
vulnerability in XLSX #4261

Closed
dstarzyknetpr opened this issue May 5, 2023 · 3 comments

Comments

@dstarzyknetpr

dstarzyknetpr commented May 5, 2023

Can you update amchart, because current version has vulnerability in XLSX?
GHSA-4r6h-8v6p-xvw6

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

dstarzyknetpr changed the title from "Dependency in XLSX" to "vulnerability in XLSX" May 5, 2023
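The advisory quoted above pins the affected range to every SheetJS CE release through 0.19.2, and the rest of the thread turns on whether a transitive copy of `xlsx` is still present in a project's dependency tree. The following lockfile audit is an added example written for this page, not code from amCharts or SheetJS: it walks an npm `package-lock.json` (both the v2/v3 `packages` map and the older v1 `dependencies` tree) and reports every path at which an `xlsx` package at or below 0.19.2 is installed. The sample lockfile embedded at the bottom is constructed for the demonstration; the package versions and dependency ranges it lists for anything other than the advisory's own numbers are placeholders.

```javascript
// Added example (not amCharts' or SheetJS's own code): audit an npm lockfile
// for the SheetJS "xlsx" range covered by GHSA-4r6h-8v6p-xvw6.
const ADVISORY = "GHSA-4r6h-8v6p-xvw6";
const VULNERABLE_PACKAGE = "xlsx";
// The advisory says all SheetJS CE versions through 0.19.2 are affected;
// the amCharts changelog bundles 0.19.3 as the fixed copy.
const LAST_VULNERABLE_VERSION = "0.19.2";

// Compare two dotted numeric version strings ("0.19.2" vs "0.19.10").
// Returns -1, 0 or 1. Pre-release suffixes are not handled; lockfiles
// record resolved releases, so plain numeric tuples are enough here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableXlsxVersion(version) {
  return compareVersions(version, LAST_VULNERABLE_VERSION) <= 0;
}

// Lockfile v1 nests dependencies as a tree under "dependencies"; each node
// may carry its own "dependencies" for packages installed beneath it.
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + name;
    if (name === VULNERABLE_PACKAGE && meta.version && isVulnerableXlsxVersion(meta.version)) {
      findings.push({ path, version: meta.version, advisory: ADVISORY });
    }
    walkV1(meta.dependencies, path + "/", findings);
  }
}

// Returns an array of { path, version, advisory } for every installed copy of
// xlsx inside the vulnerable range. Lockfile v2 carries both "packages" and
// a legacy "dependencies" tree; we prefer "packages" to avoid double-reporting.
function findVulnerableXlsx(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/xlsx"; the suffix check
      // rejects unrelated names such as "node_modules/foo-xlsx".
      if (!path.endsWith("node_modules/" + VULNERABLE_PACKAGE)) continue;
      if (!meta || !meta.version) continue;
      if (isVulnerableXlsxVersion(meta.version)) {
        findings.push({ path, version: meta.version, advisory: ADVISORY });
      }
    }
  } else {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// Constructed sample lockfile (v3 layout). The hoisted root copy is already at
// 0.19.3, but a nested copy pulled in by a charting library is still 0.18.5.
// Versions and ranges here are illustrative placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0", dependencies: { xlsx: "^0.19.3" } },
    "node_modules/charting-lib": { version: "0.0.0-placeholder", dependencies: { xlsx: "^0.18.5" } },
    "node_modules/charting-lib/node_modules/xlsx": { version: "0.18.5" },
    "node_modules/xlsx": { version: "0.19.3" },
  },
};

// Usage: node audit-xlsx.js  (or replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(findVulnerableXlsx(SAMPLE_LOCK), null, 2));
```

The point the sample makes is the one raised in the thread: a root-level `npm ls xlsx` showing a patched version is not sufficient, because a library can carry its own nested copy under its `node_modules`, and that is the path this walk reports. The output also mirrors the note in the advisory that only code which reads files is exposed; the audit tells you where the package is, and a review of whether any of those copies ever parses untrusted input decides the actual risk.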
@robrichardson27

Looks like SheetJS no longer publishes to npm: SheetJS/sheetjs#2822

@martynasma
Collaborator

Correct. They are not publishing to NPM anymore, so it's difficult for us to use it as a dependency with newer versions.

In amCharts 5, we're preparing an update that bundles a hard copy of their latest version off of their own Git. More info.

We will consider something similar for amCharts 4, too. Just not yet sure when/if that will happen because amCharts 4 is already on dev freeze, and this particular vulnerability does not affect any of the functionality used in amCharts.

@martynasma
Collaborator

Fixed in 4.10.36.

[4.10.36] - 2023-05-18

Added

  • New locale: Faroese (fo_FO). Thanks Martin Puge.

Changed

  • A link object that was created with linkWith for ForceDirectedNode is pushed to the child node's data items childLinks array and also node.linksWith list.
  • Removed xlsx package (with vulnerability) from dependencies in favor of a bundled hard copy (version 0.19.3) due to their decision not to publish to NPM. (Issue 4261).

Fixed

  • In some cases, when a series was removed from a SerialChart it was not disposing one of the listeners and could remain in memory.
  • Grip rollover labels of a vertical Scrollbar were showing opposite values.
