fix(security): resolve all current high/critical vulnerabilities (#4531)

* fix(security): resolve all current high/critical vulnerabilities

* fix(eslint): add rules to handle unresolved imports for @modelcontextprotocol/sdk

* fix(eslint): bump lodash to 4.18.1

Author: mikicvi-SAP

.changeset/security-fix-fe-fpm-writer-xmldom.md

@@ -0,0 +1,5 @@
+---
+"@sap-ux/fe-fpm-writer": patch
+---
+
+chore(fe-fpm-writer): upgrade @xmldom/xmldom 0.8.11 → 0.8.12 (security fix)

.changeset/security-fix-lodash-4-18-0.md

@@ -0,0 +1,18 @@
+---
+"@sap-ux/abap-deploy-config-writer": patch
+"@sap-ux/axios-extension": patch
+"@sap-ux/eslint-plugin-fiori-tools": patch
+"@sap-ux/fiori-app-sub-generator": patch
+"@sap-ux/fiori-elements-writer": patch
+"@sap-ux/fiori-freestyle-writer": patch
+"@sap-ux/flp-config-inquirer": patch
+"@sap-ux/inquirer-common": patch
+"@sap-ux/logger": patch
+"@sap-ux/ui5-application-inquirer": patch
+"@sap-ux/ui5-application-writer": patch
+"@sap-ux/ui5-config": patch
+"@sap-ux/ui5-library-writer": patch
+"@sap-ux/yaml": patch
+---
+
+chore: upgrade lodash 4.17.23 → 4.18.1 (CVE security fix, vulnerable range <=4.17.23)

.changeset/security-fix-mcp-sdk-1-29-0.md

@@ -0,0 +1,5 @@
+---
+"@sap-ux/fiori-mcp-server": patch
+---
+
+chore(fiori-mcp-server): upgrade @modelcontextprotocol/sdk 1.28.0 → 1.29.0 (hono/express-rate-limit/path-to-regexp security fixes)

.changeset/security-fix-xmldom-0-8-12.md

@@ -0,0 +1,5 @@
+---
+"@sap-ux/axios-extension": patch
+---
+
+chore(axios-extension): upgrade @xmldom/xmldom 0.8.11 → 0.8.12 (security fix)

package.json

@@ -36,7 +36,7 @@
         "react-select": "5.10.2",
         "react-virtualized": "9.22.6",
         "rimraf": "6.1.3",
-        "ts-jest": "29.4.6",
+        "ts-jest": "29.4.9",
         "typescript": "5.9.3",
         "typescript-eslint": "8.57.2",
         "update-ts-references": "4.0.0",
@@ -84,13 +84,30 @@
             "@sap/service-provider-apis>axios": "^1.13.5",
             "@sap/subaccount-destination-service-provider>@sap/bas-sdk": "^3.13.3",
             "esbuild@<=0.24.2": ">=0.25.0",
-            "@aws-sdk/xml-builder>fast-xml-parser": "^5.4.1",
-            "@sap-ux/project-access@<1.35.9>fast-xml-parser": "^5.4.1",
-            "lodash": ">=4.17.23",
+            "fast-xml-parser": ">=5.5.6",
+            "@xmldom/xmldom": ">=0.8.12",
+            "node-forge": ">=1.4.0",
+            "express-rate-limit": ">=8.2.2",
+            "serialize-javascript": ">=7.0.5",
+            "drizzle-orm": ">=0.45.2",
+            "socket.io-parser": ">=4.2.6",
+            "underscore": ">=1.13.8",
+            "undici@>=6.0.0 <6.24.0": "^6.24.0",
+            "undici@>=7.0.0 <7.24.0": "^7.24.0",
+            "lodash": ">=4.17.24",
             "mta-local": "1.0.8",
-            "router>path-to-regexp": "0.1.12",
-            "router@^2.0.0>path-to-regexp": "8.2.0",
-            "tar@<7.5.7": ">=7.5.7",
+            "@modelcontextprotocol/sdk": ">=1.29.0",
+            "hono": ">=4.12.12",
+            "@hono/node-server": ">=1.19.13",
+            "handlebars": ">=4.7.9",
+            "flatted": ">=3.4.2",
+            "picomatch@<2.3.2": "2.3.2",
+            "picomatch@>=4.0.0 <4.0.4": "4.0.4",
+            "router>path-to-regexp": "0.1.13",
+            "express>path-to-regexp": "0.1.13",
+            "router@^2.0.0>path-to-regexp": "8.4.0",
+            "tar": ">=7.5.13",
+            "express>qs": "6.14.2",
             "get-uri>basic-ftp": "=5.2.0",
             "@puppeteer/browsers>proxy-agent": ">=6.5.0",
             "minimatch@<3.1.5": "^3.1.5",

packages/abap-deploy-config-writer/package.json

@@ -35,7 +35,7 @@
         "@sap-ux/system-access": "workspace:*",
         "@sap-ux/ui5-config": "workspace:*",
         "fast-glob": "3.3.3",
-        "lodash": "4.17.23",
+        "lodash": "4.18.1",
         "mem-fs": "2.1.0",
         "mem-fs-editor": "9.4.0",
         "semver": "7.7.4"

packages/axios-extension/package.json

@@ -32,11 +32,11 @@
         "axios": "1.13.6",
         "detect-content-type": "1.2.0",
         "fast-xml-parser": "5.5.9",
-        "lodash": "4.17.23",
+        "lodash": "4.18.1",
         "open": "8.4.2",
         "qs": "6.15.0",
         "xpath": "0.0.34",
-        "@xmldom/xmldom": "0.8.11",
+        "@xmldom/xmldom": "0.8.12",
         "https-proxy-agent": "7.0.6",
         "http-proxy-agent": "7.0.2",
         "proxy-from-env": "1.1.0"

packages/control-property-editor-common/package.json

@@ -24,7 +24,7 @@
         "@sap-ux/logger": "workspace:*",
         "npm-run-all2": "8.0.4",
         "rimraf": "6.1.3",
-        "ts-jest": "29.4.6"
+        "ts-jest": "29.4.9"
     },
     "engines": {
         "node": ">=20.x"

packages/control-property-editor/package.json

@@ -52,7 +52,7 @@
         "source-map-support": "0.5.21",
         "stream-browserify": "3.0.0",
         "ts-import-plugin": "3.0.0",
-        "ts-jest": "29.4.6",
+        "ts-jest": "29.4.9",
         "postcss-modules": "6.0.1",
         "ejs": "3.1.10",
         "@ui5/fs": "4.0.5",

packages/eslint-plugin-fiori-tools/package.json

@@ -49,7 +49,7 @@
         "@humanwhocodes/momoa": "^3.3.9",
         "@eslint/plugin-kit": "0.5.0",
         "globals": "17.4.0",
-        "lodash": "4.17.23",
+        "lodash": "4.18.1",
         "requireindex": "^1.2.0",
         "synckit": "0.11.12",
         "yaml": "2.8.3",