Alerting of Security vulnerabilities CVE with dependabot #2935

New Issue

Open

opened 2023-05-03 12:56:42 +00:00 by Cellule · 3 comments

Cellule commented 2023-05-03 12:56:42 +00:00

Copy Link

Recently this CVE was published
https://cdn.sheetjs.com/advisories/CVE-2023-30533

Swarm of people are being alerted about it and prompted to update to 0.19.3
However, since you no longer publish on NPM, people are starting to switch to install from your CDN.

I'm not looking to question why you're not publishing on NPM
This issue already kinda addresses it: #2667

My real serious concern is how will security tools like dependabot will now warn users of your library of future CVEs?
A lot of these tools rely greatly on NPM registry and standard installs in package.json, package-lock.json, yarn.lock, etc...

It's hard to know if my fear is founded or not and we'll only truly know when/if another CVE is reported on a version >0.19.3

But I want to make sure your team is aware of the concern and has at least some form of solution/work around in mind to ensure the safety of applications using your library.

Recently this CVE was published https://cdn.sheetjs.com/advisories/CVE-2023-30533 Swarm of people are being alerted about it and prompted to update to 0.19.3 However, since you no longer publish on NPM, people are starting to switch to install from your CDN. I'm not looking to question why you're not publishing on NPM This issue already kinda addresses it: https://git.sheetjs.com/sheetjs/sheetjs/issues/2667 My real serious concern is how will security tools like dependabot will now warn users of your library of future CVEs? A lot of these tools rely greatly on NPM registry and standard installs in package.json, package-lock.json, yarn.lock, etc... It's hard to know if my fear is founded or not and we'll only truly know when/if another CVE is reported on a version >0.19.3 But I want to make sure your team is aware of the concern and has at least some form of solution/work around in mind to ensure the safety of applications using your library.

👍 6

sheetjs commented 2023-05-03 15:32:38 +00:00

Owner

Copy Link

All future advisories will be posted at https://cdn.sheetjs.com/advisories/

In the immediate term, you can watch this repo or subscribe to the release RSS feed (https://git.sheetjs.com/sheetjs/sheetjs/tags.rss) to keep up to date.

We will set up a RSS feed for security advisories.

Please report any issues involving third-party tooling with the respective vendors.

All future advisories will be posted at https://cdn.sheetjs.com/advisories/ In the immediate term, you can watch this repo or subscribe to the release RSS feed (https://git.sheetjs.com/sheetjs/sheetjs/tags.rss) to keep up to date. We will set up a RSS feed for security advisories. Please report any issues involving third-party tooling with the respective vendors.

Cellule commented 2023-05-03 15:47:43 +00:00

Author

Copy Link

Sorry but this is a very backward way of thinking.
The whole ecosystem has been building over the past years to ensure proper communications and delivery of updates/security related alerts.

Your response is that everything we are used to is thrown out the window and it is our responsibility to actively watch your library for vulnerabilities?

Don't get me wrong, we are a serious company so we will likely have to abide by your provided solution whether we like it or not.

My real concern is for all the smaller/single devs out there that are likely to have their application become vulnerable because they simply cannot watch your special way of doing things.

In my opinion, you had a security flaw in your library, it is your responsibility to alert as many people as possible. One easy way to do this would be to publish security fixes to NPM.
If you only publish security fixes it would ensure proper deliverability of potential threat and you would become part of a healthier javascript ecosystem by making use of already established and time proven security mechanism.

Sorry but this is a very backward way of thinking. The whole ecosystem has been building over the past years to ensure proper communications and delivery of updates/security related alerts. Your response is that everything we are used to is thrown out the window and it is our responsibility to actively watch your library for vulnerabilities? Don't get me wrong, we are a serious company so we will likely have to abide by your provided solution whether we like it or not. My real concern is for all the smaller/single devs out there that are likely to have their application become vulnerable because they simply cannot watch your special way of doing things. In my opinion, you had a security flaw in your library, it is your responsibility to alert as many people as possible. One easy way to do this would be to publish security fixes to NPM. If you only publish security fixes it would ensure proper deliverability of potential threat and you would become part of a healthier javascript ecosystem by making use of already established and time proven security mechanism.

👍 6 ❤️ 4

invaderb commented 2023-05-04 16:13:16 +00:00

Copy Link

I 100% agree with everything Cellule said. it's really backwards to abandon an established system for reasons that were obviously not thought through.

Please Sheetjs team reconsider moving back to npmjs for the community edition. it will make the lives of thousands of developers much easier.

I 100% agree with everything Cellule said. it's really backwards to abandon an established system for reasons that were obviously not thought through. Please Sheetjs team reconsider moving back to npmjs for the community edition. it will make the lives of thousands of developers much easier.

👍 7

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

sankhavaramsaitulasiram/feat-fix-2752

maybeswapnil/issue2737

gh-pages

scottysseus/2560_2

ivan-trusov/fix-basedate

nandanv2702/issue_1300

protobi/master

ThomasChan/master

grantfayvor/master

tom-groves/bug-1105/rounding-error

mgreter/master

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.12

v0.18.11

v0.18.10

v0.18.9

v0.18.8

v0.18.7

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.8

v0.16.7

v0.16.6

v0.16.5

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.6

v0.15.5

v0.15.2

v0.14.0

v0.13.5

v0.13.4

v0.13.3

v0.13.1

v0.13.0

v0.12.13

v0.12.12

v0.12.11

v0.12.10

v0.12.9

v0.12.8

v0.12.7

v0.12.6

v0.12.5

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.19

v0.11.18

v0.11.17

v0.11.16

v0.11.15

v0.11.14

v0.11.13

v0.11.12

v0.11.11

v0.11.10

v0.11.9

v0.11.8

v0.11.7

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.13

v0.9.12

v0.9.11

v0.9.10

v0.9.9

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.11

v0.7.10

v0.7.9

v0.7.7

v0.7.6-i

v0.7.6-h

v0.7.6-a

v0.7.6

v0.7.5

v0.7.4

v0.7.3

v0.7.2

v0.7.1

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.0

v0.4.3

Labels

Clear labels   

DBF

  

Dates

  

Defined Names

  

Features

  

Formula

  

HTML

  

Images

  

Infrastructure

  

Integration

  

International

  

ODS

  

Operations

  

Performance

  

PivotTables

  

Pro

  

Protection

  

Read Bug

  

SSF

  

SYLK

  

Style

  

Write Bug

  

good first issue

No Label

DBF

Dates

Defined Names

Features

Formula

HTML

Images

Infrastructure

Integration

International

ODS

Operations

Performance

PivotTables

Pro

Protection

Read Bug

SSF

SYLK

Style

Write Bug

good first issue

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sheetjs/sheetjs#2935

No description provided.