
npm package version falsely marked as vulnerable by ProGet



  • ProGet 2025.22

    Multiple versions of the npm package xlsx (https://www.npmjs.com/package/xlsx) are affected by the vulnerabilities https://security.inedo.com/vulnerability/details/PGV-2330205 and https://security.inedo.com/vulnerability/details/PGV-2425402.

    Newer versions which are no longer affected by those vulnerabilities are not available on npmjs.com but can be downloaded via https://cdn.sheetjs.com/ (as noted in the vulnerability database entry details).

    I've downloaded version 0.20.3 of xlsx and uploaded it to our ProGet npm feed since our developers and CI/CD pipelines are required to pull all packages from ProGet and not directly from internet sources.

    Even though xlsx 0.20.3 is not affected by the two vulnerabilities mentioned above, ProGet is still reporting the package version to be affected, because the "version declaration" in the vulnerability database matches ALL versions ("*").

    Please update the entries in the Inedo vulnerability database accordingly.


  • inedo-engineer

    Hi @andreas-unverdorben_1551 ,

    I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.

    We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.

    I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. GHSA-4r6h-8v6p-xvw6.json).

    In this case, they are missing a "fixed" event in the range:

          "ranges": [
            {
              "type": "ECOSYSTEM",
              "events": [
                {
                  "introduced": "0"
                }
              ]
            }
          ]
    

    Here's what it needs to look like:

          "ranges": [
            {
              "type": "ECOSYSTEM",
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "0.19.3"
                }
              ]
            }
          ]


    Thanks,
    Steve
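To make the effect of the missing "fixed" event concrete, here is an added example (not code from this thread, from ProGet, or from GHSA) that evaluates OSV-style ECOSYSTEM ranges the way a scanner would. The two records are constructed to mirror the before/after datafiles above; the version parser is a simplified semver (numeric dot-separated core only), an assumption for the sake of the example.

```python
import json

# Constructed records modelled on the GHSA datafile in the thread: the first
# has only an "introduced" event, so the range is open-ended (shown as "*");
# the second adds the "fixed" event that closes it at 0.19.3.
BROKEN_RECORD = json.loads("""{
  "package": {"ecosystem": "npm", "name": "xlsx"},
  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]
}""")

FIXED_RECORD = json.loads("""{
  "package": {"ecosystem": "npm", "name": "xlsx"},
  "ranges": [{"type": "ECOSYSTEM",
              "events": [{"introduced": "0"}, {"fixed": "0.19.3"}]}]
}""")


def parse_version(text):
    """Simplified semver: numeric dot-separated core; pre-release/build tags ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(record, version):
    """OSV ECOSYSTEM semantics: walk events in version order; the version is
    affected if the last event at or below it is an 'introduced'. With no
    later 'fixed', an 'introduced: 0' therefore matches every version."""
    target = parse_version(version)
    for rng in record["ranges"]:
        if rng["type"] != "ECOSYSTEM":
            continue
        events = []
        for event in rng["events"]:
            (kind, value), = event.items()
            if kind not in ("introduced", "fixed"):
                raise ValueError(f"unsupported event type: {kind}")
            events.append((parse_version(value), kind))
        events.sort()
        affected = False
        for ver, kind in events:
            if ver > target:
                break
            affected = kind == "introduced"
        if affected:
            return True
    return False


def range_summary(record):
    """Render each range as a version declaration: '>=0 <0.19.3', or '*' when open."""
    parts = []
    for rng in record["ranges"]:
        lo = hi = None
        for event in rng["events"]:
            lo = event.get("introduced", lo)
            hi = event.get("fixed", hi)
        parts.append("*" if (lo == "0" and hi is None) else f">={lo} <{hi}")
    return ", ".join(parts)
```

Run against the broken record, 0.20.3 is reported as affected; against the corrected record it is not, while 0.18.5 still is.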



  • Hi Steve,

    Thanks for the explanation. I also think creating a PR for GHSA would be the best way to go. Since your company is incorporating GHSA into your product, I think it's up to Inedo to improve GHSA by creating this PR, thus improving your product for your customers.

    Thanks,
    Andreas

