Closed jonathan-4iTester closed 1 year ago
@mgcrea , any news?
I also have this problem. I was trying to search for a solution but I didn't find one. The community needs a solution for this problem.
See https://github.com/SheetJS/sheetjs/issues/2822 for discussion/information about how to update
I followed the https://github.com/SheetJS/sheetjs/issues/2822 and reinstalled the xlsx, but still got the same vulnerability tips:
What should I do? I don't know what the relationship between node-xlsx and xlsx is. Can you help by providing detailed instructions? Thanks a lot!
Until @mgcrea fixes these vulnerabilities, you can add an override in package.json to use the latest xlsx module without vulnerabilities (you need to remove node-xlsx and reinstall it again with the override version in package.json). See: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/
@milpalabras, I specified the overrides in the package.json:
then removed xlsx and node-xlsx, and reinstalled them:
Still got the same result. Can you help by providing detailed instructions to install node-xlsx and eliminate the vulnerability error tips?
I made a fork and updated the dependency, but then two tests broke. In inspecting them, I noticed that the tests were only checking the first 10 bytes of the files, which I found a bit odd.
In any case, there seems to be a discrepancy between the 5th byte of the fixture files and the output from the xlsx package. I took a look with a hex editor, and the first 4 bytes seem to conform to the .xlsx file format. I am having some trouble understanding what that change signifies in the 5th byte.
FAIL test/specs/build.spec.ts
● Console
console.debug
Deprecated options['!merges'], please use options.sheetOptions['!merges'] instead.
at src/index.ts:86:15
at Array.filter (<anonymous>)
● node-xlsx builder › should properly build an XLSX from
expect(received).toEqual(expected) // deep equality
- Expected - 1
+ Received + 1
@@ -2,11 +2,11 @@
"data": Array [
80,
75,
3,
4,
- 10,
+ 20,
0,
0,
0,
0,
0,
14 | expect(result instanceof Buffer).toBeTruthy();
15 | // Only check the ten first bytes
> 16 | expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
| ^
17 | });
18 | it('should handle !merges sheetOption', () => {
19 | const expected = readBufferFixture(`sheetOptions.xlsx`);
at Object.<anonymous> (test/specs/build.spec.ts:16:33)
● node-xlsx builder › should handle !merges sheetOption
expect(received).toEqual(expected) // deep equality
- Expected - 1
+ Received + 1
@@ -2,11 +2,11 @@
"data": Array [
80,
75,
3,
4,
- 10,
+ 20,
0,
0,
0,
0,
0,
22 | expect(result instanceof Buffer).toBeTruthy();
23 | // Only check the ten first bytes
> 24 | expect(result.slice(0, 10)).toEqual(expected.slice(0, 10));
| ^
25 | });
26 | it('should handle global sheet options', () => {
27 | const worksheets = JSON.parse(readFixture(`test.json`));
at Object.<anonymous> (test/specs/build.spec.ts:24:33)
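The byte the failing tests disagree on is the low byte of the ZIP "version needed to extract" field: an .xlsx file is a ZIP container, and every entry starts with a 30-byte local file header whose first four bytes are the signature `PK\x03\x04` (80, 75, 3, 4) and whose bytes 5 and 6 hold that version as major*10 + minor, so 10 is 1.0 and 20 is 2.0. The ZIP writer picks that value; it says nothing about the spreadsheet content, which is why a test that compares the first ten raw bytes breaks on a dependency upgrade. The following is an added example, not code from this thread or from the node-xlsx project: it parses the local file header with the layout from the ZIP specification, builds two constructed sample entries that reproduce the `Expected`/`Received` prefixes shown above, and shows a comparison that checks the container signature and the first entry's name and content while tolerating writer-chosen fields.

```javascript
// Added example (not code from the node-xlsx thread or project): decode the leading
// bytes of an .xlsx file, which is a ZIP container, so that a mismatch such as the
// 5th byte changing from 10 to 20 in the failing tests has a meaning.

const LOCAL_FILE_HEADER_SIGNATURE = 0x04034b50; // bytes "PK\x03\x04" read little-endian
const LOCAL_FILE_HEADER_SIZE = 30;               // fixed part; file name and extra field follow

// Table-free CRC-32 (IEEE polynomial, reflected), the checksum ZIP entries carry.
function crc32(buf) {
  let crc = 0xffffffff;
  for (const byte of buf) {
    crc ^= byte;
    for (let i = 0; i < 8; i++) crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Parse the fixed 30-byte ZIP local file header at the start of buf (layout per the
// PKWARE APPNOTE). Throws if the signature is wrong, i.e. this is not a ZIP/xlsx at all.
function parseLocalFileHeader(buf) {
  if (buf.length < LOCAL_FILE_HEADER_SIZE) {
    throw new Error(`need at least ${LOCAL_FILE_HEADER_SIZE} bytes, got ${buf.length}`);
  }
  const signature = buf.readUInt32LE(0);
  if (signature !== LOCAL_FILE_HEADER_SIGNATURE) {
    throw new Error(`not a ZIP local file header: 0x${signature.toString(16)}`);
  }
  const versionNeeded = buf.readUInt16LE(4); // bytes 5-6: "version needed to extract"
  const fileNameLength = buf.readUInt16LE(26);
  return {
    // Stored as major*10 + minor, so 10 means 1.0 and 20 means 2.0. The ZIP writer
    // chooses this value; it is not part of the spreadsheet content.
    versionNeeded,
    versionNeededText: `${Math.floor(versionNeeded / 10)}.${versionNeeded % 10}`,
    flags: buf.readUInt16LE(6),
    compressionMethod: buf.readUInt16LE(8), // 0 = stored, 8 = deflate
    crc32: buf.readUInt32LE(14),
    compressedSize: buf.readUInt32LE(18),
    uncompressedSize: buf.readUInt32LE(22),
    fileNameLength,
    extraFieldLength: buf.readUInt16LE(28),
    fileName: buf.subarray(LOCAL_FILE_HEADER_SIZE, LOCAL_FILE_HEADER_SIZE + fileNameLength).toString('utf8'),
  };
}

// Names of header fields that differ between two parsed headers.
function headerFieldsDiffer(a, b) {
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

// Build one stored (uncompressed) ZIP entry: header, file name, then the body.
// Constructed sample input for this example; a real .xlsx has many entries plus a
// central directory, which are not needed to show the header fields.
function buildStoredEntry(fileName, body, versionNeeded) {
  const name = Buffer.from(fileName, 'utf8');
  const data = Buffer.from(body, 'utf8');
  const header = Buffer.alloc(LOCAL_FILE_HEADER_SIZE);
  header.writeUInt32LE(LOCAL_FILE_HEADER_SIGNATURE, 0);
  header.writeUInt16LE(versionNeeded, 4);
  header.writeUInt16LE(0, 6);            // general purpose bit flags
  header.writeUInt16LE(0, 8);            // compression method: stored
  header.writeUInt16LE(0, 10);           // last modified time (DOS format)
  header.writeUInt16LE(0, 12);           // last modified date (DOS format)
  header.writeUInt32LE(crc32(data), 14);
  header.writeUInt32LE(data.length, 18); // compressed size
  header.writeUInt32LE(data.length, 22); // uncompressed size
  header.writeUInt16LE(name.length, 26);
  header.writeUInt16LE(0, 28);           // extra field length
  return Buffer.concat([header, name, data]);
}

// The check a fixture test could use instead of comparing raw bytes: both buffers must
// be ZIP containers whose first entry has the same name, sizes and CRC, while
// writer-chosen fields (version needed, flags) are allowed to differ.
function sameFirstEntry(a, b) {
  const ha = parseLocalFileHeader(a);
  const hb = parseLocalFileHeader(b);
  const ignore = new Set(['versionNeeded', 'versionNeededText', 'flags']);
  return headerFieldsDiffer(ha, hb).every((k) => ignore.has(k));
}

if (typeof require !== 'undefined' && require.main === module) {
  const v10 = buildStoredEntry('[Content_Types].xml', '<Types/>', 10);
  const v20 = buildStoredEntry('[Content_Types].xml', '<Types/>', 20);
  console.log([...v10.subarray(0, 10)]); // [80,75,3,4,10,0,0,0,0,0], the "Expected" prefix
  console.log([...v20.subarray(0, 10)]); // [80,75,3,4,20,0,0,0,0,0], the "Received" prefix
  console.log(headerFieldsDiffer(parseLocalFileHeader(v10), parseLocalFileHeader(v20)));
  console.log(sameFirstEntry(v10, v20)); // true
}
```

Run it with `node` to see the two ten-byte prefixes side by side; the only fields that differ are `versionNeeded` and its text form. A fixture test written against `sameFirstEntry` (or against the unzipped sheet XML) keeps catching real output changes, such as a different entry name or body, without tying the suite to whichever ZIP writer the xlsx package happens to use.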
Just published the v0.22.0 release with updated deps, should fix your issues.
The issue still exists in v0.22.0:
➜ bodhi git:(3.5.11) ✗ npm rm node-xlsx
removed 10 packages and audited 210 packages in 2.095s
14 packages are looking for funding
  run `npm fund` for details
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

New major version of npm available! 6.14.12 → 9.6.7
Changelog: https://github.com/npm/cli/releases/tag/v9.6.7
Run npm install -g npm to update!

➜ bodhi git:(3.5.11) ✗ npm rm xlsx
removed 5 packages and audited 209 packages in 1.931s
14 packages are looking for funding
  run `npm fund` for details
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

➜ bodhi git:(3.5.11) ✗ npm install node-xlsx@0.22.0
14 packages are looking for funding
  run `npm fund` for details
found 2 vulnerabilities (1 moderate, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details
Hello,
Could you please update the xlsx dependency lib, because npm audit is reporting this issue:

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Moderate        Prototype Pollution in sheetJS
Package         xlsx
Patched in      >=0.19.3
Dependency of   node-xlsx
Path            node-xlsx > xlsx
More info       https://github.com/advisories/GHSA-4r6h-8v6p-xvw6

found 1 moderate severity vulnerability in 1044 scanned packages
1 vulnerability requires manual review. See the full report for details.
Best Regards.