> <h2>v7.9.6</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796</a></p> <h2>v7.9.5</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795</a></p> <h2>v7.9.4</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794</a></p> <h2>v7.9.3</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p> <h2>v7.9.2</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p> <h2>v7.9.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791</a></p> <h2>v7.9.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790</a></p> <h2>v7.8.2</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782</a></p> <h2>v7.8.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781</a></p> <h2>v7.8.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780</a></p> <h2>v7.7.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771</a></p> <h2>v7.7.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v770">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v770</a></p> <h2>v7.6.3</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v763">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v763</a></p>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.12.0</h2> <h3>Minor Changes</h3> <ul> <li>Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the <code>react-router.config.ts</code> config <code>allowedActionOrigins</code> field. (<a href="https://redirect.github.com/remix-run/react-router/pull/14708">#14708</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>Fix <code>generatePath</code> when used with suffixed params (i.e., "/books/:id.json") (<a href="https://redirect.github.com/remix-run/react-router/pull/14269">#14269</a>)</p> </li> <li> <p>Export <code>UNSAFE_createMemoryHistory</code> and <code>UNSAFE_createHashHistory</code> alongside <code>UNSAFE_createBrowserHistory</code> for consistency. These are not intended to be used for new apps but intended to help apps usiong <code>unstable_HistoryRouter</code> migrate from v6->v7 so they can adopt the newer APIs. (<a href="https://redirect.github.com/remix-run/react-router/pull/14663">#14663</a>)</p> </li> <li> <p>Escape HTML in scroll restoration keys (<a href="https://redirect.github.com/remix-run/react-router/pull/14705">#14705</a>)</p> </li> <li> <p>Validate redirect locations (<a href="https://redirect.github.com/remix-run/react-router/pull/14706">#14706</a>)</p> </li> <li> <p>[UNSTABLE] Pass <code><Scripts nonce></code> value through to the underlying <code>importmap</code> <code>script</code> tag when using <code>future.unstable_subResourceIntegrity</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14675">#14675</a>)</p> </li> <li> <p>[UNSTABLE] Add a new <code>future.unstable_trailingSlashAwareDataRequests</code> flag to provide consistent behavior of <code>request.pathname</code> inside <code>middleware</code>, <code>loader</code>, and <code>action</code> functions on document and data requests when a trailing slash is present in the browser URL. (<a href="https://redirect.github.com/remix-run/react-router/pull/14644">#14644</a>)</p> <p>Currently, your HTTP and <code>request</code> pathnames would be as follows for <code>/a/b/c</code> and <code>/a/b/c/</code></p> <table> <thead> <tr> <th>URL <code>/a/b/c</code></th> <th><strong>HTTP pathname</strong></th> <th><strong><code>request</code> pathname`</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Document</strong></td> <td><code>/a/b/c</code></td> <td><code>/a/b/c</code> ✅</td> </tr> <tr> <td><strong>Data</strong></td> <td><code>/a/b/c.data</code></td> <td><code>/a/b/c</code> ✅</td> </tr> </tbody> </table> <table> <thead> <tr> <th>URL <code>/a/b/c/</code></th> <th><strong>HTTP pathname</strong></th> <th><strong><code>request</code> pathname`</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Document</strong></td> <td><code>/a/b/c/</code></td> <td><code>/a/b/c/</code> ✅</td> </tr> <tr> <td><strong>Data</strong></td> <td><code>/a/b/c.data</code></td> <td><code>/a/b/c</code> ⚠️</td> </tr> </tbody> </table> <p>With this flag enabled, these pathnames will be made consistent though a new <code>_.data</code> format for client-side <code>.data</code> requests:</p> <table> <thead> <tr> <th>URL <code>/a/b/c</code></th> <th><strong>HTTP pathname</strong></th> <th><strong><code>request</code> pathname`</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Document</strong></td> <td><code>/a/b/c</code></td> <td><code>/a/b/c</code> ✅</td> </tr> <tr> <td><strong>Data</strong></td> <td><code>/a/b/c.data</code></td> <td><code>/a/b/c</code> ✅</td> </tr> </tbody> </table> <table> <thead> <tr> <th>URL <code>/a/b/c/</code></th> <th><strong>HTTP pathname</strong></th> <th><strong><code>request</code> pathname`</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Document</strong></td> <td><code>/a/b/c/</code></td> <td><code>/a/b/c/</code> ✅</td> </tr> <tr> <td><strong>Data</strong></td> <td><code>/a/b/c/_.data</code> ⬅️</td> <td><code>/a/b/c/</code> ✅</td> </tr> </tbody> </table> <p>This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.</p> <p>Enabling this flag also changes the format of client side <code>.data</code> requests from <code>/_root.data</code> to <code>/_.data</code> when navigating to <code>/</code> to align with the new format. This does not impact the <code>request</code> pathname which is still <code>/</code> in all cases.</p> </li> <li> <p>Preserve <code>clientLoader.hydrate=true</code> when using <code><HydratedRouter unstable_instrumentations></code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14674">#14674</a>)</p> </li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/remix-run/react-router/commit/26653a6bcbf8a9c5541f99dcfb526eafadf13434"><code>26653a6</code></a> chore: Update version for release (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14712">#14712</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/7ac2346873b4bba26d16c88e5cd5c5cb81ce6bb3"><code>7ac2346</code></a> chore: Update version for release (pre) (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14709">#14709</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/75b1ef50867d8fa3d5ffdab28245d5fec307d6a7"><code>75b1ef5</code></a> Add origin checks for UI route submissions (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14708">#14708</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/c05ef936fd9334f82aafa7e9087b78a8bf5c745d"><code>c05ef93</code></a> Validate redirect locations (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14706">#14706</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/c89c32c562a7723c45ee71dab1c892acaf7a608d"><code>c89c32c</code></a> Escape HTML in scroll restoration keys (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14705">#14705</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/cbcbf3091b55ef0067724fbd744f31c6d85eb1e6"><code>cbcbf30</code></a> fix: pass nonce to importmap script when using subResourceIntegrity (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14675">#14675</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/30f6c1d8142cbd2c26aef57cb2e12a4a8708eb4f"><code>30f6c1d</code></a> fix(react-router): handle parameters with static suffixes in generatePath (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/1">#1</a>...</li> <li><a href="https://github.com/remix-run/react-router/commit/7f140e098ecd83fd183468e0c0acae86589bfd11"><code>7f140e0</code></a> Handle data requests with trailing slash consistently (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14644">#14644</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/1954af63742be277162f8d5d054ca07e04a4a401"><code>1954af6</code></a> Preserve hydrate property on client loaders during instrumentation (<a href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14674">#14674</a>)</li> <li><a href="https://github.com/remix-run/react-router/commit/5ce5cd4ebfc6959bf8d667075cb5b9ae0a9d5476"><code>5ce5cd4</code></a> chore: format</li> <li>Additional commits viewable in <a href="https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for react-router since your current version.</p> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=react-router&package-manager=npm_and_yarn&previous-version=7.5.3&new-version=7.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.ts/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/3fa11a5f643c76896387bd2d86904a2d0141fdf7"><code>3fa11a5</code></a> v6.14.1</li> <li><a href="https://github.com/ljharb/qs/commit/a62670423c1ccab0dd83c621bfb98c7c024e314d"><code>a626704</code></a> [Dev Deps] update <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"><code>3086902</code></a> [Fix] ensure arrayLength applies to <code>[]</code> notation as well</li> <li><a href="https://github.com/ljharb/qs/commit/fc7930e86c2264c1568c9f5606830e19b0bc2af2"><code>fc7930e</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/0b06aac566abee45ef0327667a7cc89e7aed8b58"><code>0b06aac</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/64951f6200a1fb72cc003c6e8226dde3d2ef591f"><code>64951f6</code></a> [Refactor] <code>parse</code>: extract key segment splitting helper</li> <li><a href="https://github.com/ljharb/qs/commit/e1bd2599cdff4c936ea52fb1f16f921cbe7aa88c"><code>e1bd259</code></a> [Dev Deps] update <code>@ljharb/eslint-config</code></li> <li><a href="https://github.com/ljharb/qs/commit/f4b3d39709fef6ddbd85128d1ba4c6b566c4902e"><code>f4b3d39</code></a> [eslint] add eslint 9 optional peer dep</li> <li><a href="https://github.com/ljharb/qs/commit/6e94d9596ca50dffafcef40a5f64eca89962cf34"><code>6e94d95</code></a> [Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code></li> <li><a href="https://github.com/ljharb/qs/commit/973dc3c51c86da9f4e30edeb4b1725158d439102"><code>973dc3c</code></a> [actions] add workflow permissions</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.14.0...v6.14.1">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=qs&package-manager=npm_and_yarn&previous-version=6.14.0&new-version=6.14.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.ts/network/alerts). </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: heyitsaamir <ajawaid191@gmail.com>

