
XLSX package vulnerability found, but no updated package available

I am using xlsx in JS code. It's been working great since last year. Today I started having issues and the build failed because:

$ yarn audit: 

yarn audit v1.22.19
┌─────────────────────────────────────────────────────────────────────────────
│ moderate: Prototype Pollution in sheetJS                               
├─────────────────────────────────────────────────────────────────────────────
│ Package: xlsx                                                         
├─────────────────────────────────────────────────────────────────────────────
│ Patched in: >=0.19.3                                                     
├─────────────────────────────────────────────────────────────────────────────
│ Dependency of: xlsx                                                         
├─────────────────────────────────────────────────────────────────────────────
│ Path: xlsx                                                         
├─────────────────────────────────────────────────────────────────────────────
│ More info: https://www.npmjs.com/advisories/1091817                     
└─────────────────────────────────────────────────────────────────────────────

Obviously the solution is to upgrade to version 0.19.3 or higher, but the latest version is 0.18.5 according to https://www.npmjs.com/package/xlsx?activeTab=readme.

Is there any way to solve this problem?

P粉221046425, 272 days ago


  • P粉785905797 (2024-01-22 14:47:51):

    As stated in the README, this project is no longer maintained on GitHub and is no longer published to npm. Try installing from the following link: https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz. Add the following to your package.json file:

    "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz"
    

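As an added example (not part of the original question or answer), a small Node.js check that a CI job could run after pinning the tarball: it compares the version embedded in the tarball name (or a plain version spec) against the advisory's "Patched in" range, so the build only fails when a version inside the vulnerable range is still pinned, and it shows the package.json rewrite from the answer. The `<name>-<version>.tgz` filename pattern and the `>=X.Y.Z` / `>X.Y.Z` range syntax are assumptions taken from the audit output and CDN URL quoted above.

```javascript
// Added example (not from the original post). Assumptions: tarballs are
// named <pkg>-<version>.tgz as in the CDN URL above, and the audit range
// is ">=X.Y.Z" or ">X.Y.Z" as printed by `yarn audit`.

// Parse "0.19.3" (optionally "v0.19.3") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "Patched in: >=0.19.3" from the audit -> true when `version` is fixed.
function satisfiesPatchedIn(version, patchedIn) {
  const m = /^(>=|>)\s*(\S+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  const cmp = compareVersions(version, m[2]);
  return m[1] === '>=' ? cmp >= 0 : cmp > 0;
}

// Pull the version out of a tarball URL such as .../xlsx-0.19.3.tgz.
function versionFromTarballUrl(url) {
  const m = /-(\d+\.\d+\.\d+)\.tgz$/.exec(url);
  if (!m) throw new Error(`no version in tarball name: ${url}`);
  return m[1];
}

// Rewrite the dependency entry so yarn/npm fetch the vendor tarball,
// exactly as the answer suggests for package.json.
function pinDependency(packageJsonText, name, url) {
  const pkg = JSON.parse(packageJsonText);
  pkg.dependencies = { ...(pkg.dependencies || {}), [name]: url };
  return JSON.stringify(pkg, null, 2);
}

// Accepts either a tarball URL or a plain spec like "^0.18.5" and reports
// whether what is pinned lies outside the vulnerable range.
function pinIsPatched(spec, patchedIn) {
  const version = /\.tgz$/.test(spec)
    ? versionFromTarballUrl(spec)
    : spec.replace(/^[\^~]/, '');
  return satisfiesPatchedIn(version, patchedIn);
}
```

Run `pinIsPatched` over the `xlsx` entry of your package.json in CI: it returns false for `^0.18.5` and true for the 0.19.3 tarball URL.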