<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[npm package version falsely marked as vulnerable by ProGet]]></title><description><![CDATA[<p dir="auto">ProGet 2025.22</p>
<p dir="auto">Multiple versions of the npm package xlsx (<a href="https://www.npmjs.com/package/xlsx" rel="nofollow">https://www.npmjs.com/package/xlsx</a>) are affected by vulnerabilities <a href="https://security.inedo.com/vulnerability/details/PGV-2330205" rel="nofollow">https://security.inedo.com/vulnerability/details/PGV-2330205</a> and <a href="https://security.inedo.com/vulnerability/details/PGV-2425402" rel="nofollow">https://security.inedo.com/vulnerability/details/PGV-2425402</a>.</p>
<p dir="auto">Newer versions which are no longer affected by those vulnerabilities are not available on <a href="http://npmjs.com" rel="nofollow">npmjs.com</a> but can be downloaded via <a href="https://cdn.sheetjs.com/" rel="nofollow">https://cdn.sheetjs.com/</a> (as noted in the vulnerability database entry details).</p>
<p dir="auto">I've downloaded version 0.20.3 of xlsx and uploaded it to our ProGet npm feed since our developers and CI/CD pipelines are required to pull all packages from ProGet and not directly from internet sources.</p>
<p dir="auto">Even though xlsx 0.20.3 is not affected by the two vulnerabilities mentioned above, ProGet is still reporting the package version to be affected, because the "version declaration" in the vulnerability database matches ALL versions ("*").</p>
<p dir="auto">Please update the entries in the Inedo vulnerability database accordingly.</p>
]]></description><link>https://forums.inedo.com/topic/5787/npm-package-version-falsely-marked-as-vulnerable-by-proget</link><generator>RSS for Node</generator><lastBuildDate>Wed, 01 Jul 2026 16:34:52 GMT</lastBuildDate><atom:link href="https://forums.inedo.com/topic/5787.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 29 Jun 2026 07:35:25 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to npm package version falsely marked as vulnerable by ProGet on Mon, 29 Jun 2026 07:35:25 GMT]]></title><description><![CDATA[<p dir="auto">ProGet 2025.22</p>
<p dir="auto">Multiple versions of the npm package xlsx (<a href="https://www.npmjs.com/package/xlsx" rel="nofollow">https://www.npmjs.com/package/xlsx</a>) are affected by vulnerabilities <a href="https://security.inedo.com/vulnerability/details/PGV-2330205" rel="nofollow">https://security.inedo.com/vulnerability/details/PGV-2330205</a> and <a href="https://security.inedo.com/vulnerability/details/PGV-2425402" rel="nofollow">https://security.inedo.com/vulnerability/details/PGV-2425402</a>.</p>
<p dir="auto">Newer versions which are no longer affected by those vulnerabilities are not available on <a href="http://npmjs.com" rel="nofollow">npmjs.com</a> but can be downloaded via <a href="https://cdn.sheetjs.com/" rel="nofollow">https://cdn.sheetjs.com/</a> (as noted in the vulnerability database entry details).</p>
<p dir="auto">I've downloaded version 0.20.3 of xlsx and uploaded it to our ProGet npm feed since our developers and CI/CD pipelines are required to pull all packages from ProGet and not directly from internet sources.</p>
<p dir="auto">Even though xlsx 0.20.3 is not affected by the two vulnerabilities mentioned above, ProGet is still reporting the package version to be affected, because the "version declaration" in the vulnerability database matches ALL versions ("*").</p>
<p dir="auto">Please update the entries in the Inedo vulnerability database accordingly.</p>
]]></description><link>https://forums.inedo.com/post/19823</link><guid isPermaLink="true">https://forums.inedo.com/post/19823</guid><dc:creator><![CDATA[andreas.unverdorben_1551]]></dc:creator><pubDate>Mon, 29 Jun 2026 07:35:25 GMT</pubDate></item><item><title><![CDATA[Reply to npm package version falsely marked as vulnerable by ProGet on Mon, 29 Jun 2026 15:01:44 GMT]]></title><description><![CDATA[<p dir="auto">Hi <a class="plugin-mentions-user plugin-mentions-a" href="https://forums.inedo.com/uid/3002">@andreas-unverdorben_1551</a> ,</p>
<p dir="auto">I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.</p>
<p dir="auto">We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.</p>
<p dir="auto">I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. <a href="https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4r6h-8v6p-xvw6/GHSA-4r6h-8v6p-xvw6.json" rel="nofollow">GHSA-4r6h-8v6p-xvw6.json</a>).</p>
<p dir="auto">In this case, they are missing a "fixed" event in the range:</p>
<pre><code>      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ]
</code></pre>
<p dir="auto">Here's what it needs to look like:</p>
<pre><code>      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.3"
            }
          ]
        }
      ]
</code></pre>
<p dir="auto">Thanks,<br />
Steve</p>
]]></description><link>https://forums.inedo.com/post/19824</link><guid isPermaLink="true">https://forums.inedo.com/post/19824</guid><dc:creator><![CDATA[stevedennis]]></dc:creator><pubDate>Mon, 29 Jun 2026 15:01:44 GMT</pubDate></item><item><title><![CDATA[Reply to npm package version falsely marked as vulnerable by ProGet on Tue, 30 Jun 2026 10:04:50 GMT]]></title><description><![CDATA[<p dir="auto">Hi Steve,</p>
<p dir="auto">thanks for the explanation. I also think creating a PR for GHSA would be the best way to go. Since your company is incorporating GHSA into your product, I think it's up to Inedo to improve GHSA by creating this PR, thus improving your product for your customers.</p>
<p dir="auto">Thanks,<br />
Andreas</p>
]]></description><link>https://forums.inedo.com/post/19830</link><guid isPermaLink="true">https://forums.inedo.com/post/19830</guid><dc:creator><![CDATA[andreas.unverdorben_1551]]></dc:creator><pubDate>Tue, 30 Jun 2026 10:04:50 GMT</pubDate></item></channel></rss>