@sap/cds 9.0.4 → 9.1.0

package/CHANGELOG.md

@@ -4,6 +4,31 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 9.1.0 - 2025-06-30
+
+### Added
+
+- CDS config schema validations for `cds.requires.auth.tenants`, `cds.cdsc`, `cds.query`, `cds.log`, `cds.server`
+- Queue option `targetPrefix` to prefix `target` value of `cds.outbox.Messages` entries for microservice isolation
+- Basic support for CRUD for hierarchy entities
+
+### Changed
+
+- Reduced the amount of SELECT nesting the OData adapter does for `$apply` queries.
+- Better error messages for unresolved parent associations in hierarchy requests
+- Enabled updated behavior of `draftActivate` to move updates to fields of draft enabled entities with type `cds.LargeBinary` from draft to active table on the database level, with feature flag `cds.env.fiori.move_media_data_in_db`.
+
+### Fixed
+
+- Copies of `cds.context` with `locale`
+- Support for relative paths in `@odata.bind`
+- `cds build` on Windows OS - fixed cli tar usage for resources.tgz
+- Actions and functions with scalar return types use same `@odata.context` calculation as other return types, fixing e.g. `cds.odata.contextAbsoluteUrl` not being respected
+- Improve content-type and content-length handling in OData adapter
+- Parsing incorrect function parameters
+- `cds deploy --dry` no longer tries to load a DB adapter, so that it works w/o one installed.
+- Fix `@mandatory` for actions and functions
+
 ## Version 9.0.4 - 2025-06-18
 
 ### Fixed

package/lib/compile/for/lean_drafts.js

@@ -41,16 +41,14 @@ const { Draft } = cds.linked(`
   }
 `).definitions
 
-
-function DraftEntity4 (active, name = active.name+'.drafts') {
-
-  const draft = Object.create (active, {
+function DraftEntity4(active, name = active.name + '.drafts') {
+  const draft = Object.create(active, {
     name: { value: name }, // REVISIT: lots of things break if we do that!
     elements: { value: { ...active.elements, ...Draft.elements }, enumerable: true },
     actives: { value: active },
     query: { value: undefined }, // to not inherit that from active
     // drafts: { value: undefined }, // to not inherit that from active -> doesn't work yet as the coding in lean-draft.js uses .drafts to identify both active and draft entities
-    isDraft: { value: true },
+    isDraft: { value: true }
   })
 
   // for quoted names, we need to overwrite the cds.persistence.name of the derived, draft entity
@@ -60,7 +58,6 @@ function DraftEntity4 (active, name = active.name+'.drafts') {
   return draft
 }
 
-
 module.exports = function cds_compile_for_lean_drafts(csn) {
   function _redirect(assoc, target) {
     assoc.target = target.name
@@ -153,7 +150,8 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
           key === '@mandatory' ||
           key === '@Common.FieldControl' && newEl[key]?.['#'] === 'Mandatory' ||
           // key === '@Core.Immutable': Not allowed via UI anyway -> okay to cleanse them in PATCH
-          key.startsWith('@assert') ||
+          // REVISIT: Remove feature flag dependency: If active, validation errors will be degraded to messages and stored in draft admin data
+          (!active._service?.entities.DraftAdministrativeData.elements.DraftMessages && key.startsWith('@assert')) || 
           key.startsWith('@PersonalData')
         )
           newEl[key] = undefined
@@ -162,6 +160,23 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
       draft.elements[each] = newEl
     }
 
+    // For list-report hierarchies, there must not be deep deletes w.r.t. recursive compositions
+    // Therefore, they are degraded to associations.
+    // Note: For object-page hiearchies, deep delete on draft recursive compositions is still needed.
+    if (draft.elements.LimitedDescendantCount && draft['@Common.DraftRoot.ActivationAction']) {
+      for (const c in draft.compositions) {
+        const comp = draft.compositions[c]
+        if (comp.target === draft.name) {
+          // modify comp to assoc
+          comp.type = 'cds.Association'
+          comp.isComposition = false
+          comp.is = function(kind) { return kind === 'Association' }
+          delete draft.compositions[c]
+          draft.associations[c] = comp
+        }
+      }
+    }
+
     return draft
   }
 