similiar to: microsoft/teams.net#198 fixes: #406 --------- Co-authored-by: lilydu <lilydu+odspmdb@microsoft.com>

This PR #288 introduces the ability for plugins to provide extra context. Unfortunately, the PR was incomplete, and needed tests. This PR adds tests, and fixes the issues with actually plumbing that value through to the context.

The base url is hard-coded. In this PR, we make it configurable using an environment variable (`SERVICE_URL`) or manually passing it in the App object.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/lodash/lodash/commit/dec55b7a3b382da075e2eac90089b4cd00a26cbb"><code>dec55b7</code></a> Bump main to v4.17.23 (<a href="https://redirect.github.com/lodash/lodash/issues/6088">#6088</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/19c9251b3631d7cf220b43bc757eb33f1084f117"><code>19c9251</code></a> fix: setCacheHas JSDoc return type should be boolean (<a href="https://redirect.github.com/lodash/lodash/issues/6071">#6071</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/b5e672995ae26929d111a6e94589f8d03fb8e578"><code>b5e6729</code></a> jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (<a href="https://redirect.github.com/lodash/lodash/issues/6062">#6062</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81"><code>edadd45</code></a> Prevent prototype pollution on baseUnset function</li> <li><a href="https://github.com/lodash/lodash/commit/4879a7a7d0a4494b0e83c7fa21bcc9fc6e7f1a6d"><code>4879a7a</code></a> doc: fix autoLink function, conversion of source links (<a href="https://redirect.github.com/lodash/lodash/issues/6056">#6056</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/9648f692b0fc7c2f6a7a763d754377200126c2e8"><code>9648f69</code></a> chore: remove <code>yarn.lock</code> file (<a href="https://redirect.github.com/lodash/lodash/issues/6053">#6053</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/dfa407db0bf5b200f2c7a9e4f06830ceaf074be9"><code>dfa407d</code></a> ci: remove legacy configuration files (<a href="https://redirect.github.com/lodash/lodash/issues/6052">#6052</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/156e1965ae78b121a88f81178ab81632304e8d64"><code>156e196</code></a> feat: add renovate setup (<a href="https://redirect.github.com/lodash/lodash/issues/6039">#6039</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/933e1061b8c344d3fc742cdc400175d5ffc99bce"><code>933e106</code></a> ci: add pipeline for Bun (<a href="https://redirect.github.com/lodash/lodash/issues/6023">#6023</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/072a807ff7ad8ffc7c1d2c3097266e815d138e20"><code>072a807</code></a> docs: update links related to Open JS Foundation (<a href="https://redirect.github.com/lodash/lodash/issues/5968">#5968</a>)</li> <li>Additional commits viewable in <a href="https://github.com/lodash/lodash/compare/4.17.21...4.17.23">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=lodash&package-manager=npm_and_yarn&previous-version=4.17.21&new-version=4.17.23)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.ts/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Refactor the C# template by removing the MainController and integrating message handling directly in Program.cs. Upgrade the target framework to net10.0 and update package references accordingly.

Adds support for targeted messages that only a specific recipient can see in a conversation. **Usage** ``` // Target the sender from context await send(new MessageActivity('Only you see this').withTargetedRecipient(true)); // Target a specific user await send(new MessageActivity('Private').withTargetedRecipient('user-id')); ``` **Key Changes** - SDK appends ?isTargetedActivity=true to API calls, so backend services handles the messages accordingly - Supports create, update, delete, and reply operations - Includes tests and example bot

Fixes #447 ## Problem - `MeetingClient.getParticipant` requires `tenantId` to be a url param - URL params need encoding ## Fix 1. Add `tenantId` to `getParticipant` as third parameter and add it as url parameter `?tenantId=${tenantId}` 2. Update `getParticipant` and `getById` with URI encoding 3. Update tests 4. Docs updates TBD in teams.sdk --------- Co-authored-by: Corina Gum <>

We were told to prefer pip over uv as our official tooling for customers. We also remove the `start` option because running all these commands on mac/windows/linux is not trivial to test, and it'll lead to more questions than it's worth.

## Summary - Adds comprehensive `AGENTS.md` guidance file to the TypeScript AI template - Enables AI coding assistants (Claude Code, Copilot, Cursor, etc.) to help developers more effectively - Includes critical setup requirements, Azure Bot registration workflow, and troubleshooting guide ## What's in the AGENTS.md - **Critical Setup Requirements**: Common gotchas that cause bots to fail silently (service principal, credential names, etc.) - **Azure Bot Registration**: Step-by-step CLI commands for registering a bot in Azure - **Teams App Package**: Instructions for creating and sideloading the app manifest - **SDK Patterns**: TypeScript code examples for events, ChatPrompt, streaming, tools, cards, and auth - **Troubleshooting**: Detailed solutions for common issues like 401 errors, missing service principal, etc. - **Quick Start**: Instructions for getting the bot running after provisioning ## Test plan - [ ] Generate a new project with `npx @microsoft/teams.cli new typescript test-bot --template ai` - [ ] Verify `AGENTS.md` is included in the generated project - [ ] Verify the content is accurate and helpful for AI assistants 🤖 Generated with [Claude Code](https://claude.ai/code) CG: skip-test-verification --------- Co-authored-by: siduppal <suppal@microsoft.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Bumps [qs](https://github.com/ljharb/qs) from 6.14.1 to 6.14.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.2</strong></h2> <ul> <li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li> <li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li> <li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li> <li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>[actions] fix rebase workflow permissions</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a> v6.14.2</li> <li><a href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a> [readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output</li> <li><a href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a> [readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation</li> <li><a href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a> [Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code></li> <li><a href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a> [Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/`pars...</li> <li><a href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a> [Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when `thr...</li> <li><a href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a> [Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li><a href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a> [Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove e...</li> <li><a href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a> [actions] fix rebase workflow permissions</li> <li><a href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a> [meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.14.1...v6.14.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=qs&package-manager=npm_and_yarn&previous-version=6.14.1&new-version=6.14.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/microsoft/teams.ts/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* We made a decision that we should not check-in versions in the git repo. * In this PR, we replace all the versioning to be 0.0.0 for all packages since versions are now calculated. All workspace dependencies now are using '*' instead of exact versions. That's general convention, but we can also use '0.0.0' if we want. * We have a script to set the version during CI that will basically calculate the version for the given commit, and then set all the versions for all the packages to that version dynamically during CI. * We use [nbgv](https://dotnet.github.io/Nerdbank.GitVersioning/docs/getting-started.html) to do this version calculation. * In our case, `main` and `release` hold special meaning. `main` branches will allow the creation of "preview" releases, whereas `release` will be stable. * We need to create a `release` branch and protect it. skip-test-verification --------- Co-authored-by: Corina Gum <>

