Skip to content

Deferred major dependency upgrades (Group B) #161

Description

@jung-thomas

Context

While consolidating Dependabot PRs + upgrading to CAP 10 and TypeScript 7 (PR #160), several major-version bumps were deliberately deferred because each carries breaking-change risk and needs individual API review + testing. This issue tracks them so they aren't forgotten.

Everything in PR #160 is done: all patch/minor "wanted" bumps, CAP 10 (@sap/cds 10 + cds-10-native cap-js drivers), and TypeScript 7 for vscode-extension + mcp-server. The items below remain.

Deferred majors

Root (package.json) — directly imported in source, need API review

Package Current Latest Notes
csv-parse ^6.2.1 7.0.1 Imported in 1 source file (bin/import.js). v7 has API/option changes — review parse options.
js-yaml ^4.1.0 5.2.1 Imported in 2 source files. v5 is ESM-focused with API changes.
marked ^17.0.6 18.0.6 Imported in 4 source files. Check renderer/extension API changes.
inquirer ^13.4.2 14.0.2 Imported in 3 source files. v14 requires Node ≥20.17 / ≥22.13 — verify against engines (currently >=22).

app/vue

Package Current Latest Notes
vue-tsc ^2.2.0 3.3.7 Blocks TypeScript 7 in app/vue — vue-tsc@2 does require('typescript/lib/tsc'), a subpath TS 7 removed (ERR_PACKAGE_PATH_NOT_EXPORTED).
typescript ^5.7.0 (resolves 5.9) 7.0.2 Do together with vue-tsc@3 above. vscode-extension + mcp-server are already on TS 7.
vue-router ^4.5.0 5.1.0 Router v5 major — review navigation guards / API.

vscode-extension

Package Current Latest Notes
glob ^11.0.0 13.0.6 Two majors. Verify glob API usage in esbuild.config.mjs route/util discovery.
@vscode/test-electron ^2.3.0 3.0.0 Test harness major. Note: extension integration tests need a display (not run in headless CI today).
@types/node ^25.8.0 26.1.1 Types-only; low risk but a major.

Suggested grouping for follow-up PRs

  1. app/vue TS toolchain: vue-tsc 3 + typescript 7 together (unblocks the last TS 7 holdout), optionally vue-router 5.
  2. Root source-imported libs: csv-parse 7, js-yaml 5, marked 18, inquirer 14 — each needs a code review of its usage; can be one PR with per-package verification or split.
  3. vscode-extension dev tooling: glob 13, @vscode/test-electron 3, @types/node 26.

Pre-existing security advisories (also deferred — only npm audit fix --force resolves, risks breakage)

  • xlsx (SheetJS) — no upstream fix available.
  • dompurify via monaco-editor (app/vue).
  • sap-hdb-promisfied nested deps: brace-expansion, diff, js-yaml, serialize-javascript.

Refs: PR #160.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions