npm install xlsx (latest version 0.18.5)--> 1 high severity vulnerability #3098

Closed
opened 2024-03-30 11:03:13 +00:00 by mkannan007 · 1 comment

When I try to install xlsx, I got 1 high severity vulnerability

I am not able to fix via npm audit fix --force

Please let me know how I can fix this.

image

Owner

https://docs.sheetjs.com/docs/getting-started/installation/nodejs#legacy-endpoints covers some details, but here is a more direct list of steps. We will expand the docs section in the future.


Run the following command:

npm why xlsx

It will print information explaining why the xlsx library is loaded.

If the library is a direct dependency, you will see a line like

  xlsx@"^0.18.5" from the root project

If the library is in a dependency chain (required by another library), then you will see a tree whose leaves are the libraries that your project directly depends on.

For example, gatsby-transformer-excel depends on xlsx and the tree looks like

  xlsx@"^0.18.3" from gatsby-transformer-excel@5.13.1
  node_modules/gatsby-transformer-excel
    gatsby-transformer-excel@"^5.13.1" from the root project

If the library is a direct dependency:

  1) Remove the existing dependency:

npm rm --save xlsx

  2) Install from the official location:

npm i --save https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz

If you are indirectly using the library (a dependency of a dependency):

  1) Inspect the output of npm why xlsx and identify each module that depends on the library. The lines will end with "from the root project".

On Linux and macOS, you can use grep:

npm why xlsx | grep "from the root project"

  2) Remove each listed dependency.

For example, in a GatsbyJS project using gatsby-transformer-excel:

npm rm --save --force gatsby-transformer-excel

  3) Add an override to your package.json:

{
  /* add the next three lines to your package.json */
  "overrides": {
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz"
  },

  "name": "...",
  /* ... rest of your package.json */
}

  4) Reinstall each dependency.

Using the GatsbyJS example:

npm i gatsby-transformer-excel@5.13.1 --save --force
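The steps in the reply above end with a reinstall but no verification. As an added example (not code from the thread or from the SheetJS project), here is a small Node script that checks the outcome against package-lock.json and package.json: every installed copy of xlsx, at any nesting depth, must resolve to the SheetJS CDN tarball at 0.20.1 or newer, and the root package.json must carry an overrides.xlsx entry pointing at that host. The official-host set, the minimum version and the two lockfile/package.json pairs (a Gatsby project before and after the fix) are constructed for this example; point the script at your real files with fs.readFileSync and JSON.parse.

```javascript
// Added example, not code from the SheetJS thread. Audits an npm
// package-lock.json (lockfileVersion 2 or 3, npm 7+) plus package.json to
// confirm that every installed copy of `xlsx` resolves to the SheetJS CDN
// tarball and that the `overrides` entry is present. Runs offline on the
// constructed sample objects below.

// Assumption for this example: only cdn.sheetjs.com counts as official.
// The npm registry copy is the stale 0.18.5 that `npm audit` flags.
const OFFICIAL_HOSTS = new Set(["cdn.sheetjs.com"]);
// Assumption: the version the reply above installs.
const MIN_VERSION = [0, 20, 1];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `v` is a parseable x.y.z at or above `min` (no prerelease handling).
function versionAtLeast(v, min) {
  const p = parseVersion(v);
  if (!p) return false;
  for (let i = 0; i < 3; i++) if (p[i] !== min[i]) return p[i] > min[i];
  return true;
}

// Hostname of an absolute URL, or null for anything else (e.g. a bare
// semver range such as "^0.18.5" left in an override by mistake).
function hostOf(value) {
  try { return new URL(String(value)).hostname; } catch { return null; }
}

// Walk every `node_modules/.../xlsx` entry in the lockfile and report whether
// it came from the official host and is recent enough. Also checks that the
// root package.json has `overrides.xlsx` pointing at the official host.
function auditXlsx(lock, pkg) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/xlsx" && !path.endsWith("/node_modules/xlsx")) continue;
    const official = OFFICIAL_HOSTS.has(hostOf(entry.resolved));
    const recent = versionAtLeast(entry.version, MIN_VERSION);
    findings.push({ path, version: entry.version, resolved: entry.resolved, official, recent, ok: official && recent });
  }
  const override = pkg && pkg.overrides ? pkg.overrides.xlsx : undefined;
  const overrideOk = OFFICIAL_HOSTS.has(hostOf(override));
  return {
    findings,
    overrideOk,
    // Pass only when xlsx is actually installed and every copy is clean.
    ok: findings.length > 0 && findings.every((f) => f.ok),
  };
}

// Constructed sample: a Gatsby project before the fix. gatsby-transformer-excel
// pulls the stale registry copy and there is no override.
const GATSBY_ENTRY = {
  version: "5.13.1",
  resolved: "https://registry.npmjs.org/gatsby-transformer-excel/-/gatsby-transformer-excel-5.13.1.tgz",
  dependencies: { xlsx: "^0.18.3" },
};
const PKG_BEFORE = { name: "site", dependencies: { "gatsby-transformer-excel": "^5.13.1" } };
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": PKG_BEFORE,
    "node_modules/gatsby-transformer-excel": GATSBY_ENTRY,
    "node_modules/xlsx": { version: "0.18.5", resolved: "https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz" },
  },
};

// Constructed sample: the same project after steps 2-4 of the reply above.
const PKG_AFTER = { ...PKG_BEFORE, overrides: { xlsx: "https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz" } };
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": PKG_AFTER,
    "node_modules/gatsby-transformer-excel": GATSBY_ENTRY,
    "node_modules/xlsx": { version: "0.20.1", resolved: "https://cdn.sheetjs.com/xlsx-0.20.1/xlsx-0.20.1.tgz" },
  },
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const [label, lock, pkg] of [["before", LOCK_BEFORE, PKG_BEFORE], ["after", LOCK_AFTER, PKG_AFTER]]) {
    console.log(label, JSON.stringify(auditXlsx(lock, pkg), null, 2));
  }
}
```

The lockfile walk matters more than a glance at npm ls: an override only takes effect from the root package.json, so a misspelled key or an override added in a workspace member leaves a nested node_modules/.../xlsx copy on the registry version, which this check reports per path. Once the override resolves to the CDN tarball, the lockfile's integrity field pins its hash, so a later npm ci fails if the tarball contents ever change.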
Reference: sheetjs/sheetjs#3098