Vulnerabilities

[Templore]

https://www.npmjs.com/package/xlsx

latest version 0.18.5 have two vulnerabilities

[JuanTorchia]

Hi @Templore,

Thank you for highlighting the security vulnerabilities in xlsx version 0.18.5. You're correct that this version has two significant vulnerabilities:

• CVE-2023-30533 (Score 7.5): Prototype Pollution via a crafted file
• CVE-2023-22365 (Score 7.5): Regular Expression Denial of Service (ReDoS)

These security issues have been addressed in newer versions. The recommended solution is to use SheetJS directly from their CDN with version 0.20.3:

yarn remove xlsx
yarn add xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz

For newer Yarn versions that require explicit package naming, use the xlsx@ prefix as shown above.

Note that if you're using Snyk security tooling, you might still see warnings about "Prototype Pollution" (SNYK-JS-XLSX-5457926), but according to SheetJS, these are false positives for versions 0.19.3 and later. Their official recommendation is to suppress these warnings.

Thanks for bringing attention to these security issues.

This information is also documented in the official SheetJS documentation: https://docs.sheetjs.com/docs/getting-started/installation/nodejs/

Since there's a clear solution available and the maintainers are aware of these issues, I believe this ticket can be closed. 👍