chore(deps): consolidated dependency update + CAP 10 upgrade#160
Merged
Conversation
Supersedes the 9 open Dependabot PRs (#146, #147, #148, #149, #151, #152, #153, #156, #157) with one validated update. Direct-dep bumps plus lockfile refreshes that absorb the transitive updates; each subproject's build and test suite was run to confirm the majors are safe. vscode-extension: - @vscode/vsce 2.32 -> 3.9.2 (major), esbuild 0.25 -> 0.28.1 (#147, #149) - transitives via lockfile: markdown-it 12->14, js-yaml 4.3, form-data 4.0.6, undici 7.28, tmp 0.2.7 (#146, #152, #153, #157) - Verified: compile + esbuild bundle + `vsce package` succeed; the .vsix stays self-contained (webview assets present, zero native binaries). app/vue: - vite 6.3 -> 8.1.4 (two majors), @vitejs/plugin-vue 5.2 -> 6.0.7 (major), echarts 6.0 -> 6.1 (#148, #156) - Verified: 46 vitest tests pass; `build` and `build:vscode` succeed and emit the webview assets consumed by the extension .vsix. docs: - dompurify 3.4.3 -> 3.4.11 via lockfile (transitive under mermaid) (#151) - Verified: `docs:build` succeeds. Root `test:ci` (550 passing) and `lint` remain green. Pre-existing app/vue advisories (xlsx, dompurify-via-monaco) are untouched — out of scope and only resolvable with breaking `audit fix --force`.
This was referenced Jul 11, 2026
…rivers Completes the CAP 10 migration on top of the consolidated dependency update. The project's prior pre-work (compat flags already set to CAP 10 targets: legacyLocking=false, ieee754compatible=true, compat_srv_getters=false, compat_texts_entities=false) meant no runtime code changes were required. - @sap/cds ^9.9.0 -> ^10.0.3 - @cap-js/hana 2.8 -> 3.0.1, @cap-js/sqlite 2.4 -> 3.0.2, @cap-js/postgres 2.3 -> 3.0.1, @cap-js/telemetry 1.6 -> 2.0.1 (the 3.x/2.x majors declare `peer @sap/cds ^10`) - Remove @sap/cds-hana: its cds-plugin throws "incompatible with @sap/cds version 9 and higher — use @cap-js/hana instead". Unused in source; @cap-js/hana already covers HANA connectivity. - esbuild: mark generic-pool external — it's an OPTIONAL peer of @cap-js/db-service@3 whose require() is guarded behind the legacy pool path (CAP 10 uses the built-in pool), and it's not installed. Audit: no CAP 10 breaking-change surface in source — no CAP req.params (the one req.params is an Express route param), no ASSERT_MANDATORY matching, no draft SAVE handlers, no @requires/req.user relying on skipped local checks. Bonus: @cap-js/sqlite@3 makes better-sqlite3 an optional peer, so the native binary is no longer installed at all — reinforcing the OS-portable .vsix. Verified on CAP 10.0.3: - root test:ci 550 passing; database+connection utils 50 passing; lint clean - `cds compile` produces SQL; runtime SELECT via node:sqlite works, better-sqlite3 never loads - extension bundles + packages: 352 webview assets, 0 native binaries
`npm update` sweep across all projects to pull patch/minor bumps that sit within existing semver ranges (no package.json changes needed): - root: @cap-js-community/odata-v2-adapter 1.16, @wdio/* 9.29.1, chromedriver 150.0.3, eslint 10.6, terminal-kit 3.1.3, webdriverio, @types/node, hdb 2.29, sap-hdb-promisfied (lockfile only) - docs: vue 3.5.39, @agentmarkup/vite 0.5.2 (56 transitive packages) - app/vue, vscode-extension: already at wanted versions Verified: root test:ci 550 passing, lint clean, docs:build and app/vue vitest (46) green.
TypeScript 7.0 (the native compiler) builds both plain-tsc projects cleanly:
- vscode-extension: ^5.7 -> ^7.0.2 (compile, pretest, esbuild bundle all pass)
- mcp-server: ^6.0.2 -> ^7.0.2 (tsc build passes)
Regenerated mcp-server/build/ (committed output): only .d.ts and .js.map
files change — TS 7 emits single quotes in declarations. Zero runtime .js
changes; no behavior difference.
app/vue is intentionally NOT upgraded: vue-tsc@2 does
`require('typescript/lib/tsc')`, a subpath TS 7 removed from its exports map
(ERR_PACKAGE_PATH_NOT_EXPORTED). It needs vue-tsc@3 first — tracked in the
Group B follow-up issue. app/vue stays on TS 5.9 (within its ^5.7 range).
This was referenced Jul 11, 2026
jung-thomas
added a commit
that referenced
this pull request
Jul 11, 2026
Version bump + changelog for the 4.202607.0 release. Done via PR because the release workflow's workflow_dispatch path pushes the bump commit directly to main, which the branch-protection rulesets reject (GH013). After this merges, pushing the v4.202607.0 tag triggers the workflow's tag path (resolve-version -> publish), which does not push to main and publishes cleanly. Includes: self-contained OS-portable VS Code .vsix (#159), CAP 10 + cds-10 drivers (#160), TypeScript 7 for extension/mcp-server + consolidated deps (#160, #162), Group B majors (#162), i18n key fixes (#163). Co-authored-by: Thomas Jung <12159356+jung-thomas@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
One validated PR that (a) consolidates the 9 open Dependabot PRs, (b) refreshes all in-range patch/minor updates, (c) completes the CAP 10 (
@sap/cds10) upgrade, and (d) upgrades TypeScript 7 where it builds cleanly. Every major here was actually built and tested, not merged blind.Closes #146
Closes #147
Closes #148
Closes #149
Closes #151
Closes #152
Closes #153
Closes #156
Closes #157
Follow-up for deferred majors: #161
CAP 10 upgrade (root)
generic-poolexternal (optional peer of @cap-js/db-service@3, guarded require)better-sqlite3binary entirely.TypeScript 7
vsce package, mcptsc). mcp-server/build regenerated (only.d.ts/.mapquote-style; zero runtime.jschange).vue-tsc@2can't load TS 7 (ERR_PACKAGE_PATH_NOT_EXPORTED); needsvue-tsc@3, tracked in Deferred major dependency upgrades (Group B) #161.Subproject dependency bumps
vscode-extensionapp/vuemcp-serverdocsVerification (on CAP 10.0.3 + TS 7)
test:ci550 passing; database+connection utils 50 passing;eslintcleancds compile→ SQL; runtimeSELECTvia node:sqlite, better-sqlite3 never loadsapp/vue46 vitest pass; builds green on vite 8docs:buildgreen;mcp-servertsc build greenOut of scope (see #161)
Deferred majors: inquirer 14, csv-parse 7, js-yaml 5, marked 18, vue-router 5, vue-tsc 3 (+app/vue TS 7), glob 13, @vscode/test-electron 3, @types/node 26. Pre-existing advisories (
xlsx,dompurify-via-monaco,sap-hdb-promisfiednested deps) — onlyaudit fix --forceresolves; left untouched. Committedapp/vue/dist/regenerated byprepack, not included.