If you are running into the same problem, being unable to update jsonpickle because of botbuilder-core's dependency constraints, here is a quick rundown of how to move forward.
The conflict is that botbuilder-core 4.17.0 pins jsonpickle to >=1.2,<1.5, while the fix for CVE-2020-22083 (an unsafe-deserialization vulnerability in jsonpickle's decode path) requires jsonpickle 3.3.0 or newer. As long as that pin is in place, the two requirements cannot be satisfied at once.
A pull request that addresses exactly this problem was recently merged: https://github.com/microsoft/botbuilder-python/pull/2240, merged on December 23, 2025. It updates the dependency constraints and should allow newer jsonpickle versions to be installed.
To move past this roadblock, consider the following steps:

- Check for an updated release: keep an eye on the official botbuilder-core releases. After a pull request is merged, the next release usually includes it. Monitor the PyPI page for botbuilder-core or the project's GitHub releases section.
- Build from source or install dependencies manually: if you are comfortable doing so, clone the repository, relax the dependency constraints in the setup.py or requirements.txt yourself, and build the package. Be aware that this bypasses official packaging and could lead to other compatibility issues.
- Use a development version: some projects publish pre-release versions with the latest changes. Check whether a pre-release of botbuilder-core that includes the merged pull request is available. You can also install directly from GitHub, for example:

```bash
pip install git+https://github.com/microsoft/botbuilder-python.git@main
```

  This gives you access to the latest changes before an official release. Two caveats: botbuilder-python is a monorepo, so point pip at the package directory (pip's `#subdirectory=libraries/botbuilder-core` URL fragment) rather than the repository root; and for anything you deploy, pin a specific commit SHA instead of the moving `main` branch so the build is reproducible and the code you ship has actually been reviewed.
- Contact the maintainers: ask about the release schedule through GitHub Issues or the project's official channels. Since this is a security patch, knowing when the fix will ship lets you plan your updates.
Addressing this promptly matters for both security and compliance. Stay on top of releases and, if necessary, integrate the latest code from the repository rather than waiting for an official release that may be delayed. Note that upgrading closes this particular CVE but does not make jsonpickle safe to use on untrusted input: jsonpickle.decode() reconstructs arbitrary Python objects by design, so it should only ever be fed data your own application produced.
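As an added example (not code from the original post or from the botbuilder-python project), the script below finds which installed distributions declare a constraint on a package that excludes the version carrying a security fix, which is the situation described above. The SAMPLE_REQUIRES data is constructed to mirror the botbuilder-core 4.17.0 pin; the second call scans the real environment via importlib.metadata. The version comparison is a deliberate simplification (numeric release segments only, no full PEP 440), which is enough to spot a blocking pin.

```python
"""Find installed distributions whose declared dependency on a package
rejects the version that carries a security fix.

Added example, not part of botbuilder-python. Version comparison is
simplified: only numeric release segments are compared (not full PEP 440).
"""
import re
from importlib import metadata

# Constructed sample of Requires-Dist metadata, mirroring the botbuilder-core
# 4.17.0 pin described in the post. Not fetched from PyPI.
SAMPLE_REQUIRES = {
    "botbuilder-core": ["jsonpickle>=1.2,<1.5", "botbuilder-schema==4.17.0"],
    "some-other-app": ["jsonpickle>=3.0", "click>=8.0"],
}

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

_REQ_RE = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)")
_CLAUSE_RE = re.compile(r"(~=|==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.*+!-]*)")


def _vtuple(version):
    """'3.3.0' -> (3, 3, 0). Pre-release/local suffixes are dropped."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:          # so that (1, 5) compares equal to (1, 5, 0)
        parts.append(0)
    return tuple(parts)


def parse_requirement(req):
    """'jsonpickle>=1.2,<1.5 ; python_version>"3"' ->
    ('jsonpickle', [('>=', '1.2'), ('<', '1.5')]).
    Environment markers (including extras) are ignored, so constraints that
    only apply to an optional extra are still reported: conservative on purpose."""
    m = _REQ_RE.match(req.split(";")[0])
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec = m.group(1), m.group(2).strip().strip("()")  # old metadata wraps specs in ()
    name = name.lower().replace("_", "-")
    if spec.startswith("@"):       # URL requirement carries no version specifier
        return name, []
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE_RE.fullmatch(clause)
        if not cm:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def satisfies(version, clauses):
    """True if `version` is allowed by every (op, bound) clause."""
    v = _vtuple(version)
    for op, bound in clauses:
        if bound.endswith(".*"):                      # ==1.* / !=1.*
            n = bound.count(".")
            same = v[:n] == _vtuple(bound[:-2])[:n]
            ok = same if op == "==" else not same
        elif op == "~=":                              # ~=1.4 means >=1.4, ==1.*
            n = bound.count(".")
            ok = v >= _vtuple(bound) and v[:n] == _vtuple(bound)[:n]
        else:
            ok = _OPS[op](v, _vtuple(bound))
        if not ok:
            return False
    return True


def blocking_distributions(target, fixed_version, requires_by_dist):
    """Return {distribution: requirement} for every distribution whose
    declared constraint on `target` would reject `fixed_version`."""
    target = target.lower().replace("_", "-")
    blockers = {}
    for dist, reqs in requires_by_dist.items():
        for req in reqs:
            try:
                name, clauses = parse_requirement(req)
            except ValueError:
                continue               # exotic specifier: skip it rather than abort the scan
            if name == target and not satisfies(fixed_version, clauses):
                blockers[dist] = req
    return blockers


def installed_requires():
    """Requires-Dist lines of every distribution installed in this environment."""
    return {d.metadata["Name"]: list(d.requires or []) for d in metadata.distributions()}


if __name__ == "__main__":
    print("sample:", blocking_distributions("jsonpickle", "3.3.0", SAMPLE_REQUIRES))
    print("this environment:",
          blocking_distributions("jsonpickle", "3.3.0", installed_requires()))
```

Run it inside the virtualenv that holds your bot; any distribution it lists is one you have to upgrade, patch or build from source before `pip install "jsonpickle>=3.3.0"` can succeed without pip reporting a resolver conflict.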