Commit ea74451
authored
chore: upgrade to CDS 10, patch security vulns (#1546)
Bumps the whole CAP stack to v10 and fixes a batch of npm audit issues.
All README commands pass locally (npm ci, cds watch, npm run build:ui,
mbt build, npm test).
CAP stack
- @sap/cds + @sap/cds-dk → 10
- @cap-js/hana + @cap-js/sqlite → 3
- @cap-js/cds-test → 1, @cap-js/cds-typer + @cap-js/cds-types → latest
Security
- @sap/ux-specification → UI5-1.144 (latest), express → 4.22.2,
ui5-middleware-simpleproxy → 3.8.0 — these alone collapse most of the
vuln chain
- @sap/cds-dk → 9.9.3 keeps ws patched; remaining 9 vulns are all
@ui5/project → pacote → sigstore (dev toolchain only, no upstream fix
available yet)
Test fixes
- CDS 10 defaults ieee754compatible: true — decimals now serialise as
strings (900 → '900.000'). Removed the stale IEEE754Compatible
content-type header and updated all numeric assertions to match.
- Minor type annotations (url: string, expectedValue: string, non-null
assertion on travel)
Build fixes
- @ui5/cli was silently de-hoisted to workspace-local installs, breaking
ui5-tooling-transpile during mbt build. Added it to root
devDependencies.
- axios needs to be an explicit dep — @cap-js/cds-types 0.18 references
import('axios') for type declarations even though cds-test 1.x emulates
it at runtime.
CI fixes (follow-up)
Three failures on the first CI run:
- Node 20 dropped — CDS 10 requires Node ≥22. Removed 20.x from the
matrix, bumped engines.node to >=22, added 24.x to ci matrix
- karma startup crash on Node 22 — ui5-middleware-simpleproxy 3.8.0
(upgraded for the http-proxy-middleware security fix) pulls in minimatch
10.x → brace-expansion 5.x which gets hoisted to root. karma → minimatch
3.x then loads brace-expansion as a direct function call — an API that
5.x dropped. Fixed by pinning brace-expansion 1.x and balanced-match 1.x
as nested lock entries under karma/minimatch/. Not fixable via overrides
since npm won't create 3-level-deep nesting automatically.
- Java CI npm ci failing with missing @esbuild/linux-* — npm install on
macOS only writes the current platform's optional deps to the lockfile.
Added local .npmrc with os=any cpu=any so every npm install produces a
cross-platform lockfile going forward - npmrc is gitignored, so the fix
is local only.1 parent 347ee7b commit ea74451
5 files changed
Lines changed: 2587 additions & 11193 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
9 | | - | |
| 9 | + | |
10 | 10 | | |
11 | | - | |
12 | | - | |
| 11 | + | |
| 12 | + | |
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
| 25 | + | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
29 | | - | |
30 | | - | |
31 | | - | |
32 | | - | |
33 | | - | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | | - | |
39 | | - | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
40 | 40 | | |
41 | | - | |
42 | | - | |
43 | | - | |
44 | | - | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
45 | 45 | | |
46 | | - | |
47 | | - | |
48 | | - | |
49 | | - | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
50 | 50 | | |
51 | 51 | | |
52 | 52 | | |
| |||
0 commit comments