CAP8 with node.js : how to solve dependency issues

shf
Explorer

Hello,

Since I'm using CAP 8 together with Node.js, I have now switched to Node.js LTS version 22.14.0 and I'm getting a huge list of dependency issues, see below.
I have already deleted the npm cache, deleted the package-lock.json, executed "npm update" and tried to fix these issues with "npm audit fix" and "npm audit fix --force". But the issues are still there. How should I proceed to get rid of these errors?

Result of "npm ls":

├── @cap-js/cds-typer@0.33.1
├── @cap-js/cds-types@0.9.0
├── @cap-js/sqlite@1.9.0
├── @sap-ux/axios-extension@1.19.1
├── @sap-ux/btp-utils@1.0.2
├── @sap/cds-dk@8.8.2
├── @sap/cds@8.8.3
├── @sap/eslint-plugin-cds@3.2.0
├── @sap/ux-ui5-tooling@1.17.0
├── @sap/xsenv@5.5.0
├── @sap/xssec@4.4.0
├── @types/node@22.13.11
├── axios@1.8.4
├── cds-plugin-ui5@0.12.0
├─┬ config_systemkind@0.0.1 -> .\app\config_systemkind
│ ├── @sap-ux/eslint-plugin-fiori-tools@0.4.2
│ ├── @sap/ux-specification@1.124.12
│ ├── @sap/ux-ui5-tooling@1.13.3
│ ├── @sapui5/types@1.130.8
│ ├── @typescript-eslint/eslint-plugin@7.18.0
│ ├── @typescript-eslint/parser@7.18.0
│ ├── @ui5/cli@3.11.6
│ ├── typescript@5.8.2 deduped
│ └── ui5-tooling-transpile@3.7.4 deduped
├─┬ config_systemtype@0.0.1 -> .\app\config_systemtype
│ ├── @sap-ux/eslint-plugin-fiori-tools@0.4.2
│ ├── @sap/ux-specification@1.124.12 deduped
│ ├── @sap/ux-ui5-tooling@1.17.0 deduped
│ ├── @sapui5/types@1.129.2
│ ├── @typescript-eslint/eslint-plugin@7.18.0
│ ├── @typescript-eslint/parser@7.18.0
│ ├── @ui5/cli@3.11.6 deduped
│ ├── typescript@5.8.2 deduped
│ └── ui5-tooling-transpile@3.7.4 deduped
├── eslint@9.23.0
├── express@4.21.2
├── typescript@5.8.2
└── ui5-tooling-transpile@3.7.4

Here the result of "npm version":

{
  paltrcore: '1.0.1',
  npm: '11.2.0',
  node: '22.14.0',
  acorn: '8.14.0',
  ada: '2.9.2',
  amaro: '0.3.0',
  ares: '1.34.4',
  brotli: '1.1.0',
  cjs_module_lexer: '1.4.1',
  cldr: '46.0',
  icu: '76.1',
  llhttp: '9.2.1',
  modules: '127',
  napi: '10',
  nbytes: '0.1.1',
  ncrypto: '0.0.1',
  nghttp2: '1.64.0',
  nghttp3: '1.6.0',
  ngtcp2: '1.10.0',
  openssl: '3.0.15+quic',
  simdjson: '3.10.1',
  simdutf: '6.0.3',
  sqlite: '3.47.2',
  tz: '2024b',
  undici: '6.21.1',
  unicode: '16.0',
  uv: '1.49.2',
  uvwasi: '0.0.21',
  v8: '12.4.254.21-node.22',
  zlib: '1.3.0.1-motley-82a5fec'
}

And finally the error messages with "npm audit":

# npm audit report

axios  <=1.8.1
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
No fix available
app/config_systemkind/node_modules/axios
node_modules/@sap-ux/adp-tooling/node_modules/@sap-ux/btp-utils/node_modules/axios
node_modules/@sap-ux/adp-tooling/node_modules/axios
node_modules/@sap-ux/fe-fpm-writer/node_modules/axios
node_modules/@sap-ux/fiori-annotation-api/node_modules/axios
node_modules/@sap-ux/fiori-generator-shared/node_modules/axios
node_modules/@sap-ux/inquirer-common/node_modules/@sap-ux/btp-utils/node_modules/axios
node_modules/@sap-ux/inquirer-common/node_modules/axios
node_modules/@sap-ux/nodejs-utils/node_modules/axios
node_modules/@sap-ux/preview-middleware/node_modules/axios
node_modules/@sap-ux/system-access/node_modules/@sap-ux/btp-utils/node_modules/axios
node_modules/@sap-ux/system-access/node_modules/axios
node_modules/@sap-ux/telemetry/node_modules/@sap-ux/btp-utils/node_modules/axios
node_modules/@sap-ux/telemetry/node_modules/axios
node_modules/@sap-ux/ui5-config/node_modules/axios
node_modules/@sap-ux/ui5-info/node_modules/axios
  @sap-ux/axios-extension  <=1.19.0
  Depends on vulnerable versions of @sap-ux/btp-utils
  Depends on vulnerable versions of axios
  app/config_systemkind/node_modules/@sap-ux/axios-extension
  node_modules/@sap-ux/adp-tooling/node_modules/@sap-ux/axios-extension
  node_modules/@sap-ux/system-access/node_modules/@sap-ux/axios-extension
    @sap-ux/adp-tooling  <=0.13.13
    Depends on vulnerable versions of @sap-ux/axios-extension
    Depends on vulnerable versions of @sap-ux/btp-utils
    Depends on vulnerable versions of @sap-ux/inquirer-common
    Depends on vulnerable versions of @sap-ux/nodejs-utils
    Depends on vulnerable versions of @sap-ux/odata-service-writer
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/system-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    Depends on vulnerable versions of ejs
    app/config_systemkind/node_modules/@sap-ux/adp-tooling
    node_modules/@sap-ux/adp-tooling
      @sap-ux/preview-middleware  <=0.18.14
      Depends on vulnerable versions of @sap-ux/adp-tooling
      Depends on vulnerable versions of @sap-ux/adp-tooling
      Depends on vulnerable versions of @sap-ux/btp-utils
      Depends on vulnerable versions of @sap-ux/project-access
      Depends on vulnerable versions of ejs
      app/config_systemkind/node_modules/@sap-ux/preview-middleware
      node_modules/@sap-ux/preview-middleware
        @sap/ux-ui5-tooling  *
        Depends on vulnerable versions of @sap-ux/preview-middleware
        Depends on vulnerable versions of @sap-ux/preview-middleware
        Depends on vulnerable versions of express
        app/config_systemkind/node_modules/@sap/ux-ui5-tooling
        node_modules/@sap/ux-ui5-tooling
  @sap-ux/btp-utils  <=1.0.1
  Depends on vulnerable versions of axios
  app/config_systemkind/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/adp-tooling/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/fiori-generator-shared/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/inquirer-common/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/nodejs-utils/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/preview-middleware/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/system-access/node_modules/@sap-ux/btp-utils
  node_modules/@sap-ux/telemetry/node_modules/@sap-ux/btp-utils
    @sap-ux/fiori-generator-shared  0.3.14 - 0.9.8
    Depends on vulnerable versions of @sap-ux/btp-utils
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/telemetry
    node_modules/@sap-ux/fiori-generator-shared
    @sap-ux/nodejs-utils  <=0.1.7
    Depends on vulnerable versions of @sap-ux/btp-utils
    node_modules/@sap-ux/nodejs-utils
    @sap-ux/system-access  <=0.5.32
    Depends on vulnerable versions of @sap-ux/axios-extension
    Depends on vulnerable versions of @sap-ux/btp-utils
    app/config_systemkind/node_modules/@sap-ux/system-access
    node_modules/@sap-ux/system-access
  @sap-ux/inquirer-common  <=0.6.28
  Depends on vulnerable versions of @sap-ux/btp-utils
  Depends on vulnerable versions of @sap-ux/fiori-generator-shared
  Depends on vulnerable versions of @sap-ux/telemetry
  Depends on vulnerable versions of @sap-ux/ui5-info
  Depends on vulnerable versions of axios
  node_modules/@sap-ux/inquirer-common
  @sap-ux/telemetry  <=0.5.69
  Depends on vulnerable versions of @sap-ux/btp-utils
  Depends on vulnerable versions of @sap-ux/project-access
  Depends on vulnerable versions of @sap-ux/ui5-config
  Depends on vulnerable versions of axios
  node_modules/@sap-ux/telemetry
  @sap-ux/ui5-config  0.26.1 - 0.26.3
  Depends on vulnerable versions of axios
  node_modules/@sap-ux/fe-fpm-writer/node_modules/@sap-ux/ui5-config
  node_modules/@sap-ux/fiori-annotation-api/node_modules/@sap-ux/ui5-config
  node_modules/@sap-ux/ui5-config
    @sap-ux/mockserver-config-writer  0.7.2 - 0.8.8
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/mockserver-config-writer
    @sap-ux/odata-service-writer  0.25.4 - 0.26.10
    Depends on vulnerable versions of @sap-ux/mockserver-config-writer
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/odata-service-writer
    @sap-ux/project-access  1.29.1 - 1.29.15
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/fe-fpm-writer/node_modules/@sap-ux/project-access
    node_modules/@sap-ux/fiori-annotation-api/node_modules/@sap-ux/project-access
    node_modules/@sap-ux/project-access
      @sap-ux/fe-fpm-writer  0.31.26 - 0.33.15
      Depends on vulnerable versions of @sap-ux/fiori-annotation-api
      Depends on vulnerable versions of @sap-ux/project-access
      node_modules/@sap-ux/fe-fpm-writer
        @sap/ux-specification  1.96.80 - 1.96.82 || 1.108.47 - 1.108.49 || 1.120.28 - 1.120.30 || >=1.124.10
        Depends on vulnerable versions of @sap-ux/fe-fpm-writer
        node_modules/@sap/ux-specification
      @sap-ux/fiori-annotation-api  0.3.7 - 0.4.18
      Depends on vulnerable versions of @sap-ux/project-access
      node_modules/@sap-ux/fiori-annotation-api
  @sap-ux/ui5-info  <=0.9.0
  Depends on vulnerable versions of axios
  node_modules/@sap-ux/ui5-info

