Update xlsx package because of vulnerabilities
jonathan-4iTester opened this issue · 9 comments
Hello,
Could you please update the xlsx dependency lib because the npm audit is reporting this issue:
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution in sheetJS │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ xlsx │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.19.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-xlsx │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ node-xlsx > xlsx │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ GHSA-4r6h-8v6p-xvw6 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1044 scanned packages
1 vulnerability requires manual review. See the full report for details.
Best Regards.
@mgcrea, any news?
See SheetJS/sheetjs#2822 for discussion/information about how to update
I followed SheetJS/sheetjs#2822 and reinstalled xlsx, but still got the same vulnerability tips:
What should I do?
I don't know what the relationship between node-xlsx and xlsx is; can you help by providing detailed instructions?
Thanks a lot!
Until @mgcrea fixes these vulnerabilities, you can use an override in package.json to use the latest xlsx module without vulnerabilities (you need to remove node-xlsx and reinstall it again with the override version in package.json).
see: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/
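The audit report above only tells you that some copy of `xlsx` reached through `node-xlsx` is below the patched version. Before and after applying an override, the question a reviewer actually wants answered is "which copies of `xlsx` are installed, at what version, and through which path?". The following is an added example, not code from node-xlsx or SheetJS: it walks an `npm ls --json`-shaped dependency tree, reports every `xlsx` instance older than the patched floor the audit names (`>=0.19.3`), and shows how an `overrides` entry is added to a package.json object. The tree and the version numbers in it are constructed for the example, and the override spec is a parameter because the correct value is whatever the SheetJS installation docs linked above currently say.

```javascript
'use strict';

// Compare two dotted versions numerically ("0.18.5" < "0.19.3").
// Prerelease suffixes are ignored; that is enough for the release
// versions involved here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk an `npm ls --json`-shaped tree and list every copy of `name`
// whose version is below `minPatched`, together with the dependency
// path in the same "node-xlsx > xlsx" form that `npm audit` prints.
function findUnpatched(tree, name, minPatched) {
  const hits = [];
  const walk = (node, path) => {
    for (const [dep, info] of Object.entries(node.dependencies || {})) {
      const here = [...path, dep];
      if (dep === name && compareVersions(info.version, minPatched) < 0) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info, here); // nested (non-hoisted) copies live one level down
    }
  };
  walk(tree, []);
  return hits;
}

// Return a copy of a package.json object with an `overrides` entry that
// pins `name` for the whole tree (npm >= 8.3 honours `overrides`).
// `spec` is an assumption left to the caller: use the spec the SheetJS
// installation docs give, not a value guessed here.
function withOverride(pkg, name, spec) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: spec } };
}

// Constructed sample tree (versions made up for the example): node-xlsx
// pulls in an old nested xlsx while a patched copy sits at top level.
const sampleTree = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    'node-xlsx': {
      version: '0.0.0-constructed',
      dependencies: { xlsx: { version: '0.18.5' } },
    },
    xlsx: { version: '0.19.3' },
  },
};

// Only the nested copy is flagged: [{ path: 'node-xlsx > xlsx', version: '0.18.5' }]
console.log(findUnpatched(sampleTree, 'xlsx', '0.19.3'));
console.log(withOverride({ name: 'app' }, 'xlsx', '<spec from SheetJS docs>'));
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of `npm ls --json --all` output; an empty result after reinstalling is the signal that the override took effect for every path, which is what a clean `npm audit` will then confirm.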
@milpalabras, I specified the overrides in the package.json:
then removed xlsx and node-xlsx, and reinstalled them:
Still got the same result.
Can you help to provide detailed instructions to install node-xlsx and eliminate the vulnerabilities error tips?
I made a fork and updated the dependency, but then two tests broke. In inspecting them, I noticed that the tests were only checking the first 10 bytes of the files, which I found a bit odd.
In any case, there seems to be a discrepancy between the 5th byte of the fixture files and the output from the xlsx package. I took a look with a hex editor, and the first 4 bytes seem to conform to the .xlsx file format. I am having some trouble understanding what that change signifies in the 5th byte.
FAIL test/specs/build.spec.ts
● Console
console.debug
Deprecated options['!merges'], please use options.sheetOptions['!merges'] instead.
at src/index.ts:86:15
at Array.filter (<anonymous>)
● node-xlsx builder › should properly build an XLSX from
expect(received).toEqual(expected) // deep equality
- Expected - 1
+ Received + 1
@@ -2,11 +2,11 @@
"data": Array [
80,
75,
3,
4,
- 10,
+ 20,
0,
0,
0,
0,
0,
14 | expect(result instanceof Buffer).toBeTruthy();
15 | // Only check the ten first bytes
> 16 | expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
| ^
17 | });
18 | it('should handle !merges sheetOption', () => {
19 | const expected = readBufferFixture(`sheetOptions.xlsx`);
at Object.<anonymous> (test/specs/build.spec.ts:16:33)
● node-xlsx builder › should handle !merges sheetOption
expect(received).toEqual(expected) // deep equality
- Expected - 1
+ Received + 1
@@ -2,11 +2,11 @@
"data": Array [
80,
75,
3,
4,
- 10,
+ 20,
0,
0,
0,
0,
0,
22 | expect(result instanceof Buffer).toBeTruthy();
23 | // Only check the ten first bytes
> 24 | expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
| ^
25 | });
26 | it('should handle global sheet options', () => {
27 | const worksheets = JSON.parse(readFixture(`test.json`));
at Object.<anonymous> (test/specs/build.spec.ts:24:33)
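An .xlsx file is a ZIP archive, so the ten bytes the test compares are the start of the first ZIP local file header: `50 4B 03 04` is the header signature, and the two bytes at offset 4 are the little-endian "version needed to extract" field, where 10 encodes 1.0 and 20 encodes 2.0 (PKWARE APPNOTE layout). The differing 5th byte is therefore container metadata chosen by the ZIP writer, not spreadsheet content, which is why a first-10-bytes comparison breaks when the underlying library changes its writer. The following is an added example, not node-xlsx's or SheetJS's code: it parses the fixed part of a local file header (tolerating a truncated prefix), reports which named fields differ between two headers, and builds a header so the parser can be checked round-trip. The two 10-byte prefixes are taken from the test output above; the full header is constructed for the example.

```javascript
'use strict';

const LOCAL_HEADER_SIGNATURE = 0x04034b50; // "PK\x03\x04" read little-endian

// "version needed to extract" is stored as major*10 + minor.
function describeVersionNeeded(v) {
  return `${Math.floor(v / 10)}.${v % 10}`;
}

// Parse the 30-byte fixed part of a ZIP local file header plus the file
// name. Fields that lie beyond the end of `buf` come back as null, so a
// 10-byte prefix like the one the test compares still yields the first
// three fields.
function parseLocalFileHeader(buf) {
  if (buf.length < 4 || buf.readUInt32LE(0) !== LOCAL_HEADER_SIGNATURE) {
    throw new Error('not a ZIP local file header (expected PK\\x03\\x04)');
  }
  const u16 = (off) => (buf.length >= off + 2 ? buf.readUInt16LE(off) : null);
  const u32 = (off) => (buf.length >= off + 4 ? buf.readUInt32LE(off) : null);
  const nameLen = u16(26);
  return {
    signature: 'PK\\x03\\x04',
    versionNeeded: u16(4),      // the field behind the "5th byte" in the diff
    flags: u16(6),
    compressionMethod: u16(8),  // 0 = stored, 8 = deflate
    lastModTime: u16(10),
    lastModDate: u16(12),
    crc32: u32(14),
    compressedSize: u32(18),
    uncompressedSize: u32(22),
    fileNameLength: nameLen,
    extraFieldLength: u16(28),
    fileName:
      nameLen !== null && buf.length >= 30 + nameLen
        ? buf.toString('utf8', 30, 30 + nameLen)
        : null,
  };
}

// Build a local file header for the given fields (no extra field).
function buildLocalFileHeader(f) {
  const name = Buffer.from(f.fileName, 'utf8');
  const buf = Buffer.alloc(30 + name.length);
  buf.writeUInt32LE(LOCAL_HEADER_SIGNATURE, 0);
  buf.writeUInt16LE(f.versionNeeded, 4);
  buf.writeUInt16LE(f.flags || 0, 6);
  buf.writeUInt16LE(f.compressionMethod, 8);
  buf.writeUInt16LE(f.lastModTime || 0, 10);
  buf.writeUInt16LE(f.lastModDate || 0, 12);
  buf.writeUInt32LE(f.crc32 >>> 0, 14);
  buf.writeUInt32LE(f.compressedSize, 18);
  buf.writeUInt32LE(f.uncompressedSize, 22);
  buf.writeUInt16LE(name.length, 26);
  buf.writeUInt16LE(0, 28);
  name.copy(buf, 30);
  return buf;
}

// List the named fields whose values differ between two header buffers.
function diffHeaders(a, b) {
  const ha = parseLocalFileHeader(a);
  const hb = parseLocalFileHeader(b);
  return Object.keys(ha)
    .filter((k) => ha[k] !== hb[k])
    .map((k) => ({ field: k, expected: ha[k], received: hb[k] }));
}

// The two 10-byte prefixes from the failing test (fixture vs. new output).
const fixturePrefix = Buffer.from([80, 75, 3, 4, 10, 0, 0, 0, 0, 0]);
const receivedPrefix = Buffer.from([80, 75, 3, 4, 20, 0, 0, 0, 0, 0]);

// Constructed full header, used to exercise the parser end to end.
const sampleHeader = buildLocalFileHeader({
  versionNeeded: 20,
  compressionMethod: 8,
  crc32: 0x12345678,
  compressedSize: 5,
  uncompressedSize: 9,
  fileName: '[Content_Types].xml',
});

// Prints [{ field: 'versionNeeded', expected: 10, received: 20 }]
console.log(diffHeaders(fixturePrefix, receivedPrefix));
console.log(parseLocalFileHeader(sampleHeader));
```

The defensible fix for the test is to compare what the file contains rather than how its container was written: unzip both buffers and compare the sheet XML (or, at minimum, parse the produced buffer back with the library and compare the cell values), so that a ZIP-writer change in a dependency update cannot masquerade as a regression.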
Just published the v0.22.0 release with updated deps, should fix your issues.
The issue still exists in v0.22.0:
➜ bodhi git:(3.5.11) ✗ npm rm node-xlsx
removed 10 packages and audited 210 packages in 2.095s
14 packages are looking for funding
run npm fund
for details
found 1 moderate severity vulnerability
run npm audit fix
to fix them, or npm audit
for details
╭───────────────────────────────────────────────────────────────╮
│ │
│ New major version of npm available! 6.14.12 → 9.6.7 │
│ Changelog: https://github.com/npm/cli/releases/tag/v9.6.7 │
│ Run npm install -g npm to update! │
│ │
╰───────────────────────────────────────────────────────────────╯
➜ bodhi git:(3.5.11) ✗ npm rm xlsx
removed 5 packages and audited 209 packages in 1.931s
14 packages are looking for funding
run npm fund
for details
found 1 moderate severity vulnerability
run npm audit fix
to fix them, or npm audit
for details
➜ bodhi git:(3.5.11) ✗ npm install node-xlsx@0.22.0
- node-xlsx@0.22.0
added 7 packages from 2 contributors, removed 1 package, updated 3 packages and audited 219 packages in 2.968s
14 packages are looking for funding
run npm fund
for details
found 2 vulnerabilities (1 moderate, 1 high)
run npm audit fix
to fix them, or npm audit
for details