Removing outdated UI5 versions from UI5 CDN
- SAPUI5 / OpenUI5 1.22, 1.24, 1.26 in mid of January 2022
- SAPUI5 / OpenUI5 1.28, 1.30, 1.32 in mid of March 2022
Note that a version is fully maintained for the full quarter listed as “End of Cloud Provisioning” in the SAPUI5 Versions Maintenance Status. The version will be deleted right after this quarter. It is planned to have all versions removed by end of Q2/2022, for which the End of Cloud Provisioning has passed. Applications using such versions will stop working. To stay up to date on this, please see The UI5 team reaches out to You.
The UI5 team wants to emphasize the importance of this topic as some outdated UI5 versions are still in use. To ensure outdated versions are no longer posing a potential security risk, it is common practice to remove them from cloud delivery. We decided to
Remove SAPUI5 / OpenUI5 versions from the CDN one year after their end of maintenance. In addition, also patches of versions in maintenance which are older than one year will be removed.
See the maintenance status of the UI5 version in the SAPUI5 version overview and the OpenUI5 version overview respectively. The UI5 version/patch is available until the end of the given quarter and being removed soon afterwards.We begin with the removal in Q3/2021 so that all affected SAP customers and partners have time to react. Depending on your initial situation and whether you want to adopt latest SAP Fiori innovations, our recommendation is to upgrade to a long-term maintenance version:
- to SAPUI5 / OpenUI5 1.38 from versions below 1.38
- to SAPUI5 / OpenUI5 1.71 / 1.84 from other versions
In general, also plan to regularly consume the latest patch level of the respective version.
Please notice: this in no way means a change in the maintenance strategy / support duration of UI5 versions: Affected are UI5 versions on CDN one year after their end of maintenance.For your reference see SAP note 3001696 and further information on developing and running secure SAPUI5 apps in Securing Apps. Also see more details on SAPUI5 versioning, upgrading and compatibility rules.
To access the SAPUI5 documentation for outdated on-prem versions, go to the SAP NetWeaver product page, click on your platform version, click on the UI Technologies link and then on SAPUI5: UI Development Toolkit for HTML5. This will open the respective SAPUI5 documentation version.
Hello Oliver Graeff ,
First, thanks for the update. I noticed that the page describing all versions has been update to include a column called "End of cloud provisioning". Almost all out of maintenance versions are there with Q3/2021 as you mentioned.
Based on the blog, I understand that:
1) The following links won't serve UI5 content:
Because 1.44.x is not maintened since Q4/2019
2) the same thing applies for links like:
A) Those links also serve the official documentation. Will the documentation still be available? Those versions might still exist on On-Premise systems and the SDK has been removed from SAP_UI component a long time ago. So, there is no change of having the documentation served from the on-premise system.
B) Are there any other links apart from those mentioned above?
yes also links to https://sapui5.netweaver.ondemand.com/ or openui5 will show the same behavior and not serve content for versions after the end of cloud provisioning date.
To your questions:
A) SAP also recommends to follow the same approach for onPremise systems and thus the need for documentation of these versions should also disappear. In case you might have a completely safe internal environment, the SAP Help Portal could be a workaround for documentation: https://help.sap.com/viewer/468a97775123488ab3345a0c48cadd8f/202009.000/en-US/95d113be50ae40d5b0b562b84d715227.html
Also downloading the SDK from https://tools.hana.ondemand.com/#sapui5 in time could be an option.
B) Not sure what you mean. I assume the 2 links in the answer above fall into the category that you're asking for. Otherwise please ask again and I'll do my best to answer:-)
But please, take this topic serious. As Oliver didn't mention it concretely: we have tools like the SAP Theme Designer or SAP Web IDE where even the latest versions can be attacked via vulnerabilities of embedded older versions. We work hard to prevent this, still it helps a lot in having a clean approach via only serving secure enough software.
So the recommendation is to apply at least a patch once a year and based on the customer feedback over several years, the regression risk with later patches is extremely low.
Regarding the removal of patches older than one year which are sill in maintenance (and supported by SAP),
it would be appreciated if you may move them to to a different folder/path instead of completely removing them from the CDN.
We use the CDN also to make regression/combability tests of new developments against different SAPUI5 versions and as long as these patches are supported by SAP we need to support them.
Actually you only have support on version but not on patch level. Corrections for a UI5 version are bundled in patches and therefore always require a patch update.
So, if I understood correctly, customers must (regularly) update the to the latest patch to get support?
That’s the recommendation, but relies on the customer if he wants to update on each patch level or does it in it’s own speed (with skipping some patches in between). But if a customer reports an issue he will either get the answer “your issue is solved in patch xx, please upgrade accordingly” or “your issue will be solved in the next patch”, so to get a fix, the customer needs to upgrade on patch level.
I am wondering if you are mixing up versions and patches here as you are also writing that you are doing regression/compatibility tests against different UI5 versions (which makes sense as new versions come with new functionalities), but I doubt that you are doing these test against all available patches of this version (e.g. 1.38 has 48 patches!).
We have many SAP installations in different SAPUI5 versions and patches.
We don't check all of the available patches, but we do have to check several patches of the same SAPUI5 version (these who are in use in the system).
As long as there isn't any official requirement by SAP to install new patches (or at least don't use patches older than one year), we have to support all these patches.
Even if the fix will eventually require an installation of a new patch, we first need to check it in their existing version/patch.
Hi Margot Wollny ,
this brings me to my old but still unsolved request: I would like to have an "evergreen" (in terms of patches) CDN URL per version, ie eg I want
to work and deliver the latest patch level.
Well, unstable URLs which could potentially change the content which is provided by them may be a bigger risk as this could cause indeterministic issues at customer side.
The problem are the various caches here, at Akamai, within the HTTP proxies, in the browser. The only chance to overcome this is to have unique URLs and the cache busting concept must be used. One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out.
Well this caches problem also holds true for http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ and I do not have seen complaints about indeterministic issues with these URLs.
"One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out." This is another reason I want only major version stable URLs.
So what is the recomendation for non-Launchpad productive UI5 Apps, as using http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ is also discouraged for productive apps? Change app on every UI5 minor release? Closely monitor minor releases for minor releases being phased out and minor releases fixing security probems and act accordingly? Neither seems to be really feasible...
True, but we do not recommend to use the default version of openui5, sapui5, or ui5.sap.com for productive scenarios. They also have a reduced max-age of 1 week only instead of 1 year like the versioned URLs. We had several issues in the past related to cache inconsistencies after hot fixes when we propagated it to use the latest version. For productive scenarios we only use and recommend the versioned URLs.
IMO, the only chance to use these generic URLs is to also use the cachebuster concept, so that we have a chance to invalidate the cache once an update take place. This may be the best solution for those non-launchpad scenarios. Would it be OK in such cases to use the runtime cachebuster concept? This also applies to the default versions. I will definitely take this topic into our discussion. This evergreen discussion also has been raised from other parties as well.
yes, a cachebuster concept would be welcome here!
How is it different from the latest version/patch url?
The URL you mention contains the default SAPUI5 version which is indeed always the latest available version/patch. But as mentioned above, this URL is not meant for productive usage as it is constantly being upgraded and this might have an impact on the stability of your application (see also the arguments by Peter).
Here is one example where an application had an issue because it was relying on the default (unspecified) version: "SAPUI5 has suddenly internal load resource error despite no changes in the app" - Stack Overflow
Also from the documentation:
just today inside UI5ers, Peter Muessig showed the heavily requested bootstrapping for the CDN patch release delivery using CacheBuster (also requested from Wolfgang Röckelein:)
I did not saw the telco from the start, so please can you add the info, when and for what release this feature will be available.
If i understood right, it will be from 1.71 on going, because it depends on async component instantiation in conjunction with CacheBuster.
The used CDN from Peter was just a private SAP BTP hana.ondemand.com address, so i think this is planned and currently not public available.
Maybe you can point me to the relevant roadmap, when this will be available.
It will help to delivery apps, that will untouched support latest patch versions without running in the removed outdated libraries hell.
BTW: It would still be great, if CDN would also support ABAP OnPremise systems, because a lot of customers running on FES 6 with 1.71 have apps that need 1.9x to be able to use new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores.
Right now, they are forced to serve nessessary SAPUI5 libs by their own on premise.
This would make their live much more easy.
this feature will be part of the SAPUI5 1.100 version. Once the SAPUI5 SDK on the public CDN is upgraded to 1.100 all LTS versions >= 1.71 will have this possibility to refer to those major.minor version URLs (evergreen URLs).
thanks. I missed that part of your presentation.