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
No fix available
app/config_systemkind/node_modules/body-parser
  express  <=4.21.1 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  app/config_systemkind/node_modules/express

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
No fix available
app/config_systemkind/node_modules/cookie

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
No fix available
app/config_systemkind/node_modules/ejs


path-to-regexp  <=0.1.11
Severity: high
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
No fix available
app/config_systemkind/node_modules/path-to-regexp

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
No fix available
app/config_systemkind/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  app/config_systemkind/node_modules/serve-static


26 vulnerabilities (3 low, 1 moderate, 22 high)

main package.json:

{
  "name": "paltrcore",
  "version": "1.0.1",
  "description": "Test",
  "repository": "<Add your repository here>",
  "license": "Test",
  "private": true,
  "dependencies": {
    "@sap-ux/axios-extension": "^1.19.1",
    "@sap-ux/btp-utils": "^1.0.2",
    "@sap/cds": "^8",
    "@sap/cds-dk": "^8.8.2",
    "@sap/ux-ui5-tooling": "^1.17.0",
    "@sap/xsenv": "^5.5.0",
    "@sap/xssec": "^4.2.8",
    "axios": "^1.8.4",
    "express": "^4"
  },
  "devDependencies": {
    "@cap-js/cds-typer": "^0.33.1",
    "@cap-js/cds-types": "^0.9.0",
    "@cap-js/sqlite": "^1",
    "@sap/eslint-plugin-cds": "^3.2.0",
    "@types/node": "^22.13.11",
    "cds-plugin-ui5": "^0.12.0",
    "eslint": "^9.23.0",
    "typescript": "^5",
    "ui5-tooling-transpile": "^3.7.4"
  },
  "scripts": {
    "start": "cds-tsx w",
    "watch": "cds-tsx w",
    "watch-config_systemtype": "cds watch --open config_systemtype/webapp/index.html?sap-ui-xx-viewCache=false",
    "watch-config_systemkind": "cds watch --open config_systemkind/webapp/index.html?sap-ui-xx-viewCache=false"
  },
  "cds": {
    "requires": {
      "db": {
        "kind": "sqlite",
        "credentials": {
          "url": "db.sqlite"
        }
      }
    },
    "typer": {
      "log_level": "DEBUG"
    },
    "i18n": {
      "for_sqlite": [
        "en",
        "de"
      ]
    }
  },
  "imports": {
    "#cds-models/*": "./@cds-models/*/index.js"
  },
  "workspaces": [
    "app/*"
  ],
  "sapux": [
    "app/systemtype",
    "app/config_systemtype",
    "app/config_systemkind"
  ]
}

package.json of config_systemkind app:

{
  "name": "config_systemkind",
  "version": "0.0.1",
  "description": "Administration of system kinds",
  "keywords": [
    "ui5",
    "openui5",
    "sapui5"
  ],
  "main": "webapp/index.html",
  "devDependencies": {
    "@sap-ux/eslint-plugin-fiori-tools": "^0.4.0",
    "@sap/ux-specification": "^1.124.9",
    "@sap/ux-ui5-tooling": "1.13.3",
    "@sapui5/types": "~1.130.0",
    "@typescript-eslint/eslint-plugin": "^7.1.1",
    "@typescript-eslint/parser": "^7.1.1",
    "@ui5/cli": "^3.0.0",
    "typescript": "^5.1.6",
    "ui5-tooling-transpile": "^3.7.2"
  },
  "scripts": {
    "deploy-config": "npx -p @sap/ux-ui5-tooling fiori add deploy-config cf"
  }
}

 

Answers (1)

Willem_Pardaens
Product and Topic Expert

Focusing on your main package.json, you can see the issues all relate to a single vulnerability in axios. There have been some issues lately with that package, and every new version 1.8.1 > 1.8.2 > 1.8.3 seems to have new/recurring issues. At this point in time 1.8.4 is the good one, and the @sap/ux-ui5-tooling team is patching to this version. But they have been chasing each of the above versions, so it takes some time.

What you can do in the meantime is 'override' the @sap/ux-ui5-tooling versions with the correct axios version: not by adding it as a direct dependency of your own project, but by specifying it as an override.

  "dependencies": {
    ...
    (remove your axios entry)
  },
  "devDependencies": {
    ...
  },
  "overrides": {
    "axios": "1.8.4"
  }

I would also advise you to minimize the number of (dev)dependencies you include in your project and only keep those which are really required. Also, have a look at whether some of these can be moved to devDependencies if they are only used during development/tooling and not in production.

You can approach the other package.json files similarly.