Troubleshooting
Transitive Dependency Vulnerabilities (CVE)
Security scanners may flag a vulnerability in a transitive dependency of the SAP Cloud SDK. This section explains what options you have and what to expect from the SDK team.
Can You Fix It Without Waiting for an SDK Update?
Whether you can resolve the CVE yourself depends on the semver range the SAP Cloud SDK declares for that dependency.
A caret prefix (^1.2.3) allows npm to resolve any compatible version >=1.2.3 <2.0.0, so if the patched version is in that range, npm can pick it up automatically.
A tilde prefix (~1.2.3) is narrower and only allows patch updates (>=1.2.3 <1.3.0).
If the patched version falls within the declared range, you can resolve the CVE yourself without any SDK changes — see Updating a Transitive Dependency below.
If the fix requires a new major version (e.g. 1.x → 2.x), it is outside the range — see Overriding a Transitive Dependency Version.
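The range check described above, as an added example (not code from npm or the SAP Cloud SDK). The helper names are hypothetical, and the sketch goes slightly beyond the text by covering 0.x versions, where a caret range is narrower than for 1.x and above.

```javascript
// Added example: hypothetical helpers, not part of npm or the SAP Cloud SDK.
// Supports a single ^ or ~ prefix on a plain x.y.z version (no prereleases).

function parseVersion(text) {
  const match = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  if (!match) throw new Error(`Unsupported version: ${text}`);
  return match.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of the range, following npm's semver rules.
function upperBound(prefix, [major, minor, patch]) {
  if (prefix === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0]; // ^0.2.3 behaves like ~0.2.3
  return [0, 0, patch + 1]; // ^0.0.3 matches 0.0.3 only
}

// 'update'   -> the fix is below the upper bound, an in-range update reaches it
// 'override' -> the fix is at or above the upper bound, the range excludes it
function remediation(declaredRange, patchedVersion) {
  const prefix = declaredRange[0];
  if (prefix !== '^' && prefix !== '~') {
    throw new Error(`Unsupported range: ${declaredRange}`);
  }
  const upper = upperBound(prefix, parseVersion(declaredRange.slice(1)));
  return compareVersions(parseVersion(patchedVersion), upper) < 0
    ? 'update'
    : 'override';
}

// Constructed inputs: a 1.x caret range and a 0.x caret range.
console.log(remediation('^1.2.3', '1.9.0'));
console.log(remediation('^0.2.3', '0.3.0'));
```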
Updating a Transitive Dependency
If the fixed version falls within the SDK's declared semver range (i.e., no major version bump), update the vulnerable package:
npm update --min-release-age=0 PACKAGE_NAME
After running this command, verify that the package-lock.json file now resolves the package to the patched version:
npm ls PACKAGE_NAME
Alternatively, use npm audit --min-release-age=0 fix to apply all compatible fixes at once.
Be aware of the min-release-age setting in both directions:
- If min-release-age is set: npm may refuse to install a recently published patch because it has not yet reached the required age. In that case, either wait for the package to age out, or target the specific version explicitly with npm update --min-release-age=0 PACKAGE_NAME.
- If min-release-age is not set: npm installs the latest matching version immediately, including packages published seconds ago. This is a supply-chain risk: a compromised package could be installed before the community detects it. Consider setting a minimum age.
Overriding a Transitive Dependency Version
If the security fix was released in a new major version of the dependency (e.g., 1.x → 2.x), the fix is outside the SAP Cloud SDK's declared semver range.
npm audit fix will not apply it automatically because the major version bump may contain breaking changes that affect the SDK.
In this case, use npm overrides (npm ≥ v8.3) to force a specific version of the transitive dependency in the package.json file:
{
  "overrides": {
    "PACKAGE_NAME": "PATCHED_VERSION"
  }
}
Forcing a major version upgrade through overrides bypasses the compatibility guarantee that the semver range provides. Test the application thoroughly after applying an override, as the SDK may not have been tested against the forced version.
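Whether you updated or overrided the dependency, the lockfile should no longer resolve any copy of the package below the patched version, including copies nested under another package. The following check is an added example (not code from npm or the SAP Cloud SDK); the function names, the package name example-dep and all versions in the sample lockfile are constructed, and it assumes lockfileVersion 2 or 3 with plain x.y.z versions.

```javascript
// Added example: hypothetical CI check, not part of npm or the SAP Cloud SDK.
// Assumes the "packages" map of lockfileVersion 2 or 3 and plain x.y.z versions.

// Constructed sample: "example-dep" is installed twice, hoisted and nested.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/@sap-cloud-sdk/http-client': { version: '4.0.0' },
    'node_modules/example-dep': { version: '1.4.2' },
    'node_modules/@sap-cloud-sdk/http-client/node_modules/example-dep': {
      version: '1.2.3'
    }
  }
};

// True when `version` is strictly lower than `minimum`.
const isOlder = (version, minimum) => {
  const [a, b] = [version, minimum].map(v => v.split('.').map(Number));
  const i = a.findIndex((part, k) => part !== b[k]);
  return i !== -1 && a[i] < b[i];
};

// Returns every lockfile path where `name` still resolves below `patchedVersion`.
function unpatchedInstalls(lock, name, patchedVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    // Match the hoisted copy and copies nested under other packages.
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    // Linked workspace entries carry no version and are skipped.
    .filter(([, entry]) => entry.version && isOlder(entry.version, patchedVersion))
    .map(([path]) => path);
}

// In a real project, pass JSON.parse of package-lock.json instead of sampleLock.
console.log(unpatchedInstalls(sampleLock, 'example-dep', '1.4.0'));
```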
SAP Cloud SDK Updates
In most cases you do not need to wait for an SAP Cloud SDK release — the approaches described above are sufficient to resolve a CVE in your project. The SAP Cloud SDK team monitors security advisories and updates dependencies to the minimal safe version as part of regular releases. If the fix requires a major version upgrade of the dependency, the SDK team will handle the migration and ship a new SAP Cloud SDK release that is compatible with the updated dependency.
If you are blocked by a CVE and the steps above are not sufficient, open a GitHub issue. Include the CVE identifier, the affected package, and the resolved version you need. This helps the team prioritize the update.
Cannot find module '@sap-cloud-sdk/http-client'
The SAP Cloud Application Programming Model (CAP) uses the SAP Cloud SDK to execute HTTP requests towards external services. Since not all CAP users call external services, the dependency was excluded since version 6.0.0 of CAP. If you are a CAP user and experience errors like:
cannot find module '@sap-cloud-sdk/http-client'
please install the missing dependency via:
npm install @sap-cloud-sdk/http-client
Connectivity Issue
You are experiencing connectivity issues using the SAP Cloud SDK and the error logs are not conclusive?
In such a case please follow the flowchart.
For each squared box, a dedicated section gives instructions below.
The circles indicate start and end points.
A get help circle means opening an issue on the respective component or repository.
Use Minimal Example
Often the issue is related to a framework that uses the SAP Cloud SDK and not the code itself. Therefore, add the minimal example to the code to ensure the error is related to the SAP Cloud SDK.
import { executeHttpRequest } from '@sap-cloud-sdk/http-client';
import { getDestination } from '@sap-cloud-sdk/connectivity';

async function minimalTest() {
  // Step 1: resolve the destination.
  const destination = await getDestination({
    destinationName: YOUR_DESTINATION_NAME
  });

  if (destination) {
    // Fail early if a token could not be issued for the destination.
    destination.authTokens?.forEach(authToken => {
      if (authToken.error) {
        throw new Error(`Error in authToken ${authToken.error}`);
      }
    });
  } else {
    throw new Error('Destination is undefined.');
  }
  console.log('Destination Retrieved.');

  // Step 2: call the target service through the destination.
  const response = await executeHttpRequest(destination, {
    method: 'get',
    url: YOUR_SERVICE_URL
  });

  if (!response.data) {
    throw new Error('No data returned');
  }
  console.log('Data Retrieved.');
}
Replace YOUR_SERVICE_URL with the URL of your service, e.g., /sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner?%24top=1.
Use the same service you also plan to call in production to observe authorization issues in the test case as well.
Include all getDestination() options you are using in your real example, like useCache or JWT.
Also adjust the example to your needs by adding additional log statements.
You can execute the minimal example locally to have a quicker turnaround time.
This is possible when you connect to a cloud system.
To do that, copy the VCAP_SERVICES environment of the application to the local process.
Get Destination Error
You received an error while getting the destination or saw alarming logs while retrieving the destination. This can have multiple reasons:
- The destination name is not correct or the destination is not present in your SAP BTP account.
- The destination has errors in the authToken object. Adjust the configuration according to the error message until the destination service can receive a token.
- The destination service is not bound to your application.
- For OnPremise destinations the connectivity service must be bound to your application.
- The destination service is missing as a dependency of your application. This is only relevant in multi-tenant applications if you make the call via a subscriber account.
If you are stuck in retrieving the destination, and you think the issue is caused by the SAP Cloud SDK, please open an issue. Please provide the information from your minimal example in the ticket.
Fix Cloud Issues
You retrieved the destination but got an error when calling the cloud target system. This can have multiple reasons:
- The destination contains wrong user credentials or the user does not exist in the target system.
- The user is locked in the target system.
- The permissions of the user are insufficient.
- The scopes of the JWT in the authTokens are insufficient.
If your request reaches the target system and gets rejected there, the problem most likely does not lie with the SAP Cloud SDK. The error logs of the target system may provide additional information on the error.
Activate Backend Logs
You have a problem connecting to an on-premise system via a Cloud Connector and connectivity service. Often there is an issue in the Cloud Connector setup. To see if a request reaches the backend system, activate the HTTP logs.
- Go to transaction SMICM.
- Navigate to GOTO->Trace Level and set the trace level to 3 and activate HTTP logs.
- You may want to reset the log file so that it contains no old logs (GOTO->Trace File).
- Trigger your request.
- Remember to switch back the trace level after you send the request.
- Go to transaction ST11 and investigate the file dev_icm.
If you see entries related to your request, your connection is working.
Fix Connection Issues
You have not found entries in the HTTP logs. This means your request got stuck somewhere before.
- Investigate the logs of the Cloud Connector and check the documentation to fix problems.
- The connectivity service is not bound to your application.
- The connectivity service is missing as a dependency of your application. This is only relevant in multi-tenant applications if you make the call via a subscriber account.
If you keep experiencing problems, please reach out to the SAP BTP or Cloud Connector support.
Fix On-Premise Issues
Your request reaches the backend, but is rejected there. Usually the content of the HTTP logs should give you a hint what to do. In the end requests get rejected for the same reasons as in the cloud case. In addition, there are on-premise specific problems:
- The default client is not the client with your user and configuration. Set the sap-client explicitly on the destination.
- The principal propagation is more difficult to configure. If a destination with basic authentication works you know for sure you have a problem with user propagation.
- The user mapping is not correctly configured for principal propagation.
Find Difference
The minimal example is working, but your real code is not.
This means the framework you are using is calling the SAP Cloud SDK in a different way than you are.
At this point, debug the application.
Try to reach the point where the executeHttpRequest() function of the SAP Cloud SDK is called and compare the argument to the one of the minimal example.
If you found the difference, try to align it or open an issue with the framework.