Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion apps/sim/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -212,7 +212,7 @@
"twilio": "5.9.0",
"undici": "7.28.0",
"unpdf": "1.4.0",
"xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",
"xlsx": "npm:@e965/xlsx@0.20.3",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 security Unofficial community mirror — supply chain consideration

@e965/xlsx is published by an independent third-party developer (GitHub: e965/sheetjs-npm-publisher) who runs an automated pipeline to re-publish SheetJS CDN tarballs to npm. It is not affiliated with or sanctioned by the SheetJS team. While the sha512 integrity hash in bun.lock prevents tampering of the already-fetched tarball, it does not protect against malicious code that may have been included before the hash was captured. This is a pragmatic trade-off given the CDN 403 breakage, but the team should be aware they are now trusting a community maintainer for a package that handles file parsing (a common attack surface). Verifying the published tarball's contents against the official CDN build or checking a known-good hash from the SheetJS changelog would strengthen confidence before merging.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

"zod": "4.3.6",
"zustand": "^5.0.13"
},
Expand Down
4 changes: 2 additions & 2 deletions bun.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading