Installation without https://www.npmjs.com/ #3112
Hello,
I was just wondering about the reason why the CE version of sheetjs is not published on npmjs anymore?
Regards,
Michaël
Please direct all questions and concerns about npmjs to npmjs support.
I'm sorry, I don't think it's an npmjs.com-related question.
We use xlsx which can be found here: https://www.npmjs.com/package/xlsx
We wanted to update it and noticed that it had not been updated in quite some time.
So we ended up here and, by following your documentation, we noticed that you no longer publish your packages to npm "official repository".
In other words, why did you decide to stop publishing the xlsx/sheetjs libraries in the npm registries?
I'm just curious, it's not a move I see on other projects and I was wondering why you did this (so I can educate myself).
Regards,
Michaël
npm audit shows a high severity vulnerability for xlsx. This should be fixed in the latest published community edition 0.20.2, but that version is unpublished to the official npm registry.
Depending on various 3rd party direct downloads or cdns is simply not an option.
0.20.2 should be published to the official npm registry.
I'm sorry @QBDL_nngithub, I think you are missing the point of my issue.
I know they stopped publishing on npmjs repository and that their versions are out of date and with vulnerabilities, I'd like to know why they decided to stop publishing on npmjs repository.
Vendoring instructions are included in each relevant deployment scenario, so there is no need to rely on SheetJS infrastructure beyond initial setup. In general, we strongly recommend either vendoring every dependency and subdependency in your projects or using a proxy registry such as Verdaccio. Both approaches help minimize the software supply chain attack surface.
@QBDL_nngithub your organization clearly allows third-party resources (e.g. npmjs.com is a third-party CDN) so this is ultimately a question of which third-party resources are allowed in your organization. The person or team that authorized npmjs.com is best equipped to address any potential access issues you are encountering with sheetjs.com resources.
If there is a specific concern about using cdn.sheetjs.com or docs.sheetjs.com or git.sheetjs.com or any other resource on sheetjs.com that does not equally apply to other third-party resources that your company relies upon, please ask a member of the team that authorized npmjs.com to reach out to support@sheetjs.com.
@MichaelBitard There are unique considerations that specifically affect SheetJS open source libraries. Microsoft Corporation (the owner of the npmjs registry) blocked a developer from releasing a JavaScript library for XLSX files under a truly open source license.
@sheetjs Thank you for your reply :) We will solve it. And I do understand your point of view a little better now.
Thanks for your explanations!
I understand a lot better now!
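Added example, not part of the thread and not SheetJS code: one way to enforce the vendoring or proxy-registry recommendation from the maintainer's reply is to audit `package-lock.json` so that every dependency resolves either to a vendored tarball or to an approved proxy. The host names, the `vendor/` directory, the policy shape and the sample lockfile are assumptions constructed for illustration.

```javascript
// Audits a package-lock.json object (lockfileVersion 2 or 3).
// POLICY values are assumptions: an internal Verdaccio-style proxy host
// and a repository directory that holds vendored tarballs.
const POLICY = {
  allowedHosts: ["npm.internal.example"],
  vendorPrefix: "file:vendor/",
};

function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links, and bundled deps
    // (bundled deps ship inside their parent's tarball).
    if (path === "" || pkg.link || pkg.inBundle) continue;
    const name = path.replace(/^.*node_modules\//, "");
    const resolved = pkg.resolved;
    if (!resolved) {
      findings.push({ name, issue: "no-resolved-source" });
    } else if (resolved.startsWith("file:")) {
      if (!resolved.startsWith(policy.vendorPrefix))
        findings.push({ name, issue: "file-outside-vendor-dir", resolved });
    } else {
      let host = null;
      try {
        const u = new URL(resolved);
        if (u.protocol === "https:") host = u.hostname; // plain http, git+ssh etc. stay null
      } catch (_) { /* unparsable source is treated as unapproved */ }
      if (!policy.allowedHosts.includes(host))
        findings.push({ name, issue: "unapproved-source", resolved });
    }
    // The lockfile integrity field is what lets npm detect a swapped tarball.
    if (!/^sha512-/.test(pkg.integrity || ""))
      findings.push({ name, issue: "missing-or-weak-integrity" });
  }
  return findings;
}

// Constructed sample lockfile: one vendored, one proxied, one direct download.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/xlsx": { version: "0.20.2", resolved: "file:vendor/xlsx-0.20.2.tgz", integrity: "sha512-CONSTRUCTEDvendored==" },
    "node_modules/left": { resolved: "https://npm.internal.example/left/-/left-1.0.0.tgz", integrity: "sha512-CONSTRUCTEDproxy==" },
    "node_modules/right": { resolved: "https://cdn.thirdparty.example/right-2.0.0.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run as a CI step against the parsed lockfile, a non-empty result means a dependency bypasses the vendored directory or the proxy.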