Skip to content

chore: upgrade to CDS 10, patch security vulns#1546

Merged
chgeo merged 5 commits into
SAP-samples:mainfrom
mikicvi-SAP:chore/cds10-security-upgrades
Jul 9, 2026
Merged

chore: upgrade to CDS 10, patch security vulns#1546
chgeo merged 5 commits into
SAP-samples:mainfrom
mikicvi-SAP:chore/cds10-security-upgrades

Conversation

@mikicvi-SAP

@mikicvi-SAP mikicvi-SAP commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps the whole CAP stack to v10 and fixes a batch of npm audit issues. All README commands pass locally (npm ci, cds watch, npm run build:ui,
mbt build, npm test).

CAP stack

  • @sap/cds + @sap/cds-dk → 10
  • @cap-js/hana + @cap-js/sqlite → 3
  • @cap-js/cds-test → 1, @cap-js/cds-typer + @cap-js/cds-types → latest

Security

  • @sap/ux-specification → UI5-1.144 (latest), express → 4.22.2, ui5-middleware-simpleproxy → 3.8.0 — these alone collapse most of the vuln chain
  • @sap/cds-dk → 9.9.3 keeps ws patched; remaining 9 vulns are all @ui5/project → pacote → sigstore (dev toolchain only, no upstream fix available yet)

Test fixes

  • CDS 10 defaults ieee754compatible: true — decimals now serialise as strings (900 → '900.000'). Removed the stale IEEE754Compatible content-type header and updated all numeric assertions to match.
  • Minor type annotations (url: string, expectedValue: string, non-null assertion on travel)

Build fixes

  • @ui5/cli was silently de-hoisted to workspace-local installs, breaking ui5-tooling-transpile during mbt build. Added it to root devDependencies.
  • axios needs to be an explicit dep — @cap-js/cds-types 0.18 references import('axios') for type declarations even though cds-test 1.x emulates it at runtime.

CI fixes (follow-up)

Three failures on the first CI run:

  • Node 20 dropped — CDS 10 requires Node ≥22. Removed 20.x from the matrix, bumped engines.node to >=22, added 24.x to ci matrix
  • karma startup crash on Node 22 — ui5-middleware-simpleproxy 3.8.0 (upgraded for the http-proxy-middleware security fix) pulls in minimatch
    10.x → brace-expansion 5.x which gets hoisted to root. karma → minimatch 3.x then loads brace-expansion as a direct function call — an API that 5.x dropped. Fixed by pinning brace-expansion 1.x and balanced-match 1.x as nested lock entries under karma/minimatch/. Not fixable via overrides since npm won't create 3-level-deep nesting automatically.
  • Java CI npm ci failing with missing @esbuild/linux-* — npm install on macOS only writes the current platform's optional deps to the lockfile.
    Added local .npmrc with os=any cpu=any so every npm install produces a cross-platform lockfile going forward - npmrc is gitignored, so the fix is local only.

@mikicvi-SAP

Copy link
Copy Markdown
Contributor Author

FYI @devinea

@chgeo - could you please review/merge?

@devinea devinea left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

package updates lgtm. Thanks

@chgeo chgeo left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for moving this ahead.
See my comments.

Comment thread test/odata.test.ts Outdated
Comment thread test/odata.test.ts Outdated
Comment thread package.json Outdated
Comment thread package.json Outdated
@mikicvi-SAP

Copy link
Copy Markdown
Contributor Author

@chgeo Could you please merge and edit branch protection rules so that the Node 20 build is no longer required?

@chgeo

chgeo commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@chgeo Could you please merge and edit branch protection rules so that the Node 20 build is no longer required?

@stewsk would need to do that

@chgeo chgeo merged commit ea74451 into SAP-samples:main Jul 9, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants