@sap/cds-compiler 6.9.2 → 6.9.3
- package/CHANGELOG.md +10 -0
- package/lib/api/options.js +1 -0
- package/lib/base/messages.js +16 -0
- package/lib/main.d.ts +12 -0
- package/package.json +1 -1
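--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -13,6 +13,16 @@ we might not list every change in its behavior here.
 Productive code should never require a `beta` flag to be set, and
 might use a deprecated flag only for a limited period of time.
 
+## Version 6.9.3 - 2026-06-17
+
+### Bug Fixes
+
+- **api:** New compiler option `noErrorForUnknownAnnotateTarget` downgrades errors to warnings
+for `annotate` statements with security-relevant annotations (`@restrict`, `@requires`, `@ams`)
+whose target does not exist.
+
+
+
 ## Version 6.9.2 - 2026-05-08
 
 ### Bug Fixes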
package/lib/api/options.js
CHANGED
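--- a/package/lib/base/messages.js
+++ b/package/lib/base/messages.js
@@ -220,6 +220,17 @@ const severitySpecs = {
 debug: { name: 'Debug', level: 3 },
 };
 
+// Message IDs raised for security-relevant annotate statements with non-existing targets.
+// Downgraded to warning when noErrorForUnknownAnnotateTarget option is set.
+const securityAnnotateTargetIds = new Set([
+'ext-undefined-art-sec',
+'ext-undefined-def-sec',
+'ext-undefined-element-sec',
+'ext-undefined-action-sec',
+'ext-undefined-param-sec',
+'ext-unexpected-returns-sec',
+]);
+
 /**
 * Get the reclassified severity of the given message using:
 *
@@ -259,6 +270,11 @@ function reclassifiedSeverity( msg, options, moduleName ) {
 }
 }
 
+if (options.noErrorForUnknownAnnotateTarget &&
+severity === 'Error' &&
+securityAnnotateTargetIds.has(msg.messageId))
+severity = 'Warning';
+
 if (!options.severities)
 return severity;
 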
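Review bot: The added guard in reclassifiedSeverity tests `options.noErrorForUnknownAnnotateTarget` for truthiness only, so any non-empty value that reaches it, such as the string `'false'` from a configuration file, would downgrade the six `*-sec` errors; whether option validation elsewhere rejects non-booleans is not visible on this page. Because these ids cover `@restrict`/`@requires`/`@ams` annotations whose target is missing, and such an annotation presumably ends up protecting nothing, I would compare strictly with `if (options.noErrorForUnknownAnnotateTarget === true &&`. A comment above the check would also help, for example `// Security trade-off: the annotate target is missing, so the intended restriction may not be enforced anywhere.` The function starts and ends outside both hunks, so the precedence of `options.severities` described in main.d.ts could not be checked here.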
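--- a/package/lib/main.d.ts
+++ b/package/lib/main.d.ts
@@ -32,6 +32,18 @@ declare namespace compiler {
 * during compilation otherwise.
 */
 severities?: { [messageId: string]: MessageSeverity}
+/**
+* Downgrade the errors raised for `annotate` statements containing a
+* security-relevant annotation (`@restrict`, `@requires`, `@ams`) but
+* whose target does not exist. Intended as a long-lived migration
+* switch for projects that cannot fix all such statements at once.
+*
+* Explicit per-id entries in `severities` still take precedence over
+* this option.
+*
+* @default false
+*/
+noErrorForUnknownAnnotateTarget?: boolean
 /**
 * Dictionary of beta flag names. This option allows fine-grained control
 * over which beta features should be enabled.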
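Review bot: The doc comment on `noErrorForUnknownAnnotateTarget` does not say what the downgrade costs: with the option set, an `annotate` that carries `@restrict`, `@requires` or `@ams` for a misspelled or renamed target compiles with only a warning, and the restriction it was meant to add is presumably missing from the compiled model. I would add a sentence before `@default false`, such as `* Note: the affected annotations are not applied; treat each resulting warning as a potentially missing access restriction.` Naming the affected message id pattern (`ext-*-sec`) in the comment would let users find and track these warnings. The enclosing options declaration starts and ends outside the hunk.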