Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
npm package version falsely marked as vulnerable by ProGet
-
ProGet 2025.22
The multiple versions of the npm package xlsx (https://www.npmjs.com/package/xlsx) are affected by vulnerabilities https://security.inedo.com/vulnerability/details/PGV-2330205 and https://security.inedo.com/vulnerability/details/PGV-2425402.
Newer versions which are no longer affected by those vulnerabilities are not available on npmjs.com but can be downloaded via https://cdn.sheetjs.com/ (as noted in the vulnerability database entry details).
I've downloaded version 0.20.3 of xlsx and uploaded it to our ProGet npm feed since our developers and CI/CD pipelines are required to pull all packages from ProGet and not directly from internet sources.
Even though xlsx 0.20.3 is not affected by the two vulnerabilities mentioned above ProGet is still reporting the package version to be affected, because the "version declaration" in the vulnerability database matches ALL versions ("*").
Please update the entries in the Inedo vulnerability database accordingly.
-
Hi @andreas-unverdorben_1551 ,
I'm afraid this is a problem with our upstream source (GHSA). Long story short, the datafile is incorrect and does not specify a range.
We do not have any plans to build a system/module that allows us to "override" data in the upstream datasources at this time, so the only way we can really address it is by fixing the upstream source.
I believe the best route to do that would be to submit a pull request to the GHSA repository against the related datafiles (e.g. GHSA-4r6h-8v6p-xvw6.json)
In this case, they are missing a "fixed" event in the range:
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ]Here's what it needs to look like:
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": " 0.19.3" } ] } ]Thanks,
Steve -
Hi Steve,
thanks for the explanation. I also think creating a PR for GHSA would be the best way to go. Since your company is incorporating GHSA into your product I think it's up to Inedo to improve GHSA by creating this PR, thus improving your product for you customers.
Thanks,
Andreas -
Hi @andreas.unverdorben_1551 ,
Just as an FYI, I submitted two pull requests for this:
- https://github.com/github/advisory-database/pull/8689
- https://github.com/github/advisory-database/pull/8690
Thanks,
Alana -
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login