Update your dependencies
Recently I was creating a fresh new UI5 application. I used the @sap/fiori yo generator. I just wanted to create a simple app: Basic UI5 app.
I activated TypeScript and an app was created.
npm warn deprecated
The wizard ends by starting to install the npm dependencies. Here I saw something I think should not happen. A lot of deprecated dependencies were installed.
For instance, rimraf is currently at version 6. While 3.0.2 is still downloaded, it is 6 years old. AFAIK it is only used to remove the archive.zip file after running “npm deploy”. Is it really needed?
Another one is eslint. The currently supported eslint versions are 9.x. The installed version 8.57.1 is deprecated. Or better: unsupported, EOL.
To see deprecated versions of eslint on npmjs, you need to switch on the show deprecated versions option.
OK, that version still gets some downloads. Running eslint via the provided script lint: npm run lint.
The result is not what I am expecting. Seems not only ESLint is outdated, some other packages used during linting should be updated too.
Dependency hell
My TypeScript version is up to date. @typescript-eslint/typescript-estree, however, does have a problem with this. It does not support my TypeScript version. A solution might be to update it. And while doing this, why not update eslint as well? This is the package.json file after creating the app using yo.
The eslint dependency to 8.57.1 comes from three packages. Should be easy to solve.
@typescript-eslint/eslint-plugin and @typescript-eslint/parser are both available in higher versions: 8.46. This is sufficient to remove the warning message about an unsupported TypeScript version.
Eslint, however, is still stuck at a deprecated version. For updating eslint to 9.x, updating those two packages is not sufficient. But there is still package @sap-ux/eslint-plugin-fiori-tools. A newer version 0.6.1 is available.
Updating it in package.json and running npm i.
Only, this does not help. Eslint continues to stay at a deprecated release. The outdated eslint version is coming from the @sap-ux/eslint-plugin-fiori-tools dependency. Looking at the package.json file in node_modules/@sap-ux/eslint-plugin-fiori-tools.
There is a dependency to eslint-plugin-fiori-custom. I was not able to find the repo on GH or somewhere else. It seems the repo is private.
The package was last updated 2 years ago.
It comes with a dependency to @babel/eslint-parser 7.19.1, which is 3 years old.
And this package (@babel/eslint-parser@7.19.1) binds us to a deprecated eslint release.
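The manual trace above can be scripted against the "packages" map of package-lock.json. The following is an added example, not code from the post or from SAP: the lock data is a constructed sample that reuses the versions named in the post, while the version ranges and the eslint-plugin-fiori-custom version are placeholders, and resolve and whyInstalled are hypothetical helper names.

```javascript
// Constructed sample in the shape of package-lock.json (lockfileVersion 2/3).
// Ranges and the fiori-custom version are placeholders, not values from the real packages.
// For a real project: const lock = JSON.parse(fs.readFileSync("package-lock.json", "utf8"));
const lock = { packages: {
  "": { devDependencies: { "@sap-ux/eslint-plugin-fiori-tools": "^0.6.1" } },
  "node_modules/@sap-ux/eslint-plugin-fiori-tools": { version: "0.6.1",
    dependencies: { "eslint-plugin-fiori-custom": "*" } },
  "node_modules/eslint-plugin-fiori-custom": { version: "0.0.0-placeholder",
    dependencies: { "@babel/eslint-parser": "7.19.1" } },
  "node_modules/@babel/eslint-parser": { version: "7.19.1",
    peerDependencies: { eslint: "^8.0.0" } },
  "node_modules/eslint": { version: "8.57.1" },
} };

// Node-style resolution: look in the dependent's own node_modules first, then walk up.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without a match
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every chain from the root project to `target`,
// each step written as "name@installedVersion (wanted range)".
function whyInstalled(lock, target) {
  const pk = lock.packages, chains = [];
  (function walk(path, trail, seen) {
    const e = pk[path];
    // devDependencies only count for the root project; peers count everywhere.
    const deps = Object.assign({}, e.dependencies, e.peerDependencies,
      path === "" ? e.devDependencies : null);
    for (const [name, range] of Object.entries(deps)) {
      const hit = resolve(pk, path, name);
      if (!hit || seen.has(hit)) continue; // not installed, or a dependency cycle
      const step = `${name}@${pk[hit].version} (wanted ${range})`;
      if (name === target) chains.push([...trail, step]);
      else walk(hit, [...trail, step], new Set(seen).add(hit));
    }
  })("", [], new Set());
  return chains;
}

console.log(whyInstalled(lock, "eslint").map((c) => c.join(" -> ")).join("\n"));
```

The last two steps of each chain name the package and range that hold the target at its current version, which is the package to update or replace first.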
What now
- From the title of this post: Update your dependencies. With "your" I mean: dear SAP, please update your dependencies. Do not expect developers to do this. They will just take whatever the wizard generates and use it as is. Starting a new project with already outdated dependencies should be avoided. It would be good to have SAP establish a quality process that ensures that dependencies are up-to-date.
- For everyone else: please try to update the dependencies from time to time. In case your Fiori app is some years old and you are charged to change something: try to take a look at the dependencies.
- I updated the yo generators right before running the wizard. It would be nice to have templates that give as few deprecation warnings as possible. That the lint script gives a warning about an unsupported TypeScript version can be avoided. The usage of a deprecated version of eslint is something that should not happen. 8.x has been EOL for a year. Not having to run an unsupported version of a tool that is part of the development process right after running an app wizard should be the norm.
- Is the package eslint-plugin-fiori-tools necessary? If so, can the dependency to eslint-plugin-fiori-custom be removed or updated or refactored? That package has not been updated for 2 years. And it is a blocker when you want to upgrade to ESLint 9. Are the rules that come with eslint-plugin-fiori-custom still valid? My .eslintrc file includes eslint-plugin-fiori-tools.
"extends": "plugin:@sap-ux/eslint-plugin-fiori-tools/defaultTS",
Maybe include the -custom rules there? I mean, @sap-ux/eslint-plugin-fiori-tools is actively developed and maintained. The package eslint-plugin-fiori-custom however seems to be abandoned. Looking at the authors, not everyone is still working at SAP (yes, author name and employee ID are included in the delivered source code of eslint-plugin-fiori-custom).