Skip to content

fix(deps): install xlsx from @e965/xlsx npm mirror#5502

Closed
TheodoreSpeaks wants to merge 1 commit into
stagingfrom
fix/xlsx-npm-mirror
Closed

fix(deps): install xlsx from @e965/xlsx npm mirror#5502
TheodoreSpeaks wants to merge 1 commit into
stagingfrom
fix/xlsx-npm-mirror

Conversation

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator

Summary

  • xlsx was pinned to a direct tarball on cdn.sheetjs.com, which now returns 403 (Cloudflare bot-challenge) to automated clients — breaking bun install --frozen-lockfile in CI
  • npm's own xlsx is deliberately frozen at 0.18.5, so switch to @e965/xlsx@0.20.3, a community npm republish of the identical SheetJS 0.20.3 CDN build
  • No code changes — every import uses bare 'xlsx', so the npm alias is transparent

Type of Change

  • Bug fix

Testing

  • bun install resolves cleanly; lockfile now points at @e965/xlsx@0.20.3 (npm registry, integrity-hashed)
  • Verified node_modules/xlsx is the real 0.20.3 build
  • bun run lint passes

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

The dependency was pinned to a direct tarball on cdn.sheetjs.com, which
now returns 403 (Cloudflare bot-challenge) to automated clients, breaking
bun install in CI. npm's own xlsx is frozen at 0.18.5, so switch to the
@e965/xlsx mirror which republishes the identical 0.20.3 CDN build to the
npm registry. No code changes needed — all imports use bare 'xlsx'.
@TheodoreSpeaks TheodoreSpeaks requested a review from a team as a code owner July 8, 2026 02:02
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jul 8, 2026 2:06am

Request Review

@cursor

cursor Bot commented Jul 8, 2026

Copy link
Copy Markdown

PR Summary

Low Risk
Dependency resolution-only change with no application logic edits; risk is limited to trusting the third-party npm mirror matches the prior 0.20.3 build.

Overview
Replaces the xlsx dependency source from a direct SheetJS CDN tarball (which now returns 403 in CI/automated installs) with the npm alias npm:@e965/xlsx@0.20.3, a registry-hosted republish of the same 0.20.3 build.

bun.lock is updated to match so bun install --frozen-lockfile resolves from npm with integrity hashing. Application code is unchanged—imports still use 'xlsx', so the alias is transparent at runtime.

Reviewed by Cursor Bugbot for commit a20c114. Bugbot is set up for automated code reviews on this repo. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes a broken CI dependency install by replacing the xlsx package's CDN tarball source (which now returns 403) with @e965/xlsx@0.20.3 via Bun's npm alias syntax, keeping the same 0.20.3 version and import surface.

  • apps/sim/package.json: changes "xlsx" from https://cdn.sheetjs.com/… to "npm:@e965/xlsx@0.20.3"; no code changes are required because all import sites use the bare 'xlsx' specifier.
  • bun.lock: updated to resolve xlsx through the npm registry entry for @e965/xlsx@0.20.3 with a sha512 integrity hash, replacing the previously unverified CDN tarball entry.

Confidence Score: 4/5

The change is a minimal two-file dependency swap that restores a broken install with no code modifications; all import sites are unaffected.

The switch to an unofficial community mirror is the right pragmatic fix for the CDN 403 breakage, and the lockfile integrity hash prevents future registry substitution attacks. The one open question is whether the published tarball was verified against the official SheetJS 0.20.3 CDN build before the hash was captured — if it wasn't, a compromised publish would be silently trusted.

apps/sim/package.json — the new @e965/xlsx dependency should be verified against the official SheetJS 0.20.3 CDN tarball to confirm the published contents match.

Security Review

  • Unofficial npm mirror (@e965/xlsx): The replacement package is published by a third-party community maintainer (e965), not the SheetJS team. The lockfile's sha512 hash guards against future registry tampering but does not attest that the original publish matched the official CDN tarball. Projects consuming this package should independently verify the tarball contents against a trusted source.

Important Files Changed

Filename Overview
apps/sim/package.json Switches xlsx dependency from a CDN tarball (now returning 403) to the community npm mirror @e965/xlsx@0.20.3 using Bun's npm alias syntax; version is kept at 0.20.3
bun.lock Lockfile updated to resolve xlsx via @e965/xlsx@0.20.3 from the npm registry with a sha512 integrity hash; all other entries are unchanged

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bun install] --> B{Resolve xlsx}
    B -->|Before PR| C[cdn.sheetjs.com/xlsx-0.20.3.tgz]
    B -->|After PR| D[npm registry: @e965/xlsx@0.20.3]
    C --> E[❌ 403 Cloudflare bot-challenge]
    D --> F[✅ Tarball downloaded + sha512 verified]
    F --> G[node_modules/xlsx aliased to @e965/xlsx@0.20.3]
    G --> H[Import 'xlsx' resolves transparently]
    H --> I[xlsx-parser.ts]
    H --> J[xlsx-preview.tsx]
    H --> K[onedrive/upload/route.ts]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[bun install] --> B{Resolve xlsx}
    B -->|Before PR| C[cdn.sheetjs.com/xlsx-0.20.3.tgz]
    B -->|After PR| D[npm registry: @e965/xlsx@0.20.3]
    C --> E[❌ 403 Cloudflare bot-challenge]
    D --> F[✅ Tarball downloaded + sha512 verified]
    F --> G[node_modules/xlsx aliased to @e965/xlsx@0.20.3]
    G --> H[Import 'xlsx' resolves transparently]
    H --> I[xlsx-parser.ts]
    H --> J[xlsx-preview.tsx]
    H --> K[onedrive/upload/route.ts]
Loading

Reviews (1): Last reviewed commit: "fix(deps): install xlsx from @e965/xlsx ..." | Re-trigger Greptile

Comment thread apps/sim/package.json
"undici": "7.28.0",
"unpdf": "1.4.0",
"xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",
"xlsx": "npm:@e965/xlsx@0.20.3",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 security Unofficial community mirror — supply chain consideration

@e965/xlsx is published by an independent third-party developer (GitHub: e965/sheetjs-npm-publisher) who runs an automated pipeline to re-publish SheetJS CDN tarballs to npm. It is not affiliated with or sanctioned by the SheetJS team. While the sha512 integrity hash in bun.lock prevents tampering of the already-fetched tarball, it does not protect against malicious code that may have been included before the hash was captured. This is a pragmatic trade-off given the CDN 403 breakage, but the team should be aware they are now trusting a community maintainer for a package that handles file parsing (a common attack surface). Verifying the published tarball's contents against the official CDN build or checking a known-good hash from the SheetJS changelog would strengthen confidence before merging.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant