[Security] Prototype Pollution in sheetJS #2822
Comments
|
Ah I can see your meant to do |
|
Hi guys, Does anyone know if they have plans to publish this version here on github? |
|
+1 for an update on this? |
|
Why is this not published to NPM ? |
|
As explained in the Readme, this project is no longer maintained on Github and no longer published to npm. Lines 3 to 16 in 5b4806b Relevant issue as to "why" they no longer publish on npm I am too a little concerned about how future CVE will be reported and notify users. I feel the switch out of npm didn't take into account security concerns. |
|
Opened another issue on their tracker for future CVE alerting (not explicit of this particular CVE), but more a concern for the future for people switching from NPM to their CDN |
|
That really is piss poor communication on the sheetjs team's part, having it just in their docs is not a wide enough reach to everyone that uses this package, there is nothing in the github readme or on the npm page about essentially the deprecation of the package on npmjs. They should throw up a banner or a message about it, especially for a package that gets 2 million weekly downloads... I have the same concerns especially about missing out on future security issues with this package now that we have to use the CDN to get updates. I'm also weary about using smaller CDN's, there's a reason why npmjs is the standard and will be around much longer than sheetjs Just to note for others you don't have to use yarn to install from the CDN you can still use npm or pnpm: pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz |
All the info so far(please let me know if anything's missing, so I can edit this comment) Update to the new CDNnpmnpm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgzpnpmpnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgzpnpmyarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgzWhy you need to updateThe GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here |
…nerability. See SheetJS/sheetjs#2822. Also upgrade Mocha to 10.2.0 to avoid other vulnerabilities mentioned by npm audit.
|
I tried yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz, what should id do? |
|
@dafanzhi seems like you're using npm, and not yarn... So you should use |
|
got the same result via npm: |
|
@dafanzhi Did you uninstall the old version? |
i've tried removing the old version before reinstall, but still got the same: As you can see, the problem is the xlsx is already the latest version and installed without any error tips, but the node-xlsx which depends on xlsx can not be installed properly, even i specified the overrides in the package.json: So, what detailed instructions should i follow to eliminate the vulnerabilities error tips for the xlsx in node-xlsx? |
Works Great. Thank you. Although, I wonder... Are there any breaking changes to it? I haven't found any information regarding the release notes... |
|
Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue and nor will they update the npm readme with a notice of this change |
|
@Zainzzkk you can try excel4node.
|
|
Hi team getting below error for |
I'm having good results with https://github.com/exceljs/exceljs |
|
Hey, folks! I made a little tool that allows you to continue using xlsx in your projects. It checks for updates from the sheetjs selfhosted git repository every day, and if there is a new version there, it is automatically published to npm. The publishing is signed via provenance to prevent extraneous modifications to the project (unless the sheetjs developers themselves come in to sabotage everything, of course). All code is available for audit here https://github.com/e965/sheetjs-npm-publisher Installation into your project is also very easy: - "xlsx": "0.18.5",
+ "xlsx": "npm:@e965/xlsx@0.20.0",(or just install the package directly and fix all the imports in your code) |
|
I think the truth is they tried to commercialize this project and don't want to support the open source version anymore so they used the lamest excuse possible (NPM is forcing us to use 2FA) to break the open source delivery mechanism and try to squeeze people into using the pro version. |
Exceljs is great but it have one for us important flaw - it supports just .XLSX or .CSV formats and doesn't support older .XLS files. So for that reason we are still using also xlsx package. |
|
@e965 we are using mat table exporter which is internally using cdk table exporter and dependent on xlsx package, so I have created two dummy npm packages for mat table exporter and cdk table exporter and the installed @e965/xlsx as dependency which replacing xlsx. but I am getting below errors /node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:130:21-54 - Error: Module not found: Error: Can't resolve 'xlsx/dist/xlsx.mini.min' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020' ./node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:132:21-35 - Error: Module not found: Error: Can't resolve 'xlsx' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020' updated all the dependencies and imports from xlsx to @e965/xlsx, but still getting the same. Below are the dummy packages I published https://www.npmjs.com/package/config-mat-table-exporter?activeTab=code |
I think it's worth mentioning that their CDN appears to only be using a self-signed certificate, which npm will not like without you jumping through a bunch of hoops. That's a deal breaker for me. |
|
@mikeplacko would this answer suit you better? #2822 (comment) |
That did work. It did not throw an SSL warning and it seems as legitimate as any other NPM package security wise. Maybe I'm nit picking a bit with the self-signed certificate, but I feel like that's a really low bar to meet in 2023. |
|
@SheetJSDev could you guys please mark the last package on NPM as deprecated? For you guys it's a minute fix but a timesaver for all (thousands of) people that are using your package. Cheers |
|
Some production networks allow only npmjs.org for repositories. Having an exception like |
It looks ugly. I don't like it at all. Hope it's going to be published to NPM as soon as possible. |
|
I have created a script that republishes the package automatically to NPM.
|
|
@NoNameProvided competition is wonderful 🙂 |
|
Oh, dang, I didn't see that! I came from the above-linked issue and only commented here after I had made my script. It seems you build from source code which may result in different package content than the actually published artifacts. I have decided to republish the tarball they publish on their own CDN. It ensures you get the exact same content the developers intended. It's a subtle but important difference. |
|
@NoNameProvided Yes and no - right now, given that the content of our packages is identical, both of our solutions are correct. But I agree that in the possible future your strategy is more correct. |
and others
[Security] Prototype Pollution in sheetJS
GHSA-4r6h-8v6p-xvw6
Affected version: 0.19.3
Description
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md
The text was updated successfully, but these errors were encountered: