request #31910 bumped xlsx to the latest version but they do not publish to npmjs registry anymore so their recommendation was followed and the URL to their CDN was directly used. This is not a suitable solution: pulling directly the tarball means we do not have any integrity check of what we pulled (in the JS world this information is initially fetched from the package metadata which does exist when a registry is not used). The consequence is that the tarball can be switched on their server for something else without giving us any chances to detect it.

This is a supply chain security risk and the fact they seem to complain to have been mandated to enable 2FA on their npmjs account does not bring a lot of confidence.