
@nlpjs/xtables depends on vulnerable version of xlsx

Open ahitrov opened this issue 1 year ago • 3 comments

[Security] Prototype Pollution in sheetJS

https://github.com/advisories/GHSA-4r6h-8v6p-xvw6

Affected version: 0.19.3

Description: All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-30533
- https://cdn.sheetjs.com/advisories/CVE-2023-30533
- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md

ahitrov, Jun 06 '23 09:06
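Two checks a maintainer triaging this report would want, written here as an added example rather than code from nlp.js or SheetJS: a version test that encodes the advisory's affected range (all SheetJS CE releases through 0.19.2), and a canary wrapper that snapshots `Object.prototype` before handing untrusted input to a parser and fails closed if the parse added properties to it. The `simulatedParser` is a constructed stand-in that reproduces the *effect* of a prototype-pollution bug for a flagged input; it is not the SheetJS code path and stands in for whatever reader is actually called.

```javascript
'use strict';

// Affected range taken from the advisory quoted in the issue:
// every SheetJS CE version up to and including 0.19.2.
function isAffectedXlsxVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 0) return false;
  if (minor < 19) return true;
  return minor === 19 && patch <= 2;
}

// Snapshot of Object.prototype's own property names, used as a canary.
function protoSnapshot() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// Run `parser` on untrusted input. If the parse left new properties on
// Object.prototype, delete them so the process is not left in a tampered
// state, then throw so the caller does not consume the parsed result.
function parseUntrusted(parser, input) {
  const before = protoSnapshot();
  const result = parser(input);
  const added = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.has(k));
  if (added.length > 0) {
    for (const k of added) delete Object.prototype[k];
    throw new Error(`prototype pollution detected: ${added.join(', ')}`);
  }
  return result;
}

// Constructed stand-in for a vulnerable reader (hypothetical, not SheetJS):
// returns rows for normal input, and for an input flagged `pollute: true`
// writes to Object.prototype the way a crafted file would through the bug.
function simulatedParser(input) {
  if (input.pollute) {
    Object.prototype.polluted = true;
  }
  return (input.rows || []).map((r) => ({ ...r }));
}

// Wraps a parser so that untrusted files are gated on the version check
// and the canary; trusted, locally generated files can skip the canary.
function readSpreadsheet(parser, input, { xlsxVersion, trusted = false }) {
  if (trusted) return parser(input);
  if (isAffectedXlsxVersion(xlsxVersion)) {
    return parseUntrusted(parser, input);
  }
  return parser(input);
}

module.exports = { isAffectedXlsxVersion, parseUntrusted, simulatedParser, readSpreadsheet };
```

The wrapper is a stop-gap for code that cannot yet move to a patched `xlsx` release; it detects pollution after the fact rather than preventing it, so upgrading remains the real fix, and `Object.freeze(Object.prototype)` at process start is the stronger general hardening where the rest of the application tolerates it.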

This is currently heavily affecting us also as npm audit does not pass and it is marked as a high severity security issue.

Could we get an update on this?

Mitko-Kerezov, Aug 30 '23 11:08

@ericzon Can we help with this?

kibertoad, Sep 20 '23 07:09

@ericzon We've created an npm version for a newer version of XLSX (which is distributed with an Apache 2 license over CDN): https://www.npmjs.com/package/@lokalise/xlsx

It should resolve the security issue in question.

kibertoad, Feb 18 '24 18:02