Facing vulnerability issues while using xlsx in package.json #3048
Reference: sheetjs/sheetjs#3048
I'm using the latest version of the xlsx package but am still getting the vulnerability issue while running the npm audit command.
Like this, we are getting the issue on the particular package:
The issue stems from `react-excel-workbook`, which is pulling a very old version of the dependency. Please read the entire comment and let us know if the fix works. If the explanation makes sense, we will add it to the docs.

Diagnosis

In general, to identify the modules that pull `xlsx`, run `npm why xlsx`.

When the dependency is not overridden, it will not mention `overridden`. Scan the output for "from the root project" to see which dependencies you are using. For example, if you directly install `react-excel-workbook`, the message will show:

If the dependency is overridden, lines will include `overridden`:

Reproduction

To reproduce your issue, create a small project that uses `react-excel-workbook`:

Using NodeJS `v20.10.0` with npm `v10.2.3`, the audit shows issues with `xlsx`:

Audit output:

Resolution

As explained in the documentation, you must specify an override to force `react-excel-workbook` to use the latest version in `package.json`:

For example, the starter project `package.json` should look like:

`react-excel-workbook`. Pass the `--no-save` flag to ensure the `package.json` is not changed:

This forces `react-excel-workbook` to use the overridden version. You can verify this by running `npm why xlsx`:
Hello,
I followed your steps, but I couldn't reinstall the above package by adding the CDN link in package.json. Find the screenshot below. The issue looks like below when I try to reinstall.
The error suggests a local npm configuration problem.
Instead of installing from the URL, try downloading and installing the package tarball: https://docs.sheetjs.com/docs/getting-started/installation/nodejs#vendoring
Just installed the xlsx package, but it is still showing the 4 vulnerabilities.
To use the vendored version:

1. download https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz and move the file to the root of your project (adding to any git repo)
2. install the tarball:

It is important to uninstall the dependency and set the override before reinstalling. That will force the correct dependency resolution.
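The "Diagnosis" and "Resolution" steps above (scan `npm why xlsx` for `from the root project` and `overridden`, and pin `xlsx` through an override in `package.json`) can be turned into a small pre-flight check that a project can run before `npm audit`. The script below is an added example written for this thread; it is not SheetJS code or a command from the maintainer's reply. It assumes the CDN tarball URL and version (0.20.1) quoted in the thread, accepts a vendored `file:` tarball as an equivalent pin, and uses constructed sample inputs that only resemble npm v10 output (the dependent version `x.y.z` and the old xlsx version `<old>` are placeholders, not real data).

```javascript
// Added example (not SheetJS code or the thread's own commands): check that a
// project's package.json forces the transitive `xlsx` dependency onto the
// vendored 0.20.1 build, and read `npm why xlsx` output to confirm that every
// dependent edge is marked `overridden`. Sample inputs below are constructed.

const EXPECTED_XLSX_VERSION = "0.20.1"; // version quoted in the thread
const CDN_TARBALL = `https://cdn.sheetjs.com/xlsx-${EXPECTED_XLSX_VERSION}/xlsx-${EXPECTED_XLSX_VERSION}.tgz`;

// A spec is an acceptable pin if it is the CDN tarball URL or a vendored local
// tarball (`file:xlsx-0.20.1.tgz`). A semver range such as "^0.0.0" is not.
function isPinnedToVendoredXlsx(spec) {
  if (typeof spec !== "string") return false;
  const escaped = EXPECTED_XLSX_VERSION.replace(/\./g, "\\.");
  const localTarball = new RegExp(`^file:.*xlsx-${escaped}\\.tgz$`);
  return spec === CDN_TARBALL || localTarball.test(spec);
}

// Inspect a parsed package.json. The `overrides` entry is what forces dependents
// such as react-excel-workbook onto the new build; a direct dependency alone
// leaves the transitive copy (and the audit finding) in place.
function checkPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const directPinned = isPinnedToVendoredXlsx(deps.xlsx);
  const overridePinned = isPinnedToVendoredXlsx((pkg.overrides || {}).xlsx);
  return { directPinned, overridePinned, ok: overridePinned };
}

// Parse `npm why xlsx` output. The first line names the resolved version; each
// `<name>@"<spec>" from <dependent>` line is one edge of the dependency graph,
// suffixed with `overridden` when an override rewrote it.
function parseNpmWhy(output) {
  const lines = output.split("\n").map((l) => l.trimEnd()).filter(Boolean);
  const header = lines[0] || "";
  const resolvedVersion = header.replace(/\s+overridden$/, "").split("@").pop();
  const edgeRe = /^\s*(\S+)@"([^"]*)" from (the root project|\S+)(\s+overridden)?$/;
  const edges = [];
  for (const line of lines) {
    const m = edgeRe.exec(line);
    if (m) edges.push({ name: m[1], spec: m[2], from: m[3], overridden: Boolean(m[4]) });
  }
  const xlsxEdges = edges.filter((e) => e.name === "xlsx");
  return {
    resolvedVersion,
    // packages the project depends on directly ("from the root project")
    rootDependencies: edges.filter((e) => e.from === "the root project").map((e) => e.name),
    // dependents still pulling xlsx on their own terms: these keep the audit finding alive
    unoverriddenDependents: xlsxEdges
      .filter((e) => !e.overridden && e.from !== "the root project")
      .map((e) => e.from),
    allOverridden:
      xlsxEdges.length > 0 &&
      xlsxEdges.every((e) => e.overridden || e.from === "the root project"),
  };
}

// Constructed sample: before the override, the old transitive copy is resolved.
const NPM_WHY_BEFORE = `xlsx@<old>
node_modules/xlsx
  xlsx@"^<old>" from react-excel-workbook@x.y.z
  node_modules/react-excel-workbook
    react-excel-workbook@"^x.y.z" from the root project
`;

// Constructed sample: after the override, the dependent edge is marked overridden.
const NPM_WHY_AFTER = `xlsx@${EXPECTED_XLSX_VERSION} overridden
node_modules/xlsx
  xlsx@"${CDN_TARBALL}" from the root project
  xlsx@"${CDN_TARBALL}" from react-excel-workbook@x.y.z overridden
  node_modules/react-excel-workbook
    react-excel-workbook@"^x.y.z" from the root project
`;

// Constructed package.json in the shape the resolution step describes.
const PACKAGE_JSON_FIXED = {
  name: "starter",
  dependencies: { "react-excel-workbook": "^x.y.z", xlsx: CDN_TARBALL },
  overrides: { xlsx: CDN_TARBALL },
};

function summarize() {
  return {
    packageJson: checkPackageJson(PACKAGE_JSON_FIXED),
    before: parseNpmWhy(NPM_WHY_BEFORE),
    after: parseNpmWhy(NPM_WHY_AFTER),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

To use it on a real project, replace the constructed strings with `JSON.parse(fs.readFileSync("package.json"))` and the captured output of `npm why xlsx`; a non-empty `unoverriddenDependents` list or `ok: false` from `checkPackageJson` means the override has not taken effect and `npm audit` will keep reporting the old copy.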