@sap/cds-compiler 6.9.1 → 6.9.3

package/CHANGELOG.md

@@ -13,6 +13,26 @@ we might not list every change in its behavior here.
 Productive code should never require a `beta` flag to be set, and
 might use a deprecated flag only for a limited period of time.
 
+## Version 6.9.3 - 2026-06-17
+
+### Bug Fixes
+
+- **api:** New compiler option `noErrorForUnknownAnnotateTarget` downgrades errors to warnings
+for `annotate` statements with security-relevant annotations (`@restrict`, `@requires`, `@ams`)
+whose target does not exist.
+
+
+
+## Version 6.9.2 - 2026-05-08
+
+### Bug Fixes
+
+- **api:** when the environment variable `CDSC_TRACE_API` is set,
+  the compiler writes a trace for calls of API functions;
+  it now has more information, and also traces the exit of the API function.
+
+
+
 ## Version 6.9.1 - 2026-05-05
 
 ### Bug Fixes

package/lib/api/main.js

@@ -1169,7 +1169,7 @@ function publishCsnProcessor( processor, _name ) {
    * @returns {any} What ever the processor returns
    */
   function api( csn, options = {}, ...args ) {
-    trace.traceApi(_name, options);
+    trace.call(_name, options, csn);
     const originalMessageLength = options.messages?.length;
     try {
       const messageFunctions = messages.makeMessageFunction(csn, options, _name);
@@ -1184,6 +1184,7 @@ function publishCsnProcessor( processor, _name ) {
       timetrace.timetrace.start(_name);
       const result = processor( csn, options, messageFunctions, ...args );
       timetrace.timetrace.stop(_name);
+      trace.exit(_name, result);
       return result;
     }
     catch (err) {
@@ -1200,6 +1201,7 @@ function publishCsnProcessor( processor, _name ) {
       if (originalMessageLength !== undefined)
         options.messages.length = originalMessageLength;
 
+      trace.log( 'recompile CSN and retry backend' );
       const messageFunctions = messages.makeMessageFunction( csn, options, _name );
       const recompileMsg = messageFunctions.info( 'api-recompiled-csn', location.emptyLocation('csn.json'), {},
                                                   'CSN input had to be recompiled' );
@@ -1211,7 +1213,10 @@ function publishCsnProcessor( processor, _name ) {
       const xsn = compiler.recompileX(csn, options);
       const recompiledCsn = toCsn.compactModel(xsn);
       messageFunctions.setModel(recompiledCsn);
-      return processor( recompiledCsn, options, messageFunctions, ...args );
+      const result = processor( recompiledCsn, options, messageFunctions, ...args );
+      timetrace.timetrace.stop(_name);
+      trace.exit(_name, result);
+      return result;
     }
   }
 }

package/lib/api/options.js

@@ -19,6 +19,7 @@ const publicOptionsNewAPI = [
   'addTextsLanguageAssoc',
   'localizedLanguageFallback',  // why can't I define the option type here?
   'severities',
+  'noErrorForUnknownAnnotateTarget',
   'messages',
   'withLocations',
   'structXpr',

package/lib/base/messages.js

@@ -16,6 +16,7 @@ const {
 const _messageIdsWithExplanation = require('../../share/messages/message-explanations.json').messages;
 const { analyseCsnPath, traverseQuery } = require('../base/csnRefs');
 const { CompilerAssertion } = require('./error');
+const trace = require('./trace');
 const { getArtifactName } = require('../compiler/base');
 const { cdlNewLineRegEx } = require('../language/textUtils');
 const meta = require('./meta');
@@ -219,6 +220,17 @@ const severitySpecs = {
   debug: { name: 'Debug', level: 3 },
 };
 
+// Message IDs raised for security-relevant annotate statements with non-existing targets.
+// Downgraded to warning when noErrorForUnknownAnnotateTarget option is set.
+const securityAnnotateTargetIds = new Set([
+  'ext-undefined-art-sec',
+  'ext-undefined-def-sec',
+  'ext-undefined-element-sec',
+  'ext-undefined-action-sec',
+  'ext-undefined-param-sec',
+  'ext-unexpected-returns-sec',
+]);
+
 /**
  * Get the reclassified severity of the given message using:
  *
@@ -258,6 +270,11 @@ function reclassifiedSeverity( msg, options, moduleName ) {
     }
   }
 
+  if (options.noErrorForUnknownAnnotateTarget &&
+      severity === 'Error' &&
+      securityAnnotateTargetIds.has(msg.messageId))
+    severity = 'Warning';
+
   if (!options.severities)
     return severity;
 
@@ -567,8 +584,10 @@ function makeMessageFunction( model, options, _moduleName = null ) {
   }
 
   function throwWithError() {
-    if (hasNewError)
+    if (hasNewError) {
+      trace.log( `stop compilation with ${ messages.length } messages` );
       throw new CompilationError(messages, options.attachValidNames && model);
+    }
   }
 
   /**
@@ -583,8 +602,10 @@ function makeMessageFunction( model, options, _moduleName = null ) {
     if (!messages || !messages.length)
       return;
     const hasError = options.testMode ? hasNonDowngradableErrors : hasErrors;
-    if (hasError( messages, moduleName, options ))
+    if (hasError( messages, moduleName, options )) {
+      trace.log( `stop compilation with ${ messages.length } messages` );
       throw new CompilationError(messages, options.attachValidNames && model);
+    }
   }
 
   /**

package/lib/base/trace.js

@@ -5,33 +5,87 @@ const shouldTraceApi = process?.env?.CDSC_TRACE_API;
 
 /**
  * Placeholder for disabled tracing (no-op).
- *
- * @param {string} apiName API name
- * @param {object} options Options passed to the API.
- * @param {...any} [args] Arguments to be logged to stderr
  */
-// eslint-disable-next-line no-unused-vars
-function noOp( apiName, options, ...args ) {
+function noOp() {
   // no-op
 }
 
 /**
- * Print args to stderr if CDSC_TRACE_API is set
- *
- * @param {string} apiName API name
- * @param {object} options Options passed to the API.
- * @param {...any} [args] Arguments to be logged to stderr
+ * Print trace info to stderr when calling an API function
  */
-function traceApi( apiName, options, ...args ) {
-  const optStr = typeof options === 'object' ? JSON.stringify(options, null, 2) : options;
-  const argsStr = args.map(val => JSON.stringify(val)).join(', ');
-  const rest = args.length > 0 ? ` | ${ argsStr }` : '';
-  // Local require: Only load on-demand, not when tracing is disabled.
+function call( apiName, options, csn, files ) {
   const { version } = require('../../package.json');
+  const now = (new Date( Date.now() )).toISOString();
+  const args = (files || csn)
+    ? `${ optionsString( options ) } on ${ filesInfo( files ) || csnInfo( csn ) }`
+    : optionsString( options );
   // eslint-disable-next-line no-console
-  console.error( `CDSC_TRACE_API | ${ version } | ${ apiName }(…) | options: ${ optStr }${ rest }`);
+  console.error( 'CDSC_TRACE_API: at %s, call %s() of v%s with options %s',
+                 now, apiName, version, args );
 }
 
-module.exports = {
-  traceApi: shouldTraceApi ? traceApi : noOp,
-};
+/**
+ * Print trace info to stderr when exiting an API function
+ */
+function exit( apiName, result ) {
+  const now = (new Date( Date.now() )).toISOString();
+  const info = (result?.definitions || result?.extensions)
+    ? csnInfo( result )
+    : `a result of type ${ typeof result }`;
+  // eslint-disable-next-line no-console
+  console.error( 'CDSC_TRACE_API: at %s, exit %s() and return %s',
+                 now, apiName, info );
+}
+
+/**
+ * Print trace info to stderr for miscellaneous use cases
+ */
+function log( info ) {
+  const now = (new Date( Date.now() )).toISOString();
+  // eslint-disable-next-line no-console
+  console.error( 'CDSC_TRACE_API: at %s, %s', now, info );
+}
+
+function optionsString( obj ) {
+  if (!obj || typeof obj !== 'object')
+    return obj.toString();
+  try {
+    if (Array.isArray( obj.messages ) && obj.messages.length) {
+      const messages = {};
+      for (const msg of obj.messages)
+        messages[msg.severity] = (messages[msg.severity] || 0) + 1;
+      obj = { ...obj, messages };
+    }
+    return JSON.stringify( obj, null, 2 );
+  }
+  catch (err) {
+    return err.toString();
+  }
+}
+
+function filesInfo( files ) {
+  if (!files)
+    return files;
+  if (!Array.isArray( files ))
+    files = Object.keys( files );
+  return files.length ? [ 'files', ...files ].join( '\n  ') : 'no files';
+}
+
+function csnInfo( csn ) {
+  if (!csn || typeof csn !== 'object' || Array.isArray( csn ))
+    return `some value of type ${ typeof csn }`;
+  try {
+    JSON.stringify( csn );
+    const defs = csn.definitions ? Object.keys( csn.definitions ).length : 'no';
+    const exts = csn.extensions ? csn.extensions.length : 'no';
+    const flavor = csn.meta?.flavor || csn.meta?.compilerCsnFlavor || 'unknown';
+    return `a CSN of flavor '${ flavor }' with ${ defs } definitions and ${ exts } extensions`;
+  }
+  catch (err) {
+    return `a CORRUPTED CSN (${ err.toString() })`;
+  }
+}
+
+module.exports = (shouldTraceApi)
+  ? { call, exit, log }
+  : { call: noOp, exit: noOp, log: noOp };

package/lib/main.d.ts

@@ -32,6 +32,18 @@ declare namespace compiler {
      * during compilation otherwise.
      */
     severities?: { [messageId: string]: MessageSeverity}
+    /**
+     * Downgrade the errors raised for `annotate` statements containing a
+     * security-relevant annotation (`@restrict`, `@requires`, `@ams`) but
+     * whose target does not exist.  Intended as a long-lived migration
+     * switch for projects that cannot fix all such statements at once.
+     *
+     * Explicit per-id entries in `severities` still take precedence over
+     * this option.
+     *
+     * @default false
+     */
+    noErrorForUnknownAnnotateTarget?: boolean
     /**
      * Dictionary of beta flag names.  This option allows fine-grained control
      * over which beta features should be enabled.

package/lib/main.js

@@ -16,7 +16,7 @@
 
 const lazyload = require('./utils/lazyload')( module );
 
-const { traceApi } = require('./base/trace');
+const trace = require('./base/trace');
 
 const snapi = lazyload('./api/main');
 const csnUtils = lazyload('./model/csnUtils');
@@ -40,6 +40,7 @@ const meta = lazyload('./base/meta');
 const toCsn = lazyload('./json/to-csn');
 
 function parseCdl( cdlSource, filename, options = {} ) {
+  trace.call( 'parse.cdl', options );
   options = Object.assign( {}, options, { parseCdl: true } );
   const sources = Object.create(null);
   /** @type {XSN.Model} */
@@ -56,7 +57,7 @@ function parseCdl( cdlSource, filename, options = {} ) {
   define( model );
   finalizeParseCdl( model );
   messageFunctions.throwWithError();
-  return toCsn.compactModel( model );
+  return compactAndTrace( model, 'parse.cdl' );
 }
 
 function parseCql( cdlSource, filename = '<query>.cds', options = {} ) {
@@ -75,6 +76,12 @@ function parseExpr( cdlSource, filename = '<expr>.cds', options = {} ) {
   return toCsn.compactExpr( xsn );
 }
 
+function compactAndTrace( xsn, apiName = 'compile' ) {
+  const csn = toCsn.compactModel( xsn );
+  trace.exit( apiName, csn );
+  return csn;
+}
+
 // FIXME: The implementation of those functions that delegate to 'backends'
 //        should probably move here
 // ATTENTION: Keep in sync with main.d.ts!
@@ -82,16 +89,19 @@ module.exports = {
   // Compiler
   version: () => meta.version(),
   compile: (filenames, dir, options, fileCache) => { // main function
-    traceApi( 'compile', options );
-    return compiler.compileX(filenames, dir, options, fileCache).then(toCsn.compactModel);
+    trace.call( 'compile', options, null, filenames );
+    return compiler.compileX( filenames, dir, options, fileCache )
+      .then( compactAndTrace );
   },
   compileSync: (filenames, dir, options, fileCache) => { // main function
-    traceApi('compileSync', options);
-    return toCsn.compactModel(compiler.compileSyncX(filenames, dir, options, fileCache));
+    trace.call( 'compileSync', options, null, filenames );
+    const xsn = compiler.compileSyncX( filenames, dir, options, fileCache );
+    return compactAndTrace( xsn, 'compileSync' );
   },
   compileSources: (sourcesDict, options) => { // main function
-    traceApi('compileSources', options);
-    return toCsn.compactModel(compiler.compileSourcesX(sourcesDict, options));
+    trace.call( 'compileSources', options, null, sourcesDict );
+    const xsn = compiler.compileSourcesX( sourcesDict, options );
+    return compactAndTrace( xsn, 'compileSources' );
   },
   compactModel: csn => csn,     // for easy v2 migration
   get CompilationError() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds-compiler",
-  "version": "6.9.1",
+  "version": "6.9.3",
   "description": "CDS (Core Data Services) compiler and backends",
   "homepage": "https://cap.cloud.sap/",
   "author": "SAP SE (https://www.sap.com)",