New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update devDependency xlsx to ^0.17.0 [SECURITY] - abandoned #8

Open

renovate wants to merge 1 commit into master from renovate/npm-xlsx-vulnerability

Contributor

renovate bot commented Oct 20, 2021 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
xlsx (source)	`^0.9.1` -> `^0.17.0`

GitHub Vulnerability Alerts

CVE-2021-32012

SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).

CVE-2021-32014

SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.

CVE-2021-32013

SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 2).

Release Notes

SheetJS/sheetjs

`v0.17.0`

mini build includes ODS parse/write support
DBF explicitly cap worksheet to 1<<20 rows
XLS throw errors on truncated records

`v0.16.9`

`v0.16.8`

`v0.16.7`

`v0.16.6`

`v0.16.5`

`v0.16.4`

`v0.16.3`

`v0.16.2`

Disabled PRN parsing by default (better support for CSV without delimeters)

`v0.16.1`

skip empty custom property tags if data is absent (fixes DocSecurity issue)
HTML output add raw value, type, number format
DOM parse look for v / t / z attributes when determining value
double quotes in properties escaped using _x0022_
changed AMD structure for NetSuite and other RequireJS implementations

encode_cell and decode_cell do not rely on encode_col / decode_col

`v0.16.0`

Date handling changed
XLML certain tag tests are now case insensitive
Fixed potentially vulnerable regular expressions

`v0.15.6`

CFB prevent infinite loop
ODS empty cells marked as stub (type "z")
cellStyles option implies sheetStubs

`v0.15.5`

sheets parse option to specify which sheets to parse

`v0.15.4`

AOA utilities properly preserve number formats
Number formats captured in stub cells

`v0.15.3`

Properties and Custom Properties properly XML-encoded

`v0.15.2`

sheet_get_cell utility function
sheet_to_json explicitly support null as alias for default behavior
encode_col throw on negative column index
HTML properly handle whitespace around tags in a run
HTML use id option on write
Files starting with 0x09 followed by a display character are now TSV files
XLS parse references col/row indices mod by the correct number for BIFF ver
XLSX comments moved to avoid overlapping cell
XLSB outline level
AutoFilter update _FilterDatabase defined name on write
XLML skip CDATA blocks

`v0.15.1`

XLSX ignore XML artifacts
HTML capture and persist merges

`v0.15.0`

dist/xlsx.mini.min.js mini build with XLSX read/write and some utilities
Removed legacy conversion utility functions

`v0.14.5`

XLS PtgNameX lookup
XLS always create stub cells for blank cells with comments

`v0.14.4`

Better treatment of skipHidden in CSV output
Ignore CLSID in XLS
SYLK 7-bit character encoding
SYLK and DBF codepage support

`v0.14.3`

Proper shifting of addresses in Shared Formulae

`v0.14.2`

Proper XML encoding of comments

`v0.14.1`

raw cell objects can be passed to sheet_add_aoa
_FilterDatabase fix for AutoFilter-related crashes
stream.to_json doesn't end up accidentally scanning to max row

`v0.14.0`

sheet_to_json default flipped to raw: true

`v0.13.5`

HTML output generates <br/> instead of encoded newline character

`v0.13.4`

`v0.13.3`

`v0.13.2`

Buffer.from shim replaced, will not be defined in node <=0.12

`v0.13.1`

`v0.13.0`

Library reshaped to support AMD out of the box

`v0.12.13`

`v0.12.12`

`v0.12.11`

XLS/XLSX/XLSB range truncation (errors in WTF mode)

`v0.12.10`

`v0.12.9`

`v0.12.8`

`v0.12.7`

`v0.12.6`

`v0.12.5`

`v0.12.4`

JSZip renamed to JSZipSync

`v0.12.3`

`v0.12.2`

`v0.12.1`

XLS/XLSX/XLSB range truncation (errors in WTF mode)

`v0.12.0`

Extendscript target script in NPM package

`v0.11.19`

Error on empty workbook

`v0.11.18`

`v0.11.17`

`v0.11.16`

XLS ANSI/CP separation
'array' write type and ArrayBuffer processing

`v0.11.15`

`v0.11.14`

`v0.11.13`

`v0.11.12`

`v0.11.11`

`v0.11.10`

`v0.11.9`

`v0.11.8`

`v0.11.7`

`v0.11.6`

Semicolon-delimited files are detected

`v0.11.5`

Bower main script shifted to full version
'binary' / 'string' encoding

`v0.11.4`

`v0.11.3`

XLS cell ixfe/XF removed

`v0.11.2`

`v0.11.1`

Error on empty workbook

`v0.11.0`

Strip require statements from minified version
minifier mangler enabled

`v0.10.9`

XLML/HTML resolution logic looks further into the data stream to decide type
Errors thrown on suspected RTF files

`v0.10.8`

`v0.10.7`

`v0.10.6`

`v0.10.5`

HTML Table output header/footer should not include <table> tag

`v0.10.3`

`v0.10.1`

`v0.10.0`

`v0.9.13`

`v0.9.12`

`v0.9.11`

`v0.9.10`

--perf renamed to --read-only

`v0.9.9`

default output format changed to XLSB
comment text line endings are now normalized
errors thrown on write when worksheets have invalid names

`v0.9.8`

`v0.9.6`

sheet_to_json now passes null values when raw is set to true
sheet_to_json treats null stub cells as values in conjunction with raw

`v0.9.4`

`v0.9.3`

XLML property names are more closely mapped to the XLSX equivalent
Stub cells are now cell type z

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


Update devDependency xlsx to ^0.17.0 [SECURITY]

59bc8a6

Contributor Author

renovate bot commented Mar 24, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

renovate bot changed the title ~~Update devDependency xlsx to ^0.17.0 [SECURITY]~~ Update devDependency xlsx to ^0.17.0 [SECURITY] - abandoned

Contributor Author

renovate bot commented May 28, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment