@ui5/migration
Tooling to support the migration of UI5 projects by adapting code for new UI5 framework versions
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: a registry account or publish token is all that is needed to upload a tarball under this name, and nothing ties its contents to a commit or a build. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:dll-injection-apis | AI (semgrep): False positive on array literal declaration; no actual DLL/process injection API in use. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Task-loader pattern loading local plugin files from a known path; not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:json5 | AI (phantom-deps): json5 is listed in dependencies and used via config files; stable false positive for this package. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 0.3.0 | 11 / 19 | |
v0.3.0

7 findings

All six DLL-injection matches below sit on the identifier `aLoadLibraryApiJson`, an array of promises for library `api.json` / `resources.json` documents; the rule appears to key on the `LoadLibrary` substring in that name. No process or DLL injection API is called, and the matches are accepted as a false positive in the Accepted risks table above.

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L391

```js
389 | try {
390 |     oLibraryDoc = this.getLocalLibraryAPIJSON(sLibrary);
> 391 |     const aLoadLibraryApiJson = [];
392 |     if (oLibraryDoc) {
393 |         aLoadLibraryApiJson.push(Promise.resolve(oLibraryDoc));
```

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L393

```js
391 |     const aLoadLibraryApiJson = [];
392 |     if (oLibraryDoc) {
> 393 |         aLoadLibraryApiJson.push(Promise.resolve(oLibraryDoc));
394 |     }
395 |     else if (this.rootPath) {
```

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L396

```js
394 |     }
395 |     else if (this.rootPath) {
> 396 |         aLoadLibraryApiJson.push(this.loadJSON(this.rootPath, "test-resources/" +
397 |             sLibrary.replace(/\./g, "/") +
398 |             "/designtime/api.json").then(function (oRes) {
```

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L422

```js
420 |     const oResources = this.getLocalResourcesAPIJSON(sLibrary);
421 |     if (oResources) {
> 422 |         aLoadLibraryApiJson.push(Promise.resolve(oResources));
423 |     }
424 |     else if (this.rootPath) {
```

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L425

```js
423 |     }
424 |     else if (this.rootPath) {
> 425 |         aLoadLibraryApiJson.push(this.loadJSON(this.rootPath, "resources/" +
426 |             sLibrary.replace(/\./g, "/") +
427 |             "/resources.json").catch(function () {
```

DLL injection API detected — potential process injection attack
Source: ssh://git@github.com/SAP/ui5-migration/blob/8817d6aba5cc72708fed5fabb86770981482faf9/js/src/util/APIInfo.js#L432

```js
430 |         }));
431 |     }
> 432 |     return Promise.all(aLoadLibraryApiJson).then(function (aResults) {
433 |         oLibraryDoc = that.postProcessAPIJSON(oLibraryDoc || EMPTY_LIB_DOC, that.reporter);
434 |         if (aResults.length > 1) {
```
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal: without an attestation the 0.3.0 tarball cannot be tied to the SAP/ui5-migration repository or to any build, and a consumer has only the registry's word that it is what the source produces.
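What a reviewer can check once a version does carry provenance, as an added example for this page (JavaScript; not code from @ui5/migration, npm or Sigstore). It addresses the gap described under Supply chain provenance: with an attestation, the registry's `dist.integrity` for the tarball can be compared with the SLSA statement's subject digest, and the repository the statement says the build ran from can be compared with what package.json declares. The Sigstore signature and transparency-log inclusion are not verified here; `npm audit signatures` or the `sigstore` npm package does that. Every document below is constructed: `0.3.1` is a hypothetical version with an attestation, the commit digest is a placeholder, and the real 0.3.0 has no attestation, as reported above.

```javascript
// Added example, not code from @ui5/migration, npm or Sigstore. Structural
// provenance checks only; the DSSE signature is never verified here.
const SLSA_V1 = 'https://slsa.dev/provenance/v1';

// Constructed packument excerpt in the registry's document shape. 0.3.0 has no
// dist.attestations (the state reported on this page); 0.3.1 is hypothetical.
const PACKUMENT = {
  name: '@ui5/migration',
  repository: { type: 'git', url: 'git+https://github.com/SAP/ui5-migration.git' },
  versions: {
    '0.3.0': { dist: { integrity: 'sha512-' + Buffer.alloc(64, 1).toString('base64') } },
    '0.3.1': {
      dist: {
        integrity: 'sha512-' + Buffer.alloc(64, 2).toString('base64'),
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@ui5%2fmigration@0.3.1',
          provenance: { predicateType: SLSA_V1 },
        },
      },
    },
  },
};

// Step 1: does the registry advertise provenance for this version at all?
function provenanceStatus(packument, version) {
  const dist = packument.versions[version]?.dist;
  if (!dist) return 'unknown-version';
  if (!dist.attestations) return 'missing';
  return dist.attestations.provenance?.predicateType === SLSA_V1 ? 'slsa-v1' : 'other';
}

// npm names the in-toto subject by purl: pkg:npm/%40scope/name@version
function purlFor(name, version) {
  return `pkg:npm/${name.replace(/^@/, '%40')}@${version}`;
}
// dist.integrity is "sha512-<base64>"; the statement carries the digest as hex.
function integrityFromSha512Hex(hex) {
  return 'sha512-' + Buffer.from(hex, 'hex').toString('base64');
}
// DSSE envelope inside a Sigstore bundle; the signature is a placeholder.
function makeBundle(statement) {
  return {
    mediaType: 'application/vnd.dev.sigstore.bundle+json;version=0.2',
    dsseEnvelope: {
      payloadType: 'application/vnd.in-toto+json',
      payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
      signatures: [{ sig: 'PLACEHOLDER-NOT-VERIFIED' }],
    },
  };
}
function decodeStatement(bundle) {
  const env = bundle.dsseEnvelope;
  if (env.payloadType !== 'application/vnd.in-toto+json') throw new Error(`unexpected payloadType ${env.payloadType}`);
  return JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'));
}
// git+https://host/o/r.git and https://host/o/r@ref both become https://host/o/r
function normalizeRepo(url) {
  return url.replace(/^git\+/, '').replace(/@.*$/, '').replace(/\.git$/, '').toLowerCase();
}

// Step 2: consistency between the statement, the tarball record and the
// repository package.json declares. Returns a list of problems (empty = ok).
function checkProvenance(packument, version, bundle) {
  const problems = [];
  const dist = packument.versions[version].dist;
  const stmt = decodeStatement(bundle);
  if (stmt.predicateType !== SLSA_V1) problems.push(`predicateType ${stmt.predicateType}`);
  const subject = (stmt.subject || []).find((s) => s.name === purlFor(packument.name, version));
  if (!subject) problems.push('no subject for this package@version');
  else if (integrityFromSha512Hex(subject.digest.sha512) !== dist.integrity) {
    problems.push('subject sha512 does not match dist.integrity: attested tarball differs');
  }
  const bd = stmt.predicate?.buildDefinition || {};
  const declared = normalizeRepo(packument.repository.url);
  const built = normalizeRepo(bd.externalParameters?.workflow?.repository || '');
  if (built !== declared) problems.push(`built from "${built}", package.json declares "${declared}"`);
  const src = (bd.resolvedDependencies || [])[0];
  if (!/^[0-9a-f]{40}$/.test(src?.digest?.gitCommit || '')) problems.push('no pinned source commit');
  return problems;
}

// Constructed SLSA v1 statement for the hypothetical 0.3.1 build (placeholder commit) ...
const STATEMENT = {
  _type: 'https://in-toto.io/Statement/v1',
  subject: [{ name: purlFor('@ui5/migration', '0.3.1'), digest: { sha512: '02'.repeat(64) } }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      externalParameters: { workflow: { repository: 'https://github.com/SAP/ui5-migration', ref: 'refs/heads/main' } },
      resolvedDependencies: [{ uri: 'git+https://github.com/SAP/ui5-migration@refs/heads/main', digest: { gitCommit: 'a'.repeat(40) } }],
    },
    runDetails: { builder: { id: 'https://github.com/actions/runner/github-hosted' } },
  },
};
const GOOD_BUNDLE = makeBundle(STATEMENT);
// ... and the same statement attesting a different digest: what a swapped tarball looks like.
const TAMPERED_BUNDLE = makeBundle({ ...STATEMENT, subject: [{ name: STATEMENT.subject[0].name, digest: { sha512: '03'.repeat(64) } }] });
```

`provenanceStatus(PACKUMENT, '0.3.0')` returns `missing`, matching this page; for the hypothetical `0.3.1`, `checkProvenance` returns no problems for `GOOD_BUNDLE` and a single digest-mismatch problem for `TAMPERED_BUNDLE`. In practice these checks run after signature verification, never instead of it.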