
Update xlsx package because vulnerabilities #189

Closed
jonathan-4iTester opened this issue Apr 26, 2023 · 9 comments

Comments

@jonathan-4iTester

Hello,

Could you please update the xlsx dependency lib because the npm audit is reporting this issue:

                   === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution in sheetJS                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xlsx                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.19.3                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-xlsx                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-xlsx > xlsx                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ GHSA-4r6h-8v6p-xvw6                                          │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1044 scanned packages
1 vulnerability requires manual review. See the full report for details.

Best Regards.

@jonathan-4iTester
Author

@mgcrea , any news?

@joyce-4i

joyce-4i commented May 3, 2023

I also have this problem. I was trying to search for a solution but I couldn't find one. The community needs a solution for this problem.

@Cellule

Cellule commented May 3, 2023

See SheetJS/sheetjs#2822 for discussion/information about how to update

@dafanzhi

I followed SheetJS/sheetjs#2822 and reinstalled xlsx, but still got the same vulnerability tips.
What should I do?
I don't know what the relationship between node-xlsx and xlsx is; can you help by providing detailed instructions?
Thanks a lot!

@milpalabras

Until @mgcrea fixes these vulnerabilities, you can add an override in package.json to use the latest xlsx module without vulnerabilities (you need to remove node-xlsx and reinstall it again with the override version in package.json).
See: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

@dafanzhi

@milpalabras, I specified the overrides in package.json, then removed xlsx and node-xlsx and reinstalled them.

Still got the same result.
Can you help by providing detailed instructions to install node-xlsx and eliminate the vulnerability error tips?
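Why the override can appear to do nothing, and how to check the result: the xlsx package on the npm registry stopped at 0.18.5, so nothing installed from the registry can satisfy the ">=0.19.3" range in the audit output; SheetJS ships newer versions as tarballs from its own CDN, and a package.json "overrides" entry is what redirects node-xlsx's transitive xlsx to such a tarball. npm only honours "overrides" from 8.3 onward, and the transcript later in this thread is from npm 6.14.12, which silently ignores the key. The script below is an added example, not node-xlsx's or SheetJS's code: it builds the override, checks the npm version, and scans a package-lock.json for any xlsx copy still below 0.19.3 (npm audit matches on the name and version recorded in the lock file, so a leftover 0.18.5 anywhere in the tree brings the finding back). The CDN tarball URL pattern is assumed from the SheetJS installation docs, and the package.json and lock objects are constructed samples.

```javascript
// Added example (not node-xlsx's or SheetJS's own code): build and verify an
// npm "overrides" workaround for a transitive xlsx dependency.

const PATCHED_FLOOR = '0.19.3';      // "Patched in >=0.19.3" from npm audit
const OVERRIDES_SINCE_NPM = '8.3.0'; // npm added package.json "overrides" in 8.3

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isPatchedXlsx(version) {
  return compareSemver(version, PATCHED_FLOOR) >= 0;
}

// npm 6 and 7 ignore the "overrides" key entirely, so the audit finding stays.
function npmHonoursOverrides(npmVersion) {
  return compareSemver(npmVersion, OVERRIDES_SINCE_NPM) >= 0;
}

// Assumed CDN layout (from the SheetJS install docs):
//   https://cdn.sheetjs.com/xlsx-<ver>/xlsx-<ver>.tgz
function sheetjsTarballUrl(version) {
  if (!isPatchedXlsx(version)) {
    throw new Error(`xlsx ${version} is below the patched floor ${PATCHED_FLOOR}`);
  }
  return `https://cdn.sheetjs.com/xlsx-${version}/xlsx-${version}.tgz`;
}

// Return a copy of a package.json object with the override added. npm applies
// an "overrides" entry to the whole tree, which is what reaches node-xlsx's
// own xlsx dependency; the caller still has to rerun `npm install`.
function withXlsxOverride(pkg, version) {
  return {
    ...pkg,
    overrides: { ...(pkg.overrides || {}), xlsx: sheetjsTarballUrl(version) },
  };
}

// Scan a lockfileVersion 2/3 package-lock.json object. Every key of "packages"
// ending in "node_modules/xlsx" is an installed copy of xlsx; report the ones
// still below the floor, with the path that shows who pulled them in.
function findUnpatchedXlsx(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/xlsx')) continue;
    if (!entry.version || !isPatchedXlsx(entry.version)) {
      out.push({ path, version: entry.version || null });
    }
  }
  return out;
}

// Constructed sample inputs, not files from the thread.
const SAMPLE_PACKAGE_JSON = { name: 'app', dependencies: { 'node-xlsx': '^0.22.0' } };
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/node-xlsx': { version: '0.22.0' },
    'node_modules/xlsx': { version: '0.18.5' }, // registry copy, still flagged
  },
};
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/node-xlsx': { version: '0.22.0' },
    'node_modules/xlsx': {
      version: '0.19.3',
      resolved: 'https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz',
    },
  },
};

console.log(JSON.stringify(withXlsxOverride(SAMPLE_PACKAGE_JSON, '0.19.3'), null, 2));
console.log('unpatched before:', findUnpatchedXlsx(SAMPLE_LOCK_BEFORE));
console.log('unpatched after:', findUnpatchedXlsx(SAMPLE_LOCK_AFTER));
```

Read your real package.json and package-lock.json with `JSON.parse(fs.readFileSync(...))` and feed them to the same functions; an empty result from `findUnpatchedXlsx` after reinstalling is the check that the override actually took effect, independent of what `npm audit` prints.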

@WilhelmStein

WilhelmStein commented May 25, 2023

I made a fork and updated the dependency, but then two tests broke. In inspecting them, I noticed that the tests were only checking the first 10 bytes of the files, which I found a bit odd.

In any case, there seems to be a discrepancy between the 5th byte of the fixture files and the output from the xlsx package. I took a look with a hex editor, and the first 4 bytes seem to conform to the .xlsx file format. I am having some trouble understanding what that change signifies in the 5th byte.

 FAIL  test/specs/build.spec.ts
  ● Console

    console.debug
      Deprecated options['!merges'], please use options.sheetOptions['!merges'] instead.

      at src/index.ts:86:15
          at Array.filter (<anonymous>)

  ● node-xlsx builder › should properly build an XLSX from

    expect(received).toEqual(expected) // deep equality

    - Expected  - 1
    + Received  + 1

    @@ -2,11 +2,11 @@
        "data": Array [
          80,
          75,
          3,
          4,
    -     10,
    +     20,
          0,
          0,
          0,
          0,
          0,

      14 |     expect(result instanceof Buffer).toBeTruthy();
      15 |     // Only check the ten first bytes
    > 16 |     expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
         |                                 ^
      17 |   });
      18 |   it('should handle !merges sheetOption', () => {
      19 |     const expected = readBufferFixture(`sheetOptions.xlsx`);

      at Object.<anonymous> (test/specs/build.spec.ts:16:33)

  ● node-xlsx builder › should handle !merges sheetOption

    expect(received).toEqual(expected) // deep equality

    - Expected  - 1
    + Received  + 1

    @@ -2,11 +2,11 @@
        "data": Array [
          80,
          75,
          3,
          4,
    -     10,
    +     20,
          0,
          0,
          0,
          0,
          0,

      22 |     expect(result instanceof Buffer).toBeTruthy();
      23 |     // Only check the ten first bytes
    > 24 |     expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
         |                                 ^
      25 |   });
      26 |   it('should handle global sheet options', () => {
      27 |     const worksheets = JSON.parse(readFixture(`test.json`));

      at Object.<anonymous> (test/specs/build.spec.ts:24:33)
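The bytes in the two failing assertions above are the start of a ZIP local file header, which is what every .xlsx file begins with: bytes 0 to 3 are the "PK\x03\x04" signature, and bytes 4 and 5 are the little-endian "version needed to extract" field, so 10 versus 20 is 1.0 versus 2.0 in PKZIP notation. The decoder below is an added example, not code from node-xlsx, SheetJS or the commenter; the two 10-byte inputs are constructed from the Jest diff above and the field layout follows the PKZIP APPNOTE.

```javascript
// Added example (not node-xlsx's or SheetJS's own code): decode the start of a
// ZIP local file header so the 10-byte fixture prefixes compared in
// build.spec.ts can be read as fields rather than as opaque numbers.
//
// Local file header layout (PKZIP APPNOTE, all fields little-endian):
//   0  u32  signature                   0x04034b50 ("PK\x03\x04")
//   4  u16  version needed to extract   major*10 + minor (10 = 1.0, 20 = 2.0)
//   6  u16  general-purpose bit flag
//   8  u16  compression method          0 = stored, 8 = deflate
//  10  u16  last-mod time
//  12  u16  last-mod date
//  14  u32  CRC-32
//  18  u32  compressed size
//  22  u32  uncompressed size
//  26  u16  file-name length
//  28  u16  extra-field length
//  30       file name, extra field, then the entry's data

const LOCAL_FILE_HEADER_SIGNATURE = 0x04034b50;

// Decode whatever part of the header is present in `bytes` (Buffer or
// Uint8Array). A 10-byte slice, as in the failing tests, covers the signature,
// the version needed, the flags and the compression method; fields past the
// end of the slice are reported as null rather than guessed.
function parseLocalFileHeader(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const u16 = (off) => (off + 2 <= view.byteLength ? view.getUint16(off, true) : null);
  const u32 = (off) => (off + 4 <= view.byteLength ? view.getUint32(off, true) : null);

  const signature = u32(0);
  const versionNeeded = u16(4);
  return {
    isZipLocalHeader: signature === LOCAL_FILE_HEADER_SIGNATURE,
    versionNeeded,
    versionNeededLabel:
      versionNeeded === null ? null : `${Math.floor(versionNeeded / 10)}.${versionNeeded % 10}`,
    flags: u16(6),
    compressionMethod: u16(8),
    crc32: u32(14),
    compressedSize: u32(18),
    uncompressedSize: u32(22),
    fileNameLength: u16(26),
  };
}

// Report which header fields differ between two prefixes, so a failure like
// the one above is explained in ZIP terms instead of raw byte indices.
function diffHeaderFields(expectedBytes, receivedBytes) {
  const expected = parseLocalFileHeader(expectedBytes);
  const received = parseLocalFileHeader(receivedBytes);
  return Object.keys(expected)
    .filter((field) => expected[field] !== received[field])
    .map((field) => ({ field, expected: expected[field], received: received[field] }));
}

// Constructed inputs: the two 10-byte prefixes from the Jest diff (fixture vs.
// output of the newer xlsx), not real workbook files.
const FIXTURE_PREFIX = Uint8Array.from([80, 75, 3, 4, 10, 0, 0, 0, 0, 0]);
const NEW_XLSX_PREFIX = Uint8Array.from([80, 75, 3, 4, 20, 0, 0, 0, 0, 0]);

console.log(parseLocalFileHeader(FIXTURE_PREFIX));
console.log(diffHeaderFields(FIXTURE_PREFIX, NEW_XLSX_PREFIX));
```

Comparing the first ten bytes pins the test to the ZIP writer's "version needed" field, which any change in the xlsx package's ZIP code can move without the workbook content changing at all; a sturdier assertion parses the produced buffer with xlsx itself and compares the sheet data, or at least asserts only on the fields that matter (signature and compression method).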

@mgcrea
Owner

mgcrea commented May 25, 2023

Just published the v0.22.0 release with updated deps, should fix your issues.

mgcrea closed this as completed May 25, 2023
@dafanzhi

The issue still exists in v0.22.0:

➜ bodhi git:(3.5.11) ✗ npm rm node-xlsx
removed 10 packages and audited 210 packages in 2.095s

14 packages are looking for funding
run npm fund for details

found 1 moderate severity vulnerability
run npm audit fix to fix them, or npm audit for details

╭───────────────────────────────────────────────────────────────╮
│ │
│ New major version of npm available! 6.14.12 → 9.6.7 │
│ Changelog: https://github.com/npm/cli/releases/tag/v9.6.7
│ Run npm install -g npm to update! │
│ │
╰───────────────────────────────────────────────────────────────╯

➜ bodhi git:(3.5.11) ✗ npm rm xlsx
removed 5 packages and audited 209 packages in 1.931s

14 packages are looking for funding
run npm fund for details

found 1 moderate severity vulnerability
run npm audit fix to fix them, or npm audit for details
➜ bodhi git:(3.5.11) ✗ npm install node-xlsx@0.22.0

  • node-xlsx@0.22.0
    added 7 packages from 2 contributors, removed 1 package, updated 3 packages and audited 219 packages in 2.968s

14 packages are looking for funding
run npm fund for details

found 2 vulnerabilities (1 moderate, 1 high)
run npm audit fix to fix them, or npm audit for details

7 participants