
BUG - @sap/ux-ui5-tooling reports multiple moderate vulnerabilities #3841

@huulanka

Description

Running npm install / npm audit in a consumer project that uses @sap/ux-ui5-tooling reports multiple moderate vulnerabilities due to a vulnerable js-yaml dependency pulled in transitively via the Open UX Tools packages. The recommended fix from npm audit would require a breaking upgrade of @sap/ux-ui5-tooling, which cannot be done safely by consumers on their own.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Create or open a CAP / UI5 project that uses @sap/ux-ui5-tooling as a devDependency (for example via SAP Fiori tools).
  2. Run npm install in the project.
  3. Run npm audit (or npm audit fix).
  4. See the reported vulnerabilities for js-yaml and related @sap-ux/* packages coming from Open UX Tools.

Expected results

  • npm audit should not report vulnerabilities originating from js-yaml in the Open UX Tools dependency tree.
  • No need for consumers to run npm audit fix --force or perform breaking upgrades on their own to mitigate these issues.

Actual results

  • npm install prints a deprecation warning for [email protected].
  • npm audit reports 12 moderate vulnerabilities related to js-yaml < 4.1.1 (prototype pollution in merge (<<)), referenced via @sap-ux/ui5-config, @sap-ux/adp-tooling, @sap-ux/preview-middleware, @sap-ux/project-access, @sap-ux/odata-service-writer, @sap-ux/project-input-validator, @sap-ux/mockserver-config-writer, @sap-ux/fiori-generator-shared, and @sap-ux/telemetry.
  • npm audit recommends npm audit fix --force, which would install a newer @sap/ux-ui5-tooling version (>= 1.19.1 / >= 1.19.3) and is flagged as a breaking change.

Version/Components/Environment

  • Consumer project: CAP / UI5 project using @sap/[email protected] (as an example)
  • Open UX Tools packages involved: @sap-ux/ui5-config, @sap-ux/adp-tooling, @sap-ux/preview-middleware, @sap-ux/project-access, @sap-ux/odata-service-writer, @sap-ux/project-input-validator, @sap-ux/mockserver-config-writer, @sap-ux/fiori-generator-shared, @sap-ux/telemetry
  • OS:
    • Mac OS
    • Windows
    • Other (Linux)

Additional context:

# npm audit report

js-yaml  <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix --force`
Will install @sap/[email protected], which is a breaking change
node_modules/@sap/cds-dk/node_modules/js-yaml
node_modules/js-yaml
  @sap-ux/adp-tooling  >=0.12.113
  Depends on vulnerable versions of @sap-ux/inquirer-common
  Depends on vulnerable versions of @sap-ux/odata-service-writer
  Depends on vulnerable versions of @sap-ux/project-access
  Depends on vulnerable versions of @sap-ux/project-input-validator
  Depends on vulnerable versions of @sap-ux/ui5-config
  Depends on vulnerable versions of js-yaml
  node_modules/@sap-ux/adp-tooling
    @sap-ux/preview-middleware  >=0.17.1
    Depends on vulnerable versions of @sap-ux/adp-tooling
    Depends on vulnerable versions of @sap-ux/project-access
    node_modules/@sap-ux/preview-middleware
      @sap/ux-ui5-tooling  >=1.19.3
      Depends on vulnerable versions of @sap-ux/preview-middleware
      node_modules/@sap/ux-ui5-tooling
  @sap-ux/ui5-config  >=0.26.1
  Depends on vulnerable versions of js-yaml
  node_modules/@sap-ux/ui5-config
    @sap-ux/mockserver-config-writer  >=0.7.2
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/mockserver-config-writer
    @sap-ux/odata-service-writer  >=0.25.4
    Depends on vulnerable versions of @sap-ux/mockserver-config-writer
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/odata-service-writer
    @sap-ux/project-access  >=1.29.1
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/project-access
      @sap-ux/fiori-generator-shared  >=0.7.20
      Depends on vulnerable versions of @sap-ux/project-access
      Depends on vulnerable versions of @sap-ux/telemetry
      node_modules/@sap-ux/fiori-generator-shared
      @sap-ux/project-input-validator  >=0.4.0
      Depends on vulnerable versions of @sap-ux/project-access
      node_modules/@sap-ux/project-input-validator
    @sap-ux/telemetry  >=0.5.52
    Depends on vulnerable versions of @sap-ux/project-access
    Depends on vulnerable versions of @sap-ux/ui5-config
    node_modules/@sap-ux/telemetry
      @sap-ux/inquirer-common  >=0.6.6
      Depends on vulnerable versions of @sap-ux/fiori-generator-shared
      Depends on vulnerable versions of @sap-ux/telemetry
      node_modules/@sap-ux/inquirer-common

12 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Root Cause Analysis

Problem

{describe the problem}

Fix

{describe the fix}

Why was it missed

{Some explanation why this issue might have been missed during normal development/testing cycle}

How can we avoid this

{if we don’t want to see this type of issues anymore what we should do to prevent}
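Added here as a worked check, not code from the issue or from the Open UX Tools project: a Node script that reads a package-lock.json (lockfileVersion 3) offline and reconstructs the dependency chains that npm audit prints, from the root project down to every copy of js-yaml below the fixed release 4.1.1, and for each chain reports whether the direct dependent's declared range would admit 4.1.1. The lockfile embedded in the script is constructed for illustration; its package versions and ranges are placeholders, not the versions the named packages actually ship. The only inputs taken from the report are the fixed version and the two js-yaml locations it lists (node_modules/js-yaml and node_modules/@sap/cds-dk/node_modules/js-yaml).

```javascript
// Added example, not part of the issue. Offline walk of a lockfile v3 graph to
// list every chain ending in js-yaml < 4.1.1. The lockfile below is CONSTRUCTED;
// versions and ranges are placeholders, not real releases of the named packages.

const FIXED_VERSION = '4.1.1'; // first js-yaml release outside the advisory range

const lock = {
  name: 'consumer-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'consumer-app',
          devDependencies: { '@sap/ux-ui5-tooling': '^1.0.0', '@sap/cds-dk': '^1.0.0' } },
    'node_modules/@sap/ux-ui5-tooling': { version: '1.0.0',
          dependencies: { '@sap-ux/preview-middleware': '^0.1.0' } },
    'node_modules/@sap-ux/preview-middleware': { version: '0.1.0',
          dependencies: { '@sap-ux/adp-tooling': '^0.1.0', '@sap-ux/project-access': '^1.0.0' } },
    'node_modules/@sap-ux/adp-tooling': { version: '0.1.0',
          dependencies: { '@sap-ux/ui5-config': '^0.1.0', 'js-yaml': '^4.1.0' } },
    'node_modules/@sap-ux/project-access': { version: '1.0.0',
          dependencies: { '@sap-ux/ui5-config': '^0.1.0' } },
    'node_modules/@sap-ux/ui5-config': { version: '0.1.0', dependencies: { 'js-yaml': '^4.1.0' } },
    'node_modules/js-yaml': { version: '4.1.0' },
    // a nested copy, as in the report's second location (placeholder version)
    'node_modules/@sap/cds-dk': { version: '1.0.0', dependencies: { 'js-yaml': '^3.14.0' } },
    'node_modules/@sap/cds-dk/node_modules/js-yaml': { version: '3.14.1' },
  },
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Node's node_modules lookup applied to lockfile keys: try the copy nested under
// the requester, then walk up one node_modules level at a time to the top level.
function resolveDependency(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === '') return null;
    base = base.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, '');
  }
}

// Would `version` satisfy `range`? Handles exact, ^, ~ and >= forms; returns
// null for anything else. Used to judge whether a package.json "overrides"
// entry forcing the fixed version stays inside what the dependent declares.
function rangeAdmits(range, version) {
  const m = /^(\^|~|>=)?\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return null;
  const [op, base] = [m[1] || '', m[2]];
  const cmp = compareVersions(version, base);
  if (cmp < 0) return false;
  if (op === '>=') return true;
  if (op === '') return cmp === 0;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (op === '~') return vMaj === bMaj && vMin === bMin;
  if (bMaj === 0 && bMin === 0) return cmp === 0;          // ^0.0.x pins exactly
  return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
}

// Depth-first walk from the root project; every distinct path to a js-yaml copy
// below `fixedVersion` is recorded, so a shared package reached twice yields two
// chains, exactly as npm audit lists each dependent separately.
function findVulnerableChains(lockfile, fixedVersion = FIXED_VERSION, target = 'js-yaml') {
  const { packages } = lockfile;
  const results = [];
  const visit = (key, chain, stack) => {
    const pkg = packages[key];
    const deps = { ...(pkg.dependencies || {}), ...(key === '' ? pkg.devDependencies || {} : {}) };
    for (const [name, range] of Object.entries(deps)) {
      const depKey = resolveDependency(packages, key, name);
      if (depKey === null || stack.has(depKey)) continue;   // unresolved entry or cycle
      const dep = packages[depKey];
      const next = [...chain, name];
      if (name === target) {
        if (compareVersions(dep.version, fixedVersion) < 0) {
          results.push({ chain: next, location: depKey, version: dep.version,
                         declaredRange: range, overrideInRange: rangeAdmits(range, fixedVersion) });
        }
        continue;
      }
      stack.add(depKey);
      visit(depKey, next, stack);
      stack.delete(depKey);
    }
  };
  visit('', [packages[''].name], new Set(['']));
  return results;
}

for (const r of findVulnerableChains(lock)) {
  console.log(`${r.chain.join(' > ')}  [${r.version} at ${r.location}, declared ${r.declaredRange}, ` +
              `override to ${FIXED_VERSION} stays in range: ${r.overrideInRange}]`);
}
```

Run it against a real lockfile by replacing the constructed `lock` object with `JSON.parse(fs.readFileSync('package-lock.json'))`. The `overrideInRange` flag matters for the consumer-side workaround of adding a package.json `overrides` entry for js-yaml: forcing 4.1.1 is harmless where the dependent already declares a 4.x range, but js-yaml 4 removed the `safeLoad`/`safeDump` API of 3.x, so forcing a dependent that declares a 3.x range onto 4.1.1 is itself a breaking change and is the reason the issue asks for the fix to land upstream rather than via `npm audit fix --force`.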
