From 557e4f4b87fe58511bc8c886155af4104fa9bce1 Mon Sep 17 00:00:00 2001 From: Marika Marszalkowski Date: Fri, 8 May 2026 09:43:07 +0200 Subject: [PATCH 1/5] chore: Create CVE troubleshooting guide --- docs-js/troubleshooting.mdx | 62 +++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index 5ca61e0d64d..10247be5821 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx 
@@ -19,6 +19,68 @@ keywords: import useBaseUrl from '@docusaurus/useBaseUrl'; import ThemedImage from '@theme/ThemedImage'; +## Dependency Vulnerabilities (CVE) + +Security scanners may flag a vulnerability in a transitive dependency of the SAP Cloud SDK. +This section explains what options you have and what to expect from the SDK team. + +### Can You Fix It Without Waiting for an SDK Update? + +Whether you can resolve the CVE yourself depends on the [semver](https://semver.org/) range the SAP Cloud SDK declares for that dependency. +A caret prefix (`^1.2.3`) allows npm to resolve any compatible version `>=1.2.3 <2.0.0`, so if the patched version is in that range, npm can pick it up automatically. +A tilde prefix (`~1.2.3`) is narrower and only allows patch updates (`>=1.2.3 <1.3.0`). + +If the patched version falls within the declared range, you can resolve the CVE yourself without any SDK changes — see [Updating a Transitive Dependency](#updating-a-transitive-dependency) below. +If the fix requires a new major version (e.g. `1.x` → `2.x`), it is outside the range — see [Overriding a Transitive Dependency Version](#overriding-a-transitive-dependency-version). + +### Updating a Transitive Dependency + +If the fixed version falls within the SDK's declared semver range (i.e., no major version bump), you can update the vulnerable package in your own project: + +``` +# Update a specific transitive dependency to the latest compatible version +npm update + +# Let npm apply all non-breaking security fixes automatically +npm audit fix +``` + +After running these commands, verify your `package-lock.json` now resolves the package to the patched version: + +``` +npm ls +``` + +### Overriding a Transitive Dependency Version + +If the security fix was released in a new **major** version of the dependency (e.g., `1.x` → `2.x`), the fix is outside the SAP Cloud SDK's declared semver range. 
+`npm audit fix` will not apply it automatically because the major version bump may contain breaking changes that affect the SDK. + +In this case you can use [npm overrides](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides) (npm ≥ v8.3) or [yarn resolutions](https://classic.yarnpkg.com/en/docs/selective-version-resolutions/) to force a specific version of the transitive dependency in your `package.json`: + +```json +{ + "overrides": { + "": "" + } +} +``` + +:::caution +Forcing a major version upgrade through overrides bypasses the compatibility guarantee that the semver range provides. +Test your application thoroughly after applying an override, as the SDK may not have been tested against the forced version. +::: + +### SAP Cloud SDK Updates + +In most cases you do not need to wait for an SAP Cloud SDK release — the approaches described above are sufficient to resolve a CVE in your project. +The SAP Cloud SDK team monitors security advisories and updates dependencies to the minimal safe version as part of regular releases. +If the fix requires a major version upgrade of the dependency, the SDK team will handle the migration and ship a new SAP Cloud SDK release that is compatible with the updated dependency. + +If you are blocked by a CVE and the steps above are not sufficient, [open a GitHub issue](https://github.com/SAP/cloud-sdk-js/issues/new/choose). +Include the CVE identifier, the affected package, and the resolved version you need. +This helps the team prioritize the update. + ## Cannot find module '@sap-cloud-sdk/http-client' The [SAP Cloud Application Programming Mode (CAP)](https://cap.cloud.sap/docs/) uses the SAP Cloud SDK to execute HTTP requests towards [external services](https://cap.cloud.sap/docs/guides/using-services?q=http-client). From 582b0221ca70fc020e2e0d89c001137bed082f5b Mon Sep 17 00:00:00 2001 
From: Marika Marszalkowski Date: Fri, 8 May 2026 09:58:38 +0200 Subject: [PATCH 2/5] Apply suggestion from @marikaner --- docs-js/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index 10247be5821..4501832b562 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx @@ -56,7 +56,7 @@ npm ls If the security fix was released in a new **major** version of the dependency (e.g., `1.x` → `2.x`), the fix is outside the SAP Cloud SDK's declared semver range. `npm audit fix` will not apply it automatically because the major version bump may contain breaking changes that affect the SDK. -In this case you can use [npm overrides](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides) (npm ≥ v8.3) or [yarn resolutions](https://classic.yarnpkg.com/en/docs/selective-version-resolutions/) to force a specific version of the transitive dependency in your `package.json`: +In this case you can use [npm overrides](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides) (npm ≥ v8.3) to force a specific version of the transitive dependency in your `package.json`: ```json { From c9320869a51ac5dfadf36aec4b3888f1820ec525 Mon Sep 17 00:00:00 2001 From: Marika Marszalkowski Date: Fri, 8 May 2026 11:51:02 +0200 Subject: [PATCH 3/5] Update docs-js/troubleshooting.mdx Co-authored-by: David Knaack --- docs-js/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index 4501832b562..ae26c87ba06 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx 
@@ -19,7 +19,7 @@ keywords: import useBaseUrl from '@docusaurus/useBaseUrl'; import ThemedImage from '@theme/ThemedImage'; -## Dependency Vulnerabilities (CVE) +## Transitive Dependency Vulnerabilities (CVE) Security scanners may flag a vulnerability in a transitive dependency of the SAP Cloud SDK. This section explains what options you have and what to expect from the SDK team. From 8bc563ef0d10217f31f03360a15386c9c6de9f41 Mon Sep 17 00:00:00 2001 From: Marika Marszalkowski Date: Fri, 8 May 2026 11:52:56 +0200 Subject: [PATCH 4/5] Apply suggestion from @marikaner --- docs-js/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index ae26c87ba06..d67437b20f3 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx @@ -39,7 +39,7 @@ If the fixed version falls within the SDK's declared semver range (i.e., no majo ``` # Update a specific transitive dependency to the latest compatible version -npm update +npm update PACKAGE_NAME # Let npm apply all non-breaking security fixes automatically npm audit fix From 9a2856be4c714cc1ad6bc211961d9d2164da66c3 Mon Sep 17 00:00:00 2001 From: Marika Marszalkowski Date: Fri, 8 May 2026 11:53:23 +0200 Subject: [PATCH 5/5] Apply suggestion from @marikaner --- docs-js/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-js/troubleshooting.mdx b/docs-js/troubleshooting.mdx index d67437b20f3..f141df02fd6 100644 --- a/docs-js/troubleshooting.mdx +++ b/docs-js/troubleshooting.mdx @@ -48,7 +48,7 @@ npm audit fix After running these commands, verify your `package-lock.json` now resolves the package to the patched version: ``` -npm ls +npm ls PACKAGE_NAME ``` ### Overriding a Transitive Dependency Version
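Review bot: In the first hunk (PATCH 1/5), the `overrides` example in the "Overriding a Transitive Dependency Version" section renders with empty placeholders (`"": ""`), so a reader cannot tell what goes where; use explicit placeholders consistent with the later hunks, e.g. `"PACKAGE_NAME": "PATCHED_VERSION"`, and consider showing the nested form npm supports (`"@sap-cloud-sdk/http-client": { "PACKAGE_NAME": "PATCHED_VERSION" }`) so the override can be scoped to the SDK's dependency rather than forced tree-wide. Also, the semver explanation in the same hunk says a caret range `^1.2.3` resolves to `>=1.2.3 <2.0.0`; that is only true for major versions of 1 or more, and for `0.x` dependencies a caret (`^0.2.3`) is as narrow as a tilde (`>=0.2.3 <0.3.0`), which matters because a CVE fix shipped as `0.3.0` would then be outside the declared range even though it looks like a minor bump. One sentence covering the `0.x` case would prevent readers from expecting `npm update` to pick up such a fix.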
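Review bot: The hunk in PATCH 2/5 drops the yarn resolutions link, leaving the "Overriding a Transitive Dependency Version" section with only `npm overrides (npm ≥ v8.3)`, while the surrounding text still refers generically to "your `package.json`". If the troubleshooting guide is intentionally scoped to npm, say so in the sentence ("this guide assumes npm; other package managers offer equivalent mechanisms"), otherwise yarn users will not know whether the advice applies to them.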
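Review bot: The hunk in PATCH 4/5 changes `npm update` to `npm update PACKAGE_NAME`, which is the right fix, but the section should also mention that this command changes `package-lock.json` only (not `package.json`) and that the updated lockfile must be committed, since a CI build running `npm ci` from the old lockfile will otherwise keep installing the vulnerable version and the scanner finding will reappear.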
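Review bot: The hunk in PATCH 5/5 uses `npm ls PACKAGE_NAME` as the verification step, which shows the resolved version but does not confirm that the advisory is actually closed; `npm ls` only reports `invalid` when the resolved version violates a declared range, which is not the case when a vulnerable version is still within range. Add `npm audit` after the `npm ls` line as the check that the finding is gone, and note that the same check is what the reader's security scanner will effectively re-run.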