diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index 5ca61e0d64..f141df02fd 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx 
@@ -19,6 +19,68 @@ keywords: import useBaseUrl from '@docusaurus/useBaseUrl'; import ThemedImage from '@theme/ThemedImage'; +## Transitive Dependency Vulnerabilities (CVE) + +Security scanners may flag a vulnerability in a transitive dependency of the SAP Cloud SDK. +This section explains what options you have and what to expect from the SDK team. + +### Can You Fix It Without Waiting for an SDK Update? + +Whether you can resolve the CVE yourself depends on the [semver](https://semver.org/) range the SAP Cloud SDK declares for that dependency. +A caret prefix (`^1.2.3`) allows npm to resolve any compatible version `>=1.2.3 <2.0.0`, so if the patched version is in that range, npm can pick it up automatically. +A tilde prefix (`~1.2.3`) is narrower and only allows patch updates (`>=1.2.3 <1.3.0`). + +If the patched version falls within the declared range, you can resolve the CVE yourself without any SDK changes — see [Updating a Transitive Dependency](#updating-a-transitive-dependency) below. +If the fix requires a new major version (e.g. `1.x` → `2.x`), it is outside the range — see [Overriding a Transitive Dependency Version](#overriding-a-transitive-dependency-version). + +### Updating a Transitive Dependency + +If the fixed version falls within the SDK's declared semver range (i.e., no major version bump), you can update the vulnerable package in your own project: + +``` +# Update a specific transitive dependency to the latest compatible version +npm update PACKAGE_NAME + +# Let npm apply all non-breaking security fixes automatically +npm audit fix +``` + +After running these commands, verify your `package-lock.json` now resolves the package to the patched version: + +``` +npm ls PACKAGE_NAME +``` + +### Overriding a Transitive Dependency Version + +If the security fix was released in a new **major** version of the dependency (e.g., `1.x` → `2.x`), the fix is outside the SAP Cloud SDK's declared semver range. 
+`npm audit fix` will not apply it automatically because the major version bump may contain breaking changes that affect the SDK. + +In this case you can use [npm overrides](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides) (npm ≥ v8.3) to force a specific version of the transitive dependency in your `package.json`: + +```json +{ + "overrides": { + "": "" + } +} +``` + +:::caution +Forcing a major version upgrade through overrides bypasses the compatibility guarantee that the semver range provides. +Test your application thoroughly after applying an override, as the SDK may not have been tested against the forced version. +::: + +### SAP Cloud SDK Updates + +In most cases you do not need to wait for an SAP Cloud SDK release — the approaches described above are sufficient to resolve a CVE in your project. +The SAP Cloud SDK team monitors security advisories and updates dependencies to the minimal safe version as part of regular releases. +If the fix requires a major version upgrade of the dependency, the SDK team will handle the migration and ship a new SAP Cloud SDK release that is compatible with the updated dependency. + +If you are blocked by a CVE and the steps above are not sufficient, [open a GitHub issue](https://github.com/SAP/cloud-sdk-js/issues/new/choose). +Include the CVE identifier, the affected package, and the resolved version you need. +This helps the team prioritize the update. + ## Cannot find module '@sap-cloud-sdk/http-client' The [SAP Cloud Application Programming Mode (CAP)](https://cap.cloud.sap/docs/) uses the SAP Cloud SDK to execute HTTP requests towards [external services](https://cap.cloud.sap/docs/guides/using-services?q=http-client).
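Review bot: the `overrides` example under "Overriding a Transitive Dependency Version" is unusable as written, because both the key and the value are empty strings (`"": ""`), so a reader cannot tell that the key is the package name and the value is the forced version; reuse the placeholder convention already used in the `npm update PACKAGE_NAME` and `npm ls PACKAGE_NAME` commands, e.g. `"PACKAGE_NAME": "2.0.0"` (with a comment that `2.0.0` is the patched major version). It would also help to repeat the `npm ls PACKAGE_NAME` verification step after the override block, and to state in the `:::caution` admonition that the override should be dropped once the SAP Cloud SDK release described under "SAP Cloud SDK Updates" ships, so the forced version does not linger and mask a later incompatibility.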