Update dependencies to address vulnerabilities

[protobi-pieter]

Problem

After adding package-lock.json (issue #10), we can now run npm audit to identify and fix security vulnerabilities in dependencies.

Current Status

After running npm audit fix:

• 37 vulnerabilities remain (6 critical, 18 high, 7 moderate, 6 low)
• Many were fixed automatically (1,131 packages updated)
• Remaining issues require breaking changes (npm audit fix --force)

Vulnerability Breakdown

Critical (6)

• flat - Prototype pollution (GHSA-2j2x-2gpw-g8fm)
• Others in devDependencies (mocha, grunt tooling)

High (18)

• braces - Resource consumption (GHSA-grv7-fg5c-xmjg)
• http-cache-semantics - ReDoS (GHSA-rc47-6667-2j5j)
• ip - Private IP misidentification (GHSA-78xj-cgh5-2h22)

Moderate (7)

• got - UNIX socket redirect (GHSA-pfrx-2q88-qq97)
• debug - ReDoS (GHSA-gxpj-cx7g-858c)

Impact Assessment

Most vulnerabilities are in devDependencies (test/build tools):

• ✅ Low production risk - Not shipped to users
• ⚠️ CI/CD risk - Could affect build pipeline security
• ⚠️ Developer risk - Could affect local development environment

Proposed Solution

Phase 1: Non-Breaking Fixes (DONE in this PR)

• ✅ Enabled package-lock in .npmrc
• ✅ Ran npm audit fix (updated 1,131 packages)
• ✅ Updated many transitive dependencies

Phase 2: Breaking Changes (Requires Testing)

Run npm audit fix --force which will:

• Update mocha to v11 (from v8) - test framework
• Update grunt-contrib-jasmine to v4 - test runner
• Update got to v14 - HTTP library (devDep)

Risk: May break existing tests or build scripts

Phase 3: Manual Updates (If Needed)

Some packages may need manual intervention:

• Replace deprecated packages (watchify, grunt tooling)
• Update test configurations
• Fix any broken tests

Testing Plan

Before merging Phase 2:

1. Run full test suite: npm test
2. Run integration tests: npm run test:integration
3. Test build: npm run build
4. Verify CI/CD pipeline passes
5. Manual smoke testing of core functionality

Implementation Steps

# 1. Create branch
git checkout -b fix-audit-vulnerabilities

# 2. Run audit fix with force flag
npm audit fix --force

# 3. Test everything
npm test
npm run test:integration

# 4. Fix any broken tests
# (investigate specific failures)

# 5. Commit and push
git add package-lock.json
git commit -m "Update #N Run npm audit fix --force to address remaining vulnerabilities"
git push origin fix-audit-vulnerabilities

# 6. Create PR for review

Alternative: Manual Updates

If --force breaks too much, manually update problem packages:

npm install mocha@latest --save-dev
npm install grunt-contrib-jasmine@latest --save-dev
# etc.

Security Note

While these are devDependencies, they still matter because:

• Compromised dev tools can inject malicious code during build
• CI/CD environments could be exploited
• Developer machines could be compromised
• Supply chain attacks often target dev dependencies

References

• npm audit documentation: https://docs.npmjs.com/cli/v10/commands/npm-audit
• GHSA advisories: https://github.com/advisories
• Related: Issue Add package-lock.json to enable security auditing #10 (Add package-lock.json)

[protobi-pieter]

Started work in commit e064c9e

Phase 1 Complete: Non-breaking fixes

• Fixed .npmrc to enable package-lock (was set to false)
• Ran npm audit fix successfully
• Updated 1,131 packages automatically

Results:

• Many vulnerabilities fixed automatically
• 37 remain (6 critical, 18 high, 7 moderate, 6 low)
• Most are in devDependencies (test/build tools)

Next: Need to run npm audit fix --force which will update mocha and other test frameworks with breaking changes. Will need to test thoroughly before merging.

[protobi-pieter]

see exceljs#2984

Actual Risk Assessment for glob@7.x in This Library

Using Claude Code I've conducted a detailed investigation into the glob 7.x dependency and related security concerns:

Risk Level: LOW (Manageable)

Key Finding: The glob 7.x dependency poses minimal security risk in ExcelJS's use case:

✅ No Direct Vulnerabilities in glob 7.x:

• glob 7.x has no known CVEs affecting the library API
• CVE-2025-64756 (mentioned in [BUG] Exceljs requires glob 7.x, which has a command injection vulnerability exceljs/exceljs#3006) only affects glob 10.x-11.x CLI interface, not 7.x
• The main issue is deprecation (versions prior to v9 no longer supported)

⚠️ Indirect Risks (Low-Medium):

• brace-expansion@1.1.11 - ReDoS vulnerability (Low severity)
• inflight@1.0.6 - Resource leak (Medium severity)
• minimatch@3.x - ReDoS vulnerability (addressed in later versions)

Dependency Chain

exceljs@4.4.0-protobi.4
└── archiver@5.3.2 (production dependency)
    └── archiver-utils@2.1.0
        └── glob@7.2.3 (deprecated)
            ├── minimatch@3.1.2
            │   └── brace-expansion@1.1.11 ⚠️
            └── inflight@1.0.6 ⚠️

What It Takes to Resolve

Option 1: Upgrade to archiver 7.x ✅ Best solution but requires code changes

Archiver 7.x uses glob 10.x (safe, non-deprecated), BUT:

Blocker: Requires fixing lib/utils/stream-buf.js

• StreamBuf extends Stream.Duplex but doesn't implement required _read() and _write() methods
• Archiver 7.x uses stricter stream validation (is-stream@2.0.1)
• Test failure: Error: input source must be valid Stream or Buffer instance

Required fix:

// lib/utils/stream-buf.js
// Need to add proper Duplex interface implementation:
_read(size) {
  // Implementation needed
}

_write(chunk, encoding, callback) {
  // Implementation needed  
}

Option 2: Wait for upstream 🕐

• ExcelJS maintainers may address this in future releases
• Current risk is low enough to wait

Option 3: Alternative archiver 🤔

• Replace archiver with another ZIP library
• High effort, potential breaking changes

Steps Explored

1. ✅ Updated to latest 5.x: archiver@5.3.2 (patch updates)
2. ✅ Updated unzipper: 0.10.11 → 0.12.3
3. ❌ Attempted archiver 7.x upgrade: Failed due to StreamBuf interface issues
4. ✅ Verified tests: 883 passing, 1 pending
5. ✅ Risk analysis: Confirmed low actual risk from glob 7.x

Commit: f8e3e47

Current Status

✅ Safe to use in production:

• No exploitable vulnerabilities in typical ExcelJS usage
• glob is used for file pattern matching (internal operations)
• User input doesn't reach glob's vulnerable code paths
• ReDoS risk requires malicious file patterns (not user-controlled)

⚠️ Best practice: Eventually fix StreamBuf and upgrade to archiver 7.x to remove deprecated dependencies

References

• Related: [BUG] Exceljs requires glob 7.x, which has a command injection vulnerability exceljs/exceljs#3006 (CVE-2025-64756 clarification)
• Snyk: glob 7.2.3 vulnerabilities
• archiver 7.x changelog

Recommendation: Current state is acceptable for production use. The security scanning alerts are informational rather than critical. A future update to fix StreamBuf and upgrade archiver would be beneficial for maintainability but isn't urgent from a security perspective.

[protobi-pieter]

Vulnerabilities reduced: 38 → 14

What was updated:

• mocha 7 → 11 (fixes ReDoS vulnerabilities)
• chai-xml 0.3 → 0.4 (fixes prototype pollution)
• got 9 → 14 (fixes redirect vulnerability)
• eslint 6 → 9
• grunt-contrib-jasmine 2 → 4
• prettier-eslint updates

Testing:

• All unit tests pass (883 passing)
• All integration tests pass (198 passing)
• Build successful
• No regressions

Remaining 14 vulnerabilities:

• All in dev/build tools (not production code)
• Some have no fixes available (grunt-exorcise/minimist)
• Others blocked by peer dependency conflicts
• Pose minimal risk to end users

Commit: 9c0f259

[protobi-pieter]

Security Vulnerability Updates - Progress Report

Completed Phase 2 (breaking changes) with testing and adjustments.

Summary

Vulnerabilities reduced: 38 → 15 (60% reduction)

Status:

• ✅ Production dependencies updated (archiver, unzipper)
• ✅ Dev dependencies updated with breaking changes (mocha, eslint, etc.)
• ✅ All tests passing
• ✅ Build successful

What Was Updated

Production dependencies:

• archiver: ^5.0.0 → ^5.3.2
• unzipper: 0.10.11 → 0.12.3

Dev dependencies (major updates):

• mocha: ^7.2.0 → ^11.7.5 (fixes debug, js-yaml, minimatch ReDoS)
• chai-xml: ^0.3.2 → ^0.4.1 (fixes xml2js prototype pollution)
• got: ^9.0.0 → ^11.8.6 (see note below)
• grunt-contrib-jasmine: ^2.2.0 → ^4.0.0
• eslint: ^6.5.1 → ^9.39.1
• prettier-eslint: ^11.0.0 → ^16.4.2
• prettier-eslint-cli: ^5.0.0 → ^8.0.1

Testing Results

✅ All tests pass:

• Unit tests: 883 passing, 1 pending
• Integration tests: 198 passing
• End-to-end tests: 1 passing
• Build: successful

Note on got Package

Initially updated to v14.6.5, but had to downgrade to v11.8.6:

• Issue: got v14 has breaking API changes that broke end-to-end tests
• Solution: Downgraded to v11.8.6 which maintains API compatibility
• Trade-off: v11 has 1 moderate vulnerability (UNIX socket redirect)
• Risk: Acceptable - got is devDependency only, not in production code

Future: Can update test code to support got v14 API if needed.

Remaining Vulnerabilities (15 total)

Cannot fix without more work:

1. grunt-exorcise → minimist (Critical - Prototype pollution)

   • No fix available
   • Used only in build process
   • Low practical risk

2. watchify → braces/chokidar (High - ReDoS)

   • No fix without replacing watchify
   • Build tool only
   • Low practical risk

3. puppeteer → tar-fs, ws (High)

   • Used in grunt-contrib-jasmine for browser tests
   • Blocked by peer dependency conflicts
   • Test tool only

4. got (Moderate - UNIX socket redirect)

   • Acceptable for dev dependency
   • Can be fixed later with test updates

Impact Assessment

Production risk: VERY LOW

• All remaining vulnerabilities are in dev/build/test tools
• No production code affected
• No user-facing impact
• Supply chain risk reduced (build tools could theoretically be compromised)

Current state:

• ✅ Safe to use in production
• ✅ Safe to publish to npm
• ✅ Significantly improved from starting point

Related Issues

• Upstream Security vulnerabilities in transitive dependencies (brace-expansion and inflight) exceljs/exceljs#2984 - Security vulnerabilities in transitive dependencies
• Upstream [BUG] Exceljs requires glob 7.x, which has a command injection vulnerability exceljs/exceljs#3006 - glob 7.x (analyzed, low risk, requires code changes to fully resolve)

Commits

• f8e3e47 - Update production dependencies
• 9c0f259 - Update dev dependencies (npm audit fix --force)
• 0d57c7b - Downgrade got to fix test compatibility

Recommendation

Ready to publish - The remaining vulnerabilities are acceptable for a development/build environment and don't affect end users.