Installation without https://www.npmjs.com/ #3112

Closed
opened 2024-04-17 08:52:42 +00:00 by MichaelBitard · 7 comments

Hello,

I was just wondering about the reason why the CE version of sheetjs is not published on npmjs anymore?

Regards,
Michaël

Owner

Please direct all questions and concerns about npmjs to npmjs support.

Author

I'm sorry, I don't think it's an npmjs.com related question.

We use xlsx which can be found here: https://www.npmjs.com/package/xlsx

We wanted to update it and noticed that it had not been updated in quite some time.
So we ended up here and by following your documentation, we noticed that you no longer publish your packages to npm "official repository".

In other words, why did you decide to stop publishing the xlsx/sheetjs libraries in the npm registries?

I'm just curious, it's not a move I see on other projects and I was wondering why you did this (so I can educate myself).

Regards,
Michaël


npm audit shows a high severity vulnerability for xlsx. This should be fixed in the latest published community edition 0.20.2, but that version is unpublished to the official npm registry.

Depending on various 3rd party direct downloads or cdns is simply not an option.

0.20.2 should be published to the official npm registry.

Author

I'm sorry @QBDL_nngithub, I think you are missing the point of my issue.

I know they stopped publishing on npmjs repository and that their versions are out of date and with vulnerabilities, I'd like to know why they decided to stop publishing on npmjs repository.

Owner

Vendoring instructions are included in each relevant deployment scenario, so there is no need to rely on SheetJS infrastructure beyond initial setup. In general, we strongly recommend either vendoring every dependency and subdependency in your projects or using a proxy registry such as Verdaccio (https://verdaccio.org/). Both approaches help minimize the software supply chain attack surface.

@QBDL_nngithub your organization clearly allows third-party resources (e.g. npmjs.com is a third-party CDN) so this is ultimately a question of which third-party resources are allowed in your organization. The person or team that authorized npmjs.com is best equipped to address any potential access issues you are encountering with sheetjs.com resources.

If there is a specific concern about using cdn.sheetjs.com or docs.sheetjs.com or git.sheetjs.com or any other resource on sheetjs.com that does not equally apply to other third-party resources that your company relies upon, please ask a member of the team that authorized npmjs.com to reach out to support@sheetjs.com.

@MichaelBitard There are unique considerations that specifically affect SheetJS open source libraries. Microsoft Corporation (the owner of the npmjs registry) blocked a developer from releasing a JavaScript library for XLSX files under a truly open source license (https://github.com/stephen-hardy/xlsx.js/issues/8).


@sheetjs Thank you for your reply:) We will solve it. And I do understand your point of view a little better now.

Author

Thanks for your explanations!

I understand a lot better now!

Reference: sheetjs/sheetjs#3112