
BUG - @sap/ux-ui5-tooling reports multiple moderate vulnerabilities

Open huulanka opened this issue 2 months ago • 1 comments

Description

Running npm install / npm audit in a consumer project that uses @sap/ux-ui5-tooling reports multiple moderate vulnerabilities due to a vulnerable js-yaml dependency pulled in transitively via the Open UX Tools packages. The recommended fix from npm audit would require a breaking upgrade of @sap/ux-ui5-tooling, which cannot be done safely by consumers on their own.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create or open a CAP / UI5 project that uses @sap/ux-ui5-tooling as a devDependency (for example via SAP Fiori tools).
  2. Run npm install in the project.
  3. Run npm audit (or npm audit fix).
  4. See the reported vulnerabilities for js-yaml and related @sap-ux/* packages coming from Open UX Tools.

Expected results

  • npm audit should not report vulnerabilities originating from js-yaml in the Open UX Tools dependency tree.
  • No need for consumers to run npm audit fix --force or perform breaking upgrades on their own to mitigate these issues.

Actual results

  • npm install prints a deprecation warning for [email protected].
  • npm audit reports 12 moderate vulnerabilities related to js-yaml < 4.1.1 (prototype pollution in merge (<<)), referenced via @sap-ux/ui5-config, @sap-ux/adp-tooling, @sap-ux/preview-middleware, @sap-ux/project-access, @sap-ux/odata-service-writer, @sap-ux/project-input-validator, @sap-ux/mockserver-config-writer, @sap-ux/fiori-generator-shared, and @sap-ux/telemetry.
  • npm audit recommends npm audit fix --force, which would install a newer @sap/ux-ui5-tooling version (>= 1.19.1 / >= 1.19.3) and is flagged as a breaking change.

Version/Components/Environment

  • Consumer project: CAP / UI5 project using @sap/[email protected] (as an example)
  • Open UX Tools packages involved: @sap-ux/ui5-config, @sap-ux/adp-tooling, @sap-ux/preview-middleware, @sap-ux/project-access, @sap-ux/odata-service-writer, @sap-ux/project-input-validator, @sap-ux/mockserver-config-writer, @sap-ux/fiori-generator-shared, @sap-ux/telemetry
  • OS:
    • [ ] Mac OS
    • [ ] Windows
    • [x] Other (Linux)

Additional context:

  • npm audit output references advisory GHSA-mh29-5h37-fv8m for js-yaml.
  • There is already a related PR in this repository: https://github.com/SAP/open-ux-tools/pull/3840

```
# npm audit report

js-yaml  <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix --force`
Will install @sap/[email protected], which is a breaking change
node_modules/@sap/cds-dk/node_modules/js-yaml
node_modules/js-yaml
  @sap-ux/adp-tooling  >=0.12.113
  Depends on vulnerable versions of @sap-ux/inquirer-common
  Depends on vulnerable versions of @sap-ux/odata-service-writer
  Depends on vulnerable versions of @sap-ux/project-access
  Depends on vulnerable versions of @sap-ux/project-input-validator
  Depends on vulnerable versions of @sap-ux/ui5-config
  Depends on vulnerable versions of js-yaml
  node_modules/@sap-ux/adp-tooling
    @sap-ux/preview-middleware  >=0.17.1
    Depends on vulnerable versions of @sap-ux/adp-tooling
    Depends on vulnerable versions of @sap-ux/project-access
    node_modules/@sap-ux/preview-middleware
      @sap/ux-ui5-tooling  >=1.19.3
      Depends on vulnerable versions of @sap-ux/preview-middleware
      node_modules/@sap/ux-ui5-tooling
  @sap-ux/ui5-config  >=0.26.1
  Depends on vulnerable versions of js-yaml
  node_modules/@sap-ux/ui5-config
    @sap-ux/mockserver-config-writer  >=0.7.2
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/mockserver-config-writer
    @sap-ux/odata-service-writer  >=0.25.4
    Depends on vulnerable versions of @sap-ux/mockserver-config-writer
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/odata-service-writer
    @sap-ux/project-access  >=1.29.1
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/project-access
      @sap-ux/fiori-generator-shared  >=0.7.20
      Depends on vulnerable versions of @sap-ux/project-access
      Depends on vulnerable versions of @sap-ux/telemetry
      node_modules/@sap-ux/fiori-generator-shared
      @sap-ux/project-input-validator  >=0.4.0
      Depends on vulnerable versions of @sap-ux/project-access
      node_modules/@sap-ux/project-input-validator
    @sap-ux/telemetry  >=0.5.52
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/telemetry
      @sap-ux/inquirer-common  >=0.6.6
      Depends on vulnerable versions of @sap-ux/fiori-generator-shared
      Depends on vulnerable versions of @sap-ux/telemetry
      node_modules/@sap-ux/inquirer-common

12 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```


huulanka avatar Nov 17 '25 09:11 huulanka
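Added example, not code from the issue or from the open-ux-tools project: a small Node script that reads the `packages` map of a package-lock.json (a constructed fragment here, mirroring the two js-yaml paths in the audit output) and lists every js-yaml copy below 4.1.1 together with its tree path, so a consumer can locate the transitive sources without relying on `npm audit`. It also builds the npm `overrides` entry a consumer could use as an interim pin; that is an assumption about a mitigation, not something the issue recommends.

```javascript
// First js-yaml version with the merge (<<) prototype-pollution fix
// referenced by GHSA-mh29-5h37-fv8m.
const FIXED_JS_YAML = "4.1.1";

// Minimal major.minor.patch comparison; returns <0, 0 or >0.
// Pre-release suffixes are ignored, which is enough for this check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile "packages" map (npm lockfileVersion 2/3 layout) and
// collect every js-yaml entry, nested or hoisted, older than the fixed version.
function findVulnerableJsYaml(lock, fixed = FIXED_JS_YAML) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/js-yaml") || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: the two paths from the audit output plus a
// patched nested copy that must not be reported.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/js-yaml": { version: "4.1.0" },
    "node_modules/@sap/cds-dk/node_modules/js-yaml": { version: "3.14.1" },
    "node_modules/@sap-ux/ui5-config/node_modules/js-yaml": { version: "4.1.1" },
  },
};

// package.json "overrides" block (npm >= 8.3) that forces every transitive
// js-yaml onto the fixed line until the tooling upgrade ships. Caveat: a
// dependency still on js-yaml 3.x would be moved to 4.x, which dropped
// safeLoad/safeDump, so re-run the project's tests after applying it.
function overridesForJsYaml(fixed = FIXED_JS_YAML) {
  return { overrides: { "js-yaml": ">=" + fixed } };
}

console.log(findVulnerableJsYaml(sampleLock));
console.log(JSON.stringify(overridesForJsYaml()));
```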

Upgrade is being worked on as it causes changes to the test snapshots with the yaml change.

donal-tobin-sap avatar Nov 20 '25 15:11 donal-tobin-sap