…g flags (#449) use skip-test-verification Applies the targeted messaging API refactor from [microsoft/teams.net#318](microsoft/teams.net#318). The change consolidates `withTargetedRecipient()` into an enhanced `withRecipient()` method, making targeted message creation more explicit and reducing API surface area. ## API Changes **Before:** ```typescript // Implicit recipient inference new MessageActivity('message').withTargetedRecipient(true) // Recipient by ID only new MessageActivity('message').withTargetedRecipient('user-123') ``` **After:** ```typescript // Explicit recipient with targeting flag new MessageActivity('message').withRecipient(activity.from, true) // Full account object new MessageActivity('message').withRecipient( { id: 'user-123', name: 'User', role: 'user' }, true ) ``` ## Implementation - Moved `isTargeted` from `MessageActivity` to base `Activity` class as non-nullable boolean (default `false`) - Enhanced `Activity.withRecipient(account, isTargeted?)` to accept optional targeting flag - Removed `MessageActivity.withTargetedRecipient()` method - Updated interface definitions to reflect property relocation - Updated examples and tests to use new API pattern - Updated validation error messages ## Breaking Changes The `withTargetedRecipient()` method is removed. Callers must migrate to `withRecipient(account, true)`.  --- ✨ Let Copilot coding agent [set things up for you](https://github.com/microsoft/teams.ts/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com> Co-authored-by: Rido <rido-min@users.noreply.github.com>

## Changes - Add `.azdo/publish.yml` — ESRP publish pipeline migrated from ADO - Pipeline uses `checkout: self` instead of external repo checkout (removes dependency on personal GitHub service connection) - Replaces boolean `Publish` + `UseInternalFeed` parameters with single `publishType` (`Internal` / `Public`) to match C# and PY pattern ## `publish.yml` features - Required `publishType` parameter to select internal vs public publish - Single stage: install dependencies, build, test, stamp versions via nbgv, pack non-private packages, then conditionally publish - Internal: publishes `.tgz` packages to Azure Artifacts `TeamsSDKPreviews` feed - Public: signs and publishes to npm via ESRP - Always resolves dependencies from internal feed (avoids 1ES pool firewall issues) - Depends on nbgv versioning to differentiate between preview (`next` tag) and stable (`latest` tag) releases ## Differences from PY/C# pipeline - No `ExcludePackageFolders` — npm pack already skips `private: true` packages (PY needs it because `uv build --all-packages` builds everything) - No `PublishTestResults` — Jest doesn't produce JUnit XML (PY uses pytest's `--junitxml` flag) - No separate test dependency install step — test frameworks are installed by `npm ci` (PY installs `pytest` separately) - Single parameterized pipeline for both preview and stable (C# has separate `publish.yml` and `publish-preview.yaml`) --------- Co-authored-by: Corina Gum <>

Add fix for scripts with known versioning issue for nbgv Co-authored-by: Corina Gum <>

…457) This pull request makes a small update to the Azure DevOps pipeline configuration file `.azdo/publish.yml`. The main change is renaming the pipeline variable used to store the version number, and removing an unnecessary task related to setting the pipeline version. - Pipeline variable update: * Changed the name of the variable set for the version number from `CUSTOM_VERSION` to `VersionNumber` to standardize variable naming. - Pipeline task cleanup: * Removed the `onebranch.pipeline.version@1` task and its associated inputs, as it is no longer needed for setting the pipeline version.

- Set upcoming version number to be in ADO build run's title - Remove non-working pathFilters from version.json - Wildcards do not work in glob - Add `main` as allowed release branch - non-allowed release branches will have the suffix, which is why this is necessary. --------- Co-authored-by: Corina Gum <>

- Update Release doc - Update `meetingClient`, `meeting` model, and `MeetingParticipant` docs --------- Co-authored-by: Corina Gum <>

Create and use ADO-managed approver groups for publish Ran into an approver issue. Variable has already been created in ADO. Co-authored-by: Corina Gum <>

