Publish 0.19.3 to npmjs.org to fix security vulnerability CVE-2023-30533 #2961

Closed
opened 2023-06-07 16:54:13 +00:00 by balassy · 2 comments

The [latest version](https://lastpass.atlassian.net/browse/LP-70161?focusedCommentId=218230) of SheetJS that is published to the public npm registry is `0.18.5`.

That version of SheetJS contains the security vulnerability described in [CVE-2023-30533](https://cdn.sheetjs.com/advisories/CVE-2023-30533).

The vulnerability has been fixed in SheetJS `0.19.3`, but that version has not been published to npmjs.org. This leaves many existing customers vulnerable who reference the `xlsx` package in their `package.json` file.

Publishing the latest version to npmjs.org could fix this situation.

Owner

As mentioned in the note in https://docs.sheetjs.com/docs/getting-started/installation/nodejs#installation

> When the `xlsx` library is a dependency of a dependency, the `overrides` field in `package.json` can control module resolution:

```json
{
  "overrides": {
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"
  }
}
```

For example, the [GatsbyJS demo](https://docs.sheetjs.com/docs/demos/static/gatsbyjs) uses `gatsby-transformer-excel` which depends on the public registry. The [complete demo](https://docs.sheetjs.com/docs/demos/static/gatsbyjs#project-setup) sets the `overrides` field to ensure that `npm install` pulls the correct version.

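The override pins `xlsx` to the CDN tarball, but a mistyped override or a stale lockfile can leave a second copy of `xlsx` installed from the public registry, so the pin is worth verifying rather than assuming. The following Node script is an added example for this thread (it is not SheetJS code and was not posted by either participant): it walks a `package-lock.json` (lockfileVersion 1, 2 or 3), lists every installed copy of `xlsx`, flags any copy below 0.19.3 and shows whether each copy resolved from `cdn.sheetjs.com`. The sample lockfile, the package names `demo-app` and `other-lib`, and the `gatsby-transformer-excel` version inside it are constructed for the example; the only real values are the `xlsx` package name, the 0.19.3 fix version and the CDN tarball URL from the comment above.

```javascript
// Added example for this thread (not SheetJS code, not from the issue author):
// audit a package-lock.json for every installed copy of `xlsx` and report
// whether the `overrides` pin to the SheetJS CDN tarball actually took effect.
// Real values: the package name `xlsx`, the fixed version 0.19.3 and the CDN
// tarball URL quoted in the comment above. Everything else is constructed.

const FIXED_VERSION = "0.19.3";
const CDN_PREFIX = "https://cdn.sheetjs.com/";

// Build the `overrides` block the comment above recommends, for a given version.
function overridesFor(version = FIXED_VERSION) {
  return { overrides: { xlsx: `${CDN_PREFIX}xlsx-${version}/xlsx-${version}.tgz` } };
}

// Compare dotted numeric versions: returns -1, 0 or 1. Pre-release suffixes are dropped.
function compareVersions(a, b) {
  const pa = String(a).split("-")[0].split(".").map(Number);
  const pb = String(b).split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One report row per installed copy of xlsx.
function describe(path, entry) {
  const version = entry.version || "0.0.0";
  const resolved = entry.resolved || "";
  return {
    path,
    version,
    resolved,
    vulnerable: compareVersions(version, FIXED_VERSION) < 0, // below 0.19.3: CVE-2023-30533
    fromCdn: resolved.startsWith(CDN_PREFIX),               // the override took effect
  };
}

// lockfileVersion 1 nests `dependencies` objects keyed by package name.
function collectV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "xlsx") out.push(describe(path, entry));
    collectV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3 keep a flat `packages` map keyed by install path.
function auditXlsx(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/xlsx" || path.endsWith("/node_modules/xlsx")) {
        out.push(describe(path, entry));
      }
    }
  } else {
    collectV1(lock.dependencies, "", out);
  }
  return out;
}

// True only if every installed copy is at or above the fixed version.
function isFixed(lock) {
  return auditXlsx(lock).every((r) => !r.vulnerable);
}

// Constructed sample lockfile: the hoisted copy still comes from the public
// registry (vulnerable 0.18.5); a nested copy was pinned to the CDN tarball.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "gatsby-transformer-excel": "^4.0.0" } },
    "node_modules/gatsby-transformer-excel": {
      version: "4.0.0",
      resolved: "https://registry.npmjs.org/gatsby-transformer-excel/-/gatsby-transformer-excel-4.0.0.tgz",
      dependencies: { xlsx: "^0.18.5" },
    },
    "node_modules/xlsx": {
      version: "0.18.5",
      resolved: "https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz",
    },
    "node_modules/other-lib/node_modules/xlsx": {
      version: "0.19.3",
      resolved: overridesFor("0.19.3").overrides.xlsx,
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-xlsx.js [path/to/package-lock.json]; defaults to the sample.
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const r of auditXlsx(lock)) {
    console.log(`${r.vulnerable ? "VULNERABLE" : "ok"}  ${r.path}  ${r.version}  ${r.resolved}`);
  }
  if (!isFixed(lock)) {
    console.log("Add this to package.json and re-run npm install:");
    console.log(JSON.stringify(overridesFor(), null, 2));
  }
}
```

Run it as `node audit-xlsx.js package-lock.json` against a real lockfile (the script file name is an assumption). Two caveats: `overrides` is honoured by npm 8.3 and later only, and Yarn Classic (`resolutions`) and pnpm (`pnpm.overrides`) use different fields and different lockfiles, which this script does not parse.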
Author

Yes, it's doable, thanks for pointing out this workaround for future readers of this ticket. 👍

According to npmjs.org there were 915K downloads of the vulnerable 0.18.5 version in the last 7 days from the public registry. I believe the majority of those downloads did not explicitly specify the version but always download the latest version.

Again, according to npmjs.org there are 3868 other public packages that depend on SheetJS, with only God knows how many downloads per week in total.

You created a successful, very popular library, and the open source community depends on it, depends on your work, depends on you. Not publishing a security fix for the old channel is not responsible to your users, to the open source community.

(Similarly, operating system vendors often decide that new features are published only for the new version of the OS, but the old version is supported with security fixes for a longer time.)

Thank you.


Reference: sheetjs/sheetjs#2961