Removing outdated UI5 versions from UI5 CDN

Technology Blogs by SAP

Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.

Update December 15, 2021: SAP moves forward safeguarding an up-to-date and secure environment which benefits from SAP's enterprise support. As announced in this blog post in January 2021, the UI5 team will delete UI5 versions on the UI5 CDN beginning with:

SAPUI5 / OpenUI5 1.22, 1.24, 1.26 in mid of January 2022

SAPUI5 / OpenUI5 1.28, 1.30, 1.32 in mid of March 2022

Note that a version is fully maintained for the full quarter listed as "End of Cloud Provisioning" in the SAPUI5 Versions Maintenance Status. The version will be deleted right after this quarter. It is planned to have all versions removed by end of Q2/2022, for which the End of Cloud Provisioning has passed. Applications using such versions will stop working. To stay up to date on this, please see The UI5 team reaches out to You.

Update August 16, 2021: The UI5 team wants to re-iterate the importance of this topic. We can see that outdated UI5 versions are still in use by few customers. Please note that once these are removed, applications will break. To avoid a potential security risk, please update to a more recent version as described in this blog post.

SAP sees Security as an essential topic, investing heavily in all product areas and fulfilling respective legal compliance. We are committed to identify and address security issues affecting our software and cloud solutions. This is reflected in a number of Security Offerings including SAP Security Patch Days. UI5 implements latest security patches in order to fix potential vulnerabilities. SAP strongly recommends that customers apply patches on a priority to protect their SAP landscape. For SAP Business Technology Platform, we always recommend upgrading to the latest SAPUI5 version. It includes the latest capabilities, patches and security fixes.

The UI5 team wants to emphasize the importance of this topic as some outdated UI5 versions are still in use. To ensure outdated versions are no longer posing a potential security risk, it is common practice to remove them from cloud delivery. We decided to

Remove SAPUI5 / OpenUI5 versions from the CDN one year after their end of maintenance. In addition, also patches of versions in maintenance which are older than one year will be removed.

See the maintenance status of the UI5 version in the SAPUI5 version overview and the OpenUI5 version overview respectively. The UI5 version/patch is available until the end of the given quarter and being removed soon afterwards.

We begin with the removal in Q3/2021 so that all affected SAP customers and partners have time to react. Depending on your initial situation and whether you want to adopt latest SAP Fiori innovations, our recommendation is to upgrade to a long-term maintenance version:

to SAPUI5 / OpenUI5 1.38 from versions below 1.38

to SAPUI5 / OpenUI5 1.71 / 1.108 from other versions

In general, also plan to regularly consume the latest patch level of the respective version.

Please notice: this in no way means a change in the maintenance strategy / support duration of UI5 versions: Affected are UI5 versions on CDN one year after their end of maintenance.

For your reference see SAP note 3001696 and further information on developing and running secure SAPUI5 apps in Securing Apps. Also see more details on SAPUI5 versioning, upgrading and compatibility rules.

To access the SAPUI5 documentation for outdated on-prem versions, go to the SAP NetWeaver product page, click on your platform version, click on the UI Technologies link and then on SAPUI5: UI Development Toolkit for HTML5. This will open the respective SAPUI5 documentation version.

SAP Managed Tags:
SAP Fiori,
SAPUI5

38 Comments

Hello oliver.graeff ,

First, thanks for the update. I noticed that the page describing all versions has been update to include a column called "End of cloud provisioning". Almost all out of maintenance versions are there with Q3/2021 as you mentioned.

Based on the blog, I understand that:

1) The following links won't serve UI5 content:

Example:

https://ui5.sap.com/1.44.50/resources/sap-ui-core.js

Because 1.44.x is not maintened since Q4/2019

2) the same thing applies for links like:

https://sapui5.netweaver.ondemand.com/

https://openui5.hana.ondemand.com/

https://openui5nightly.hana.ondemand.com/

Questions:

A) Those links also serve the official documentation. Will the documentation still be available? Those versions might still exist on On-Premise systems and the SDK has been removed from SAP_UI component a long time ago. So, there is no change of having the documentation served from the on-premise system.

