HalitTalha / ng-material-extensions

Extended features for @angular/material components
Apache License 2.0

Unable to resolve security vulnerability in mat-table-exporter using npm #181

Open NPcallumt opened 1 year ago

NPcallumt commented 1 year ago

Cannot resolve vulnerability detailed here: https://github.com/advisories/GHSA-4r6h-8v6p-xvw6

mat-table-exporter 15.0.0 (newest version?) depending on xlsx ^0.18.5 and patched version (0.19.3) is not available through npm as detailed here: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

luca-drf commented 1 year ago

Looks like the project is not maintained on GitHub anymore (see: https://github.com/SheetJS/sheetjs/issues/2822#issuecomment-1532922059); not sure why the npm page wasn't updated.

In the meantime, this project could update its package.json with the new xlsx version/source, that is https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

ng-mrk commented 1 year ago

It would be nice if the author could use the tarball instead of the npm package in the package.json!

tw2as commented 1 year ago

> It would be nice if the author could use the tarball instead of the npm package in the package.json!

or switch to another package that is maintained in npm repo

thong-le98 commented 1 year ago

Any solution to this, guys?

VM1801 commented 1 year ago

Same story for me. Adding "xlsx": https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz in resolutions does not help. After the build it throws the following error: "Error: Module not found: Error: Can't resolve 'xlsx/dist/xlsx.mini.min' in 'node_modules/cdk-table-exporter/fesm2020'". Any ideas how to resolve this? I even tried to move xlsx to my project and modify package.json there, but no success.

mmccaugh-polaris commented 2 months ago

I don't know if the owner of the repo is doing anything about this, but I wrote a little Node.js script to remedy the situation a while back:

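    const fs = require('fs/promises');

    // Path to the installed xlsx manifest that the bundler consults.
    const MANIFEST = './node_modules/xlsx/package.json';

    async function run() {
      const pkg = JSON.parse(await fs.readFile(MANIFEST, { encoding: 'utf-8' }));
      // Without an "exports" map every subpath is already resolvable.
      if (!pkg.exports) {
        console.log('xlsx has no exports map; nothing to patch');
        return;
      }
      if ('./dist/xlsx.mini.min' in pkg.exports) {
        console.log('xlsx already exports xlsx.mini.min');
        return;
      }
      // Expose the subpath that cdk-table-exporter imports.
      pkg.exports = {
        ...pkg.exports,
        './dist/xlsx.mini.min': {
          "import": "./dist/xlsx.mini.min.js",
          "types": "./dist/zahl.d.ts"
        }
      };
      await fs.writeFile(MANIFEST, JSON.stringify(pkg), 'utf-8');
      console.log('xlsx now exports xlsx.mini.min');
    }

    // Fail the postinstall step visibly if the manifest cannot be patched.
    run().catch((err) => {
      console.error(err);
      process.exitCode = 1;
    });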

Save that as Add-xlsx-mini-min-export.cjs in your project folder and add the following to your scripts node in package.json:

    "postinstall": "node Add-xlsx-mini-min-export.cjs",

That, with the ..."overrides": { "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz",... line works for me... (and I've upgraded since the last message here, obv).
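Added example, not part of any comment above and not the project's own code: a check that the `overrides` entry actually replaced every installed copy of xlsx, including nested ones. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the function names and the sample lockfile are constructed for illustration, and 0.19.3 is the patched version named in the issue.

```javascript
// Audit a parsed package-lock.json for xlsx copies older than the
// patched release named in this thread.
const PATCHED = '0.19.3'; // patched version as stated in the issue

// Compare dotted numeric versions; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return every installed xlsx copy, including nested ones that an
// override failed to reach, with a verdict for each.
function auditXlsx(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xlsx$/.test(path)) continue;
    const version = entry.version || '0.0.0'; // unknown version counts as old
    findings.push({
      path,
      version,
      resolved: entry.resolved || '(none)',
      vulnerable: compareVersions(version, PATCHED) < 0,
    });
  }
  return findings;
}

// Constructed sample: the top-level copy is overridden, a nested one is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/mat-table-exporter': { version: '15.0.0' },
    'node_modules/xlsx': {
      version: '0.20.2',
      resolved: 'https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz',
    },
    'node_modules/mat-table-exporter/node_modules/xlsx': {
      version: '0.18.5',
      resolved: 'https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz',
    },
  },
};

for (const f of auditXlsx(sampleLock)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'}  ${f.version}  ${f.path}`);
}
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `auditXlsx` in place of `sampleLock`.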