@@ -173,6 +188,13 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
     def.elements.HasActiveEntity.virtual = true
     if (def.elements.DraftAdministrativeData_DraftUUID) def.elements.DraftAdministrativeData_DraftUUID.virtual = true
     def.elements.DraftAdministrativeData.virtual = true
+    if (def.elements.LimitedDescendantCount) {
+      // for hierarchies: make sure recursive compositions are not part of the draft tree
+      for (const c in def.compositions) {
+        const comp = def.compositions[c]
+        if (comp.target === def.name) comp['@odata.draft.ignore'] = true
+      }
+    }
     // will insert drafts entities, so that others can use `.drafts` even without incoming draft requests
     addDraftEntity(def, csn)
   }

package/lib/dbs/cds-deploy.js

@@ -20,6 +20,9 @@ const deploy = module.exports = function cds_deploy (model, options, csvs) {
     if (o.mocked) deploy.include_external_entities_in(model)
     else deploy.exclude_external_entities_in(model)
 
+    // dry deployment (output schema only)
+    if (o.dry) return await deploy.schema ({model, options:{}}, model, o)
+
     // prepare db
     if (!db.run) db = await cds.connect.to(db)
     if (!cds.db) cds.db = cds.services.db = db
@@ -34,10 +37,9 @@ const deploy = module.exports = function cds_deploy (model, options, csvs) {
 
     // deploy schema and initial data...
     try {
-      const _run = fn => o.dry ? fn(db) : db.run(fn)
-      await _run (async tx => {
+      await db.run (async tx => {
         let any = await deploy.schema (tx, model, o)
-        if ((any || csvs) && !o.dry) await deploy.data (tx, model, o, csvs, file => LOG?.(GREY, ' > init from', local(file), RESET))
+        if (any || csvs) await deploy.data (tx, model, o, csvs, file => LOG?.(GREY, ' > init from', local(file), RESET))
       })
       LOG?.('/> successfully deployed to', descr, '\n')
     } catch (e) {

package/lib/env/cds-requires.js

@@ -157,7 +157,7 @@ const _queue = {
     storeLastError: true,
     timeout: '1h',
     legacyLocking: true,
-    ignoredContext: ['user', 'http', 'model', 'timestamp']
+    ignoredContext: ['user', 'http', 'model', 'timestamp', '_locale', '_features']
   },
   // legacy
   "in-memory-outbox": "in-memory-queue",

package/lib/env/defaults.js

@@ -2,17 +2,6 @@ const production = process.env.NODE_ENV === 'production'
 
 module.exports = {
 
-  /**
-   * For our own tests to replace hard-coded checks for CDS_ENV === 'better-sqlite'
-   * which don't work anymore with cds8 where that is the default.
-   */
-  get _better_sqlite() {
-    if (process.env.CDS_ENV === 'better-sqlite') return true
-    let conf = this.requires.db || this.requires.kinds.sql
-    if (conf?.impl === '@cap-js/sqlite') return true
-    else return false
-  },
-
   production,
 