B) Are there any other links apart from those mentioned above?

Thanks,

Hi,

Regarding the removal of patches older than one year which are sill in maintenance (and supported by SAP),

it would be appreciated if you may move them to to a different folder/path instead of completely removing them from the CDN.

We use the CDN also to make regression/combability tests of new developments against different SAPUI5 versions and as long as these patches are supported by SAP we need to support them.

Actually you only have support on version but not on patch level. Corrections for a UI5 version are bundled in patches and therefore always require a patch update.

Thanks.

So, if I understood correctly, customers must (regularly) update the to the latest patch to get support?

That’s the recommendation, but relies on the customer if he wants to update on each patch level or does it in it’s own speed (with skipping some patches in between). But if a customer reports an issue he will either get the answer “your issue is solved in patch xx, please upgrade accordingly” or “your issue will be solved in the next patch”, so to get a fix, the customer needs to upgrade on patch level.

I am wondering if you are mixing up versions and patches here as you are also writing that you are doing regression/compatibility tests against different UI5 versions (which makes sense as new versions come with new functionalities), but I doubt that you are doing these test against all available patches of this version (e.g. 1.38 has 48 patches!).

Hi,

We have many SAP installations in different SAPUI5 versions and patches.

We don't check all of the available patches, but we do have to check several patches of the same SAPUI5 version (these who are in use in the system).

As long as there isn't any official requirement by SAP to install new patches (or at least don't use patches older than one year), we have to support all these patches.

Even if the fix will eventually require an installation of a new patch, we first need to check it in their existing version/patch.

Hi Fabio,

yes also links to https://sapui5.netweaver.ondemand.com/ or openui5 will show the same behavior and not serve content for versions after the end of cloud provisioning date.

To your questions:

A) SAP also recommends to follow the same approach for onPremise systems and thus the need for documentation of these versions should also disappear. In case you might have a completely safe internal environment, the SAP Help Portal could be a workaround for documentation: https://help.sap.com/viewer/468a97775123488ab3345a0c48cadd8f/202009.000/en-US/95d113be50ae40d5b0b562...

Also downloading the SDK from https://tools.hana.ondemand.com/#sapui5 in time could be an option.

B) Not sure what you mean. I assume the 2 links in the answer above fall into the category that you're asking for. Otherwise please ask again and I'll do my best to answer:-)

But please, take this topic serious. As Oliver didn't mention it concretely: we have tools like the SAP Theme Designer or SAP Web IDE where even the latest versions can be attacked via vulnerabilities of embedded older versions. We work hard to prevent this, still it helps a lot in having a clean approach via only serving secure enough software.

So the recommendation is to apply at least a patch once a year and based on the customer feedback over several years, the regression risk with later patches is extremely low.

Best regards
Stefan

Hi margot.wollny ,

this brings me to my old but still unsolved request: I would like to have an "evergreen" (in terms of patches) CDN URL per version, ie eg I want

https://sapui5.hana.ondemand.com/1.84/resources/sap-ui-core.js

to work and deliver the latest patch level.

Regards,

Wolfgang

Well, unstable URLs which could potentially change the content which is provided by them may be a bigger risk as this could cause indeterministic issues at customer side.

The problem are the various caches here, at Akamai, within the HTTP proxies, in the browser. The only chance to overcome this is to have unique URLs and the cache busting concept must be used. One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out.

Well this caches problem also holds true for http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ and I do not have seen complaints about indeterministic issues with these URLs.

"One more thing, even major.minor stable URLs might be problematic as also major.minor versions may be phased out." This is another reason I want only major version stable URLs.