Adds reaction management capabilities via the Bot Framework API v3, mirroring the teams.net implementation. ## Changes **ReactionClient** (`/packages/api/src/clients/reaction/`) - `add(conversationId, activityId, reactionType)` - PUT to `/v3/conversations/{conversationId}/activities/{activityId}/reactions/{reactionType}` - `remove(conversationId, activityId, reactionType)` - DELETE to same endpoint - Integrated into main `Client` class as `reactions` property **ReactionType Model** (`/packages/api/src/models/reaction/`) - Type-safe reaction values: `'like' | 'heart' | 'laugh' | 'surprised' | 'sad' | 'angry'` **Breaking Change: MessageReactionActivity** - Removed `addReaction()` and `removeReaction()` helper methods - Reactions should now be managed via `ReactionClient` or set directly on activity properties **Example Application** (`/examples/reactions/`) - Added comprehensive example bot demonstrating ReactionClient usage - Shows how to add/remove reactions programmatically - Demonstrates handling `messageReaction` activity events - Includes interactive commands and detailed documentation ## Usage ```typescript import { Client } from '@microsoft/teams.api'; const client = new Client(serviceUrl); // Add a reaction await client.reactions.add('conversationId', 'activityId', 'like'); // Remove a reaction await client.reactions.remove('conversationId', 'activityId', 'like'); // MessageReactionActivity now requires direct property assignment const activity = new MessageReactionActivity({ reactionsAdded: [{ type: 'like', user: account }], reactionsRemoved: [{ type: 'heart', user: account }], }); ``` See the `examples/reactions` directory for a complete working example.  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: rido-min <14916339+rido-min@users.noreply.github.com> Co-authored-by: Rido <rido-min@users.noreply.github.com>

There are failures when running `npm ci && npm build` on Windows. This PR updates the package-lock.json with updated packages

Some of the dependencies in package lock (hono) are not available in the internal feed. This PR fixes those to only include packages already available in the feed.

Resolves #460 Route and handle `signin/failure` invoke activities that Teams sends when SSO token exchange fails. Adds a system default handler that logs actionable warnings and emits error events, plus a signin.failure route for developer overrides. Previously, when Teams sent a `signin/failure` invoke (e.g., due to an SSO misconfiguration), the SDKs silently swallowed the failure with no logging, no error events, and no developer notification. This made SSO configuration issues extremely difficult to diagnose. User: hi (No response from app) ## The Problem When a Teams app uses SSO (Single Sign-On) with a Token Exchange URL configured in the OAuth connection settings, Teams attempts a silent token exchange. If this fails -- for example, because the Entra app registration's "Expose an API" configuration doesn't match the Token Exchange URL -- Teams sends a `signin/failure` invoke activity with details like: ```json { "type": "invoke", "name": "signin/failure", "value": { "code": "resourcematchfailed", "message": "Resource match failed" } } ``` Before this change, none of the three SDKs routed or handled this invoke. The failure was invisible to the user, SDK, and the developer. The user saw no sign-in card, no error message, and no indication of what went wrong. Now, sign in failures with send a warning, emits error event, and return HTTP 200 by default. Developers can also register custom handlers if desired, for example: **TypeScript:** ```typescript app.on('signin.failure', (ctx) => { const { code, message } = ctx.activity.value; console.log(`Sign-in failed: ${code} - ${message}`); return { status: 200 }; }); ``` Example log on `signin/failure`: ``` [WARNING] @teams/app Sign-in failed for user 29:xxxxx in conversation a:1_xxxxx: resourcematchfailed — Resource match failed. If the code is 'resourcematchfailed', verify that your Entra app registration has 'Expose an API' configured with the correct Application ID URI matching your OAuth connection's Token Exchange URL. ``` Note that the default behavior will still appear to fail silently for the user. There will be logs, but it will be up to the developer to determine how the user experiences the sign-in failure. `'resourcematchfailed'` is an example of a setup error, however, and should not be an error that a 'real' user experiences. If desired, we could potentially modify the default behavior to send something to the user, but I'm disinclined to make that decision on the behalf of the developer. Feature work tested and verified in C#, PY, and TS. --------- Co-authored-by: Corina Gum <>

## Summary - Align with updated messaging across SDKs to update sign-in failure example string 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Corina Gum <>

## Summary - **Fix issuer validation bug**: `validateIssuer: { allowedTenantIds: undefined }` was incorrectly treated as configured validation. - **Add `api://botid-{clientId}` to default audience list** for bot token validation since this is a really common, default value of the application id uri. - **Add optional `audience` field** to `IJwtValidationOptions` for custom audience values beyond the defaults (`clientId`, `api://clientId`, `api://botid-clientId`). ## Test plan - [x] Verify tokens with `api://botid-{clientId}` audience are accepted - [x] Verify `createEntraTokenValidator` without explicit `allowedTenantIds` no longer rejects valid tokens - [x] Existing JWT validator tests pass

…blish script (#472) - Add `target: container: host` and release title to ESRP task in publish script Co-authored-by: Corina Gum <>

- Add preview indicators for targeted messages and reactions - Fix up doc strings formatting - Minor verbiage tweaks --------- Co-authored-by: Corina Gum <>

