Best Practices


    Managing Dependencies

    Projects using CAP need to manage dependencies to the respective tools and libraries in their package.json and/or pom.xml respectively. Follow the guidelines to make sure that you consume the latest fixes and avoid vulnerabilities and version incompatibilities. These guidelines apply to you as a consumer of reuse packages as well as a provider of such reuse packages.

    Always Use the Latest Minor Releases → for Example, ^3.1.0

    This applies to both, @sap packages as well as open source ones. It makes sure that your projects receive important fixes during development. It also makes sure that bundles have a minimal footprint by leveraging npm’s dedupe feature.


    "dependencies": {
      "@sap/cds": "^3.1.0",
      "@sap/some-reuse-package": "^1.1.2",
      "express": "^4.16.4"

    We recommend using the caret form, that is, ^1.0.2 to add your dependencies, which are also the default for npm install, as that clearly captures the minimum patch version.

    We also recommend running npm update regularly and frequently during development to ensure that you receive the latest fixes.

    Keep Open Ranges When Publishing for Reuse

    Let’s explain this by looking at counter examples.

    Let’s assume that you’ve developed a reuse package that others can use in their projects, and you also use a reuse package. For whatever reason, you decided to violate the previous rules and use exact dependencies in your package.json as follows:

    "name": "@sap/your-reuse-package",
    "version": "1.1.2",
    "dependencies": {
      "@sap/cds": "3.0.3",
      "@sap/foundation": "2.0.1",
      "express": "4.16.3"

    The effect would be as follows:

    1. Consuming projects would get duplicate versions of each package that they also use directly, for example, @sap/cds, @sap/foundation, and express.
    2. Consuming projects wouldn’t receive important fixes for the packages used in your implementations unless you also provide an update.
    3. It wouldn’t be possible to reuse CDS models from common reuse packages (for example, would already fail for @sap/cds/common).

    Therefore, the rules when publishing packages for reuse are:

    • Keep the open ranges in your package.json (just don’t touch them).
    • Do an npm update before publishing and test thoroughly. (→ ideally automated in your CI/CD pipeline).
    • Do the vulnerability checks for your software and all open-source software used by you or by packages you used (→ Minimize Usage of Open Source Packages).
    • Don’t do npm shrinkwrap → see also npm’s docs: “It’s discouraged for library authors to publish this file, …”

    If both your package and a consuming package reuse the same CDS models, loading those models would fail because it’s impossible to automatically merge the two versions, nor is it possible to load two independent versions. The reason for this is that it’s reusing models that share the same single definitions.

    Shrinkwrap When Releasing to End Consumers

    When releasing a service or an application to end consumers, use npm shrinkwrap to ensure frozen dependencies. This allows you to guarantee that it works correctly as it did the last time you tested it and checked it for vulnerabilities.

    Overall, the process for your release should include these steps:

    npm update      # ensure you got latest fixes
    npm dedupe      # ensure all is in shape
    npm shrinkwrap  # freeze dependencies
    # conduct all test and vulnerability checks

    The npm-shrinkwrap.json file in your project root freezes all dependencies and is shipped and deployed with your package. Subsequent npm installs, such as by users or by cloud deployers or build packs, always get the same versions, which you checked upon your release.

    This ensures that the deployed tool/service/app doesn’t receive new vulnerabilities, for example, through updated open source packages, without you being able to apply the necessary tests as prescribed by our security standards.

    Minimize Usage of Open Source Packages

    This rule for keeping open ranges for dependencies during development, as well as when publishing for reuse, also applies for open source packages.

    Because open source packages are less reliable with respect to vulnerability checks, this means that end-of-chain projects have to ensure respective checks for all the open source packages they use directly, as well as those they ‘inherit’ transitively from reuse packages.

    So, always take into account these rules:

    • When releasing to end consumers, you always have to conduct vulnerability checks for all open source packages that you used directly or transitively.

    • As a provider of reuse packages you should minimize the usage of open source packages to a reasonable minimum.

    Q: Why not freeze open source dependencies when releasing for reuse?

    A: Because that would only affect directly consumed packages, while packages from transitive dependencies would still reach your consumers.

    A good approach is to also provide certain features in combination with third-party packages, but to keep them, and hence the dependencies, optional; for example, express.js does this.

    Upgrade to Latest Majors as Soon as Possible

    As providers of evolving SDKs we provide major feature updates, enhancements, and improvements in 6-12 month release cycles. These updates come with an increment of major release numbers.

    At the same time, we can’t maintain and support unlimited numbers of branches with fixes. The following rules apply:

    • Fixes and nonbreaking enhancements are made available frequently in upstream release branches (current major).
    • Critical fixes also reach recent majors in a 2-month grace period.

    To make sure that you receive ongoing fixes, make sure to also adopt the latest major releases in a timely fashion in your actively maintained projects, that is, following the 6-12 month cycle.

    Additional Advice

    Using package-lock.json — To ensure reproducible setups with your teammates in a project, you might want to consider using package-lock.json as recommended by npm.

    Note that this is in line with the guidelines and previous recommendations. Use npm update frequently during development and check in the updated package-lock.json file subsequently to share the updated setup again in your project.

    Securing Your Application

    To keep builds as small as possible, the Node.js runtime doesn’t bring any potentially unnecessary dependencies and, hence, doesn’t automatically mount any express middlewares, such as the popular helmet and csurf.

    However, application developers can easily mount custom or best-practice express middlewares using the bootstrapping mechanism.