So what is the recomendation for non-Launchpad productive UI5 Apps, as using http://openui5.hana.ondemand.com/ https://sapui5.hana.ondemand.com/ and https://ui5.sap.com/ is also discouraged for productive apps? Change app on every UI5 minor release? Closely monitor minor releases for minor releases being phased out and minor releases fixing security probems and act accordingly? Neither seems to be really feasible...

Regards,

Wolfgang

How is it different from the latest version/patch url?

https://sapui5.hana.ondemand.com/resources/sap-ui-core.js

True, but we do not recommend to use the default version of openui5, sapui5, or ui5.sap.com for productive scenarios. They also have a reduced max-age of 1 week only instead of 1 year like the versioned URLs. We had several issues in the past related to cache inconsistencies after hot fixes when we propagated it to use the latest version. For productive scenarios we only use and recommend the versioned URLs.

IMO, the only chance to use these generic URLs is to also use the cachebuster concept, so that we have a chance to invalidate the cache once an update take place. This may be the best solution for those non-launchpad scenarios. Would it be OK in such cases to use the runtime cachebuster concept? This also applies to the default versions. I will definitely take this topic into our discussion. This evergreen discussion also has been raised from other parties as well.

Regards,

Peter

The URL you mention contains the default SAPUI5 version which is indeed always the latest available version/patch. But as mentioned above, this URL is not meant for productive usage as it is constantly being upgraded and this might have an impact on the stability of your application (see also the arguments by Peter).

Hi Peter,

yes, a cachebuster concept would be welcome here!

Regards,

Wolfgang

Here is one example where an application had an issue because it was relying on the default (unspecified) version: "SAPUI5 has suddenly internal load resource error despite no changes in the app" - Stack Overflow

Also from the documentation:

⚠ Caution
The default version is constantly being upgraded and this might have an impact on the stability of your application. Use this version for testing purposes only.
src="https://ui5.sap.com/resources/sap-ui-core.js"
(Source)

Hi Oliver,

just today inside UI5ers, peter.muessig showed the heavily requested bootstrapping for the CDN patch release delivery using CacheBuster (also requested from wroeckelein.fum

https://sapui5.hana.ondemand.com/1.96/resources/sap-ui-core.js

I did not saw the telco from the start, so please can you add the info, when and for what release this feature will be available.

If i understood right, it will be from 1.71 on going, because it depends on async component instantiation in conjunction with CacheBuster.

The used CDN from Peter was just a private SAP BTP hana.ondemand.com address, so i think this is planned and currently not public available.

Maybe you can point me to the relevant roadmap, when this will be available.

It will help to delivery apps, that will untouched support latest patch versions without running in the removed outdated libraries hell.

BTW: It would still be great, if CDN would also support ABAP OnPremise systems, because a lot of customers running on FES 6 with 1.71 have apps that need 1.9x to be able to use new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores.

Right now, they are forced to serve nessessary SAPUI5 libs by their own on premise.

This would make their live much more easy.

Best Regards
Holger

Hi Holger,

this feature will be part of the SAPUI5 1.100 version. Once the SAPUI5 SDK on the public CDN is upgraded to 1.100 all LTS versions >= 1.71 will have this possibility to refer to those major.minor version URLs (evergreen URLs).

Best regards,

Peter

Hi Peter,

thanks. I missed that part of your presentation.

Best Regards

Holger

With regard to new sap.ndc.BarcodeScannerButton because of the removed SAP Fiori Client from stores: The new sap.ndc.BarcodeScannerButton was downported and is available with the latest patch version for 1.71.(We talked about this in UI5ers live Episode 15 in February ;-))

Thanks Margot,
too many topics in parallel. Just missed this.

I have not expected this inside LTS, because it is somehow a new feature and not just a patch.

But it highly makes sense in conjunction with the removal of the SAP Fiori Client.

Best regards

Holger

Hi peter.muessig ,

thank you. This is more than welcome!

