Skip to Content
Product Information
Author's profile photo Oliver Graeff

Removing outdated UI5 versions from UI5 CDN

Update December 15, 2021: SAP moves forward safeguarding an up-to-date and secure environment which benefits from SAP’s enterprise support. As announced in this blog post in January 2021, the UI5 team will delete UI5 versions on the UI5 CDN beginning with:

  • SAPUI5 / OpenUI5 1.22, 1.24, 1.26 in mid of January 2022
  • SAPUI5 / OpenUI5 1.28, 1.30, 1.32 in mid of March 2022

Note that a version is fully maintained for the full quarter listed as “End of Cloud Provisioning” in the SAPUI5 Versions Maintenance Status. The version will be deleted right after this quarter. It is planned to have all versions removed by end of Q2/2022, for which the End of Cloud Provisioning has passed. Applications using such versions will stop working. To stay up to date on this, please see The UI5 team reaches out to You.


Update August 16, 2021: The UI5 team wants to re-iterate the importance of this topic. We can see that outdated UI5 versions are still in use by few customers. Please note that once these are removed, applications will break. To avoid a potential security risk, please update to a more recent version as described in this blog post.


SAP sees Security as an essential topic, investing heavily in all product areas and fulfilling respective legal compliance. We are committed to identify and address security issues affecting our software and cloud solutions. This is reflected in a number of Security Offerings including SAP Security Patch Days. UI5 implements latest security patches in order to fix potential vulnerabilities. SAP strongly recommends that customers apply patches on a priority to protect their SAP landscape. For SAP Business Technology Platform, we always recommend upgrading to the latest SAPUI5 version. It includes the latest capabilities, patches and security fixes.

The UI5 team wants to emphasize the importance of this topic as some outdated UI5 versions are still in use. To ensure outdated versions are no longer posing a potential security risk, it is common practice to remove them from cloud delivery. We decided to

Remove SAPUI5 / OpenUI5 versions from the CDN one year after their end of maintenance. In addition, also patches of versions in maintenance which are older than one year will be removed.

See the maintenance status of the UI5 version in the SAPUI5 version overview and the OpenUI5 version overview respectively. The UI5 version/patch is available until the end of the given quarter and being removed soon afterwards.We begin with the removal in Q3/2021 so that all affected SAP customers and partners have time to react. Depending on your initial situation and whether you want to adopt latest SAP Fiori innovations, our recommendation is to upgrade to a long-term maintenance version:

  • to SAPUI5 / OpenUI5 1.38 from versions below 1.38
  • to SAPUI5 / OpenUI5 1.71 / 1.84 from other versions

In general, also plan to regularly consume the latest patch level of the respective version.

Please notice: this in no way means a change in the maintenance strategy / support duration of UI5 versions: Affected are UI5 versions on CDN one year after their end of maintenance.For your reference see SAP note 3001696 and further information on developing and running secure SAPUI5 apps in Securing Apps. Also see more details on SAPUI5 versioning, upgrading and compatibility rules.

To access the SAPUI5 documentation for outdated on-prem versions, go to the SAP NetWeaver product page, click on your platform version, click on the UI Technologies link and then on SAPUI5: UI Development Toolkit for HTML5. This will open the respective SAPUI5 documentation version.

Assigned Tags

      23 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Fábio Luiz Esperati Pagoti
      Fábio Luiz Esperati Pagoti

      Hello Oliver Graeff ,

       

      First, thanks for the update. I noticed that the page describing all versions has been update to include a column called "End of cloud provisioning". Almost all out of maintenance versions are there with Q3/2021 as you mentioned.

      Based on the blog, I understand that:

       

      1) The following links won't serve UI5 content:

      Example:

      https://ui5.sap.com/1.44.50/resources/sap-ui-core.js

       

      Because 1.44.x is not maintened since Q4/2019

       

      2) the same thing applies for links like:

      https://sapui5.netweaver.ondemand.com/

       

      https://openui5.hana.ondemand.com/

       

      https://openui5nightly.hana.ondemand.com/

       

      Questions:

      A) Those links also serve the official documentation. Will the documentation still be available? Those versions might still exist on On-Premise systems and the SDK has been removed from SAP_UI component a long time ago. So, there is no change of having the documentation served from the on-premise system.

       

      B) Are there any other links apart from those mentioned above?

       

      Thanks,

      Author's profile photo Stefan Beck
      Stefan Beck

      Hi Fabio,

      yes also links to https://sapui5.netweaver.ondemand.com/ or openui5 will show the same behavior and not serve content for versions after the end of cloud provisioning date.

       

      To your questions:

      A) SAP also recommends to follow the same approach for onPremise systems and thus the need for documentation of these versions should also disappear. In case you might have a completely safe internal environment, the SAP Help Portal could be a workaround for documentation: https://help.sap.com/viewer/468a97775123488ab3345a0c48cadd8f/202009.000/en-US/95d113be50ae40d5b0b562b84d715227.html

      Also downloading the SDK from https://tools.hana.ondemand.com/#sapui5 in time could be an option.

      B) Not sure what you mean. I assume the 2 links in the answer above fall into the category that you're asking for. Otherwise please ask again and I'll do my best to answer:-)

       

      But please, take this topic serious. As Oliver didn't mention it concretely: we have tools like the SAP Theme Designer or SAP Web IDE where even the latest versions can be attacked via vulnerabilities of embedded older versions. We work hard to prevent this, still it helps a lot in having a clean approach via only serving secure enough software.

      So the recommendation is to apply at least a patch once a year and based on the customer feedback over several years, the regression risk with later patches is extremely low.

      Best regards
      Stefan

      Author's profile photo Shai Sinai
      Shai Sinai

      Hi,

      Regarding the removal of patches older than one year which are sill in maintenance (and supported by SAP),

      it would be appreciated if you may move them to to a different folder/path instead of completely removing them from the CDN.

      We use the CDN also to make regression/combability tests of new developments against different SAPUI5 versions and as long as these patches are supported by SAP we need to support them.

      Author's profile photo Margot Wollny
      Margot Wollny

      Actually you only have support on version but not on patch level. Corrections for a UI5 version are bundled in patches and therefore always require a patch update.

      Author's profile photo Shai Sinai
      Shai Sinai

      Thanks.

      So, if I understood correctly, customers must (regularly) update the to the latest patch to get support?

      Author's profile photo Margot Wollny
      Margot Wollny

      That’s the recommendation, but relies on the customer if he wants to update on each patch level or does it in it’s own speed (with skipping some patches in between). But if a customer reports an issue he will either get the answer “your issue is solved in patch xx, please upgrade accordingly” or “your issue will be solved in the next patch”, so to get a fix, the customer needs to upgrade on patch level.

      I am wondering if you are mixing up versions and patches here as you are also writing that you are doing regression/compatibility tests against different UI5 versions (which makes sense as new versions come with new functionalities), but I doubt that you are doing these test against all available patches of this version (e.g. 1.38 has 48 patches!).

      Author's profile photo Shai Sinai
      Shai Sinai

      Hi,

      We have many SAP installations in different SAPUI5 versions and patches.

      We don't check all of the available patches, but we do have to check several patches of the same SAPUI5 version (these who are in use in the system).

      As long as there isn't any official requirement by SAP to install new patches (or at least don't use patches older than one year), we have to support all these patches.

      Even if the fix will eventually require an installation of a new patch, we first need to check it in their existing version/patch.

      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Hi Margot Wollny ,

      this brings me to my old but still unsolved request: I would like to have an "evergreen" (in terms of patches) CDN URL per version, ie eg I want

      https://sapui5.hana.ondemand.com/1.84/resources/sap-ui-core.js

      to work and deliver the latest patch level.

      Regards,

        Wolfgang

      Author's profile photo Margot Wollny
      Margot Wollny

      Well, unstable URLs which could potentially change the content which is provided by them may be a bigger risk as this could cause indeterministic issues at customer side.

      The problem are the various caches here, at Akamai, within the HTTP proxies, in the browser. The only chance to overcome this is to have unique URLs and the cache busting concept must be used. One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out.

      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Well this caches problem also holds true for http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ and I do not have seen complaints about indeterministic issues with these URLs.

      "One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out." This is another reason I want only major version stable URLs.

      So what is the recomendation for non-Launchpad productive UI5 Apps, as using http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ is also discouraged for productive apps? Change app on every UI5 minor release? Closely monitor minor releases for minor releases being phased out and minor releases fixing security probems and act accordingly? Neither seems to be really feasible...

      Regards,

      Wolfgang

      Author's profile photo Peter Muessig
      Peter Muessig

      True, but we do not recommend to use the default version of openui5, sapui5, or ui5.sap.com for productive scenarios. They also have a reduced max-age of 1 week only instead of 1 year like the versioned URLs. We had several issues in the past related to cache inconsistencies after hot fixes when we propagated it to use the latest version. For productive scenarios we only use and recommend the versioned URLs.

      IMO, the only chance to use these generic URLs is to also use the cachebuster concept, so that we have a chance to invalidate the cache once an update take place. This may be the best solution for those non-launchpad scenarios. Would it be OK in such cases to use the runtime cachebuster concept? This also applies to the default versions. I will definitely take this topic into our discussion. This evergreen discussion also has been raised from other parties as well.

      Regards,

      Peter

      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Hi Peter,

      yes, a cachebuster concept would be welcome here!