    // local ./server.js
    const cds = require('@sap/cds')
    const helmet = require('helmet')
    cds.on('bootstrap', (app) => {
    module.exports = cds.server // > delegate to default server.js

    Consult sources such as Express’ Production Best Practices: Security documentation for state of the art application security.

    Content Security Policy (CSP)

    Creating a Content Security Policy (CSP) is a major building block in securing your web application.

    helmet provides a default policy out-of-the-box that you can also customize as follows:

    cds.on('bootstrap', (app) => {
        contentSecurityPolicy: {
          directives: {
            // custom settings

    Consult OpenUI5 Content Security Policy documentation for the list of directives that SAPUI5 requires.

    Cross-Site Request Forgery (CSRF) Token

    For a SAPUI5 (SAP Fiori/SAP Fiori Elements) application developer, CSRF token handling is transparent. There’s no need to program or to configure anything in additional. In case the server rejects the request with 403 and “X-CSRF-Token: required”, the UI sends a HEAD request to the service document to fetch a new token.

    ❗ The request must never be cacheable.

    Learn more about CSRF tokens and SAPUI5 in the Cross-Site Scripting documentation.

    On the backend side, except for handling the HEAD request mentioned previously, also the handlers for each CSRF protected method and path should be added. In the following example, the POST method is protected.

    If you use SAP Fiori Elements, requests to the backend are sent as batch requests using the POST method. In this case, an arbitrary POST request should be protected.

    As already mentioned, in case the server rejects because of a bad CSRF token, the response with a status 403 and a header “X-CSRF-Token: required” should be returned to the UI. For this purpose, the error handling in the following example is extended:

    cds.on('bootstrap',async(app) => {
      var csrfProtection = csrf({ cookie: true })
      var parseForm = express.urlencoded({ extended: false })
      // TODO: provide actual service endpoints of served services
      // Needs to be adapted for non-Fiori Elements UIs
      app.head('/<service endpoint>', csrfProtection, function (req, res) {
        res.set('X-CSRF-Token', req.csrfToken())
      // TODO: provide actual service endpoints of served services
      // Needs to be adapted for non-Fiori Elements UIs'/<service endpoint>/$batch', parseForm, csrfProtection, function (req, res, next) {
      app.use(function (err, req, res, next) {
        if (err.code !== 'EBADCSRFTOKEN') return next(err)
        res.set('X-CSRF-Token', 'required')

    Learn more about backend coding in the csurf documentation.

    If you’re using horizontal scaling of Node.js virtual machines, the CSRF handling should be done at the approuter level.

    Availability Checks

    To proactively identify problems, projects should set up availability monitoring for all the components involved in their solution.

    Anonymous Ping

    An anonymous ping service should be implemented with the least overhead possible. Hence, it should not use any authentication or authorization mechanism, but simply respond to whoever is asking.

    The Node.js runtime does not yet provide an out of the box solution for availability monitoring. However, the anonymous ping endpoint can be easily provided via a custom express middleware as follows.

    cds.on('bootstrap', app => {
      app.get('/health', (_, res) => {

    Error Handling

    Good error handling is important to ensure the correctness and performance of the running app and developer productivity. We will give you a brief overview of common best practices.

    Error Types

    We need to distinguish between two types of errors:

    • Programming errors: These occur because of some programming mistakes (for example, cannot read 'foo' of undefined). They need to be fixed.
    • Operational errors: These occur during the operation (for example, when a request is sent to an erroneous remote system). They need to be handled.


    Let It Crash

    ‘Let it crash’ is a philosophy coming from the Erlang programming language (Joe Armstrong) which can also be (partially) applied to Node.js.

    The most important aspects for programming errors are:

    • Fail loudly: Do not hide errors and silently continue. Make sure that unexpected errors are correctly logged. Do not catch errors you can’t handle.
    • Don’t program in a defensive way: Concentrate on your business logic and only handle errors if you know that they occur. Only use try/catch blocks when necessary.

    Never attempt to catch and handle unexpected errors, promise rejections, etc. If it’s unexpected, you can’t handle it correctly. If you could, it would be expected (and should already be handled). Even though your apps should be stateless, you can never be 100% certain that any shared resource wasn’t affected by the unexpected error. Hence, you should never keep an app running after such an event, especially in multi-tenant apps that bear the risk of information disclosure.

    This will make your code shorter, clearer, and simpler.

    Don’t Hide Origins of Errors

    If an error occurs, it should be possible to know the origin. If you catch errors and re-throw them without the original information, it becomes hard to find and fix the root cause.


    try {
      // something
    } catch (e) {
      // augment instead of replace details
      e.message = 'Oh no! ' + e.message
      e.additionalInfo = 'This is just an example.'
      // re-throw same object
      throw e

    In rare cases, throwing a new error is necessary, for example, if the original error has sensitive details that should not be propagated any further. This should be kept to an absolute minimum.

    Further Readings

    The following articles might be of interest:


    When using timestamps (for example for managed dates) the Node.js runtime offers a way to easily deal with that without knowing the format of the time string. The req object contains a property timestamp that holds the current time (specifically new Date(), which is comparable to CURRENT_TIMESTAMP in SQL). It also stays the same until the request finished, so if it is used in multiple places in the same transaction or request it will always be the same.


    srv.before("UPDATE", "EntityName", (req) => {
      const now = req.timestamp; = now;

    Internally the timestamp is a Javascript Date object, that is converted to the right format, when sent to the database. So if in any case a date string is needed, the best solution would be to initialize a Date object, that is then translated to the correct UTC String for the database.

    Show/Hide Beta Features