vue3-excel-editor

Vulnerability for dependency xlsx (upgrade sheetjs dependency to address Prototype Pollution vulnerability (CVE-2023-30533))

Open goiaalexandru opened this issue 11 months ago • 2 comments

Description: The current version of the sheetjs dependency used in this package is vulnerable to a Prototype Pollution attack (CVE-2023-30533). This vulnerability can be exploited to potentially compromise the application's security.

Details:

  • Vulnerable dependency: sheetjs (version < 0.19.3)
  • Vulnerability details: https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md#v0193 (Fixed "Prototype Pollution" vulnerability (CVE-2023-30533))
  • Updated package source: https://git.sheetjs.com/SheetJS/sheetjs# (This repository contains the fixed version 0.19.3) [docs: https://docs.sheetjs.com/docs/getting-started/installation/frameworks#legacy-endpoints ]

goiaalexandru avatar Mar 20 '24 08:03 goiaalexandru
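The issue above names the bug class (prototype pollution) but not what it looks like. The block below is a generic illustration added to this page; it is not SheetJS code and not the CVE-2023-30533 code path. It shows a recursive object merge of the kind that parsers commonly contain, first in a form that lets a crafted `__proto__` key reach `Object.prototype`, then hardened by skipping prototype-reaching keys and building on prototype-less objects. `HOSTILE_JSON` is a constructed input, and the function names are this example's own.

```javascript
// Added illustration of the "prototype pollution" bug class named in the
// issue title. Generic example code: NOT the SheetJS parser and NOT the
// CVE-2023-30533 code path. It shows the bug class and one hardening.

// Unsafe deep merge: copies every key of `src` into `dst`, recursing into
// nested objects. JSON.parse creates an own property literally named
// "__proto__", and reading dst["__proto__"] on a plain object returns
// Object.prototype, so the recursion writes into the shared prototype and
// every object in the process now sees the attacker's property.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Keys that can redirect a write into a prototype instead of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: drop prototype-reaching keys, only descend into the
// target's own properties, and create nested containers with no prototype
// chain at all so there is nothing to pollute.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || typeof dst[key] !== 'object') {
        dst[key] = Object.create(null);
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed hostile input (not from any real file): a document that
// carries a key named after the prototype alongside ordinary data.
const HOSTILE_JSON = '{"cell":"A1","__proto__":{"polluted":"yes"}}';

// Runs the unsafe merge and reports what an unrelated empty object sees
// before and after. Cleans up afterwards so the rest of the process is
// not affected.
function demoUnsafe() {
  const before = ({}).polluted;          // undefined in a clean process
  unsafeMerge({}, JSON.parse(HOSTILE_JSON));
  const after = ({}).polluted;           // "yes": every object now has it
  delete Object.prototype.polluted;      // undo the pollution
  return { before, after };
}

// Runs the hardened merge on the same input: real data survives, the
// prototype key is dropped, and unrelated objects are untouched.
function demoSafe() {
  const merged = safeMerge(Object.create(null), JSON.parse(HOSTILE_JSON));
  return {
    cell: merged.cell,                   // "A1"
    leaked: ({}).polluted,               // undefined
    hasProtoKey: '__proto__' in merged,  // false
  };
}
```

The practical lesson is the one behind the upgrade request: any library that turns untrusted file contents into nested objects needs this kind of key filtering or prototype-less containers, and if it lacks them the only fix available to a consumer is to move to a release that has them.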

I found that the outdated version in npm is related to this: https://github.com/SheetJS/sheetjs/issues/2667 Someone has actually made a replacement package there tho: https://www.npmjs.com/package/@e965/xlsx, which is built on the new git repo

jesse-tong avatar Jun 24 '24 13:06 jesse-tong
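Because the npm registry copy of `xlsx` stops before the fixed release, a project can carry a vulnerable transitive copy even after the top-level dependency is moved to the CDN tarball or to a mirror package. The block below is an added example for this page, not code from vue3-excel-editor or SheetJS: it scans an npm lockfile (it assumes lockfileVersion 2 or 3, which carry a `packages` map keyed by install path) and reports every copy of `xlsx` below 0.19.3, the first release the issue cites as fixed. `SAMPLE_LOCK`, its paths, versions and `resolved` URLs are constructed for the example.

```javascript
// Added example: find copies of `xlsx` below the fixed release in an npm
// package-lock. Written for this page; not vue3-excel-editor or SheetJS code.
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by install path).

const FIXED_XLSX_VERSION = '0.19.3';  // first release the issue cites as fixed

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into three numbers. The prerelease
// tag is ignored; this example assumes plain semver strings in the lockfile.
function parseSemver(v) {
  const core = v.split('-')[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// -1, 0 or 1 as `a` is below, equal to, or above `b`.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile install path: the text after the last
// "node_modules/". Scoped names such as "@e965/xlsx" keep their scope, so
// the mirror package is not mistaken for the registry `xlsx`.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Every install path (top-level or nested) whose package is `xlsx` at a
// version below the fix, with the source it was resolved from.
function findVulnerableXlsx(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue;                        // root project entry
    if (packageNameFromPath(installPath) !== 'xlsx') continue;
    if (!meta.version) continue;
    if (compareSemver(meta.version, FIXED_XLSX_VERSION) < 0) {
      hits.push({ path: installPath, version: meta.version, resolved: meta.resolved || null });
    }
  }
  return hits;
}

// Constructed lockfile excerpt (not a real project's lock): one fixed copy
// at the top level, one vulnerable copy nested under a dependency, and the
// @e965/xlsx mirror, which must not be reported as `xlsx`.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/xlsx': {
      version: '0.20.2',
      resolved: 'https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz',
    },
    'node_modules/vue3-excel-editor/node_modules/xlsx': {
      version: '0.18.5',
      resolved: 'https://registry.npmjs.org/xlsx/-/xlsx-0.18.5.tgz',
    },
    'node_modules/@e965/xlsx': { version: '0.20.2' },
  },
};

// Runs the audit over the constructed sample; one nested hit is expected.
function auditSampleLock() {
  return findVulnerableXlsx(SAMPLE_LOCK);
}
```

On a real project, read `package-lock.json` with `JSON.parse` and pass the result to `findVulnerableXlsx`; a non-empty result means a nested copy still needs an override or an upstream release, regardless of what the top-level `xlsx` entry resolves to.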

@cscan Please respond to this since this is quite important tho (the original npm package has been abandoned and the xlsx maintainers did not even mention anything on npm)

jesse-tong avatar Jul 18 '24 13:07 jesse-tong