@Marfuen Marfuen commented Dec 5, 2025

What does this PR do?

  • Fixes #XXXX (GitHub issue number)
  • Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

  • Show screen recordings of the issue or feature.
  • Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

  • Add side-by-side screenshots of the original and updated change.
  • Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

comp-ai-code-review bot commented Dec 5, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan found 3 CVEs: xlsx@0.18.5 (Prototype Pollution, ReDoS) and ai@5.0.0 (filetype whitelist bypass). No hardcoded credentials or injection code issues observed.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---------|---------|-----|----------|------|---------|----------|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel's AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

✅ No security issues detected in code changes.


💡 Recommendations

  1. Update xlsx (currently 0.18.5) to a patched release by changing the package.json dependency and reinstalling/locking to the fixed version; verify the SheetJS advisories/changelog for the exact safe version before bumping.
  2. Bump ai from 5.0.0 to >=5.0.52 (per the scan's fixedIn) in package.json and regenerate the lockfile, then run your test suite to confirm behavior.
  3. If your code parses untrusted files with xlsx, add runtime mitigations: validate file type/size before parsing, and sanitize parsed objects to remove keys like `__proto__`/`constructor` or avoid merging parsed data into application prototypes to reduce Prototype Pollution and ReDoS impact.

Powered by Comp AI - AI that handles compliance for you. Reviewed Dec 5, 2025

vercel bot commented Dec 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---------|------------|---------|----------|---------------|
| app | Ready | Preview | Comment | Dec 5, 2025 1:42am |
| portal | Error | | | Dec 5, 2025 1:42am |

@Marfuen Marfuen merged commit a43c514 into main Dec 5, 2025
6 of 8 checks passed
@Marfuen Marfuen deleted the mariano/fix-deps-23414 branch December 5, 2025 01:39
@claudfuen
Contributor

🎉 This PR is included in version 1.67.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
