@sap/cds 9.0.4 → 9.2.0

package/CHANGELOG.md

@@ -4,6 +4,64 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 9.2.0 - 2025-07-29
+
+### Added
+
+- `srv.schedule` allows to specify the time in a more readable way, e.g. `srv.schedule(...).after('1min')`
+- Support for `jwt`/`xsuaa`-auth on XSA
+- Enable `@sap/xssec`'s caching mechanisms (requires `@sap/xssec^4.8`)
+  + The signature cache can be configured via `cds.requires.auth.config`, which is passed to `@sap/xssec`'s authentication services
+  + The token decode cache can be configured programmatically via `require('@sap/xssec').Token.enableDecodeCache(config?)` and deactivated via `require('@sap/xssec').Token.decodeCache = false`
+- `cds.requires` correctly resolve service credentials on Kyma when its merged env configuration is only `true` and the service is found via its property name.
+- `ias`-auth: Support for fallback XSUAA-based authentication meant to ease migration to IAS
+  + The fallback is automatically enabled if XSUAA credentials are available. To enable the credentials look-up, simply add `cds.requires.xsuaa = true` to your env.
+  + In case you need a custom config for the fallback (passed through to `@sap/xssec` as is!), configure it via `cds.requires.xsuaa = { config: { ... } }`
+- Better error message if `cds.xt.Extensions` table is missing in extensibility scenarios.
+
+### Changed
+
+- Upgrade to Peggy 5 version
+- Enabled conversion of `not exists where not` to OData `all`, integrating the inverse of the policy applied by the OData parser.
+- Numeric values in `.csv` files are now returned as numbers instead of strings, e.g. `1` instead of `'1'`;
+  when pre-padded with zeros, e.g., `0123`, they are returned as strings, e.g. `'0123'` instead of `123`.
+
+### Fixed
+
+- Runtime error in transaction handling in messaging services when used with outbox
+- Always use `cds.context` middleware for `enterprise-messaging` endpoints
+- Crash during Location header generation caused by custom response not matching the entity definition.
+- Support for logging of correct error locations with `cds watch` and `cds run`. 
+- Double-unescaping of values in double quotes during OData URL parsing
+- Throw explicit error if the result of a media data query is not an instance of `Readable`, rather than responding with `No Content`
+- When loading `.csv` files quoted strings containing the separator (comma or semicolon) where erroneously
+  parsed as two separate values instead of one.
+
+## Version 9.1.0 - 2025-06-30
+
+### Added
+
+- CDS config schema validations for `cds.requires.auth.tenants`, `cds.cdsc`, `cds.query`, `cds.log`, `cds.server`
+- Queue option `targetPrefix` to prefix `target` value of `cds.outbox.Messages` entries for microservice isolation
+- Basic support for CRUD for hierarchy entities
+
+### Changed
+
+- Reduced the amount of SELECT nesting the OData adapter does for `$apply` queries.
+- Better error messages for unresolved parent associations in hierarchy requests
+- Enabled updated behavior of `draftActivate` to move updates to fields of draft enabled entities with type `cds.LargeBinary` from draft to active table on the database level, with feature flag `cds.env.fiori.move_media_data_in_db`.
+
+### Fixed
+
+- Copies of `cds.context` with `locale`
+- Support for relative paths in `@odata.bind`
+- `cds build` on Windows OS - fixed cli tar usage for resources.tgz
+- Actions and functions with scalar return types use same `@odata.context` calculation as other return types, fixing e.g. `cds.odata.contextAbsoluteUrl` not being respected
+- Improve content-type and content-length handling in OData adapter
+- Parsing incorrect function parameters
+- `cds deploy --dry` no longer tries to load a DB adapter, so that it works w/o one installed.
+- Fix `@mandatory` for actions and functions
+
 ## Version 9.0.4 - 2025-06-18
 
 ### Fixed
@@ -38,6 +96,7 @@
 ### Changed
 
 - Lean draft handler is registered in a service only if a draft-enabled service entity exists
+- Add back in server version on CAP server launch info log record
 
 ### Fixed
 
@@ -135,6 +194,15 @@
 - Deprecated stripping of unnecessary topic prefix `topic:` in messaging
 - Deprecated messaging `Outbox` class. Please use config or `cds.outboxed(srv)` to outbox your service.
 
+## Version 8.9.5 - 2025-07-25
+
+### Fixed
+
+- `req.diff` in case of draft entities using associations to joins/unions
+- Locale detection does not enforce `<http-req>.query` to be present. Some protocol adapters do not set it.
+- View metadata for requests with $apply
+- Handling of bad timestamps in URL ($filter and temporals)
+
 ## Version 8.9.4 - 2025-05-16
 
 ### Fixed

package/bin/deploy.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+/* eslint-disable no-console */
+
+const cds = require('../lib');
+const argv = process.argv.slice(2);
+const o = {};
+cds.cli = { command: 'deploy', argv, options: o }
+
+Promise.resolve(cds.plugins).then(async () => {
+  let db = cds.requires.db || {}
+  for (let i = 0; i < argv.length; ++i) {
+    let k = argv[i], v = argv[++i]
+    if (!k.startsWith('--')) return error `Invalid argument: ${k}. Expected format --key value`
+    if (v?.startsWith('--')) { --i; v = true } // allow --key without value
+    o[k = k.slice(2)] = v ?? true // allow last --key without value
+    if (k === 'to') db = { kind: v, dialect: v }
+    else (db.credentials ??= {})[k] = v
+  }
+  console.debug('Deploying with options:', db, o)
+  cds.db = await cds.connect.to(db)
+  return await cds.deploy('*',o).to(db)
+})
+.catch (e => { console.error(e); process.exitCode = 1 })
+.finally (() => cds.db?.disconnect?.())
+
+const error = (...args) => {
+  console.error (String.raw(...args))
+  process.exitCode = 1
+}

package/bin/serve.js

@@ -275,10 +275,6 @@ async function _local_server_js() {
 function _prepare_logging () { // NOSONAR
 
   const LOG = cds.log('cds.serve|server',{label:'cds'}); if (!LOG._info) return; else log = LOG.info
-  const _timer = process.env.NODE_ENV === 'production'
-    ? `[cds] - server launched at ${new Date().toLocaleString()}, version: ${cds.version}, in`
-    : '[cds] - server launched in'
-  console.time (_timer)
 
   // print information when model is loaded
   cds.on ('loaded', ({$sources:srcs})=>{
@@ -313,7 +309,7 @@ function _prepare_logging () { // NOSONAR
   cds.once ('listening', ({url})=>{
     console.log()
     LOG.info ('server listening on',{url})
-    _timer && console.timeEnd (_timer)
+    LOG.info ('server', 'v'+cds.version, 'launched in', performance.now().toFixed(0),'ms')
     if (process.stdin.isTTY) LOG.info (`[ terminate with ^C ]\n`)
   })
 }

package/lib/compile/etc/csv.js

@@ -34,6 +34,10 @@ function parse (csv) {
         if (headers.includes(currCol))  values.push (_value4(val, quoted)) // skip value if column was skipped
         val = undefined, quoted = false //> start new val
       }
+      else if (c === ' ' && val === undefined) {
+        // ignore leading spaces
+        continue
+      }
       else if (c === '"' && val === undefined) { // start quoted string
         val = ''
         inString = true
@@ -43,7 +47,7 @@ function parse (csv) {
         else inString = false, quoted = true // stop string
       }
       else {  // normal char
-        if (val === undefined)  val = ''
+        val ??= ''
         val += c
       }
     }
@@ -59,12 +63,13 @@ function parse (csv) {
   return rows
 }
 
-function _value4 (val, quoted = false) {
+const globals = { null:null, true:true, false:false }
+function _value4 (val, quoted) {
   if (quoted)  return val
-  if (val)  val = val.trim()
-  if (val === 'true') return true
-  else if (val === 'false') return false
-  else return val
+  if (val) val = val.trim(); else return undefined
+  if (val in globals) return globals[val] //> null, true, false
+  let n = Number(val)
+  return n.toString() == val ? n : val
 }
 
 function _ignoreLine(line) {

package/lib/compile/for/lean_drafts.js

@@ -41,16 +41,14 @@ const { Draft } = cds.linked(`
   }
 `).definitions
 
-
-function DraftEntity4 (active, name = active.name+'.drafts') {
-
-  const draft = Object.create (active, {
+function DraftEntity4(active, name = active.name + '.drafts') {
+  const draft = Object.create(active, {
     name: { value: name }, // REVISIT: lots of things break if we do that!
     elements: { value: { ...active.elements, ...Draft.elements }, enumerable: true },
     actives: { value: active },
     query: { value: undefined }, // to not inherit that from active
     // drafts: { value: undefined }, // to not inherit that from active -> doesn't work yet as the coding in lean-draft.js uses .drafts to identify both active and draft entities
-    isDraft: { value: true },
+    isDraft: { value: true }
   })
 
   // for quoted names, we need to overwrite the cds.persistence.name of the derived, draft entity
@@ -60,7 +58,6 @@ function DraftEntity4 (active, name = active.name+'.drafts') {
   return draft
 }
 
-
 module.exports = function cds_compile_for_lean_drafts(csn) {
   function _redirect(assoc, target) {
     assoc.target = target.name
@@ -153,7 +150,8 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
           key === '@mandatory' ||
           key === '@Common.FieldControl' && newEl[key]?.['#'] === 'Mandatory' ||
           // key === '@Core.Immutable': Not allowed via UI anyway -> okay to cleanse them in PATCH
-          key.startsWith('@assert') ||
+          // REVISIT: Remove feature flag dependency: If active, validation errors will be degraded to messages and stored in draft admin data
+          (!active._service?.entities.DraftAdministrativeData.elements.DraftMessages && key.startsWith('@assert')) || 
           key.startsWith('@PersonalData')
         )
           newEl[key] = undefined
@@ -162,6 +160,23 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
       draft.elements[each] = newEl
     }
 
+    // For list-report hierarchies, there must not be deep deletes w.r.t. recursive compositions
+    // Therefore, they are degraded to associations.
+    // Note: For object-page hiearchies, deep delete on draft recursive compositions is still needed.
+    if (draft.elements.LimitedDescendantCount && draft['@Common.DraftRoot.ActivationAction']) {
+      for (const c in draft.compositions) {
+        const comp = draft.compositions[c]
+        if (comp.target === draft.name) {
+          // modify comp to assoc
+          comp.type = 'cds.Association'
+          comp.isComposition = false
+          comp.is = function(kind) { return kind === 'Association' }
+          delete draft.compositions[c]
+          draft.associations[c] = comp
+        }
+      }
+    }
+
     return draft
   }
 
@@ -173,6 +188,13 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
     def.elements.HasActiveEntity.virtual = true
     if (def.elements.DraftAdministrativeData_DraftUUID) def.elements.DraftAdministrativeData_DraftUUID.virtual = true
     def.elements.DraftAdministrativeData.virtual = true
+    if (def.elements.LimitedDescendantCount) {
+      // for hierarchies: make sure recursive compositions are not part of the draft tree
+      for (const c in def.compositions) {
+        const comp = def.compositions[c]
+        if (comp.target === def.name) comp['@odata.draft.ignore'] = true
+      }
+    }
     // will insert drafts entities, so that others can use `.drafts` even without incoming draft requests
     addDraftEntity(def, csn)
   }

package/lib/compile/load.js

@@ -9,13 +9,16 @@ if (TRACE) {
 module.exports = exports = function load (files, options) {
   let any = cds.resolve(files,options)
 
+  // REVISIT: we need to find a better way to handle this -> doing that in cds.load is by far too central
   // REVISIT: bandaid for grow as you go scenario with task queues enabled by default
   let locations
-  const _is_outbox = p => cds.utils.path.posix.normalize(p).match(/\/cds\/srv\/outbox(\.cds)?$/)
-  const _outbox_only = any?.length === 1 && _is_outbox(any[0]) && (!Array.isArray(files) || !files.some(_is_outbox))
-  if (_outbox_only) {
-    any = undefined
-    locations = cds.resolve(files, false).filter(f => !_is_outbox(f))
+  if (cds.watched) {
+    const _is_outbox = p => cds.utils.path.posix.normalize(p).match(/\/cds\/srv\/outbox(\.cds)?$/)
+    const _outbox_only = any?.length === 1 && _is_outbox(any[0]) && (!Array.isArray(files) || !files.some(_is_outbox))
+    if (_outbox_only) {
+      any = undefined
+      locations = cds.resolve(files, false).filter(f => !_is_outbox(f))
+    }
   }
 