Separate activity sending from HTTP transport layer The previous architecture tightly coupled HTTP transport concerns with activity sending logic: **Previous Architecture:** ``` HttpPlugin (transport) → implements ISender (sending) → has send() method (creates new Client per call) → has createStream() method → knows about Activity protocol details ActivityContext → depends on ISender plugin → cannot work without transport plugin → conflates transport and sending concerns ``` There are a few issues with this: - HttpPlugin created NEW Client instances on every send() call. So there's really no benefit of this logic being in the "httpclient" plugin. - Transport plugins (HttpPlugin) were forced to implement send/createStream. This makes it more cumbersome to build your own HttpPlugin with your own servier. - Users couldn't "bring their own server" without implementing ISender - ActivityContext was tightly coupled to plugin architecture. ("Sender" was coupled with an activity, without any necessary benefits.) ## New Architecture ``` HttpPlugin (transport) → only handles HTTP server/routing/auth → emits ICoreActivity (minimal protocol knowledge) → just passes body payload to app ActivitySender (NEW) → dedicated class for sending activities → receives injected, reusable Client → handles all send/stream logic → private to App class ActivityContext → uses ActivitySender now (which is not a plugin) ``` In this PR, I am mainly decoupling responsibilities of HttpPlugin from being BOTH a listener AND a sender, to being just a listener. The sender bit is now separated to a different `ActivitySender` class. Other than better code organization, the main thing this lets us do is **not require the app to run to be able to send proactive messages**. This is a huge plus point because now the App can be used in scenarios where it doesn't necessarily need to _listen_ to incoming messages (like agentic notifications!) ## Major Decisions ### 1. Created ActivitySender Class - Centralized all activity sending logic - Receives reusable Client in constructor (no per-send instantiation) - Private to App class - internal implementation detail - Provides send() and createStream() methods - **Separate from HttpPlugin** ### 2. Introduced ICoreActivity Interface - Minimal fields transport layer needs: serviceUrl, id, type - Extensible via [key: string]: any for protocol-specific fields - Transport plugins work with this instead of full Activity type. So it's easier to create these. - Parsing to Activity happens in app.process.ts now, NOT in HttpPlugin. ### 3. Removed ISender Interface - No longer needed - plugins don't send activities - Plugins only handle transport (receiving requests) - Breaking change, but simplifies plugin architecture. This pattern wasn't documented (intentionally) because the design was subject to change. So it should be okay hopefully to change this. ## Breaking Changes ### For Plugin Authors: 1. **ISender removed** - Custom plugins should implement IPlugin only 2. **IActivityEvent changed** - Now has body: ICoreActivity instead of activity: Activity #### PR Dependency Tree * **PR #424** 👈 * **PR #433** This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

## Summary - Run `npm audit fix` to resolve 13 vulnerabilities in transitive dependencies (hono, @hono/node-server, express-rate-limit, flatted, js-yaml, minimatch, tmp) - Change `botbuilder` from 4.23.1 to ^4.23.1 in `packages/botbuilder` and change to 4.23.3 in `examples/botbuilder` to resolve the elliptic vulnerability chain ## Test plan - [x] Tested `examples/mcp` - [x] Tested `examples/mcpclient` - [x] Tested `examples/botbuilder` - [x] `npm audit` returns 0 vulnerabilities --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

