Vulnerability Patch #2992
Reference: sheetjs/sheetjs#2992
Hello,
Snyk is finding a Medium Severity warning for the XLSX package for the latest version
"xlsx": "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz",
mentioned here https://docs.sheetjs.com/docs/getting-started/installation/nodejs/#legacy-endpoints
Do you plan to have an update to address this vulnerability?
This is believed to be a bug in Snyk processing. See #2986 for more details.
tl;dr: there is a "Product Status" field in the CVE report. Snyk uses that field to calculate affected versions. The MITRE Corporation (which runs cve.org), as a matter of policy, does not use that field.
If you have a support plan with them, please reach out to Snyk support and direct them to this issue or ask them to reach out to security@sheetjs.com
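The disagreement described above comes down to how a consumer of a CVE record interprets the per-version status information. The following is an added illustration, not code from SheetJS, Snyk or MITRE, and it does not claim to reproduce any vendor's actual logic: it evaluates a constructed CVE JSON 5 style record (hypothetical product name and version numbers, not the real SheetJS advisory) once while honouring each version object's `status` and `defaultStatus`, and once while treating every listed version object as an affected range. A version that the record explicitly lists as `unaffected` is flagged by the second evaluator and cleared by the first, which is the kind of mismatch that produces false positives in a scanner.

```python
import json

# Constructed sample record in the shape of a CVE JSON 5 "affected" block.
# Hypothetical data for illustration only; not the real CVE for SheetJS.
SAMPLE_RECORD = json.loads("""
{
  "containers": {"cna": {"affected": [{
    "vendor": "example-vendor",
    "product": "example-xlsx",
    "defaultStatus": "unaffected",
    "versions": [
      {"version": "0", "lessThan": "0.19.3", "status": "affected", "versionType": "semver"},
      {"version": "0.20.0", "status": "unaffected", "versionType": "semver"}
    ]
  }]}}
}
""")


def parse_version(v):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) for p in v.split("."))


def entry_matches(entry, version):
    """True if `version` falls inside one version object.

    A version object with `lessThan` describes the half-open range
    [version, lessThan); one without it names a single version.
    """
    lo = parse_version(entry["version"])
    hi = entry.get("lessThan")
    if hi is None:
        return parse_version(version) == lo
    return lo <= parse_version(version) < parse_version(hi)


def affected_blocks(record, product):
    """All `affected` blocks of the record that describe the given product."""
    return [a for a in record["containers"]["cna"]["affected"] if a["product"] == product]


def is_affected_using_status(record, product, version):
    """Evaluator that honours each version object's status.

    The first matching version object decides; if nothing matches,
    the block's defaultStatus applies.
    """
    for block in affected_blocks(record, product):
        for entry in block["versions"]:
            if entry_matches(entry, version):
                return entry.get("status", "affected") == "affected"
        return block.get("defaultStatus", "unknown") == "affected"
    return False


def is_affected_listed_only(record, product, version):
    """Evaluator that ignores status and treats every listed range as affected."""
    for block in affected_blocks(record, product):
        if any(entry_matches(e, version) for e in block["versions"]):
            return True
    return False


def compare(record, product, version):
    """Report what both evaluators conclude for one version."""
    return {
        "version": version,
        "status_aware": is_affected_using_status(record, product, version),
        "listed_only": is_affected_listed_only(record, product, version),
    }


if __name__ == "__main__":
    for v in ("0.19.2", "0.19.3", "0.20.0"):
        print(compare(SAMPLE_RECORD, "example-xlsx", v))
```

With the constructed record, 0.19.2 is affected under both readings, 0.19.3 is clear under both, and 0.20.0 is the case that splits them: the status-aware evaluator reads the explicit `unaffected` entry and clears it, while the listed-only evaluator sees a matching version object and flags it. When triaging a scanner finding, checking which of these two readings the tool applies is a quick way to tell a genuine exposure from a data-interpretation false positive.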
@stof out of curiosity, was Snyk the "auditing tool" that was expecting the "affected versions" field?
The Note in the Snyk page clearly states:
It would seem that Snyk flagging version 0.20.0 is a bug in Snyk. A teammate reached out to Snyk support to get the issue resolved.
Until Snyk fixes the bug, there is a way to ignore specific vulnerabilities: