Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    npm package version falsely marked as vulnerable by ProGet

    Scheduled Pinned Locked Moved Support
    5 Posts 3 Posters 27 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      andreas.unverdorben_1551
      last edited by

      ProGet 2025.22

      The multiple versions of the npm package xlsx (https://www.npmjs.com/package/xlsx) are affected by vulnerabilities https://security.inedo.com/vulnerability/details/PGV-2330205 and https://security.inedo.com/vulnerability/details/PGV-2425402.

      Newer versions which are no longer affected by those vulnerabilities are not available on npmjs.com but can be downloaded via https://cdn.sheetjs.com/ (as noted in the vulnerability database entry details).

      I've downloaded version 0.20.3 of xlsx and uploaded it to our ProGet npm feed since our developers and CI/CD pipelines are required to pull all packages from ProGet and not directly from internet sources.

      Even though xlsx 0.20.3 is not affected by the two vulnerabilities mentioned above ProGet is still reporting the package version to be affected, because the "version declaration" in the vulnerability database matches ALL versions ("*").

      Please update the entries in the Inedo vulnerability database accordingly.

      stevedennisS 1 Reply Last reply Reply Quote 0
      • stevedennisS Offline
        stevedennis inedo-engineer @andreas.unverdorben_1551
        last edited by

        Hi @andreas-unverdorben_1551 ,

        I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.

        We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.

        I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. GHSA-4r6h-8v6p-xvw6.json)

        In this case, they are missing a "fixed" event in the range:

              "ranges": [
                {
                  "type": "ECOSYSTEM",
                  "events": [
                    {
                      "introduced": "0"
                    }
                  ]
                }
              ]
        

        Here's what it needs to look like:

              "ranges": [
                {
                  "type": "ECOSYSTEM",
                  "events": [
                    {
                      "introduced": "0"
                    },
                    {
                      "fixed": " 0.19.3"
                    }
                  ]
                }
              ]
        

        Thanks,
        Steve

        1 Reply Last reply Reply Quote 1
        • A Offline
          andreas.unverdorben_1551
          last edited by

          Hi Steve,

          thanks for the explanation. I also think creating a PR for GHSA would be the best way to go. Since your company is incorporating GHSA into your product I think it's up to Inedo to improve GHSA by creating this PR, thus improving your product for you customers.

          Thanks,
          Andreas

          atrippA 1 Reply Last reply Reply Quote 0
          • atrippA Offline
            atripp inedo-engineer @andreas.unverdorben_1551
            last edited by

            Hi @andreas.unverdorben_1551 ,

            Just as an FYI, I submitted two pull requests for this:

            • https://github.com/github/advisory-database/pull/8689
            • https://github.com/github/advisory-database/pull/8690

            Thanks,
            Alana

            A 1 Reply Last reply Reply Quote 2
            • A Offline
              andreas.unverdorben_1551 @atripp
              last edited by

              @atripp said:

              ust as an FYI, I submitted two pull requests for this:

              Thank you very much, Alana!

              1 Reply Last reply Reply Quote 0

              Hello! It looks like you're interested in this conversation, but you don't have an account yet.

              Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

              With your input, this post could be even better 💗

              Register Login
              • 1 / 1
              • First post
                Last post
              Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation