Update xlsx dependency to version 0.20.3 for improved security #1016
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the xlsx library dependency from version 0.18.5 to 0.20.3, with the stated goal of improving security. However, instead of using the standard npm registry, it sources the package from a CDN (https://cdn.sheetjs.com).
Key Changes:
- Updated xlsx dependency from npm version ^0.18.5 to CDN-hosted version 0.20.3
- Removed transitive dependencies (adler-32, cfb, codepage, crc-32, ssf, wmf, word) as they're bundled in the new version
- Multiple peer dependency marking changes throughout package-lock.json
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| electron/package.json | Changes xlsx dependency source from npm registry to CDN URL for version 0.20.3 |
| electron/package-lock.json | Updates lock file with new xlsx version, removes bundled dependencies, and adjusts peer dependency markers |
Files not reviewed (1)
- electron/package-lock.json: Language not supported
| "tailwindcss-animate": "^1.0.7", | ||
| "uplot": "^1.6.32", | ||
| "xlsx": "^0.18.5", | ||
| "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", |
There was a problem hiding this comment.
Using a CDN URL for dependencies is a best practices violation in Node.js projects. Standard practice is to use semver ranges from the npm registry (e.g., "^0.20.3"), which ensures dependency integrity through package-lock.json, enables security auditing via npm audit, and maintains reproducible builds. CDN-hosted packages can become unavailable or compromised without the protections provided by the npm ecosystem.
| "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", | |
| "xlsx": "0.20.3", |
| "tailwindcss-animate": "^1.0.7", | ||
| "uplot": "^1.6.32", | ||
| "xlsx": "^0.18.5", | ||
| "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", |
There was a problem hiding this comment.
Using a CDN URL as a dependency source introduces security and reliability risks. If the CDN becomes unavailable, compromised, or the URL changes, builds will fail. This also bypasses npm's security scanning and audit capabilities. Consider using the official npm registry version instead (e.g., "xlsx": "^0.20.3") which provides better security, reproducibility, and follows standard Node.js dependency management practices.
| "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz", | |
| "xlsx": "^0.20.3", |
Oshgnacknak
force-pushed
the
1015-fix-xlsx-vulnerabilities
branch
from
e77e03b to
e9ee1f4
Compare
|
Not sure what copilot means, that version does not exist. I tested that using the following also compiles in our codebase diff --git a/electron/package.json b/electron/package.json
index 9b850629..0cc39b85 100644
--- a/electron/package.json
+++ b/electron/package.json
@@ -103,13 +103,13 @@
"react-virtualized": "^9.22.6",
"rehype-raw": "^7.0.0",
"remark-gfm": "^4.0.1",
+ "sheetjs": "^2.0.0",
"socket.io-client": "^4.8.1",
"socket.io-msgpack-parser": "^3.0.2",
"sonner": "^2.0.1",
"tailwind-merge": "^3.0.1",
"tailwindcss-animate": "^1.0.7",
"uplot": "^1.6.32",
- "xlsx": "^0.18.5",
"zod": "^3.24.2",
"zod-validation-error": "^3.4.0",
"zustand": "^5.0.8"I cannot make out, why two packages exist that seemingly both originate from the same group |
No description provided.