Security vulnerabilities- alex and mocha, markdown-spellcheck needs to be updated #3216

New Issue

Malwinderkaur · 2024-09-12T14:33:59Z

Malwinderkaur commented

2024-09-12 14:33:59 +00:00

When vendoring, security vulnerabilities are shown for the following npm packages- mocha, alex, markdown-spellcheck
Could you please upgrade to latest versions

When vendoring, security vulnerabilities are shown for the following npm packages- mocha, alex, markdown-spellcheck Could you please upgrade to latest versions

sheetjs commented

2024-09-12 17:16:10 +00:00

Those are used in development and are not listed as project dependencies. They should not be installed when vendoring.

To confirm this, the following test was run in darwin-x64:

## Create project structure
cd /tmp 
mkdir i3216
cd i3216
npm init -y

## Vendor
curl -LO https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
npm i --save file:xlsx-0.20.3.tgz

## Check installed packages
ls node_modules

The last command (which displays the contents of the node_modules folder) only shows xlsx. None of the devDependencies were installed.

To be sure this works for all versions, you can use n to switch between node versions:

for i in 4 6 8 10 12 14 16 18 20 22; do
  rm -rf node_modules;
  sudo n $i;
  npm --version;
  npm install;
  ls node_modules;
done

Based on the output, the following npm versions were confirmed to work:

Node	NPM
4	2.15.11
6	3.10.10
8	6.13.4
10	6.14.2
12	6.14.16
14	6.14.18
16	8.19.4
18	10.7.0
20	10.8.2
22	10.8.2

If you find that the devDependencies are being installed, that is a bug in the npm tool and you are strongly encouraged to raise an issue with Microsoft.

Those are used in development and are not listed as project dependencies. They should not be installed when vendoring. To confirm this, the following test was run in `darwin-x64`: ```bash ## Create project structure cd /tmp mkdir i3216 cd i3216 npm init -y ## Vendor curl -LO https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz npm i --save file:xlsx-0.20.3.tgz ## Check installed packages ls node_modules ``` The last command (which displays the contents of the `node_modules` folder) only shows `xlsx`. None of the `devDependencies` were installed. To be sure this works for all versions, you can use [`n`](https://npm.im/n) to switch between node versions: ```bash for i in 4 6 8 10 12 14 16 18 20 22; do rm -rf node_modules; sudo n $i; npm --version; npm install; ls node_modules; done ``` Based on the output, the following `npm` versions were confirmed to work: | Node | NPM | |:-|:-| | 4 | 2.15.11 | | 6 | 3.10.10 | | 8 | 6.13.4 | | 10 | 6.14.2 | | 12 | 6.14.16 | | 14 | 6.14.18 | | 16 | 8.19.4 | | 18 | 10.7.0 | | 20 | 10.8.2 | | 22 | 10.8.2 | --- If you find that the `devDependencies` are being installed, that is a bug in the `npm` tool and you are strongly encouraged to raise an issue with Microsoft.

sheetjs closed this issue

2024-09-12 17:16:11 +00:00

Malwinderkaur referenced this issue

2024-09-12 17:43:13 +00:00

#3216, vulnerabilities when vendoring unzipped folder #3217

Sign in to join this conversation.