Explore SheetJS alternatives #61
Comments
I share similar frustrations. One package I've found is ExcelJS. Been debating back and forth whether to move over to that or start pulling from SheetJS's private CDN.
SheetJS appears to have stopped publishing updates to NPM, apparently because the maintainer doesn't like 2FA? SheetJS/sheetjs#2822
I'm at a loss to explain why anyone would object to 2FA, especially for such a popular package. Instead of implementing it, the maintainers switched to a private CDN and are now only publishing updates there. This means security fixes (GHSA-4r6h-8v6p-xvw6) aren't being published to NPM anymore, and auto-fixup mechanisms like `npm audit` no longer work for SheetJS.
Using a private CDN means that organizations that implement artifact repositories to mirror NPM (often for security or licensing reasons) will never be able to work with SheetJS. If any of those organizations use jupyterlab-spreadsheet, then switching to the SheetJS private CDN may break their installs.
I'm concerned with how lax their communication has been over this, and we should explore other alternatives to see if they can help improve this extension's security posture.
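For a team that mirrors NPM, one way to find dependencies fetched from somewhere other than the registry is to scan the lockfile's `resolved` URLs. This is an added example, not code from the issue or from jupyterlab-spreadsheet; the function name `findOffRegistryPackages`, the sample lockfile, its versions and the `cdn.example.invalid` host are constructed placeholders, and it assumes an npm lockfile (version 2 or 3) with a `packages` map.

```javascript
// Constructed sample lockfile: hosts and versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-extension", version: "1.0.0" },
    "node_modules/exceljs": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/exceljs/-/exceljs-0.0.1.tgz",
    },
    "node_modules/xlsx": {
      version: "0.0.2",
      resolved: "https://cdn.example.invalid/xlsx-0.0.2/xlsx-0.0.2.tgz",
    },
    "node_modules/local-tool": { resolved: "../local-tool", link: true },
  },
};

// Return every locked package whose tarball source is not an allowed registry host.
// Pass your mirror's hostname in allowedHosts if installs go through an artifact repository.
function findOffRegistryPackages(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace/symlink entries and entries with no recorded source.
    if (path === "" || entry.link || !entry.resolved) continue;
    let host;
    try {
      host = new URL(entry.resolved).host; // empty for file: URLs
    } catch {
      host = ""; // relative path or otherwise unparseable source
    }
    if (!allowedHosts.includes(host)) {
      findings.push({
        name: path.split("node_modules/").pop(), // handles nested and scoped packages
        version: entry.version || null,
        source: entry.resolved,
      });
    }
  }
  return findings;
}

for (const f of findOffRegistryPackages(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} resolved outside the registry: ${f.source}`);
}
```

Run against a real `package-lock.json` by passing `JSON.parse` of the file contents; a non-empty result in CI marks installs that a registry mirror cannot serve.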