npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@stackline/xlsx

v1.0.2

Published

SheetJS-compatible spreadsheet parser and writer with Stackline security hardening

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

alex360qcalex360qc

Keywords

excelxlsxlsxxlsbxlsmodscsvdbfdifsylkofficespreadsheet

Readme

@stackline/xlsx

A maintained SheetJS-compatible spreadsheet parser and writer with Stackline security hardening for applications that need a practical replacement path for xlsx.

npm version license GitHub repository Docs

Documentation | npm | Issues | Repository

Public release line: 1.0.2

Why this package?

@stackline/xlsx is an independent maintained fork of SheetJS Community Edition 0.20.2. It keeps the familiar workbook API while adding regression coverage and hardening for known prototype pollution and ReDoS advisories.

The primary goal is compatibility with existing spreadsheet workflows, including Angular applications that currently depend on xlsx.

Compatibility

| Item | Value | | :--- | :--- | | Package | @stackline/[email protected] | | API target | [email protected] | | Runtime dependencies | none | | Supported Node.js | >=20 | | Types | types/index.d.ts | | Module entry | xlsx.mjs | | CommonJS entry | xlsx.js | | CLI | not published in the Stackline package line |

Installation

Use the scoped package for new integrations:

npm install @stackline/xlsx

Applications that must preserve existing imports can use npm alias migration:

npm install xlsx@npm:@stackline/xlsx

That keeps application code like this working:

import * as XLSX from 'xlsx';

Usage

Read a workbook

import * as XLSX from '@stackline/xlsx';

export function parseWorkbook(file: ArrayBuffer) {
  const workbook = XLSX.read(file, { type: 'array' });
  const sheetName = workbook.SheetNames[0];
  return XLSX.utils.sheet_to_json(workbook.Sheets[sheetName], {
    defval: null
  });
}

Create a workbook

import * as XLSX from '@stackline/xlsx';

const worksheet = XLSX.utils.json_to_sheet([
  { name: 'Ada', role: 'Engineer' },
  { name: 'Grace', role: 'Reviewer' }
]);

const workbook = XLSX.utils.book_new();
XLSX.utils.book_append_sheet(workbook, worksheet, 'People');

const output = XLSX.write(workbook, {
  type: 'array',
  bookType: 'xlsx'
});

CommonJS

const XLSX = require('@stackline/xlsx');

const workbook = XLSX.utils.book_new();
const worksheet = XLSX.utils.aoa_to_sheet([
  ['Name', 'Role'],
  ['Katherine', 'Analyst']
]);

XLSX.utils.book_append_sheet(workbook, worksheet, 'People');

Supported Formats

The fork keeps the upstream SheetJS Community Edition 0.20.2 format surface.

| Format family | Read | Write | Notes | | :--- | :---: | :---: | :--- | | XLSX / XLSM / XLSB | Yes | Yes | Modern Excel workbook formats | | XLS | Yes | Yes | Legacy Excel workbook format | | ODS / FODS | Yes | Yes | OpenDocument spreadsheet formats | | CSV / TSV / TXT | Yes | Yes | Plaintext tabular data | | HTML tables | Yes | Yes | Table import and export helpers | | DBF / SYLK / DIF | Yes | Yes | Legacy interchange formats |

Security Hardening

This release blocks or ignores dangerous object keys in parser and conversion paths:

  • __proto__
  • prototype
  • constructor

The hardening covers worksheet names, XML attributes, relationships, custom properties, workbook parsing paths and JSON conversion helpers.

Regression tests cover:

  • GHSA-4r6h-8v6p-xvw6 / CVE-2023-30533 prototype pollution
  • GHSA-5pgg-2g8v-p4x9 / CVE-2024-22363 ReDoS
  • malicious XLSX, ODS, XLS and XLML workbook structures
  • dangerous relationship IDs
  • dangerous custom property names
  • JSON headers that try to pollute Object.prototype
  • malformed HTML input that should not stall regex parsing

API Surface

The public utility names are preserved for existing consumers.

| Utility | Purpose | | :--- | :--- | | XLSX.read | Parse workbook data from buffers, strings and binary inputs | | XLSX.write | Serialize workbooks to supported output formats | | XLSX.writeFile | Write workbook files in Node.js environments | | XLSX.utils.sheet_to_json | Convert a worksheet to row objects | | XLSX.utils.json_to_sheet | Convert row objects to a worksheet | | XLSX.utils.aoa_to_sheet | Convert arrays of arrays to a worksheet | | XLSX.utils.book_new | Create an empty workbook | | XLSX.utils.book_append_sheet | Append worksheets to a workbook |

Local Development

git clone https://github.com/alexandroit/sheetjs.git
cd sheetjs
npm ci

Run the security regression tests:

npx mocha -R spec -t 10000 test.js -g "security regressions"

Run the full suite:

npm test

Build and verify the package:

npm run build
PATH="$PWD/node_modules/.bin:$PATH" make dist
npm pack --dry-run

Consumer Smoke Test

The repository includes a Verdaccio consumer fixture:

cd examples/verdaccio-consumer
npm install
npm test

It validates direct scoped imports, xlsx alias migration and ESM usage.

Release Checklist

  • Confirm npm ci succeeds.
  • Confirm npm test passes.
  • Confirm npm run build passes.
  • Confirm make dist passes.
  • Confirm npm pack --dry-run includes the expected package files.
  • Install the package in a temporary consumer project.
  • Test direct @stackline/xlsx usage.
  • Test xlsx@npm:@stackline/xlsx alias usage.
  • Run npm audit --omit=dev in the consumer project.

License

Apache-2.0. This project is a maintained fork of SheetJS Community Edition. The original SheetJS copyright and license notices are preserved in the source tree and distribution files.