   if (!any) return Promise.reject (new cds.error ({

package/lib/compile/to/hdbtabledata.js

@@ -1,4 +1,4 @@
-const cds = require('../../../lib')
+const cds = require('../..')
 const { getElementCdsPersistenceName, getArtifactCdsPersistenceName } = require('@sap/cds-compiler')
 const { fs, path, isdir, csv } = cds.utils
 const { readdir } = fs.promises

package/lib/dbs/cds-deploy.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 const cds = require('../index'), { local, path } = cds.utils
 const DEBUG = cds.debug('deploy')
 const TRACE = cds.debug('trace')
@@ -20,6 +19,9 @@ const deploy = module.exports = function cds_deploy (model, options, csvs) {
     if (o.mocked) deploy.include_external_entities_in(model)
     else deploy.exclude_external_entities_in(model)
 
+    // dry deployment (output schema only)
+    if (o.dry) return await deploy.schema ({model, options:{}}, model, o)
+
     // prepare db
     if (!db.run) db = await cds.connect.to(db)
     if (!cds.db) cds.db = cds.services.db = db
@@ -34,10 +36,9 @@ const deploy = module.exports = function cds_deploy (model, options, csvs) {
 
     // deploy schema and initial data...
     try {
-      const _run = fn => o.dry ? fn(db) : db.run(fn)
-      await _run (async tx => {
+      await db.run (async tx => {
         let any = await deploy.schema (tx, model, o)
-        if ((any || csvs) && !o.dry) await deploy.data (tx, model, o, csvs, file => LOG?.(GREY, ' > init from', local(file), RESET))
+        if (any || csvs) await deploy.data (tx, model, o, csvs, file => LOG?.(GREY, ' > init from', local(file), RESET))
       })
       LOG?.('/> successfully deployed to', descr, '\n')
     } catch (e) {
@@ -385,33 +386,3 @@ const _entity4 = (file, csn) => {
   }
   return entity.name ? entity : { name, __proto__:entity }
 }
-
-/** CLI used as via cds-deploy as deployer for PostgreSQL */
-if (!module.parent) (async function CLI () {
-  cds.cli = { command: 'deploy', argv: process.argv.slice(2), options: {} }
-  await cds.plugins // IMPORTANT: that has to go before any call to cds.env, like through cds.deploy or cds.requires below
-  let db = cds.requires.db
-  try {
-    let o={}, recent
-    for (let each of process.argv.slice(2)) {
-      if (each.startsWith('--')) o[(recent = each.slice(2))] = true
-      else o[recent] = each
-    }
-    if (o.to) {
-      db = { kind: o.to, dialect: o.to }
-      if (o.url) (db.credentials ??= {}).url = o.url
-      if (o.host) (db.credentials ??= {}).host = o.host
-      if (o.port) (db.credentials ??= {}).port = o.port
-      if (o.username) (db.credentials ??= {}).username = o.username
-      if (o.password) (db.credentials ??= {}).password = o.password
-    }
-    cds.cli.options = o
-    db = await cds.connect.to(db);
-    db = await cds.deploy('*',o).to(db)
-  } finally {
-    await db?.disconnect?.()
-  }
-})().catch((e) => {
-  console.error(e)
-  process.exitCode = 1
-})

package/lib/env/cds-env.js

@@ -408,7 +408,8 @@ class Config {
       const { credentials } = this._find_credentials_for_required_service(service, conf, vcaps) || {}
       if (credentials)  {
         // Merge `credentials`.  Needed because some app-defined things like `credentials.destination` must survive.
-        any = conf.credentials = Object.assign ({}, conf.credentials, credentials)
+        if (conf === true) any = this.requires[service] = { credentials }
+        else any = conf.credentials = { ...conf.credentials, ...credentials }
       }
     }
     return !!any

package/lib/env/cds-requires.js

@@ -85,6 +85,9 @@ for (let each of Object.values(_authentication_strategies)) {
   }})
 }
 