As a side note: in the manifest,json for BTP Deployment you can also use

"sap.platform.cf": {

  "ui5VersionNumber": "1.84.x"

}

meanwhile.

Regards,

Wolfgang

Hi All,

As per the above blog, only the UI5 versions till 1.32 was supposed to be removed from the CDN.

I am using 1.38.6 version in my application using CDN and for that also I am getting the following error : The requested UI5 version is outdated and has been removed.

As checked on the version overview page, the End of Cloud Provisioning for 1.38 is Q4/2028.Can someone please explain why the version 1.38.6 has been removed from CDN without any communication.

Following is the URL I am using in my application for bootstrapping :https://sapui5.hana.ondemand.com/1.38.6/resources/sap-ui-core.js

Thanks & Regards,
Sagar Bansal

Hi Sagar Bansal,

sorry to hear this. Kindly note 'In addition, also patches of versions in maintenance which are older than one year will be removed' in this blog post and SAP note 3001696. Also see 'The UI5 team reaches out to You' above: https://ui5.sap.com/ shows a notification saying 'Specifically, this means that in CW 20, we will remove ... patches 5 to 49 for version 1.38.'

Reason is that patch 6 of 1.38 is long outdated and posing a security risk. 'Upgrading' to the latest patch should be straight-forward and corresponds to our recommendation in https://ui5.sap.com/versionoverview.html and Versioning and Maintenance of SAPUI5. Hope this will fix your issue easily.

Thanks for your understanding and best regards,
Oliver Graeff

Hi Oliver,

Thanks for the above clarification.

Unfortunately, I'm again facing a similar issue with version 1.71 now.

As suggested by you in the above blog post, I upgraded my existing apps to 1.71.0 but today I realized that this version has also been removed by SAP. Also, I couldn't find any communication regarding this on the SDK.

I checked on the version overview page, the End of Cloud Provisioning for 1.71 is Q4/2028.

Can you please suggest the best possible solution to tackle such scenarios.

Thanks & Regards,
Sagar Bansal

Hi,

I am also facing same error for sap-ui-core.js version "1.71". Please advice if any solution to point this version file.

Thanks

https://sapui5.hana.ondemand.com/1.71/resources/sap-ui-core.js

works just fine for me - note that this is the "latest" 1.71.x version.

Hi,

looking at

https://ui5.sap.com/versionoverview.html

you will see, that also outdated patches will be removed from CDN!

Currently only 1.71.2 - 1.71.49 are available.

To overcome such issues using CDN you can start using Evergreen Bootstraping using

https://ui5.sap.com/1.71/resources/sap-ui-core.js

which returns the latest patch release for you (in this case 1.71.49).

Best regards
Holger

Hi Holger,

Thanks for your reply.

The information available on https://ui5.sap.com/versionoverview.html doesn’t say anything about when a specific patch for a version will be removed. This is causing a lot of confusion.

Also, as you have suggested to use the evergreen bootstrapping URL, will it work till Q4 2028 which is the end of cloud provisiong date for 1.71 version as specified on the version overview page?

Thanks,

Sagar Bansal

Hi Sagar Bansal,

you'll find information on specific patches further down on the same page.

In Variant for Bootstrapping from Content Delivery Network we see that all long-term maintenance versions >= 1.71 can be used as evergreen versions.

Best regards, Oliver

Hi Oliver,

I used in my project "https://ui5.sap.com/1.71.49/resources/sap-ui-core.js" url. It is showing two different behaviors and issues.

Input parameter window only loads in Fireforx browser, when using chrome showing error message "Access to script at 'https://ui5.sap.com/1.71.49/resources/sap-ui-core.js' from origin 'http://servername.com:8180' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`." (this is dev server where I am deploying and testing so no SSL configure)

In Firefox browser input parameter loading but after giving the value it logout the session and this behavior only happen in Linux server, in Windows working fine.

Please advise how I can handle this. .

