Open
Description
The library crypto-browserify, which is a dependency in the newest version of botframework-connector, uses browserify-sign, which uses another package, elliptic, which, in turn, uses hash.js. The use of the package hash.js violates Microsoft policy on the use of approved crypto libraries.

We have received a security alert for having this module in our package-lock, and after investigating, it turns out that we get it from botframework-connector. We kindly ask that this module is either removed or that an investigation is opened to verify that no code flows into any of the functionality of hash.js.