When will botbuilder-core release a new version with relaxed jsonpickle constraint? (PR #2240)

Question

Hi,

We're currently blocked from addressing a critical security vulnerability (CVE-2020-22083) in jsonpickle because botbuilder-core version 4.17.0 constrains it to >=1.2, <1.5.

The fix requires jsonpickle >= 3.3.0, which is incompatible with the current constraint.

I noticed that this PR: https://github.com/microsoft/botbuilder-python/pull/2240 was merged on December 23, 2025, which addresses this issue.

Questions:

1. When is the next botbuilder-core release expected to be published to PyPI?
2. Is there a release schedule or roadmap we can follow?

This is blocking security remediation for multiple services in our organization.

Thank you!

Answer 1

Hi ,

 

Thanks for reaching out to Microsoft Q&A.

• As of now, the latest published version on PyPI is 4.17.0 (May 29, 2025) which still has the old jsonpickle constraint. You will need to watch the GitHub releases/PyPI for the next version bump.
• There is no formal public release schedule or roadmap for the Python Bot Framework SDK indicating when specific PRs will be released. The team typically merges fixes to the main branch and then rolls them into the next SDK version when ready. There is no published cadence or date for the next release.

You may need to either build from the latest main branch or track the next release on the repo releases page. The fix is merged but not yet published to PyPI, and the SDK maintainers have not communicated a fixed release date or schedule that you can follow.

 

Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.