
jszip dependency 2.6.1 is vulnerable to attack CWE-29

Open Apobbot opened this issue 3 years ago • 6 comments

Hi, jszip 2.6.1 dependency is vulnerable to attack CWE-29.

Would be great to get a minor hotfix for this to avoid the vulnerability, if it doesn't impact the codebase much. The version to update to would be 3.8.0, which doesn't have the vulnerability.

Thanks.

Apobbot avatar Jan 13 '23 12:01 Apobbot

Technically you have 2.7.0 now, but it still has this vuln. I submitted PR https://github.com/Stuk/jszip/pull/884 to backport the fix, so hopefully this gets accepted and I can re-release a secured version.

kant2002 avatar Jan 13 '23 16:01 kant2002

jszip < 3.8.0 has now had a critical (9.8/10) vulnerability disclosed: https://github.com/advisories/GHSA-36fh-84j7-cv5h

Could you update jszip to latest version to resolve these?

jmac105 avatar Feb 07 '23 12:02 jmac105
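The request above is to get every jszip install in the tree above the fixed version. The following is an added example (not code from xlsx-template, jszip, or any commenter in this thread) that scans a `package-lock.json` in the lockfile v2/v3 `packages` layout and reports any jszip copy, including nested copies pulled in by a transitive dependency, whose version is below 3.8.0. The lock-file contents and package names other than jszip are constructed sample data; the version comparison is a plain numeric dotted-version compare, not the semver package.

```javascript
// Added example: flag jszip installs below the fixed version named in the
// GHSA-36fh-84j7-cv5h advisory. Not part of xlsx-template or jszip.

const FIXED_VERSION = '3.8.0';

// Compare two dotted version strings numerically (prerelease tags ignored).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lock file and return every jszip install
// (install path and version) that is older than FIXED_VERSION.
function findVulnerableJszip(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Install paths end in the package name; nested copies look like
    // "node_modules/<dep>/node_modules/jszip".
    if (!/(^|\/)node_modules\/jszip$/.test(path)) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lock file: a patched top-level jszip plus an outdated
// nested copy that "some-lib" (a hypothetical dependency) pins to ^2.6.0.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/jszip': { version: '3.10.1' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { jszip: '^2.6.0' } },
    'node_modules/some-lib/node_modules/jszip': { version: '2.7.0' },
  },
};

// Usage: node check-jszip.js [path/to/package-lock.json]
// Without an argument the constructed sample lock file is scanned.
const lockToScan = process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
for (const hit of findVulnerableJszip(lockToScan)) {
  console.log(`${hit.path}: jszip ${hit.version} is below ${FIXED_VERSION}`);
}
```

On the sample data only the nested copy under `some-lib` is reported, which is the case a plain `npm ls jszip` at the top level can hide: a project can depend on a patched jszip directly while a transitive dependency still ships an older one.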

Ping me in a couple of days; if there is no response from jszip I will publish with a forked package.

kant2002 avatar Feb 07 '23 13:02 kant2002

@kant2002 is there any chance to publish these fixes to npm?

aslubsky avatar Feb 15 '23 07:02 aslubsky

@aslubsky and others, I updated the version to 1.4.1, where I switched to a fork of [email protected] which does not have security issues. I have started looking for alternatives to jszip with both sync and async APIs, so I can provide an async API without breaking changes. Let me know if you know such alternatives.

kant2002 avatar Feb 15 '23 07:02 kant2002

Thanks a lot! We also use jszip on our current project, but on my pet project I've used pizzip; take a look at it.

aslubsky avatar Feb 16 '23 10:02 aslubsky