@sap/cds 9.6.1 → 9.6.3

package/CHANGELOG.md

@@ -4,6 +4,22 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 9.6.3 - 2026-01-14
+
+### Fixed
+
+- `queue`: Exactly-once guarantee only with `legacyLocking: false`
+
+## Version 9.6.2 - 2026-01-08
+
+### Fixed
+
+- Consider `@mandatory.message` for the error message, when a mandatory action / function parameter is not provided
+- Respond with error code `400` when receiving requests that use `any()` / `all()` filters on an association to one
+- Error message of unknown property check will no longer include `undefined` to identify structs without a name
+- `enterprise-messaging`: Type error in check for unofficial XSUAA fallback
+- Status Transition Flows: Exclusions for multiple projections
+
 ## Version 9.6.1 - 2025-12-18
 
 ### Fixed

package/lib/compile/for/flows.js

@@ -186,8 +186,7 @@ module.exports = function cds_compile_for_flows(csn) {
     }
   }
 
-  const extensions = new Set()
-  const exclusions = new Set()
+  const to_be_extended = new Set()
 
   for (const name in csn.definitions) {
     const def = csn.definitions[name]
@@ -225,28 +224,35 @@ module.exports = function cds_compile_for_flows(csn) {
     if (base.elements?.transitions_) continue //> manually added -> don't interfere
 
     // add aspect FlowHistory to db entity
-    extensions.add(base_name)
-
-    // hack for "excludes" not possible via extensions
-    if (projections.length) projections.forEach(p => exclusions.add(p))
+    to_be_extended.add(base_name)
   }
 
-  if (extensions.size) {
+  if (to_be_extended.size) {
     // REVISIT: ensure sap.common.FlowHistory is there
     csn.definitions['sap.common.FlowHistory'] ??= JSON.parse(FlowHistory)
 
-    const _extensions = [...extensions].map(extend => ({ extend, includes: ['sap.common.FlowHistory'] }))
-    csn = cds.extend(csn).with({ extensions: _extensions })
+    const extensions = [...to_be_extended].map(extend => ({ extend, includes: ['sap.common.FlowHistory'] }))
+    const dsn = cds.extend(csn).with({ extensions })
 
     // REVISIT: annotate all generated X.transitions_ with @cds.autoexpose: false
-    for (const each of extensions) csn.definitions[`${each}.transitions_`]['@cds.autoexpose'] = false
-  }
+    for (const each of to_be_extended) dsn.definitions[`${each}.transitions_`]['@cds.autoexpose'] = false
 
-  if (exclusions.size) {
-    for (const proj of exclusions) {
-      delete csn.definitions[proj].elements.transitions_
-      delete csn.definitions[`${proj}.transitions_`]
+    // hack for "excludes" not possible via extensions
+    for (const name in dsn.definitions) {
+      const _new = dsn.definitions[name]
+      if (
+        _new.kind !== 'entity' ||
+        to_be_extended.has(name.replace(/\.transitions_$/, '')) ||
+        (!name.match(/\.transitions_$/) && !_new.elements.transitions_)
+      ) {
+        continue
+      }
+      const _old = csn.definitions[name]
+      if (!_old) delete dsn.definitions[name]
+      else if (_new.elements.transitions_ && !_old.elements.transitions_) delete _new.elements.transitions_
     }
+
+    csn = dsn
   }
 
   // REVISIT: annotate all X.transitions_ with @odata.draft.enabled: false

package/lib/req/validate.js

@@ -28,14 +28,18 @@ class Validation {
     this.cleanse = options.cleanse !== false
   }
 
+  _targetFromPath (p,n) {
+    if (n === undefined) return p
+    if (n.row) return p + this.filter4(n)          // > some/entity(ID=1)...
+    if (typeof n === 'number') return p + `[${n}]` // > some/array[1]...
+    if (p && n) return p+'/'+n                     // > some/element...
+    return n    
+  }
+
   error (code, path, leaf, i18n, ...args) {
     const err = (this.errors ??= new ValidationErrors).add (code)
     if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefix 'in/' for actions
-    if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p,n)=> (
-      n?.row ? p + this.filter4(n) :          //> some/entity(ID=1)...
-      typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
-      p && n ? p+'/'+n : n                    //> some/element...
-    ),'')
+    if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p, n) => this._targetFromPath(p, n),'')
     if (typeof i18n === 'string') err.i18n = i18n
     if (args.length) err.args = args
     return err
@@ -50,12 +54,16 @@ class Validation {
       else if (typeof v === 'string' && !entity.elements[k].isUUID || entity.elements[k]['@odata.Type'] === 'Edm.String') v = `'${v}'`
       filter.push (`${k}=${v}`)
     }
-    return filter.length ? `(${filter})` : `[${index}]`
+    if (filter.length) return `(${filter})`
+    if (index !== undefined) return `[${index}]`
+    return ''
   }
 
-  unknown(e,d,input) {
+  unknown(e,d,input, path) {
     if (this.protocol === 'odata' && e.match(/^\w*@\w+\.\w+$/)) return delete input[e] //> skip all annotations, like @odata.Type (according to OData spec annotations contain an "@" and a ".")
-    d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
+    if (d['@open']) return
+    const target = d.name ?? path.reduce((p, n) => this._targetFromPath(p, n), '')
+    cds.error (`Property "${e}" does not exist in ${target}`, { status: 400, target }) 
   }
 }
 
