Bump the non-major group across 1 directory with 4 updates

[dependabot]

Bumps the non-major group with 4 updates in the / directory: @sap/cds-dk, cds-plugin-ui5, ui5-middleware-cap and ui5-middleware-livereload.

Updates @sap/cds-dk from 9.9.1 to 9.9.2

Updates cds-plugin-ui5 from 0.17.1 to 0.17.3

Changelog

Sourced from cds-plugin-ui5's changelog.

0.17.3

Patch Changes

• #1373 3c544b7 Thanks @​petermuessig! - Bump the express peerDependency floor from >=4.18.2 to >=4.19.2 so the declared range no longer permits versions affected by GHSA-rv95-896h-c2vc (open redirect). Closes Dependabot alerts #110, #111, #113, #114, #115, #117.

0.17.2

Patch Changes

• #1370 dd71c42 Thanks @​petermuessig! - Bump runtime dependencies to clear open dependabot alerts and pick up upstream patch releases:
  • cds-plugin-ui5: semver ^7.8.0 → ^7.8.1
  • ui5-middleware-approuter: @sap/approuter ^22.0.0 → ^22.0.1
  • ui5-middleware-serveframework: node-fetch ^2.7.0 → ^3.3.2
  • ui5-middleware-websocket: ws ^8.20.1 → ^8.21.0
  • ui5-task-copyright: @typescript-eslint/typescript-estree ^8.59.3 → ^8.60.0
  • ui5-tooling-transpile: @babel/core, @babel/preset-env, @babel/preset-typescript → ^7.29.7

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

Commits

• a873e21 chore(release): publish
• 3c544b7 fix(security): harden path-segment strip + raise express peerDep floor (#1373)
• 5708388 chore(release): publish
• 04cbb7c chore: prepare for dependabot fixes and modernize bundling
• See full diff in compare view

Updates ui5-middleware-cap from 3.3.4 to 3.3.6

Changelog

Sourced from ui5-middleware-cap's changelog.

3.3.6

Patch Changes

• #1373 3c544b7 Thanks @​petermuessig! - Bump the express peerDependency floor from >=4.18.2 to >=4.19.2 so the declared range no longer permits versions affected by GHSA-rv95-896h-c2vc (open redirect). Closes Dependabot alerts #110, #111, #113, #114, #115, #117.

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

3.3.5 (2026-05-21)

Note: Version bump only for package ui5-middleware-cap

Commits

• a873e21 chore(release): publish
• 3c544b7 fix(security): harden path-segment strip + raise express peerDep floor (#1373)
• 0e1de5b chore(release): publish
• 804db50 chore: simplify LICENSE and standardize README license sections (#1350)
• See full diff in compare view

Updates ui5-middleware-livereload from 3.3.0 to 3.3.1

Release notes

Sourced from ui5-middleware-livereload's releases.

ui5-tooling-modules@3.37.3

Patch Changes

• #1386 f96206f Thanks @​petermuessig! - fix(ui5-tooling-modules): keep Node.js 20 support by holding ignore-walk at ^8.0.0

  ignore-walk@9 is a Node-engines-only bump (no API changes) that raises the required Node.js version to ^22.22.2 || ^24.15.0 || >=26.0.0. Since the only usage site is unchanged between v8 and v9, downgrade to ^8.0.0 so the package keeps working on Node.js 20 (^20.17.0 || >=22.9.0). See DEPENDENCIES.md for the rationale and the conditions under which this hold-back can be lifted.

ui5-tooling-modules@3.37.2

Patch Changes

• #1384 81eb56c Thanks @​petermuessig! - fix(ui5-tooling-modules): align @implements JSDoc with the interfaces metadata declaration in generated WebComponent wrappers

  The generated wrappers (dist/gen/.../<Component>-dbg.js) emitted an @implements JSDoc that did not match the interfaces metadata declaration it was meant to describe. The interfaces declaration was already correct (e.g. ....dist.Button.IButton — the interface as a sibling of its host class module), but the JSDoc was hand-built from ${this.namespace}.${interfaceDef.name} and dropped the dist/<Class> segment entirely.

  The JSDoc emission now reuses the precomputed _ui5QualifiedNameSlashes so it is built from the same source of truth as the metadata, producing the proper named-export module shape (slashes in the module path, dot before the named export, e.g. module:.../dist/Button.IButton). JSDoc and metadata are now in lockstep by construction.

ui5-tooling-transpile@3.11.3

Patch Changes

• #1382 ca396eb Thanks @​petermuessig! - fix(ui5-tooling-transpile): preserve export modifier on top-level declarations in generated .d.ts files

  When the task generates .d.ts files for a TypeScript library it wraps the original source in declare module "<fqn>" { ... } so the emitted type definition references the fully-qualified UI5 module name. TSC's d.ts emitter however strips the export modifier from declarations inside an ambient module body, turning previously-exported type / enum / interface / class / function / const / let / var / namespace declarations into module-private symbols that consumers can no longer import.

  The task now post-processes the emitted d.ts: it collects the names that were re-exported in the original source and re-prepends export to the matching top-level declarations inside the wrapped module body. Names that were never exported in the source remain module-private as before.

  Fixes #1380.

... (truncated)

Changelog

Sourced from ui5-middleware-livereload's changelog.

3.3.1 (2026-05-21)

Note: Version bump only for package ui5-middleware-livereload

Commits

• 0e1de5b chore(release): publish
• 804db50 chore: simplify LICENSE and standardize README license sections (#1350)
• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[akudev]

@dependabot recreate

[akudev]

https://github.com/dependabot recreate