      request #31926 xlsx dependency should not be pulled from an uncontrolled server
    Infos
    #31926
    Thomas Gerbet (tgerbet)
    2023-05-05 14:47
    2023-05-05 10:51
    33529
    Details
    xlsx dependency should not be pulled from an uncontrolled server

    request #31910 bumped xlsx to the latest version, but they do not publish to the npmjs registry anymore, so their recommendation was followed and the URL to their CDN was used directly. This is not a suitable solution: pulling the tarball directly means we do not have any integrity check of what we pulled (in the JS world this information is initially fetched from the package metadata, which does exist when a registry is not used). The consequence is that the tarball can be switched on their server for something else without giving us any chance to detect it.

    This is a supply chain security risk, and the fact that they seem to complain about having been mandated to enable 2FA on their npmjs account does not bring a lot of confidence.

    Dependencies
    development
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2023-05-05