In this PR, we introduce a new object called HttpServer and begin to deprecate HttpPlugin. ## Main changes 1. Create `HttpServer` internal class. It accepts an `IHttpServerAdapter` which is the server implementation. 2. Pulled out the express implementation as an `IHttpServerAdapter` 3. Deprecated HttpPlugin, and made it use HttpServer + ExpressAdapter. 4. Changed BotBuilder/A2A/Mcp plugins to depend on HttpServer vs. HttpPlugin. 5. Added examples to show how powerful IHttpServerAdapter can be with different types of servers (hono, fastify). 6. Minor refactor of the jwt middleware such that we can reuse it in HttpServer and app.embed. ## Why: HTTP is a core part of our sdk. Our App object uses HTTP to set up a server, perform auth validations, and pipe the request to the handlers that are attached, and then return the response. Key part is that Http is a *core* part of App, not a plugin, since core functionality is dependent on it. Even inside the App object, we were doing special casing for this Http"Plugin" whereas it should never have really been a plugin to begin with. By making it a plugin, we were exposing many non-plugin essential things to the plugin system in general. So what should it have been? Well, HTTP Plugin had these responsibilities 1. Set up the express server 2. Perform validations if credentials were present 3. Pass the incoming request to App 4. Once App handlers have had a chance to process this incoming request, pass the response back to the server. So, we introduce a new object called `HttpServer` whose responsibilities are essentially that ^. This object is not a plugin, but an object that's created by App itself. ## Customization Now this idealogical shift doesn't really warrant us doing this refactor, but we started seeing requests from folks who wanted to hook Teams functionality into existing servers, or replace the underlying server infra with a non-express server. Our recommendation was to rebuild a new HttpPlugin. But rebuilding this plugin is not simple (since we don't really document it anywhere, and didn't expect folks to build their own). So `HttpServer` exposes an `IHttpServerAdapter` concept. To build the adapter, one simply needs to build out a handler for extracting request data, and a handler for responses. This means that you can build simple custom adapters for your own _existing_ servers. (And if you don't pass one in, we'll build a default express one.) Examples of servers are in the http-adapters folder under examples/. ## Adapter Interface The `IHttpServerAdapter` interface adapters need to implement: ```typescript interface IHttpServerAdapter { registerRoute(method: HttpMethod, path: string, handler: HttpRouteHandler): void; serveStatic?(path: string, directory: string): void; start?(port: number): Promise<void>; stop?(): Promise<void>; } ``` Handlers are pure functions — `({ body, headers }) → { status, body }`. No framework-specific request/response objects leak through the abstraction. ### Why `registerRoute`? Some adapter patterns have the adapter own routing internally and just receive a single callback. But our SDK creates routes dynamically — `app.function('myFunc')` registers `/api/functions/myFunc` at runtime, in addition to the core `/api/messages` endpoint. The adapter needs a `registerRoute` method so that both `HttpServer` and `app.function()` can tell it what paths to listen on. ### Optional methods `start`/`stop` are optional — serverless adapters (Vercel, Lambda) don't need them. `serveStatic` is optional — only needed for tab hosting. `HttpMethod` is currently just `'POST'` (the only method the Teams protocol uses). It may expand to a union if needed. ## Backward Compat We've updated `HttpPlugin` to basically use `HttpServer` with an `ExpressAdapter` internally for backward compat. I don't think this should lead to any breaking changes (even if someone passes in their own `HttpPlugin`). (Tested BotBuilderPlugin, from examples, and it worked without any changes). However, it should be noted that I marked HttpPlugin as deprecated in this PR, so it should be discouraged going forward, and after the next few versions, it'll be removed. ## Testing I tested by running the following examples: 1. Echo bot 2. Devtools 3. BotBuilder 4. HttpPlugin 5. Tabs 6. AI (streaming and regular completions) skip-test-verification (added manifest for tabs) #### PR Dependency Tree * **PR #424** * **PR #433** 👈 * **PR #442** #### PR Dependency Tree * **PR #424** * **PR #433** 👈 This tree was auto-generated by [Charcoal](https://github.com/danerwilliams/charcoal) --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

- property was incorrectly named `objectId` instead of `aadObjectId`, field was being dropped during serialization when the `meetingEnd` event was triggered - schema that we are using: https://learn.microsoft.com/en-us/dotnet/api/microsoft.bot.schema.teams.teamschannelaccount?view=botbuilder-dotnet-stable - equivalent python fix: microsoft/teams.py#300 - dotnet has it correctly set Co-authored-by: lilydu <lilydu+odspmdb@microsoft.com>

## Why Internal `@microsoft/teams.*` packages were declared as peer dependencies of each other, forcing consumers to manually install packages like `teams.api`, `teams.common`, `teams.graph`, and `teams.cards` even though they had no version choice — all packages are lockstep-versioned and released together. This added DX friction without any architectural benefit. This was fine when agents were being created from scratch (users would scaffold a project and install everything at once). That's no longer the case — users are integrating the SDK into existing projects, and having to figure out which internal plumbing packages to install is unnecessary. Peer deps are meant for plugin/host relationships and external SDKs where the consumer provides their own version, not for tightly-coupled internal packages. ## Summary - Converted internal `@microsoft/teams.*` peer dependencies to real dependencies across all packages. Consumers now only install the packages they consciously choose (`teams.apps`, `teams.dev`, `teams.ai`, etc.) and internal plumbing comes in transitively. - Plugin packages (`botbuilder`, `dev`, `mcp`, `a2a`, `mcpclient`) correctly peer on their host (`teams.apps` or `teams.ai`) while keeping directly-imported internals as real deps. External third-party peers (`botbuilder`, `openai`, `@microsoft/teams-js`, `@modelcontextprotocol/sdk`, `@a2a-js/sdk`) remain as peer deps. - Cleaned up examples and CLI templates to only declare dependencies they actually import — removed ~16 redundant deps across examples and ~8 across CLI templates. - Removed `@microsoft/teams.dev` dependency from `teams.mcp` (and associated `DevtoolsPlugin` code) - This requires a dependency on dev, which is not right. Users should be able to run this plugin without installing dev since dev is an optional plugin. ## Dependency principles applied 1. **dependencies** = anything your code directly imports 2. **peerDependencies** = the host/platform your package is a plugin for, plus external SDKs the consumer provides 3. Don't declare what you don't import; don't omit what you do ## Test plan - [x] Full monorepo build passes (33/33 tasks) - [x] Verify examples still run locally - [x] Verify CLI `teams new` scaffolds correct deps skip-test-verification --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Lily Du <lilyyduu@gmail.com> Co-authored-by: lilydu <lilydu+odspmdb@microsoft.com>

## Summary - Run `npm audit fix` to resolve 13 of 20 vulnerabilities (12 low, 1 moderate, 7 high → 7 low remaining) - Updated `hono`, `@hono/node-server`, `express-rate-limit`, `flatted`, `serve-handler`, `ip-address`, and `@turbo/gen` to patched versions - Removed 71 unused transitive dependencies (node-plop, inquirer, globby, etc.) ### Vulnerabilities fixed | Package | Fix | Issue | |---|---|---| | `hono` | 4.12.2 → 4.12.9 | Cookie injection, SSE injection, file access, prototype pollution | | `@hono/node-server` | 1.19.9 → 1.19.11 | Auth bypass via encoded slashes | | `express-rate-limit` | 8.2.1 → 8.3.1 | IPv4-mapped IPv6 rate limit bypass | | `flatted` | 3.3.3 → 3.4.2 | Unbounded recursion DoS, prototype pollution | | `serve-handler` | 6.1.6 → 6.1.7 | ReDoS via minimatch | | `@turbo/gen` | 2.8.11 → 2.8.20 | Removes vulnerable tmp/inquirer/node-plop chain | ### Remaining (not fixed) 7 low-severity `elliptic` issues in `@examples/botbuilder` via `botbuilder` → `botframework-connector` → `crypto-browserify`. Fixing requires `--force` which would downgrade `botbuilder` outside its stated dependency range. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Moved IsTargeted from Activity to Account Updated routing logic to read from Recipient.IsTargeted instead of Activity.IsTargeted

- Currently `/api/messages` is hardcoded as the messaging endpoint path. This might not be always what a developer wants. - Adds `messagingEndpoint` option to `AppOptions` (defaults to `/api/messages`) - `App` is the source of truth for the default; `HttpServer` requires it explicitly - `BotBuilderPlugin` reads the path from `httpServer.messagingEndpoint` instead of hardcoding Tested with `/my-endpoint` and it worked. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Corina <14900841+corinagum@users.noreply.github.com>

MehakBindra and others added 30 commits December 24, 2025 14:01

Revert "Add support for Targeted Messages" (#429)

9d8250f

#427 needs to be reviewed a bit more. Reverts #427

add meetings sample and update events to pascal casing (#434)

440ed02

similiar to: microsoft/teams.net#198 fixes: #406 --------- Co-authored-by: lilydu <lilydu+odspmdb@microsoft.com>

Add option to override base service url for our API Client (#435)

02fe092

The base url is hard-coded. In this PR, we make it configurable using an environment variable (`SERVICE_URL`) or manually passing it in the App object.

Refactor C# template and update .NET target framework (#437)

0eebe84

Refactor the C# template by removing the MainController and integrating message handling directly in Program.cs. Upgrade the target framework to net10.0 and update package references accordingly.

Fix versioning issues with nbgv (#456)

a9bf4d4

Add fix for scripts with known versioning issue for nbgv Co-authored-by: Corina Gum <>

Update docs for Release and Meeting API (#455)

644aac3

- Update Release doc - Update `meetingClient`, `meeting` model, and `MeetingParticipant` docs --------- Co-authored-by: Corina Gum <>

Create and use ADO-managed approver groups for publish (#461)

9a5adfe

Create and use ADO-managed approver groups for publish Ran into an approver issue. Variable has already been created in ADO. Co-authored-by: Corina Gum <>

Update node version publish.yml for Azure Pipelines

4fdb54b

Fix package-lock with rollup for windows (#466)

6313f7e

There are failures when running `npm ci && npm build` on Windows. This PR updates the package-lock.json with updated packages

Fix package-lock json (#467)

0115a37

Some of the dependencies in package lock (hono) are not available in the internal feed. This PR fixes those to only include packages already available in the feed.

corinagum and others added 13 commits March 5, 2026 13:10

Update sign-in failure example string (#470)

1a9159d

## Summary - Align with updated messaging across SDKs to update sign-in failure example string 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Corina Gum <>

Update target: container: host in each step and release title to pu…

1ccc238

…blish script (#472) - Add `target: container: host` and release title to ESRP task in publish script Co-authored-by: Corina Gum <>

Add preview indicators to targeted messages and reactions (#468)

f1b133c

- Add preview indicators for targeted messages and reactions - Fix up doc strings formatting - Minor verbiage tweaks --------- Co-authored-by: Corina Gum <>

Move IsTargeted property from Activity to Account (#477)

2ddb91f

Moved IsTargeted from Activity to Account Updated routing logic to read from Recipient.IsTargeted instead of Activity.IsTargeted

heyitsaamir requested review from Jesperholmbergmsft, corinagum, dclaux and ydogandjiev as code owners March 25, 2026 00:00

heyitsaamir merged commit dd12f32 into release Mar 25, 2026
11 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release 2.0.6#485

Release 2.0.6#485
heyitsaamir merged 43 commits intoreleasefrom
main

heyitsaamir commented Mar 25, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

heyitsaamir commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Highlights

Post-merge

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

heyitsaamir commented Mar 25, 2026 •

edited

Loading