Vulnerability for dependency xlsx (upgrade sheetjs dependency to address Prototype Pollution vulnerability (CVE-2023-30533))

[goiaalexandru]

Description:
The current version of the sheetjs dependency used in this package is vulnerable to a Prototype Pollution attack (CVE-2023-30533). This vulnerability can be exploited to potentially compromise the application's security.

Details:

• Vulnerable dependency: sheetjs (version < 0.19.3)
• Vulnerability details: https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md#v0193 (Fixed "Prototype Pollution" vulnerability (CVE-2023-30533))
• Updated package source: https://git.sheetjs.com/SheetJS/sheetjs# (This repository contains the fixed version 0.19.3) [docs: https://docs.sheetjs.com/docs/getting-started/installation/frameworks#legacy-endpoints ]

[jesse-tong]

I found that the outdated version in npm is related to this: SheetJS/sheetjs#2667
Someone has actually made a replacement package there tho: https://www.npmjs.com/package/@e965/xlsx, which is build on the new git repo

[jesse-tong]

@cscan Please response to this since this is quite important tho (the original npm package has been abandoned and the xlsx maintainers did not even mention anything on npm)

[cscan]

I make npm install xlsx@latest, the version is still 0.18.5

[CageThrottleUs]

I make npm install xlsx@latest, the version is still 0.18.5

I think the issue that is being discussed here is, that there are no new updates on npm.
The developers of the original xlsx package don't update their package on npm anymore. A solution would be to replace it with an updated version of the same package (https://www.npmjs.com/package/@e965/xlsx)

[Kedrihan]

Hello,
I've just sumbitted PR #69 to fix this.

[ChronosMasterOfAllTime]

@Kedrihan As a temporary workaround you can add the following in your package.json:

"overrides": {
  "dependency": {
    "vue3-excel-editor": {
        "xlsx": "npm:@e965/xlsx@^0.20.3",
    }
  }
}