Regards,

Amit

Hi Amit,

1.71.49 has not reached its End of Cloud Provisioning and has not been removed from CDN. You might want to ask a question in SAP Community.

Regards, Oliver

Hi Oliver,

We have a bsp application WFDGANTT_UI5 in CRM Gantt Chart where this UI5 link is hardcoded and looks outdated already.

"https://sapui5.hana.ondemand.com/1.71.28/resources/sap-ui-core.js"

Therefore the user cannot open the Gantt Chart anymore.

Could you please let us know if we should change the link to lastest 1.71.49 manually?

Best regards

Nana Cai

Hi,

right, please contact the owner of this app to get this bug fixed.

for cloud solutions see options in Variant for Bootstrapping from Content Delivery Network
for non-cloud solutions see note 2943781 - Is the usage of SAP's Content Delivery Network for onPremise systems permitted?

Best regards, Oliver

Hi.
Nice try.
Working with UI5 version 1.71, (also 1.71.49) the Maintenance status page says it should be available on cloud untill Q2/2024 or later.
But just today 5/5/2023 it has been removed.
As usual nothing works as expected with sap

daniele17277

i can still reach this versions:

https://sapui5.hana.ondemand.com/1.71.2/resources/sap-ui-core.js

https://sapui5.hana.ondemand.com/1.71.49/resources/sap-ui-core.js

Hi Daniele,

yes, this is an issue and SAP is working on this right now.

The error message is wrong and misleading, https://ui5.sap.com/1.71.49 is available. No change to the maintenance status. We are investigating to show a better message for this situation.
More importantly, there should be no error situation at all. We're not sure yet whether this occurs in pure SAP standard or in certain customer configurations/apps. We are investigating right now with high priority. If you want to contact the SAP development teams to share your situation, you may create an incident on component EP-WZ-HAV.

Sorry for this situation affecting you.

Best regards,
Oliver

Hi Oliver，

Our system was using SAPUI5 version https://sapui5.hana.ondemand.com/1.96.0/resources/sap-ui-core.js and last week the system crashed because 1.96.0 was suddenly removed without any announcement. We urgently upgraded to 1.96.22 to get the system back

Here I have some questions about the upgrade:

Why the version 1.96.0 has been removed from CDN without any communication?

What is the deprecation rules of the library in CDN?

Any suggestion about which version should we choose to use to ensure the stable of our system?

Is there a major.minor version like 1.96 that we can use?

Thanks and Regards,
Sherry

Hello Sherry,

Sorry to hear that you experienced this situation. (Good that the upgrade to 1.96.22 went smooth, which is expected.) 1.96.0 has been deleted >1 year after it went out of maintenance, meaning it did not receive any patches for >1year, posing a severe security risk to productive systems. Regarding communication we have several sources and especially for pro-active communication see The UI5 team reaches out to You | SAP Blogs. The most important communication I summarize here:

SAPUI5 Versions Maintenance Status with the SAPUI5 maintenance strategy for SAP Business Technology Platform linked in this document.
3001696 - Removed outdated SAPUI5 versions from SAPUI5 CDN - SAP ONE Support Launchpad
Removing outdated UI5 versions from UI5 CDN | SAP Blogs
The UI5 team reaches out to You | SAP Blogs
- notification center on the top-right corner of SAPUI5 SDK https://ui5.sap.com/
- A mailing list for UI5 announcements
Other channels like the SAP Community, notifications in the SAP BTP Cockpit and the BPT What’s New.

For productive systems we recommend using a Maintenance version as listed in SAPUI5 Versions Maintenance Status (which is what you did). And when using a specific patch (in your case '0'), note the 'End of Cloud Provisioning' of that patch(!) in the lower table. Instead of consuming a specific patch, we recommend always getting the latest patch, while staying on a specific version, see Evergreen Version.

Hope this helps to avoid such situations going forward.

Best regards,
Oliver