Installation without https://www.npmjs.com/ #3112

New Issue

Closed

opened 2024-04-17 08:52:42 +00:00 by MichaelBitard · 7 comments

MichaelBitard commented 2024-04-17 08:52:42 +00:00

Copy Link

Hello,

I was just wondering about the reason why the CE version of sheetjs is not published on npmjs anymore?

Regards,
Michaël

Hello, I was just wondering about the reason why the CE version of sheetjs is not published on npmjs anymore? Regards, Michaël

👍 1

sheetjs commented 2024-04-21 01:43:08 +00:00

Owner

Copy Link

Please direct all questions and concerns about npmjs to npmjs support.

Please direct all questions and concerns about npmjs to npmjs support.

👎 1

sheetjs closed this issue 2024-04-21 01:43:09 +00:00

MichaelBitard commented 2024-04-22 07:30:13 +00:00

Author

Copy Link

I'm sorry, I don't think it's a npmjs.com related question.

We use xlsx which can be found here: https://www.npmjs.com/package/xlsx

We wanted to update it and noticed that it had not been updated in quite some time.
So we ended up here and by following your documentation, we noticed that you no longer publish your packages to npm "official repository"

In other words, why did you decide to stop publishing the xlsx/sheetjs librairies in the npm registries?

I'm just curious, it's not a move I see on other projects and I was wondering why you did this (so I can educate myself).

Regards,
Michaël

I'm sorry, I don't think it's a npmjs.com related question. We use xlsx which can be found here: https://www.npmjs.com/package/xlsx We wanted to update it and noticed that it had not been updated in quite some time. So we ended up here and by following your documentation, we noticed that you no longer publish your packages to npm "official repository" In other words, why did you decide to stop publishing the `xlsx/sheetjs` librairies in the npm registries? I'm just curious, it's not a move I see on other projects and I was wondering why you did this (so I can educate myself). Regards, Michaël

👍 2

MichaelBitard reopened this issue 2024-04-29 14:18:57 +00:00

QBDL_nngithub commented 2024-06-17 08:42:39 +00:00

Copy Link

npm audit shows a high severity vulnerability for for xlsx. This should be fixed in the latest published community edition 0.20.2, but that version is unpublished to the official npm registry.

Depending on various 3rd party direct downloads or cdns is simply not an option.

0.20.2 should be published to the official npm registry.

npm audit shows a high severity vulnerability for for xlsx. This should be fixed in the latest published community edition 0.20.2, but that version is unpublished to the official npm registry. Depending on various 3rd party direct downloads or cdns is simply not an option. 0.20.2 should be published to the official npm registry.

MichaelBitard commented 2024-06-17 18:42:43 +00:00

Author

Copy Link

I'm sorry @QBDL_nngithub, I think you are missing the point of my issue.

I know they stopped publishing on npmjs repository and that their versions are out of date and with vulnerabilities, I'd like to know why they decided to stop publishing on npmjs repository.

I'm sorry @QBDL_nngithub, I think you are missing the point of my issue. I know they stopped publishing on npmjs repository and that their versions are out of date and with vulnerabilities, I'd like to know why they decided to stop publishing on npmjs repository.

sheetjs commented 2024-06-18 08:32:19 +00:00

Owner

Copy Link

Vendoring instructions are included in each relevant deployment scenario, so there is no need to rely on SheetJS infrastructure beyond initial setup. In general, we strongly recommend either vendoring every dependency and subdependency in your projects or using a proxy registry such as Verdaccio. Both approaches help minimize the software supply chain attack surface.

@QBDL_nngithub your organization clearly allows third-party resources (e.g. npmjs.com is a third-party CDN) so this is ultimately a question of which third-party resources are allowed in your organization. The person or team that authorized npmjs.com is best equipped to address any potential access issues you are encountering with sheetjs.com resources.

If there is a specific concern about using cdn.sheetjs.com or docs.sheetjs.com or git.sheetjs.com or any other resource on sheetjs.com that does not equally apply to other third-party resources that your company relies upon, please ask a member of the team that authorized npmjs.com to reach out to support@sheetjs.com .

