fix(deps): install xlsx from @e965/xlsx npm mirror#5502
Conversation
The dependency was pinned to a direct tarball on cdn.sheetjs.com, which now returns 403 (Cloudflare bot-challenge) to automated clients, breaking bun install in CI. npm's own xlsx is frozen at 0.18.5, so switch to the @e965/xlsx mirror which republishes the identical 0.20.3 CDN build to the npm registry. No code changes needed — all imports use bare 'xlsx'.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
PR SummaryLow Risk Overview
Reviewed by Cursor Bugbot for commit a20c114. Bugbot is set up for automated code reviews on this repo. Configure here. |
Greptile SummaryThis PR fixes a broken CI dependency install by replacing the
Confidence Score: 4/5The change is a minimal two-file dependency swap that restores a broken install with no code modifications; all import sites are unaffected. The switch to an unofficial community mirror is the right pragmatic fix for the CDN 403 breakage, and the lockfile integrity hash prevents future registry substitution attacks. The one open question is whether the published tarball was verified against the official SheetJS 0.20.3 CDN build before the hash was captured — if it wasn't, a compromised publish would be silently trusted. apps/sim/package.json — the new @e965/xlsx dependency should be verified against the official SheetJS 0.20.3 CDN tarball to confirm the published contents match.
|
| Filename | Overview |
|---|---|
| apps/sim/package.json | Switches xlsx dependency from a CDN tarball (now returning 403) to the community npm mirror @e965/xlsx@0.20.3 using Bun's npm alias syntax; version is kept at 0.20.3 |
| bun.lock | Lockfile updated to resolve xlsx via @e965/xlsx@0.20.3 from the npm registry with a sha512 integrity hash; all other entries are unchanged |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[bun install] --> B{Resolve xlsx}
B -->|Before PR| C[cdn.sheetjs.com/xlsx-0.20.3.tgz]
B -->|After PR| D[npm registry: @e965/xlsx@0.20.3]
C --> E[❌ 403 Cloudflare bot-challenge]
D --> F[✅ Tarball downloaded + sha512 verified]
F --> G[node_modules/xlsx aliased to @e965/xlsx@0.20.3]
G --> H[Import 'xlsx' resolves transparently]
H --> I[xlsx-parser.ts]
H --> J[xlsx-preview.tsx]
H --> K[onedrive/upload/route.ts]
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
A[bun install] --> B{Resolve xlsx}
B -->|Before PR| C[cdn.sheetjs.com/xlsx-0.20.3.tgz]
B -->|After PR| D[npm registry: @e965/xlsx@0.20.3]
C --> E[❌ 403 Cloudflare bot-challenge]
D --> F[✅ Tarball downloaded + sha512 verified]
F --> G[node_modules/xlsx aliased to @e965/xlsx@0.20.3]
G --> H[Import 'xlsx' resolves transparently]
H --> I[xlsx-parser.ts]
H --> J[xlsx-preview.tsx]
H --> K[onedrive/upload/route.ts]
Reviews (1): Last reviewed commit: "fix(deps): install xlsx from @e965/xlsx ..." | Re-trigger Greptile
| "undici": "7.28.0", | ||
| "unpdf": "1.4.0", | ||
| "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", | ||
| "xlsx": "npm:@e965/xlsx@0.20.3", |
There was a problem hiding this comment.
Unofficial community mirror — supply chain consideration
@e965/xlsx is published by an independent third-party developer (GitHub: e965/sheetjs-npm-publisher) who runs an automated pipeline to re-publish SheetJS CDN tarballs to npm. It is not affiliated with or sanctioned by the SheetJS team. While the sha512 integrity hash in bun.lock prevents tampering of the already-fetched tarball, it does not protect against malicious code that may have been included before the hash was captured. This is a pragmatic trade-off given the CDN 403 breakage, but the team should be aware they are now trusting a community maintainer for a package that handles file parsing (a common attack surface). Verifying the published tarball's contents against the official CDN build or checking a known-good hash from the SheetJS changelog would strengthen confidence before merging.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Summary
xlsxwas pinned to a direct tarball oncdn.sheetjs.com, which now returns 403 (Cloudflare bot-challenge) to automated clients — breakingbun install --frozen-lockfilein CIxlsxis deliberately frozen at 0.18.5, so switch to@e965/xlsx@0.20.3, a community npm republish of the identical SheetJS 0.20.3 CDN build'xlsx', so the npm alias is transparentType of Change
Testing
bun installresolves cleanly; lockfile now points at@e965/xlsx@0.20.3(npm registry, integrity-hashed)node_modules/xlsxis the real 0.20.3 buildbun run lintpassesChecklist