Hi Peter Muessig ,
thank you. This is more than welcome!
As a side note: in the manifest,json for BTP Deployment you can also use
With regard to new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores: The new sap.ndc.BarcodeScannerButton was downported and is available with the latest patch version for 1.71.(We talked about this in UI5ers live Episode 15 in February ;-))
too many topics in parallel. Just missed this.
I have not expected this inside LTS, because it is somehow a new feature and not just a patch.
But it highly makes sense in conjunction with the removal of the SAP Fiori Client.
As per the above blog, only the UI5 versions till 1.32 was supposed to be removed from the CDN.
I am using 1.38.6 version in my application using CDN and for that also I am getting the following error : The requested UI5 version is outdated and has been removed.
As checked on the version overview page, the End of Cloud Provisioning for 1.38 is Q4/2028.Can someone please explain why the version 1.38.6 has been removed from CDN without any communication.
Following is the URL I am using in my application for bootstrapping :https://sapui5.hana.ondemand.com/1.38.6/resources/sap-ui-core.js
Thanks & Regards,
Hi Sagar Bansal,
sorry to hear this. Kindly note 'In addition, also patches of versions in maintenance which are older than one year will be removed' in this blog post and SAP note 3001696. Also see 'The UI5 team reaches out to You' above: https://ui5.sap.com/ shows a notification saying 'Specifically, this means that in CW 20, we will remove ... patches 5 to 49 for version 1.38.'
Reason is that patch 6 of 1.38 is long outdated and posing a security risk. 'Upgrading' to the latest patch should be straight-forward and corresponds to our recommendation in https://ui5.sap.com/versionoverview.html and Versioning and Maintenance of SAPUI5. Hope this will fix your issue easily.
Thanks for your understanding and best regards,
Thanks for the above clarification.
Unfortunately, I'm again facing a similar issue with version 1.71 now.
As suggested by you in the above blog post, I upgraded my existing apps to 1.71.0 but today I realized that this version has also been removed by SAP. Also, I couldn't find any communication regarding this on the SDK.
I checked on the version overview page, the End of Cloud Provisioning for 1.71 is Q4/2028.
Can you please suggest the best possible solution to tackle such scenarios.
Thanks & Regards,
I am also facing same error for sap-ui-core.js version "1.71". Please advice if any solution to point this version file.
works just fine for me - note that this is the "latest" 1.71.x version.
you will see, that also outdated patches will be removed from CDN!
Currently only 1.71.2 - 1.71.49 are available.
To overcome such issues using CDN you can start using Evergreen Bootstraping using
which returns the latest patch release for you (in this case 1.71.49).
Thanks for your reply.
The information available on https://ui5.sap.com/versionoverview.html doesn’t say anything about when a specific patch for a version will be removed. This is causing a lot of confusion.
Also, as you have suggested to use the evergreen bootstrapping URL, will it work till Q4 2028 which is the end of cloud provisiong date for 1.71 version as specified on the version overview page?
Hi Sagar Bansal,
you'll find information on specific patches further down on the same page.
In Variant for Bootstrapping from Content Delivery Network we see that all long-term maintenance versions >= 1.71 can be used as evergreen versions.
Best regards, Oliver
I used in my project "https://ui5.sap.com/1.71.49/resources/sap-ui-core.js" url. It is showing two different behaviors and issues.
Please advise how I can handle this. .
1.71.49 has not reached its End of Cloud Provisioning and has not been removed from CDN. You might want to ask a question in SAP Community.
We have a bsp application WFDGANTT_UI5 in CRM Gantt Chart where this UI5 link is hardcoded and looks outdated already.
Therefore the user cannot open the Gantt Chart anymore.
Could you please let us know if we should change the link to lastest 1.71.49 manually?
right, please contact the owner of this app to get this bug fixed.
Best regards, Oliver
Working with UI5 version 1.71, (also 1.71.49) the Maintenance status page says it should be available on cloud untill Q2/2024 or later.
But just today 5/5/2023 it has been removed.
As usual nothing works as expected with sap
Hi Daniele Baldo
i can still reach this versions:
yes, this is an issue and SAP is working on this right now.
Sorry for this situation affecting you.