---
title: Security
sidebar_position: 7
hide_table_of_contents: true
---

Please report any potential vulnerability or question to security@sheetjs.com

## Known Issues

SheetJS libraries use techniques that may be flagged by overzealous scanners.

**The issues in this section are fundamentally unavoidable.**

### URL References and XML

XLSX, SpreadsheetML2003, and a number of other spreadsheet file formats use XML.

XML namespaces are specified as URLs. For example, XLSX file properties follow
[Dublin Core](https://www.dublincore.org/specifications/dublin-core/dcmi-terms/)
Metadata standards. XLSX files must reference `http://purl.org/dc/elements/1.1/`.

**This is a design flaw of XML!**

Any tool that generates XML files must generate URLs to domains outside of the
control of the vendor.

### Non-ASCII Characters

XLS, CSV and other legacy file formats use system-specific encodings. Excel and
other established software predate UTF-8. As a result, SheetJS libraries ship
with [the `codepage` encodings](/docs/constellation/codepage).

SheetJS libraries include CJK ("Chinese, Japanese and Korean") characters to
support CSV and XLS files generated by East Asian versions of Excel.

**The encodings are required for correct parsing of spreadsheet data!**

[The SheetJS library scripts are reproducible](/docs/miscellany/contributing).
Security-conscious developers should audit the source code and verify that the
build artifacts are identical to the official releases.