Mend issue with @sap/connectivity version 4.2.0

[Abhijeet-eygit]

Describe the Bug

Hi,

As a part of infosec process, we came across high severity issue with library "@sap-cloud-sdk/connectivity": "^4.2.0"

As per the attached screenshot "Mend_2" dependency lib jws needs to be upgraded to 4.0.1 and this being transitive dependency we can't change it in our package.json file.

Can you suggest same solution here.

Regards,
Abhijeet T

Steps to Reproduce

1. need to run mend pipeline

Expected Behavior

it should not come as high severity in mend report

Screenshots

Details of top fix:
"Upgrade to version jws - 4.0.1,https://github.com/auth0/node-jws.git - v3.2.3,jws - 3.2.3,https://github.com/auth0/node-jws.git - v4.0.1
Message: Upgrade to version
Details: GHSA-869p-cjfg-cm3x"

Used Versions

• Node version via node -v: v22.13.1
• NPM version via `npm -v: 10.9.2
• SAP Cloud SDK version: ^8
• For CAP users, CAP version: ...

@sap/cds: 9.6.1
@sap/cds-dk: 9.4.3
@sap/cds-compiler: 6.6.0
@sap/cds-dk (global): 9.4.3
@sap/cds-fiori: 2.1.1
@sap/cds-mtxs: 3.6.1
@cap-js/asyncapi: 1.0.3
@cap-js/db-service: 2.8.1
@cap-js/openapi: 1.3.0
Node.js: v22.13.1
home: /extbin/globals/pnpm/5/.pnpm/@SAP+cds@9.6.1_@eslint+js@9.39.2_express@4.22.1/node_modules/@sap/cds

Code Examples

No response

Log File

No response

Affected Development Phase

Release

Impact

Blocked

Timeline

Info

Additional Context

No response

[KavithaSiva]

Hi @Abhijeet-eygit ,

Thanks for reporting the issue. We have updated jsonwebtoken, the dependency that consumes jws and with our next release, the issue will be fixed.

Until then please add an override for jsonwebtoken to 9.0.3 and run install in your application. This should temporarily fix the issue until our next release.

Regards,
Kavitha

[KavithaSiva]

We released a new version of SAP Cloud SDK today (4.3.0). Please use the latest version to get the updated dependencies.