---

@MichaelBitard There are unique considerations that specifically affect SheetJS open source libraries. Microsoft Corporation (the owner of the npmjs registry) blocked a developer from releasing a JavaScript library for XLSX files under a truly open source license.

Vendoring instructions are included in each relevant deployment scenario, so there is no need to rely on SheetJS infrastructure beyond initial setup. In general, we strongly recommend either vendoring every dependency and subdependency in your projects or using a proxy registry such as [Verdaccio](https://verdaccio.org/). Both approaches help minimize the software supply chain attack surface. @QBDL_nngithub your organization clearly allows third-party resources (e.g. npmjs.com is a third-party CDN) so this is ultimately a question of which third-party resources are allowed in your organization. The person or team that authorized npmjs.com is best equipped to address any potential access issues you are encountering with sheetjs.com resources. If there is a specific concern about using cdn.sheetjs.com or docs.sheetjs.com or git.sheetjs.com or any other resource on sheetjs.com that does not equally apply to other third-party resources that your company relies upon, please ask a member of the team that authorized npmjs.com to reach out to support@sheetjs.com . --- @MichaelBitard There are unique considerations that specifically affect SheetJS open source libraries. Microsoft Corporation (the owner of the npmjs registry) [blocked a developer from releasing a JavaScript library for XLSX files under a truly open source license](https://github.com/stephen-hardy/xlsx.js/issues/8).

sheetjs closed this issue 2024-06-18 08:32:19 +00:00

QBDL_nngithub commented 2024-06-18 19:06:02 +00:00

Copy Link

@sheetjs Thank you for your reply:) We will solve it. And I do understand your point of view a little better now.

@sheetjs Thank you for your reply:) We will solve it. And I do understand your point of view a little better now.

MichaelBitard commented 2024-06-19 07:38:19 +00:00

Author

Copy Link

Thanks for your explanations!

I understand a lot better now!

Thanks for your explanations! I understand a lot better now!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

sankhavaramsaitulasiram/feat-fix-2752

maybeswapnil/issue2737

gh-pages

scottysseus/2560_2

ivan-trusov/fix-basedate

nandanv2702/issue_1300

protobi/master

ThomasChan/master

grantfayvor/master

tom-groves/bug-1105/rounding-error

mgreter/master

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.12

v0.18.11

v0.18.10

v0.18.9

v0.18.8

v0.18.7

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.8

v0.16.7

v0.16.6

v0.16.5

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.6

v0.15.5

v0.15.2

v0.14.0

v0.13.5

v0.13.4

v0.13.3

v0.13.1

v0.13.0

v0.12.13

v0.12.12

v0.12.11

v0.12.10

v0.12.9

v0.12.8

v0.12.7

v0.12.6

v0.12.5

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.19

v0.11.18

v0.11.17

v0.11.16

v0.11.15

v0.11.14

v0.11.13

v0.11.12

v0.11.11

v0.11.10

v0.11.9

v0.11.8

v0.11.7

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.9

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.13

v0.9.12

v0.9.11

v0.9.10

v0.9.9

v0.9.8

v0.9.7

v0.9.6

v0.9.5

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.11

v0.7.10

v0.7.9

v0.7.7

v0.7.6-i

v0.7.6-h

v0.7.6-a

v0.7.6

v0.7.5

v0.7.4

v0.7.3

v0.7.2

v0.7.1

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.0

v0.4.3

Labels

Clear labels   

DBF

  

Dates

  

Defined Names

  

Features

  

Formula

  

HTML

  

Images

  

Infrastructure

  

Integration

  

International

  

ODS

  

Operations

  

Performance

  

PivotTables

  

Pro

  

Protection

  

Read Bug

  

SSF

  

SYLK

  

Style

  

Write Bug

  

good first issue

No Label

DBF

Dates

Defined Names

Features

Formula

HTML

Images

Infrastructure

Integration

International

ODS

Operations

Performance

PivotTables

Pro

Protection

Read Bug

SSF

SYLK

Style

Write Bug

good first issue

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sheetjs/sheetjs#3112

No description provided.