   requires: require('./cds-requires'),

package/lib/env/schemas/cds-rc.js

@@ -81,23 +81,23 @@ module.exports = {
         folders: {
           type: 'object',
           default: {},
-          description: 'Only set folders if you don\'t want to use the defaults \'app/\', \'db/\', \'srv/\'.',
+          description: 'Overrides for default folders. Only override if you don\'t want to use the defaults \'app/\', \'db/\', \'srv/\'.',
           additionalProperties: true,
           properties: {
             app: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the app property, which becomes \'cds.roots\'.'
+              description: 'Applications, e.g. UI5 or Fiori apps'
             },
             db: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the db property, which becomes \'cds.roots\'.'
+              description: 'Database models and migrations'
             },
             srv: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the srv property, which becomes \'cds.roots\'.'
+              description: 'Services'
             }
           },
           patternProperties: {
@@ -168,7 +168,7 @@ module.exports = {
                   properties: {
                     kind: {
                       type: 'string',
-                      description: 'Define the kind of strategy.',
+                      description: 'Authentication kind.',
                       anyOf: [
                         {
                           $ref: '#/$defs/authType'
@@ -181,6 +181,27 @@ module.exports = {
                     users: {
                       $ref: '#/$defs/mockUsers'
                     },
+                    tenants: {
+                      type: 'object',
+                      description: 'List of tenants with their respective features.',
+                      additionalProperties: true,
+                      patternProperties: {
+                        '.+': {
+                          type: 'object',
+                          additionalProperties: true,
+                          properties: {
+                            features: {
+                              type: 'array',
+                              description: 'List of feature toggles for this tenant.',
+                              uniqueItems: true,
+                              items: {
+                                type: 'string'
+                              }
+                            }
+                          }
+                        }
+                      }
+                    },
                     credentials: {
                       type: 'object',
                       description: 'You can explicitly configure credentials, but this is overruled by VCAP_SERVICES if a matching entry is found therein.',
@@ -645,6 +666,193 @@ module.exports = {
               ]
             }
           }
+        },
+        cdsc: {
+          type: 'object',
+          default: {},
+          description: 'CDS compiler configuration options.',
+          additionalProperties: true,
+          properties: {
+            moduleLookupDirectories: {
+              type: 'array',
+              description: 'List of directories to search for modules.',
+              uniqueItems: true,
+              items: {
+                type: 'string',
+                format: 'uri-reference'
+              }
+            }
+          }
+        },
+        query: {
+          type: 'object',
+          default: {},
+          description: 'Query configuration options.',
+          additionalProperties: true,
+          properties: {
+            limit: {
+              type: 'object',
+              description: 'Default limit for queries.',
+              additionalProperties: true,
+              properties: {
+                default: {
+                  type: 'integer',
+                  description: 'Default number of results returned by a query.',
+                  minimum: 1
+                },
+                max: {
+                  type: 'integer',
+                  description: 'Maximum number of results returned by a query.',
+                  minimum: 1
+                },
+                reliablePaging: {
+                  type: 'boolean',
+                  description: 'Enable reliable paging for queries.'
+                }
+              }
+            }
+          }
+        },
+        log: {
+          type: 'object',
+          default: {},
+          description: 'Logging configuration options.',
+          additionalProperties: true,
+          properties: {
+            format: {
+              type: 'string',
+              description: 'Log format, either \'plain\' or \'json\'.',
+              enum: [
+                'plain',
+                'json'
+              ]
+            },
+            levels: {
+              type: 'object',
+              description: 'Log levels for different components.',
+              additionalProperties: {
+                type: 'string'
+              },
+              properties: {
+                cds: {
+                  type: 'string',
+                  description: 'Server and common output.'
+                },
+                cli: {
+                  type: 'string',
+                  description: 'CLI output.'
+                },
+                build: {
+                  type: 'string',
+                  description: 'CDS build output.'
+                },
+                app: {
+                  type: 'string',
+                  description: 'Application Service.'
+                },
+                db: {
+                  type: 'string',
+                  description: 'Databases.'
+                },
+                sql: {
+                  type: 'string',
+                  description: 'SQL output.'
+                },
+                messaging: {
+                  type: 'string',
+                  description: 'Messaging Service.'
+                },
+                remote: {
+                  type: 'string',
+                  description: 'Remote Service.'
+                },
+                'audit-log': {
+                  type: 'string',
+                  description: 'AuditLog Service.'
+                },
+                odata: {
+                  type: 'string',
+                  description: 'OData Protocol Adapter.'
+                },
+                rest: {
+                  type: 'string',
+                  description: 'REST Protocol Adapter.'
+                },
+                graphql: {
+                  type: 'string',
+                  description: 'GraphQL Protocol Adapter.'
+                },
+                auth: {
+                  type: 'string',
+                  description: 'Authentication.'
+                },
+                deploy: {
+                  type: 'string',
+                  description: 'Database Deployment.'
+                },
+                mtx: {
+                  type: 'string',
+                  description: 'Multitenancy and Extensibility.'
+                }
+              }
+            },
+            mask_headers: {
+              type: 'array',
+              description: 'List of header patterns to mask in logs.',
+              uniqueItems: true,
+              items: {
+                type: 'string'
+              },
+              default: [
+                '/authorization/i',
+                '/cookie/i',
+                '/cert/i',
+                '/ssl/i'
+              ]
+            },
+            als_custom_fields: {
+              type: 'object',
+              description:
+                `Custom fields for Application Logging Service (ALS) in Kibana's error rendering.
+                 Key is the index in the log message array.`,
+              additionalProperties: {
+                type: 'integer'
+              }
+            },
+            cls_custom_fields: {
+              type: 'array',
+              description:
+                `Custom fields for CLS in Kibana's error rendering.
+                 Each entry is a field name.`,
+              uniqueItems: true,
+              items: {
+                type: 'string'
+              }
+            }
+          }
+        },
+        server: {
+          type: 'object',
+          default: {},
+          description: 'Server configuration options.',
+          additionalProperties: true,
+          properties: {
+            port: {
+              type: 'integer',
+              description: 'Port number for the server to listen on.',
+              minimum: 1,
+              maximum: 65535
+            },
+            cors: {
+              type: 'boolean',
+              description: 'Enable CORS support.',
+              default: true
+            },
+            index: {
+              type: 'boolean',
+              description: 'Serve the default index page.'
+            }
+          }
         }
       }
     },
@@ -909,4 +1117,4 @@ module.exports = {
       }
     }
   }
-}
+}