+// enable credentials lookup for xsuaa fallback
+_authentication_strategies.xsuaa = { vcap: { label: 'xsuaa' } }
+
 const _services = {
 
   "app-service": {
@@ -157,7 +160,7 @@ const _queue = {
     storeLastError: true,
     timeout: '1h',
     legacyLocking: true,
-    ignoredContext: ['user', 'http', 'model', 'timestamp']
+    ignoredContext: ['user', 'http', 'model', 'timestamp', '_locale', '_features']
   },
   // legacy
   "in-memory-outbox": "in-memory-queue",

package/lib/env/defaults.js

@@ -2,17 +2,6 @@ const production = process.env.NODE_ENV === 'production'
 
 module.exports = {
 
-  /**
-   * For our own tests to replace hard-coded checks for CDS_ENV === 'better-sqlite'
-   * which don't work anymore with cds8 where that is the default.
-   */
-  get _better_sqlite() {
-    if (process.env.CDS_ENV === 'better-sqlite') return true
-    let conf = this.requires.db || this.requires.kinds.sql
-    if (conf?.impl === '@cap-js/sqlite') return true
-    else return false
-  },
-
   production,
 
   requires: require('./cds-requires'),

package/lib/env/schemas/cds-rc.js

@@ -81,23 +81,23 @@ module.exports = {
         folders: {
           type: 'object',
           default: {},
-          description: 'Only set folders if you don\'t want to use the defaults \'app/\', \'db/\', \'srv/\'.',
+          description: 'Overrides for default folders. Only override if you don\'t want to use the defaults \'app/\', \'db/\', \'srv/\'.',
           additionalProperties: true,
           properties: {
             app: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the app property, which becomes \'cds.roots\'.'
+              description: 'Applications, e.g. UI5 or Fiori apps'
             },
             db: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the db property, which becomes \'cds.roots\'.'
+              description: 'Database models and migrations'
             },
             srv: {
               type: 'string',
               format: 'uri-reference',
-              description: 'Add a custom path for the srv property, which becomes \'cds.roots\'.'
+              description: 'Services'
             }
           },
           patternProperties: {
@@ -168,7 +168,7 @@ module.exports = {
                   properties: {
                     kind: {
                       type: 'string',
-                      description: 'Define the kind of strategy.',
+                      description: 'Authentication kind.',
                       anyOf: [
                         {
                           $ref: '#/$defs/authType'
@@ -181,6 +181,27 @@ module.exports = {
                     users: {
                       $ref: '#/$defs/mockUsers'
                     },
+                    tenants: {
+                      type: 'object',
+                      description: 'List of tenants with their respective features.',
+                      additionalProperties: true,
+                      patternProperties: {
+                        '.+': {
+                          type: 'object',
+                          additionalProperties: true,
+                          properties: {
+                            features: {
+                              type: 'array',
+                              description: 'List of feature toggles for this tenant.',
+                              uniqueItems: true,
+                              items: {
+                                type: 'string'
+                              }
+                            }
+                          }
+                        }
+                      }
+                    },
                     credentials: {
                       type: 'object',
                       description: 'You can explicitly configure credentials, but this is overruled by VCAP_SERVICES if a matching entry is found therein.',
@@ -198,6 +219,10 @@ module.exports = {
             },
             db: {
               oneOf: [
+                {
+                  type: 'boolean',
+                  description: 'Shortcut to enable primary database.'
+                },
                 {
                   type: 'string',
                   description: 'Settings for the primary database (shortcut).',
@@ -645,6 +670,193 @@ module.exports = {
               ]
             }
           }
+        },
+        cdsc: {
+          type: 'object',
+          default: {},
+          description: 'CDS compiler configuration options.',
+          additionalProperties: true,
+          properties: {
+            moduleLookupDirectories: {
+              type: 'array',
+              description: 'List of directories to search for modules.',
+              uniqueItems: true,
+              items: {
+                type: 'string',
+                format: 'uri-reference'
+              }
+            }
+          }
+        },
+        query: {
+          type: 'object',
+          default: {},
+          description: 'Query configuration options.',
+          additionalProperties: true,
+          properties: {
+            limit: {
+              type: 'object',
+              description: 'Default limit for queries.',
+              additionalProperties: true,
+              properties: {
+                default: {
+                  type: 'integer',
+                  description: 'Default number of results returned by a query.',
+                  minimum: 1
+                },
+                max: {
+                  type: 'integer',
+                  description: 'Maximum number of results returned by a query.',
+                  minimum: 1
+                },
+                reliablePaging: {
+                  type: 'boolean',
+                  description: 'Enable reliable paging for queries.'
+                }
+              }
+            }
+          }
+        },
+        log: {
+          type: 'object',
+          default: {},
+          description: 'Logging configuration options.',
+          additionalProperties: true,
+          properties: {
+            format: {
+              type: 'string',
+              description: 'Log format, either \'plain\' or \'json\'.',
+              enum: [
+                'plain',
+                'json'
+              ]
+            },
+            levels: {
+              type: 'object',
+              description: 'Log levels for different components.',
+              additionalProperties: {
+                type: 'string'
+              },
+              properties: {
+                cds: {
+                  type: 'string',
+                  description: 'Server and common output.'
+                },
+                cli: {
+                  type: 'string',
+                  description: 'CLI output.'
+                },
+                build: {
+                  type: 'string',
+                  description: 'CDS build output.'
+                },
+                app: {
+                  type: 'string',
+                  description: 'Application Service.'
+                },
+                db: {
+                  type: 'string',
+                  description: 'Databases.'
+                },
+                sql: {
+                  type: 'string',
+                  description: 'SQL output.'
+                },
+                messaging: {
+                  type: 'string',
+                  description: 'Messaging Service.'
+                },
+                remote: {
+                  type: 'string',
+                  description: 'Remote Service.'
+                },
+                'audit-log': {
+                  type: 'string',
+                  description: 'AuditLog Service.'
+                },
+                odata: {
+                  type: 'string',
+                  description: 'OData Protocol Adapter.'
+                },
+                rest: {
+                  type: 'string',
+                  description: 'REST Protocol Adapter.'
+                },
+                graphql: {
+                  type: 'string',
+                  description: 'GraphQL Protocol Adapter.'
+                },
+                auth: {
+                  type: 'string',
+                  description: 'Authentication.'
+                },
+                deploy: {
+                  type: 'string',
+                  description: 'Database Deployment.'
+                },
+                mtx: {
+                  type: 'string',
+                  description: 'Multitenancy and Extensibility.'
+                }
+              }
+            },
+            mask_headers: {
+              type: 'array',
+              description: 'List of header patterns to mask in logs.',
+              uniqueItems: true,
+              items: {
+                type: 'string'
+              },
+              default: [
+                '/authorization/i',
+                '/cookie/i',
+                '/cert/i',
+                '/ssl/i'
+              ]
+            },
+            als_custom_fields: {
+              type: 'object',
+              description:
+                `Custom fields for Application Logging Service (ALS) in Kibana's error rendering.
+                 Key is the index in the log message array.`,
+              additionalProperties: {
+                type: 'integer'
+              }
+            },
+            cls_custom_fields: {
+              type: 'array',
+              description:
+                `Custom fields for CLS in Kibana's error rendering.
+                 Each entry is a field name.`,
+              uniqueItems: true,
+              items: {
+                type: 'string'
+              }
+            }
+          }
+        },
+        server: {
+          type: 'object',
+          default: {},
+          description: 'Server configuration options.',
+          additionalProperties: true,
+          properties: {
+            port: {
+              type: 'integer',
+              description: 'Port number for the server to listen on.',
+              minimum: 1,
+              maximum: 65535
+            },
+            cors: {
+              type: 'boolean',
+              description: 'Enable CORS support.',
+              default: true
+            },
+            index: {
+              type: 'boolean',
+              description: 'Serve the default index page.'
+            }
+          }
         }
       }
     },
@@ -909,4 +1121,4 @@ module.exports = {
       }
     }
   }
-}
+}