      Regards,

      Wolfgang

      Author's profile photo Shai Sinai
      Shai Sinai

      How is it different from the latest version/patch url?

      https://sapui5.hana.ondemand.com/resources/sap-ui-core.js
      Author's profile photo Margot Wollny
      Margot Wollny

      The URL you mention contains the default SAPUI5 version which is indeed always the latest available version/patch. But as mentioned above, this URL is not meant for productive usage  as it is constantly being upgraded and this might have an impact on the stability of your application (see also the arguments by Peter).

      Author's profile photo Boghyon Hoffmann
      Boghyon Hoffmann

      Here is one example where an application had an issue because it was relying on the default (unspecified) version: https://stackoverflow.com/a/60377984/5846045.

      Also from the documentation:

      ⚠ Caution
      The default version is constantly being upgraded and this might have an impact on the stability of your application. Use this version for testing purposes only.

      src="https://sapui5.hana.ondemand.com/resources/sap-ui-core.js"
      (Source)

      Author's profile photo Holger Schäfer
      Holger Schäfer

      Hi Oliver,

      just today inside UI5ers, Peter Muessig showed the heavily requested bootstrapping for the CDN patch release delivery using CacheBuster (also requested from Wolfgang Röckelein:)

      https://sapui5.hana.ondemand.com/1.96/resources/sap-ui-core.js

      I did not saw the telco from the start, so please can you add the info, when and for what release this feature will be available.

      If i understood right, it will be from 1.71 on going, because it depends on async component instantiation in conjunction with CacheBuster.

      The used CDN from Peter was just a private SAP BTP hana.ondemand.com address, so i think this is planned and currently not public available.

      Maybe you can point me to the relevant roadmap, when this will be available.

      It will help to delivery apps, that will untouched support latest patch versions without running in the removed outdated libraries hell.

      BTW: It would still be great, if CDN would also support ABAP OnPremise systems, because a lot of customers running on FES 6 with 1.71 have apps that need 1.9x to be able to use new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores.

      Right now, they are forced to serve nessessary SAPUI5 libs by their own on premise.

      This would make their live much more easy.

      Best Regards
      Holger

      Author's profile photo Peter Muessig
      Peter Muessig

      Hi Holger,

      this feature will be part of the SAPUI5 1.100 version. Once the SAPUI5 SDK on the public CDN is upgraded to 1.100 all LTS versions >= 1.71 will have this possibility to refer to those major.minor version URLs (evergreen URLs).

      Best regards,

      Peter

      Author's profile photo Holger Schäfer
      Holger Schäfer

      Hi Peter,

      thanks. I missed that part of your presentation.

      Best Regards

      Holger

       

      Author's profile photo Wolfgang Röckelein
      Wolfgang Röckelein

      Hi Peter Muessig ,

      thank you. This is more than welcome!

      As a side note: in the manifest,json for BTP Deployment you can also use

      "sap.platform.cf": {
        "ui5VersionNumber": "1.84.x"
      }

      meanwhile.

      Regards,

      Wolfgang

      Author's profile photo Margot Wollny
      Margot Wollny

      With regard to  new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores: The new sap.ndc.BarcodeScannerButton was downported and is available with the latest patch version for 1.71.(We talked about this in UI5ers live Episode 15 in February ;-))

      Author's profile photo Holger Schäfer
      Holger Schäfer

      Thanks Margot,
      too many topics in parallel. Just missed this.

      I have not expected this inside LTS, because it is somehow a new feature and not just a patch.

      But it highly makes sense in conjunction with the removal of the SAP Fiori Client.

      Best regards

      Holger

      Author's profile photo Sagar Bansal
      Sagar Bansal

      Hi All,

       

      As per the above blog, only the UI5 versions till 1.32 was supposed to be removed from the CDN.

      I am using 1.38.6 version in my application using CDN and for that also I am getting the following error : The requested UI5 version is outdated and has been removed.

      As checked on the version overview page, the End of Cloud Provisioning for 1.38 is Q4/2028.Can someone please explain why the version 1.38.6 has been removed from CDN without any communication.

      Following is the URL I am using in my application for bootstrapping :https://sapui5.hana.ondemand.com/1.38.6/resources/sap-ui-core.js

       

      Thanks & Regards,
      Sagar Bansal

      Author's profile photo Oliver Graeff
      Oliver Graeff
      Blog Post Author

      Hi Sagar Bansal,

      sorry to hear this. Kindly note 'In addition, also patches of versions in maintenance which are older than one year will be removed' in this blog post and SAP note 3001696. Also see 'The UI5 team reaches out to You' above: https://ui5.sap.com/ shows a notification saying 'Specifically, this means that in CW 20, we will remove ... patches 5 to 49 for version 1.38.'

      Reason is that patch 6 of 1.38 is long outdated and posing a security risk. 'Upgrading' to the latest patch should be straight-forward and corresponds to our recommendation in https://ui5.sap.com/versionoverview.html and Versioning and Maintenance of SAPUI5. Hope this will fix your issue easily.

      Thanks for your understanding and best regards,
      Oliver Graeff