package/lib/req/request.js

@@ -110,7 +110,7 @@ class Request extends require('./event') {
       delete err.stack
       throw err
     }
-    let e = this.error(...args)
+    let e = this._errors.add(4, ...args)
     if (!('stack' in e)) Error.captureStackTrace (e = Object.assign(new Error,e), this.reject)
     if (!('message' in e)) e.message = String (e.code || e.status)
     throw e

package/lib/req/validate.js

@@ -242,8 +242,7 @@ class action extends struct {
     super.validate (data, path, ctx, this.params || {})
   }
 
-  // REVISIT: why is e['@mandatory'] not checked here?
-  _is_mandatory(e) { return e.notNull && !e.default } // params
+  _is_mandatory(e) { return e.notNull && !e.default || e._is_mandatory() } // params
 }
 
 /** Managed associations are struct-like, with foreign keys as elements to validate. */

package/lib/srv/middlewares/auth/xssec.js

@@ -1,6 +1,6 @@
 try {
   const xssec = require('@sap/xssec')
-  module.exports = xssec // use v3 compat api // REVISIT: why ???
+  module.exports = xssec
 } catch (e) {
   if (e.code === 'MODULE_NOT_FOUND') e.message = `Cannot find '@sap/xssec'. Make sure to install it with 'npm i @sap/xssec'\n` + e.message
   throw e

package/lib/utils/inflect.js

@@ -2,7 +2,7 @@
 this.singular4 = (dn,stripped) => {
 	let n = dn.name || dn; if (stripped) n = n.match(last)[0]
 	return dn['@singular'] || (
-		/species|news$/i.test(n) ? n  :
+		/(species|news)$/i.test(n) ? n  :
 		/ess$/.test(n) ? n :      							// Address
 		/ees$/.test(n) ? n.slice(0, -1) : 			// Employees --> Employee
 		/[sz]es$/.test(n) ?  n.slice(0, -2) :
@@ -15,7 +15,7 @@ this.singular4 = (dn,stripped) => {
 this.plural4 = (dn,stripped) => {
 	let n = dn.name || dn; if (stripped) n = n.match(last)[0]
 	return dn['@plural'] || (
-		/analysis|status|species|sheep|news$/i.test(n) ? n  :
+		/(analysis|status|species|sheep|news)$/i.test(n) ? n  :
 		/[^aeiou]y$/.test(n) ? n.slice(0,-1) + 'ies'  :
 		/(s|x|z|ch|sh)$/.test(n) ? n + 'es' :
 		n + 's'

package/lib/utils/tar.js

@@ -1,3 +1,4 @@
+const { PassThrough } = require('stream')
 const child_process = require('child_process')
 const spawn = /\btar\b/.test(process.env.DEBUG) ? (cmd, args, options) => {
   Error.captureStackTrace(spawn,spawn)
@@ -8,26 +9,36 @@ const spawn = /\btar\b/.test(process.env.DEBUG) ? (cmd, args, options) => {
 const cds = require('../index'), { fs, path, mkdirp, exists, rimraf } = cds.utils
 const _resolve = (...x) => path.resolve (cds.root,...x)
 
-// tar does not work properly on Windows (by npm/jest tests) w/o this change
+// ======= ONLY_FOR_WINDOWS ======
+// This section contains logic relevant for Windows OS.
+
+// tar does not work properly on Windows w/o this change
 const win = path => {
   if (!path) return path
   if (typeof path === 'string') return path.replace('C:', '//localhost/c$').replace(/\\+/g, '/')
   if (Array.isArray(path)) return path.map(el => win(el))
 }
 
-async function copyDir(src, dest) {
+// spawn tar on Windows, using the cli version
+const winSpawnDir = (dir, args) => {
+  if (args.some(arg => arg === '-f')) return spawn ('tar', ['c', '-C', win(dir), ...win(args)])
+  else return spawn ('tar', ['cf', '-', '-C', win(dir), ...win(args)])
+}
+
+// copy a directory recursively on Windows, using fs.promises
+async function winCopyDir(src, dest) {
   if ((await fs.promises.stat(src)).isDirectory()) {
     const entries = await fs.promises.readdir(src)
-    return Promise.all(entries.map(async each => copyDir(path.join(src, each), path.join(dest, each))))
+    return Promise.all(entries.map(async each => winCopyDir(path.join(src, each), path.join(dest, each))))
   } else {
     await fs.promises.mkdir(path.dirname(dest), { recursive: true })
     return fs.promises.copyFile(src, dest)
   }
 }
 
-// Copy resources containing files and folders to temp dir on Windows and pack temp dir.
-// cli tar has a size limit on Windows.
-const createTemp = async (root, resources) => {
+// copy resources containing files and folders to temp dir on Windows 
+// cli tar has a size limit on Windows
+const winCreateTemp = async (root, resources) => {
   // Asynchronously copies the entire content from src to dest.
   const temp = await fs.promises.mkdtemp(`${fs.realpathSync(require('os').tmpdir())}${path.sep}tar-`)
   for (let resource of resources) {
@@ -43,7 +54,7 @@ const createTemp = async (root, resources) => {
         await fs.promises.cp(resource, destination, { recursive: true })
       } else {
         // node < 16
-        await copyDir(resource, destination)
+        await winCopyDir(resource, destination)
       }
     }
   }
@@ -51,6 +62,43 @@ const createTemp = async (root, resources) => {
   return temp
 }
 
+// spawn tar on Windows, using a temp dir, which is copied from the original dir
+// cli tar has a size limit on Windows
+const winSpawnTempDir = (dir, args) => {
+  // Synchronous trick: use a PassThrough as placeholder
+  const stdout = new PassThrough()
+  const stderr = new PassThrough()
+  const c = {
+    stdout,
+    stderr,
+    on: (...a) => { stdout.on(...a); stderr.on(...a); return c },
+    once: (...a) => { stdout.once(...a); stderr.once(...a); return c },
+    kill: () => {},
+  }
+  
+  // async copy, then swap streams/events
+  winCreateTemp(dir, args.shift()).then(tempPath => {
+    const real = winSpawnDir(tempPath, args)
+    real.stdout.pipe(stdout)
+    real.stderr && real.stderr.pipe(stderr)
+    const cleanup = () => exists(tempPath) && rimraf(tempPath)
+    real.on('close', (...ev) => { 
+      stdout.emit('close', ...ev)
+      stderr.emit('close', ...ev)
+      cleanup()
+    })
+    real.on('error', (...ev) => { 
+      stdout.emit('error', ...ev)
+      stderr.emit('error', ...ev) 
+      cleanup()
+    })
+    c.kill = (...ev) => real.kill(...ev)
+  })
+  return c
+}
+
+// ====== END ONLY_FOR_WINDOWS ======
+
 const tarInfo = async (info) => {
   let cmd, param
   if (info === 'version') {
@@ -118,19 +166,12 @@ exports.create = (dir='.', ...args) => {
   if (typeof dir === 'string') dir = _resolve(dir)
   if (Array.isArray(dir)) [ dir, ...args ] = [ cds.root, dir, ...args ]
 
-  let c, temp
+  let c
   args = args.filter(el => el)
-  if (process.platform === 'win32') {
-    const spawnDir = (dir, args) => {
-      if (args.some(arg => arg === '-f')) return spawn ('tar', ['c', '-C', win(dir), ...win(args)])
-      else return spawn ('tar', ['cf', '-', '-C', win(dir), ...win(args)])
-    }
+  if (process.platform === 'win32') {    
     args.push('.')
-    if (Array.isArray(args[0])) {
-      c = createTemp(dir, args.shift()) .then (t => spawnDir(t,args))
-    } else {
-      c = spawnDir(dir, args)
-    }
+    if (Array.isArray(args[0])) c = winSpawnTempDir(dir, args)
+    else c = winSpawnDir(dir, args)
   } else {
     if (Array.isArray(args[0])) {
       args.push (...args.shift().map (f => path.isAbsolute(f) ? path.relative(dir,f) : f))
@@ -153,11 +194,7 @@ exports.create = (dir='.', ...args) => {
       c.stdout.on('data', d => data.push(d))
       c.stderr.on('data', d => stderr += d)
       c.on('close', code => code ? reject(new Error(stderr)) : resolve(Buffer.concat(data)))
-      c.on('error', reject)
-      if (process.platform === 'win32') {
-        c.on('close', () => temp && exists(temp) && rimraf(temp))
-        c.on('error', () => temp && exists(temp) && rimraf(temp))
-      }
+      c.on('error', reject)      
     },
 
     /**

package/libx/_runtime/common/generic/crud.js

@@ -78,9 +78,7 @@ module.exports = cds.service.impl(function () {
       if (await _targetEntityDoesNotExist(req)) req.reject(404) // REVISIT: add a reasonable error message
     }
 
-    // flag to trigger read after write in legacy odata adapter
-    if (req.constructor.name in { ODataRequest: 1 }) req._.readAfterWrite = true
-    if (req.protocol?.match(/odata/)) req._.readAfterWrite = true //> REVISIT for noah
+    if (req.protocol?.match(/odata/)) req._.readAfterWrite = true
 
     return req.data
   })

package/libx/_runtime/common/generic/input.js

@@ -251,7 +251,7 @@ async function validate_input(req) {
   }
 
   const errs = cds.validate(req.data, req.target, assertOptions)
-  if (errs) return req._errors.push(...errs)
+  if (errs) return errs.forEach(err => req.error(err))
 
   // -------------------------------------------------
   // REVISIT: is the below still needed?
@@ -332,7 +332,7 @@ function validate_action(req) {
     protocol: req.protocol
   }
   let errs = cds.validate(data, operation, assertOptions)
-  if (errs) return req._errors.push(...errs)
+  if (errs) return errs.forEach(err => req.error(err))
 
   // REVISIT: we still need the following because cds.validate doesn't check for @mandatory params (both flat and nested)
   const errors = []

package/libx/_runtime/common/generic/temporal.js

@@ -76,12 +76,6 @@ function handle_temporal_data(req) {
       _getDateFromQueryOptions(_queryOptions['sap-valid-to'] ?? normalizeTimestamp('9999-12-31T23:59:59.9999999Z'))
     )
   }
-
-  // REVISIT: needed without okra
-  if (req.constructor.name !== 'ODataRequest') {
-    req._['VALID-FROM'] = _['VALID-FROM']
-    req._['VALID-TO'] = _['VALID-TO']
-  }
 }
 handle_temporal_data._initial = true