Hi Team,
We are running Black Duck scans on our CAP Java project (portal-common-User-Management) and have identified 122 npm transitive dependencies from @sap/cds-dk (version 9.9.0, installed via cds-maven-plugin at build time) that violate the OutdatedFOSSLibraries policy rule (Operational Risk - HIGH).
Among these, the following are unmaintained/deprecated and should be prioritized:
||Package||Version||Status||
|extsprintf|1.4.1|Unmaintained since 2021|
|verror|1.10.1|Unmaintained since 2016, deprecated|
|xml-js|1.6.11|Unmaintained since 2019|
|source-map|0.6.1|v0.6.x EOL, v0.8+ is active|
|core-util-is|1.0.2|Unmaintained since 2019|
|tunnel-agent|0.6.0|Unmaintained/deprecated|
|mkdirp-classic|0.5.3|Unmaintained|
Full list of 122 affected npm packages (all transitive from @sap/cds-dk):
||#||Package||Version||
|1|@cap-js/asyncapi|1.0.3|
|2|array-flatten|1.1.1|
|3|async|3.2.6|
|4|base64-js|1.5.1|
|5|bl|4.1.0|
|6|pluralize|8.0.0|
|7|buffer|5.7.1|
|8|bytes|3.1.2|
|9|call-bind-apply-helpers|1.0.2|
|10|call-bound|1.0.4|
|11|chownr|1.1.4|
|12|clone|2.1.2|
|13|content-disposition|0.5.4|
|14|core-util-is|1.0.2|
|15|debug|2.6.9|
|16|debug|3.1.0|
|17|debug|4.4.3|
|18|decompress-response|6.0.0|
|19|deep-extend|0.6.0|
|20|destroy|1.2.0|
|21|rc|1.2.8|
|22|dunder-proto|1.0.1|
|23|ee-first|1.1.1|
|24|encodeurl|2.0.0|
|25|es-define-property|1.0.1|
|26|es-errors|1.3.0|
|27|es-object-atoms|1.1.1|
|28|escape-html|1.0.3|
|29|etag|1.8.1|
|30|expand-template|2.0.3|
|31|accepts|1.3.8|
|32|accepts|2.0.0|
|33|extsprintf|1.4.1|
|34|file-uri-to-path|1.0.0|
|35|fill-range|7.1.1|
|36|forwarded|0.2.0|
|37|fs-constants|1.0.0|
|38|function-bind|1.1.2|
|39|get-intrinsic|1.3.0|
|40|get-proto|1.0.1|
|41|github-from-package|0.0.0|
|42|gopd|1.2.0|
|43|has-symbols|1.1.0|
|44|hasown|2.0.2|
|45|http-errors|2.0.1|
|46|iconv-lite|0.4.24|
|47|ieee754|1.2.1|
|48|inherits|2.0.4|
|49|is-number|7.0.0|
|50|once|1.4.0|
|51|is-promise|4.0.0|
|52|content-type|1.0.5|
|53|fresh|0.5.2|
|54|fresh|2.0.0|
|55|negotiator|0.6.3|
|56|negotiator|1.0.0|
|57|mime-types|2.1.35|
|58|livereload-js|4.0.2|
|59|lz4-wasm-nodejs|0.9.2|
|60|math-intrinsics|1.1.0|
|61|media-typer|0.3.0|
|62|media-typer|1.1.0|
|63|merge-descriptors|1.0.3|
|64|merge-descriptors|2.0.0|
|65|methods|1.1.2|
|66|micromatch|4.0.8|
|67|braces|3.0.3|
|68|mime|1.6.0|
|69|mime-db|1.52.0|
|70|mime-db|1.54.0|
|71|mimic-response|3.1.0|
|72|minimist|1.2.8|
|73|mkdirp-classic|0.5.3|
|74|ms|2.0.0|
|75|ms|2.1.3|
|76|mustache|4.2.0|
|77|napi-build-utils|2.0.0|
|78|neo-async|2.6.2|
|79|assert-plus|1.0.0|
|80|bindings|1.5.0|
|81|node-cache|5.1.2|
|82|cookie|0.7.2|
|83|cookie-signature|1.0.7|
|84|cookie-signature|1.2.2|
|85|generic-pool|3.9.0|
|86|depd|2.0.0|
|87|string_decoder|1.3.0|
|88|ini|1.3.8|
|89|object-inspect|1.13.4|
|90|on-finished|2.4.1|
|91|parseurl|1.3.3|
|92|prebuild-install|7.1.3|
|93|proxy-addr|2.0.7|
|94|range-parser|1.2.1|
|95|readable-stream|3.6.2|
|96|router|2.2.0|
|97|safe-buffer|5.2.1|
|98|safer-buffer|2.1.2|
|99|setprototypeof|1.2.0|
|100|side-channel|1.1.0|
|101|side-channel-map|1.0.1|
|102|side-channel-weakmap|1.0.2|
|103|simple-concat|1.0.1|
|104|simple-get|4.0.1|
|105|source-map|0.6.1|
|106|strip-json-comments|2.0.1|
|107|tar-stream|2.2.0|
|108|to-regex-range|5.0.1|
|109|toidentifier|1.0.1|
|110|tunnel-agent|0.6.0|
|111|type-is|1.6.18|
|112|type-is|2.0.1|
|113|uglify-js|3.19.3|
|114|unpipe|1.0.0|
|115|util-deprecate|1.0.2|
|116|utils-merge|1.0.1|
|117|vary|1.1.2|
|118|verror|1.10.1|
|119|ipaddr.js|1.9.1|
|120|wordwrap|1.0.0|
|121|wrappy|1.0.2|
|122|xml-js|1.6.11|
Context:
- Policy Rule: OutdatedFOSSLibraries (Operational Risk HIGH)
- @sap/cds-dk version: 9.9.0 (installed via cds-maven-plugin during Maven build)
- These npm packages are not direct dependencies of our project — they are all transitive dependencies of @sap/cds-dk
- We cannot upgrade them independently in our repo
Request:
- Replace or upgrade unmaintained/deprecated packages (extsprintf, verror, xml-js, source-map 0.6.x, core-util-is, tunnel-agent, mkdirp-classic)
- General dependency refresh of @sap/cds-dk to reduce OutdatedFOSSLibraries policy violations for downstream consumers
Thank you!
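As an added example that is not part of the original post or of @sap/cds-dk: a small Node script that walks a package-lock.json "packages" map with Node's module-resolution rule and, for the prioritized packages, reports every installed copy (hoisted or nested), which packages resolve to that copy, and the top-level dependency that introduces it, so the claim that all of them arrive through @sap/cds-dk can be re-checked after each cds-dk refresh. The SAMPLE_LOCK contents and their dependency edges are constructed for illustration, not taken from the real project.

```javascript
// Walks a package-lock.json "packages" map (lockfile v2/v3) with Node's
// module-resolution rule to list every installed copy of a flagged package, the
// packages that resolve to it, and the top-level dependency that pulls it in.
// SAMPLE_LOCK is a constructed miniature, not the project's real lockfile.
const FLAGGED = ['extsprintf', 'verror', 'xml-js', 'source-map', 'core-util-is', 'tunnel-agent', 'mkdirp-classic'];
const SAMPLE_LOCK = { packages: {
  '': { dependencies: { '@sap/cds-dk': '9.9.0', 'source-map': '^0.7.4' } },
  'node_modules/@sap/cds-dk': { version: '9.9.0',
    dependencies: { 'xml-js': '^1.6.11', verror: '^1.10.1', 'source-map': '^0.6.1' } },
  'node_modules/xml-js': { version: '1.6.11' },
  'node_modules/verror': { version: '1.10.1', dependencies: { extsprintf: '^1.2.0', 'core-util-is': '1.0.2' } },
  'node_modules/extsprintf': { version: '1.4.1' },
  'node_modules/core-util-is': { version: '1.0.2' },
  'node_modules/source-map': { version: '0.7.4' },                          // hoisted copy, used by root
  'node_modules/@sap/cds-dk/node_modules/source-map': { version: '0.6.1' }, // nested old copy, used by cds-dk
} };
// Package name from an install path ('node_modules/'.length === 13); the project root reads '(root)'.
const nameOf = (p) => (p.includes('node_modules/') ? p.slice(p.lastIndexOf('node_modules/') + 13) : '(root)');

// Node resolution: try the dependent's own node_modules, then each ancestor's, up to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(0, base.lastIndexOf('/node_modules/')))) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (base === '') return null; // not installed anywhere on the resolution path
  }
}

// For each installed copy, the install paths of the packages that resolve to it.
function dependents(packages) {
  const out = {};
  for (const [path, meta] of Object.entries(packages))
    for (const dep of Object.keys(meta.dependencies || {})) {
      const target = resolveDep(packages, path, dep);
      if (target) (out[target] = out[target] || []).push(path || '(root)');
    }
  return out;
}

// Climb first dependents until reaching a direct dependency of the project root.
function topLevelSource(byTarget, path, seen = new Set()) {
  const p = byTarget[path];
  if (!p || p[0] === '(root)' || seen.has(path)) return nameOf(path);
  return topLevelSource(byTarget, p[0], seen.add(path));
}

// One row per installed copy of a flagged package, whatever its version.
function reportFlagged(lock, flagged = FLAGGED) {
  const byTarget = dependents(lock.packages);
  return Object.entries(lock.packages)
    .filter(([path]) => path && flagged.includes(nameOf(path)))
    .map(([path, meta]) => ({ name: nameOf(path), version: meta.version, path,
      dependents: (byTarget[path] || []).map(nameOf), via: topLevelSource(byTarget, path) }));
}
```

On a real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and print `reportFlagged(lock)`; a copy whose `via` is not @sap/cds-dk is one your own project, not cds-dk, has to fix.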