SheetJS / sheetjs

📗 SheetJS Spreadsheet Data Toolkit -- New home https://git.sheetjs.com/SheetJS/sheetjs
https://sheetjs.com/
Apache License 2.0

[Security] Prototype Pollution in sheetJS #2822

Open lukewang2018 opened 1 year ago

lukewang2018 commented 1 year ago

[Security] Prototype Pollution in sheetJS

https://github.com/advisories/GHSA-4r6h-8v6p-xvw6

Affected version: 0.19.3

Description

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-30533
https://cdn.sheetjs.com/advisories/CVE-2023-30533
https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md

mushishi78 commented 1 year ago

Am I the only one confused that it says it's fixed in 0.19.3 but the latest release of this is 0.18.5?

Ah, I can see you're meant to do yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz. Don't mind me. https://docs.sheetjs.com/docs/getting-started/installation/nodejs

amorimrafael commented 1 year ago

Hi guys,

Does anyone know if they have plans to publish this version here on github?

invaderb commented 1 year ago

+1 for an update on this?

jimmykane commented 1 year ago

Why is this not published to NPM?

Cellule commented 1 year ago

As explained in the Readme, this project is no longer maintained on Github and no longer published to npm. I don't know the reasons why, but moving forward you are supposed to install using their cdn:

yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

https://github.com/SheetJS/sheetjs/blob/5b4806bff01a9f4289b4c04e8a60a6c4c52fe93a/README.md#L3-L16

Relevant issue as to "why" they no longer publish on npm https://git.sheetjs.com/sheetjs/sheetjs/issues/2667

I too am a little concerned about how future CVEs will be reported and users notified. I feel the switch away from npm didn't take security concerns into account.

Cellule commented 1 year ago

Opened another issue on their tracker for future CVE alerting (not specifically about this particular CVE, but more a concern for the future for people switching from NPM to their CDN): https://git.sheetjs.com/sheetjs/sheetjs/issues/2935

invaderb commented 1 year ago

That really is piss poor communication on the sheetjs team's part. Having it just in their docs is not a wide enough reach to everyone that uses this package; there is nothing in the GitHub readme or on the npm page about what is essentially the deprecation of the package on npmjs. They should throw up a banner or a message about it, especially for a package that gets 2 million weekly downloads...

I have the same concerns, especially about missing out on future security issues with this package now that we have to use the CDN to get updates. I'm also wary about using smaller CDNs; there's a reason why npmjs is the standard and will be around much longer than sheetjs.

Just to note for others: you don't have to use yarn to install from the CDN, you can still use npm or pnpm:

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Snailedlt commented 1 year ago

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

yarn

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

dafanzhi commented 1 year ago

I tried yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz, then ran npm audit and still got the vulnerability tips.

What should I do?

Snailedlt commented 1 year ago

@dafanzhi seems like you're using npm, and not yarn... So you should use npm install instead of yarn add

dafanzhi commented 1 year ago

Got the same result via npm.

Snailedlt commented 1 year ago

@dafanzhi Did you uninstall the old version?

dafanzhi commented 1 year ago

@dafanzhi Did you uninstall the old version?

I've tried removing the old version before reinstalling, but still got the same.

As you can see, the problem is that xlsx is already the latest version and installed without any error tips, but node-xlsx, which depends on xlsx, cannot be installed properly, even though I specified the overrides in package.json.

So, what detailed instructions should I follow to eliminate the vulnerability error tips for the xlsx in node-xlsx?
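The nested-copy problem described above (a fixed root xlsx while node-xlsx still carries its own old one) can be checked from the lockfile. The following is an added example, not code from the thread or from the SheetJS project: it walks the `packages` map of a package-lock.json (v2/v3), reports every installed copy of xlsx, and flags those older than 0.19.3. The sample lockfile is constructed; the `name` field for aliased installs follows npm lockfile v2/v3 behaviour.

```javascript
// Added example (not SheetJS or thread code): scan a package-lock.json (v2/v3)
// for every installed copy of "xlsx", including nested copies such as
// node_modules/node-xlsx/node_modules/xlsx, and flag any older than 0.19.3.
const FIXED_VERSION = "0.19.3"; // first SheetJS CE release with the fix for CVE-2023-30533

// Negative if a < b, 0 if equal, positive if a > b (major.minor.patch only;
// a pre-release suffix such as "-beta" is ignored, missing parts count as 0).
function compareVersions(a, b) {
  const parse = v => v.split("-")[0].split(".").map(n => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// lockText: the text of package-lock.json. Returns one record per installed
// copy of xlsx: where it lives, which package really sits there, its version,
// where it was fetched from, and whether it predates the fixed release.
function auditXlsx(lockText) {
  const lock = JSON.parse(lockText);
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/xlsx")) continue;
    // An aliased install ("xlsx": "npm:@e965/xlsx@...") keeps the folder name
    // xlsx but records the real package in "name" (lockfile v2/v3 behaviour).
    results.push({
      path,
      package: meta.name || "xlsx",
      version: meta.version,
      resolved: meta.resolved || "",
      vulnerable: compareVersions(meta.version, FIXED_VERSION) < 0,
    });
  }
  return results;
}

// Constructed sample lockfile (not a real project): the root xlsx was updated
// from the CDN tarball, but node-xlsx still pulls in a stale nested copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/xlsx": { version: "0.19.3", resolved: "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz" },
    "node_modules/node-xlsx": { version: "0.0.0-constructed", dependencies: { xlsx: "^0.18.5" } },
    "node_modules/node-xlsx/node_modules/xlsx": { version: "0.18.5", resolved: "https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz" },
  },
});

for (const r of auditXlsx(SAMPLE_LOCK)) console.log(r.vulnerable ? "VULNERABLE" : "ok", r.path, r.package, r.version);
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; any record with `vulnerable: true` is a copy that `npm audit` will keep reporting until the dependent package (node-xlsx here) is overridden or updated.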

knoxgon commented 1 year ago

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

yarn

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

Works Great. Thank you. Although, I wonder... Are there any breaking changes to it? I haven't found any information regarding the release notes...

Zainzzkk commented 1 year ago

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue, nor will they update the npm readme with a notice of this change.

lukewang2018 commented 1 year ago

@Zainzzkk you can try excel4node.

"excel4node": "^1.8.2",

https://github.com/advisr-io/excel4node

rupeshdeotale97 commented 1 year ago

Hi team, getting the below error for:

$ npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz failed, reason: unable to get local issuer certificate

codeams commented 1 year ago

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue, nor will they update the npm readme with a notice of this change.

I'm having good results with https://github.com/exceljs/exceljs

e965 commented 11 months ago

Hey, folks! I made a little tool that allows you to continue using xlsx in your projects. It checks for updates from the sheetjs selfhosted git repository every day, and if there is a new version there, it is automatically published to npm. The publishing is signed via provenance to prevent extraneous modifications to the project (unless the sheetjs developers themselves come in to sabotage everything, of course).

All code is available for audit here https://github.com/e965/sheetjs-npm-publisher

Installation into your project is also very easy:

- "xlsx": "0.18.5",
+ "xlsx": "npm:@e965/xlsx@0.20.0",
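Review bot: the replacement line pins an exact version, `"npm:@e965/xlsx@0.20.0"`, so later releases the mirror republishes (including any future security fix) will not be picked up until this line is edited again; a range such as `"npm:@e965/xlsx@^0.20.0"` would track them. The removed `0.18.5` line was an exact pin too, so otherwise the change is a like-for-like swap of the source, not of the update policy.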

(or just install the package directly and fix all the imports in your code)

brettwgreen commented 11 months ago

I think the truth is they tried to commercialize this project and don't want to support the open source version anymore so they used the lamest excuse possible (NPM is forcing us to use 2FA) to break the open source delivery mechanism and try to squeeze people into using the pro version.

LukasNemcik commented 9 months ago

Does anyone have any other recommendations for similar packages to use instead of SheetJS? Considering the devs won't reply to us anymore, won't implement 2FA to fix this whole issue, nor will they update the npm readme with a notice of this change.

I'm having good results with https://github.com/exceljs/exceljs

Exceljs is great, but it has one flaw that is important for us: it supports just the .XLSX and .CSV formats and doesn't support older .XLS files. So for that reason we are still also using the xlsx package.

vasudevaraopaila commented 9 months ago

@e965 we are using mat table exporter, which internally uses cdk table exporter and depends on the xlsx package, so I have created two dummy npm packages for mat table exporter and cdk table exporter and installed @e965/xlsx as a dependency replacing xlsx, but I am getting the below errors:

/node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:130:21-54 - Error: Module not found: Error: Can't resolve 'xlsx/dist/xlsx.mini.min' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020'

./node_modules/config-table-exporter/fesm2020/cdk-table-exporter.mjs:132:21-35 - Error: Module not found: Error: Can't resolve 'xlsx' in 'D:\Projects\Sample_project\Sample_project\node_modules\config-table-exporter\fesm2020'

I updated all the dependencies and imports from xlsx to @e965/xlsx, but am still getting the same. Below are the dummy packages I published:

https://www.npmjs.com/package/config-mat-table-exporter?activeTab=code https://www.npmjs.com/package/config-table-exporter?activeTab=code

mikeplacko commented 7 months ago

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

yarn

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here

I think it's worth mentioning that their CDN appears to only be using a self-signed certificate, which npm will not like without you jumping through a bunch of hoops. That's a deal breaker for me.

Snailedlt commented 7 months ago

@mikeplacko would this answer suit you better? https://github.com/SheetJS/sheetjs/issues/2822#issuecomment-1668303942

mikeplacko commented 7 months ago

@mikeplacko would this answer suit you better? #2822 (comment)

That did work. It did not throw an SSL warning and it seems as legitimate as any other NPM package security-wise. Maybe I'm nitpicking a bit with the self-signed certificate, but I feel like that's a really low bar to meet in 2023.

basvandorst commented 7 months ago

@SheetJSDev could you guys please mark the last package on NPM as deprecated? https://docs.npmjs.com/deprecating-and-undeprecating-packages-or-package-versions

For you guys it's a minute fix but a timesaver for all (thousands of) people that are using your package. Cheers

rap2hpoutre commented 4 months ago

Some production networks allow only npmjs.org for repositories. Having an exception like sheetjs.com is not always possible.

bingDBdu commented 2 months ago

All the info so far

(please let me know if anything's missing, so I can edit this comment)

Update to the new CDN

npm

npm i https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

pnpm

pnpm install https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

yarn

yarn add https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Why you need to update

The GitHub repo and npm packages are no longer maintained due to ongoing legal matters with npm (Owned by GitHub). More info here


It looks ugly. I don't like it at all. Hope it's going to be published to NPM as soon as possible.