@@ -209,12 +217,12 @@ class struct extends $any {
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
       if ((each.elements && each.kind !== 'param' ) || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate(), parameters don't have flat elements
       if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
-      else ctx.error (ASSERT_MANDATORY, path_, each.name)
+      else ctx.error (ASSERT_MANDATORY, path_, each.name, each['@mandatory.message'] || each['@mandatory'])
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = Object.hasOwn(elements, each) && elements[each]
-      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
+      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data, path_)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
       else if (ctx.cleanse && d._is_immutable() && !ctx.insert && !path) delete data[each] // @Core.Immutable processed only for root, children are handled when knowing db state
       else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -29,7 +29,7 @@ class EndpointRegistry {
     cds.app.use(basePath, cds.middlewares.context())
     if (_IS_SECURED) {
       // unofficial XSUAA fallback
-      if (cds.env.requires.messaging.xsuaa) {
+      if (cds.env.requires.messaging?.xsuaa) {
         cds.app.use(basePath, _xsuaa_fallback())
       } else {
         cds.app.use(basePath, cds.middlewares.auth())

package/libx/odata/middleware/error.js

@@ -56,7 +56,7 @@ const _normalize = (err, req, keep,
   const status = err.status || err.statusCode || _status4(err) || _reduce(details)
 
   // Determine error code and message
-  const key = err.message || err.code || status
+  const key = err.message || err.code || status // REVISIT: Should we use the message over the code every time?
   const msg = i18n.messages.at (key, '', err.args) // lookup messages for log output from factory default texts
   if (msg && msg !== key) {
     if (typeof err.code !== 'string') err.code = key

package/libx/odata/parse/afterburner.js

@@ -85,7 +85,7 @@ function _addDefaultParams(ref, view) {
 }
 
 function getResolvedElement(entity, { ref }) {
-  const element = entity.elements[ref[0]]
+  const element = entity.elements[ref[0]?.id ?? ref[0]]
 
   if (element && element.isAssociation && ref.length > 1) {
     return getResolvedElement(element._target, { ref: ref.slice(1) })
@@ -782,7 +782,9 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
     .map(element => element.name)
   const newFoundAliases = []
 
-  for (const x of xpr) {
+  for (let i = 0; i < xpr.length; i++) {
+    const x = xpr[i]
+
     if (x.as) newFoundAliases.push(x.as)
 
     if (x.xpr) {
@@ -795,9 +797,7 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
 
       if (x.ref[0].where) {
         const element = target.elements[refName]
-        if (!element) {
-          _doesNotExistError(true, refName, target.name)
-        }
+        if (!element) _doesNotExistError(true, refName, target.name)
         _validateXpr(x.ref[0].where, element._target ?? element.items, isOne, model)
       }
 
@@ -818,28 +818,34 @@ function _validateXpr(xpr, target, isOne, model, aliases = []) {
         }
       }
 
+      if (xpr[i - 1] === 'exists') {
+        const element = getResolvedElement(target, x)
+        if (!element.isAssociation)
+          cds.error({ status: 400, message: 'Invalid use of lambda any / all on a non-association' })
+        if (element.is2one)
+          cds.error({ status: 400, message: 'Invalid use of lambda any / all on an association to one' })
+      }
+
       if (x.expand) {
         let element = target.elements[refName]
+
         if (element.kind === 'element' && element.elements) {
           // structured
           _validateXpr([{ ref: x.ref.slice(1) }], element, isOne, model)
           element = _structProperty(x.ref.slice(1), element)
         }
+
         const target_service = _get_service_of(target)
+
         if (!element._target || element._target._service !== target_service) {
-          _doesNotExistError(
-            true,
-            refName,
-            target_service ? target.name.replace(target_service.name + '.', '') : target.name
-          )
+          const targetName = target_service ? target.name.replace(target_service.name + '.', '') : target.name
+          _doesNotExistError(true, refName, targetName)
         }
+
         _validateXpr(x.expand, element._target, false, model)
-        if (x.where) {
-          _validateXpr(x.where, element._target, false, model)
-        }
-        if (x.orderBy) {
-          _validateXpr(x.orderBy, element._target, false, model)
-        }
+
+        if (x.where) _validateXpr(x.where, element._target, false, model)
+        if (x.orderBy) _validateXpr(x.orderBy, element._target, false, model)
       }
     }
 

package/libx/queue/index.js

@@ -244,7 +244,8 @@ const _processTasks = (target, tenant, _opts = {}) => {
             const _run = opts.legacyLocking && cds.db?.kind === 'sqlite' ? cds._with : service.tx.bind(service)
             const result = await _run({ ...task.context, tenant }, async () => {
               const result = opts.handle ? await opts.handle.call(service, task.msg) : await service.handle(task.msg)
-              await DELETE.from(tasksEntity).where({ ID: task.ID })
+              // we can only delete in the current tx if legacyLocking (i.e., long-lasting db locks) is false
+              if (!opts.legacyLocking) await DELETE.from(tasksEntity).where({ ID: task.ID })
               return result
             })
             task.results = result
@@ -295,13 +296,15 @@ const _processTasks = (target, tenant, _opts = {}) => {
       }
 
       const queries = []
-      if (toBeDeleted.length)
+      const _toBeDeleted = opts.legacyLocking ? toBeDeleted.concat(succeeded) : toBeDeleted
+      if (_toBeDeleted.length) {
         queries.push(
           DELETE.from(tasksEntity).where(
             'ID in',
-            toBeDeleted.map(msg => msg.ID)
+            _toBeDeleted.map(msg => msg.ID)
           )
         )
+      }
 
       // There can be tasks which are not updated / deleted, their status must be set back to `null`
       const updateTasks = selectedTasks.filter(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "9.6.1",
+  "version": "9.6.3",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [