Closed chazzmoney closed 6 months ago
https://cdn.sheetjs.com/advisories/CVE-2024-22363
Summary
All versions of SheetJS CE through 0.20.1 are vulnerable to "Regular Expression Denial of Service" (ReDoS). For more details, see https://regexide.com
Categorization
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Score 7.5 - High)
CWE-1333 Inefficient Regular Expression Complexity [1]
Remediation
Users should upgrade to version 0.20.2 or later. Official releases are available on the SheetJS CDN [2]. SheetJS CE documentation includes installation instructions for common deployments [7].
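The remediation above expressed as a lockfile check. This is an added example, not code from this PR or from SheetJS. It assumes the library is installed under the npm package name `xlsx` and that the lockfile uses the `packages` map of npm lockfile v2/v3; the sample lockfile and the names `report-lib` and `xlsx-helper` are constructed.

```javascript
// First fixed SheetJS CE release according to the advisory quoted above.
const FIXED = [0, 20, 2];

// Parse "MAJOR.MINOR.PATCH" (any suffix is ignored) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when the version is below 0.20.2, or cannot be parsed and needs review.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 0.20.2
}

// Walk the lockfile and report every copy of xlsx older than the fix,
// including copies nested under another dependency's node_modules.
function findVulnerableXlsx(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isXlsx =
      path === "node_modules/xlsx" || path.endsWith("/node_modules/xlsx");
    if (isXlsx && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: the direct dependency is patched, but a transitive
// copy pulled in by a hypothetical "report-lib" is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xlsx": { version: "0.20.2" },
    "node_modules/report-lib/node_modules/xlsx": { version: "0.18.5" },
    "node_modules/xlsx-helper": { version: "0.1.0" },
  },
};

console.log(findVulnerableXlsx(sampleLock));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findVulnerableXlsx`; nested copies matter because upgrading the direct dependency does not replace them.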
Hi, sorry for the late reply.
Thanks for the fix, I merged it manually because the CI kept failing on this PR. It should be included in the next version.