Facing vulnerability issues while using xlsx in package.json #3048

Closed
opened 2024-01-04 10:20:03 +00:00 by Arunsanthoshh · 5 comments

I'm using the latest version of the xlsx package but am still getting the vulnerability issue while running the npm audit command.
[screenshot attachment] Like this, we are getting the issue on that particular package.

Owner

The issue stems from react-excel-workbook, which is pulling a very old version of the dependency.

Please read the entire comment and let us know if the fix works. If the explanation makes sense, we will add it to the docs.

Diagnosis

In general, to identify the modules that pull xlsx, run npm why xlsx.

When the dependency is not overridden, it will not mention overridden. Scan the output for "from the root project" to see which dependencies you are using. For example, if you directly install react-excel-workbook, the message will show:

```
xlsx@0.10.9
node_modules/xlsx
  xlsx@"^0.10.3" from react-excel-workbook@0.0.4
  node_modules/react-excel-workbook
    react-excel-workbook@"^0.0.4" from the root project <-- `react-excel-workbook` was installed directly
```

If the dependency is overridden, lines will include overridden:

```
xlsx@0.20.1 overridden
node_modules/xlsx
  overridden xlsx@"https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz" (was "^0.10.3") from react-excel-workbook@0.0.4
  node_modules/react-excel-workbook
    react-excel-workbook@"^0.0.4" from the root project
```

Reproduction

To reproduce your issue, create a small project that uses react-excel-workbook:

```bash
mkdir issue3048
cd issue3048
npm init -y
npm i --save react-excel-workbook
```

Using NodeJS v20.10.0 with npm v10.2.3, the audit shows issues with xlsx:

Audit output:

```
xlsx  *
Severity: high
Denial of Service in SheetJS Pro - https://github.com/advisories/GHSA-g973-978j-2c3p
Denial of Service in SheetJS Pro - https://github.com/advisories/GHSA-3x9f-74h4-2fqr
Denial of Service in SheetsJS Pro - https://github.com/advisories/GHSA-8vcr-vxm8-293m
Prototype Pollution in sheetJS - https://github.com/advisories/GHSA-4r6h-8v6p-xvw6
No fix available
node_modules/xlsx
  react-excel-workbook  *
  Depends on vulnerable versions of react
  Depends on vulnerable versions of xlsx
  node_modules/react-excel-workbook
```

Resolution

As explained in the documentation (https://docs.sheetjs.com/docs/getting-started/installation/nodejs#legacy-endpoints), you must specify an override to force react-excel-workbook to use the latest version:

1) Add the following section to your package.json:

```
  "overrides": {
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz"
  }
```

For example, the starter project package.json should look like:

```json
{
  "name": "issue3048",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "overrides": {
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz"
  },
  "dependencies": {
    "react-excel-workbook": "^0.0.4"
  }
}
```

2) Uninstall react-excel-workbook. Pass the --no-save flag to ensure the package.json is not changed:

```bash
npm rm --no-save react-excel-workbook
```

3) Reinstall the dependency:

```bash
npm i react-excel-workbook
```

This forces react-excel-workbook to use the overridden version. You can verify this by running npm why xlsx:

```
xlsx@0.20.1 overridden
node_modules/xlsx
  overridden xlsx@"https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz" (was "^0.10.3") from react-excel-workbook@0.0.4
  node_modules/react-excel-workbook
    react-excel-workbook@"^0.0.4" from the root project
```
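The diagnosis above is done by eye with `npm why`. The following is an added example, not code from the thread or from the SheetJS project, that automates the same check over the JSON form of the tree: it walks `npm ls --all --json` output, lists every copy of a package together with the dependency chain that pulled it in, and flags copies older than a minimum version. The tree below is constructed to mirror the react-excel-workbook scenario; the `overridden` field is assumed to be present in npm's JSON output for overridden nodes (npm 8.3 and later print it in the text output), and the example does not depend on it.

```javascript
// Added example (not SheetJS code): find stale copies of a package in
// `npm ls --all --json` output. SAMPLE_TREE is a constructed stand-in for that
// output; in a real project run the command and JSON.parse its stdout instead.
const SAMPLE_TREE = {
  name: "issue3048",
  version: "1.0.0",
  dependencies: {
    "react-excel-workbook": {
      version: "0.0.4",
      dependencies: {
        xlsx: { version: "0.10.9" },   // old transitive copy, as in the thread
        react: { version: "15.6.2" }   // constructed; not checked here
      }
    }
  }
};

// Compare two dotted numeric versions ("0.10.9" vs "0.20.1"); returns -1, 0 or 1.
// Deliberately minimal: no prerelease tags, which is enough for xlsx's releases.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, with the chain of dependents that
// requested it (the same information `npm why` prints as "from ...").
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      out.push({
        version: info.version,
        path: here.join(" > "),
        // assumption: npm marks overridden nodes with `overridden: true` in JSON
        overridden: info.overridden === true
      });
    }
    findPackage(info, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is below `minVersion`; an empty array means
// the override took effect everywhere in the tree.
function staleCopies(tree, name, minVersion) {
  return findPackage(tree, name).filter(
    (copy) => compareVersions(copy.version, minVersion) < 0
  );
}

// Report for the constructed tree: one stale copy reached via react-excel-workbook.
for (const copy of staleCopies(SAMPLE_TREE, "xlsx", "0.20.1")) {
  console.log(`stale ${copy.version} via ${copy.path}`);
}
```

Running the check in CI (`npm ls --all --json | node check.js`) catches the case the thread hits: an override that was added to package.json but never applied because the dependent was not reinstalled, which leaves the old copy in the tree while `npm audit` keeps reporting it.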
Author

Hello,

I followed your steps, but I couldn't reinstall the above package after adding the CDN link to package.json. Find the screenshot below. The issue looks like this when I try to reinstall.
[screenshot attachment]

Owner

The error suggests a local npm configuration problem.

Instead of installing from the URL, try downloading and installing the package tarball: https://docs.sheetjs.com/docs/getting-started/installation/nodejs#vendoring

Author

I just installed the xlsx package, but it is still showing the 4 vulnerabilities.
[screenshot attachment]

Owner

To use the vendored version:

1) Download https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz and move the file to the root of your project (adding it to any git repo).

2) Install the tarball:

```bash
npm i --save file:xlsx-0.20.1.tgz
```

3) Add the override to package.json:

```
  "overrides": {
    "xlsx": "file:xlsx-0.20.1.tgz"
  }
```

4) Uninstall the dependency:

```bash
npm rm --no-save react-excel-workbook
```

5) Reinstall the dependency:

```bash
npm i react-excel-workbook
```

It is important to uninstall the dependency and set the override before reinstalling. That will force the correct dependency resolution.

Reference: sheetjs/sheetjs#3048