Author: Oliver Graeff

Removing outdated UI5 versions from UI5 CDN

Update August 16, 2021: The UI5 team wants to reiterate the importance of this topic. We can see that outdated UI5 versions are still in use by a few customers. Please note that once these are removed, applications will break. To avoid a potential security risk, please update to a more recent version as described in this blog post.


SAP sees security as an essential topic, investing heavily in all product areas and fulfilling the respective legal compliance requirements. We are committed to identifying and addressing security issues affecting our software and cloud solutions. This is reflected in a number of security offerings, including SAP Security Patch Days. UI5 implements the latest security patches in order to fix potential vulnerabilities. SAP strongly recommends that customers apply patches as a priority to protect their SAP landscape. For SAP Business Technology Platform, we always recommend upgrading to the latest SAPUI5 version. It includes the latest capabilities, patches and security fixes.

The UI5 team wants to emphasize the importance of this topic, as some outdated UI5 versions are still in use. To ensure that outdated versions no longer pose a potential security risk, it is common practice to remove them from cloud delivery. We decided to:

Remove SAPUI5 / OpenUI5 versions from the CDN one year after their end of maintenance. In addition, patches older than one year of versions still in maintenance will also be removed.

See the maintenance status of each UI5 version in the SAPUI5 version overview and the OpenUI5 version overview respectively.

We begin with the removal in Q3/2021 so that all affected SAP customers and partners have time to react. Depending on your initial situation and whether you want to adopt the latest SAP Fiori innovations, our recommendation is to upgrade to a long-term maintenance version:

  • to SAPUI5 / OpenUI5 1.38 from versions below 1.38
  • to SAPUI5 / OpenUI5 1.71 / 1.84 from other versions

In general, also plan to regularly consume the latest patch level of the respective version.
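
An added example, not SAP's or the author's code: a Node.js audit that finds UI5 bootstrap `<script>` URLs in HTML and classifies them against the upgrade recommendation above. The CDN host list is taken from this page; `LTM_VERSIONS`, the finding labels and the sample HTML (including the patch numbers 1.84.9 and 1.28.5) are assumptions constructed for illustration, and the authoritative maintenance status remains the version overview.

```javascript
// Added example: audit UI5 bootstrap URLs against this post's upgrade guidance.
// Hosts are the CDN names on this page; LTM_VERSIONS mirrors the post's
// recommendation and is an assumption to re-check in the version overview.
const CDN_HOSTS = new Set(["ui5.sap.com", "sapui5.hana.ondemand.com",
  "openui5.hana.ondemand.com", "sapui5.netweaver.ondemand.com",
  "openui5nightly.hana.ondemand.com"]);
const LTM_VERSIONS = ["1.38", "1.71", "1.84"];
const BOOTSTRAP = /^\/(?:(\d+)\.(\d+)(?:\.(\d+))?\/)?resources\/sap-ui-core\.js$/;

// Classify one URL; returns null if it is not a UI5 CDN bootstrap URL.
function classifyBootstrapUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; } // relative or malformed
  if (!CDN_HOSTS.has(url.hostname)) return null;
  const m = url.pathname.match(BOOTSTRAP);
  if (!m) return null;
  if (m[1] === undefined) {
    // Unversioned URL: the default version, which changes under the app.
    return { url: rawUrl, version: null, finding: "default-version",
             advice: "pin a versioned URL" };
  }
  const major = Number(m[1]), minor = Number(m[2]);
  const line = `${major}.${minor}`;
  const version = m[3] === undefined ? line : `${line}.${m[3]}`;
  if (LTM_VERSIONS.includes(line)) {
    return { url: rawUrl, version, finding: "long-term-maintenance",
             advice: `keep ${line} on a patch younger than one year` };
  }
  const below138 = major < 1 || (major === 1 && minor < 38);
  return { url: rawUrl, version, finding: "upgrade-recommended",
           advice: below138 ? "upgrade to 1.38" : "upgrade to 1.71 / 1.84" };
}

// Collect findings for every <script src="..."> in an HTML document.
function auditHtml(html) {
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(scriptSrc)]
    .map((m) => classifyBootstrapUrl(m[1]))
    .filter((finding) => finding !== null);
}

// Constructed sample page; patch numbers 1.84.9 and 1.28.5 are made up.
const SAMPLE_HTML = `
<script id="sap-ui-bootstrap" src="https://ui5.sap.com/1.44.50/resources/sap-ui-core.js"></script>
<script src="https://sapui5.hana.ondemand.com/resources/sap-ui-core.js"></script>
<script src="https://sapui5.hana.ondemand.com/1.84.9/resources/sap-ui-core.js"></script>
<script src="https://openui5.hana.ondemand.com/1.28.5/resources/sap-ui-core.js"></script>
<script src="/local/app.js"></script>`;
for (const f of auditHtml(SAMPLE_HTML)) console.log(f.finding, f.version, f.advice);
```

Running the audit over a repository's HTML files before the removal date lists every page that would stop loading UI5 or that depends on the moving default version.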

Please note: this in no way means a change in the maintenance strategy / support duration of UI5 versions. Affected are UI5 versions on the CDN one year after their end of maintenance.

For your reference, see SAP note 3001696 and further information on developing and running secure SAPUI5 apps in Securing Apps. Also see more details on SAPUI5 versioning, upgrading and compatibility rules.

To access the SAPUI5 documentation for outdated on-prem versions, go to the SAP NetWeaver product page, click on your platform version, click on the UI Technologies link and then on SAPUI5: UI Development Toolkit for HTML5. This will open the respective SAPUI5 documentation version.


      15 Comments
      Fábio Luiz Esperati Pagoti

      Hello Oliver Graeff,

      First, thanks for the update. I noticed that the page describing all versions has been updated to include a column called "End of cloud provisioning". Almost all out of maintenance versions are there with Q3/2021 as you mentioned.

      Based on the blog, I understand that:

      1) The following links won't serve UI5 content:

      Example:

      https://ui5.sap.com/1.44.50/resources/sap-ui-core.js

      Because 1.44.x is not maintained since Q4/2019

      2) the same thing applies for links like:

      https://sapui5.netweaver.ondemand.com/

      https://openui5.hana.ondemand.com/

      https://openui5nightly.hana.ondemand.com/

      Questions:

      A) Those links also serve the official documentation. Will the documentation still be available? Those versions might still exist on On-Premise systems and the SDK has been removed from SAP_UI component a long time ago. So, there is no chance of having the documentation served from the on-premise system.

      B) Are there any other links apart from those mentioned above?

      Thanks,

      Stefan Beck

      Hi Fabio,

      Yes, also links to https://sapui5.netweaver.ondemand.com/ or openui5 will show the same behavior and not serve content for versions after the end of cloud provisioning date.

      To your questions:

      A) SAP also recommends to follow the same approach for onPremise systems and thus the need for documentation of these versions should also disappear. In case you might have a completely safe internal environment, the SAP Help Portal could be a workaround for documentation: https://help.sap.com/viewer/468a97775123488ab3345a0c48cadd8f/202009.000/en-US/95d113be50ae40d5b0b562b84d715227.html

      Also downloading the SDK from https://tools.hana.ondemand.com/#sapui5 in time could be an option.

      B) Not sure what you mean. I assume the 2 links in the answer above fall into the category that you're asking for. Otherwise please ask again and I'll do my best to answer :-)

      But please, take this topic seriously. As Oliver didn't mention it concretely: we have tools like the SAP Theme Designer or SAP Web IDE where even the latest versions can be attacked via vulnerabilities of embedded older versions. We work hard to prevent this, still it helps a lot in having a clean approach via only serving secure enough software.

      So the recommendation is to apply at least a patch once a year and based on the customer feedback over several years, the regression risk with later patches is extremely low.

      Best regards
      Stefan

      Shai Sinai

      Hi,

      Regarding the removal of patches older than one year which are still in maintenance (and supported by SAP),

      it would be appreciated if you could move them to a different folder/path instead of completely removing them from the CDN.

      We use the CDN also to make regression/compatibility tests of new developments against different SAPUI5 versions and as long as these patches are supported by SAP we need to support them.

      Margot Wollny

      Actually you only have support on version but not on patch level. Corrections for a UI5 version are bundled in patches and therefore always require a patch update.

      Shai Sinai

      Thanks.

      So, if I understood correctly, customers must (regularly) update to the latest patch to get support?

      Margot Wollny

      That’s the recommendation, but it is up to the customer whether he wants to update to each patch level or does it at his own speed (skipping some patches in between). But if a customer reports an issue, he will either get the answer “your issue is solved in patch xx, please upgrade accordingly” or “your issue will be solved in the next patch”, so to get a fix, the customer needs to upgrade on patch level.

      I am wondering if you are mixing up versions and patches here, as you are also writing that you are doing regression/compatibility tests against different UI5 versions (which makes sense as new versions come with new functionalities), but I doubt that you are doing these tests against all available patches of this version (e.g. 1.38 has 48 patches!).

      Shai Sinai

      Hi,

      We have many SAP installations in different SAPUI5 versions and patches.

      We don't check all of the available patches, but we do have to check several patches of the same SAPUI5 version (those that are in use in the system).

      As long as there isn't any official requirement by SAP to install new patches (or at least not to use patches older than one year), we have to support all these patches.

      Even if the fix will eventually require an installation of a new patch, we first need to check it in their existing version/patch.

      Wolfgang Röckelein

      Hi Margot Wollny ,

      this brings me to my old but still unsolved request: I would like to have an "evergreen" (in terms of patches) CDN URL per version, ie eg I want

      https://sapui5.hana.ondemand.com/1.84/resources/sap-ui-core.js

      to work and deliver the latest patch level.

      Regards,

        Wolfgang

      Margot Wollny

      Well, unstable URLs which could potentially change the content which is provided by them may be a bigger risk as this could cause indeterministic issues at customer side.

      The problem is the various caches here, at Akamai, within the HTTP proxies, in the browser. The only chance to overcome this is to have unique URLs and the cache busting concept must be used. One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out.

      Wolfgang Röckelein

      Well, this caches problem also holds true for http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ and I have not seen complaints about indeterministic issues with these URLs.

      "One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out." This is another reason I want only major version stable URLs.

      So what is the recommendation for non-Launchpad productive UI5 Apps, as using http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ is also discouraged for productive apps? Change app on every UI5 minor release? Closely monitor minor releases for minor releases being phased out and minor releases fixing security problems and act accordingly? Neither seems to be really feasible...

      Regards,

      Wolfgang

      Peter Muessig

      True, but we do not recommend to use the default version of openui5, sapui5, or ui5.sap.com for productive scenarios. They also have a reduced max-age of 1 week only instead of 1 year like the versioned URLs. We had several issues in the past related to cache inconsistencies after hot fixes when we propagated it to use the latest version. For productive scenarios we only use and recommend the versioned URLs.

      IMO, the only chance to use these generic URLs is to also use the cachebuster concept, so that we have a chance to invalidate the cache once an update takes place. This may be the best solution for those non-launchpad scenarios. Would it be OK in such cases to use the runtime cachebuster concept? This also applies to the default versions. I will definitely take this topic into our discussion. This evergreen discussion has also been raised by other parties.

      Regards,

      Peter

      Wolfgang Röckelein

      Hi Peter,

      yes, a cachebuster concept would be welcome here!

      Regards,

      Wolfgang

      Shai Sinai

      How is it different from the latest version/patch url?

      https://sapui5.hana.ondemand.com/resources/sap-ui-core.js

      Margot Wollny

      The URL you mention contains the default SAPUI5 version which is indeed always the latest available version/patch. But as mentioned above, this URL is not meant for productive usage as it is constantly being upgraded and this might have an impact on the stability of your application (see also the arguments by Peter).

      Boghyon Hoffmann

      Here is one example where an application had an issue because it was relying on the default (unspecified) version: https://stackoverflow.com/a/60377984/5846045.

      Also from the documentation:

      ⚠ Caution
      The default version is constantly being upgraded and this might have an impact on the stability of your application. Use this version for testing purposes only.

      src="https://sapui5.hana.ondemand.com/resources/sap-ui-core.js"
      (Source)