npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

ooxml-encryption

v1.0.0

Published

Dependency-free TypeScript library to decrypt and encrypt password-protected OOXML workbooks (.xlsx, .xlsm).

Readme

ooxml-encryption

A compact, dependency-free TypeScript library for decrypting and encrypting password-protected OOXML workbooks (.xlsx, .xlsm).

Use it to unlock a password-protected spreadsheet when you know the password, or to add password protection to a workbook.

Features

  • Decrypt modern, Agile-encrypted .xlsx / .xlsm files with their password.
  • Encrypt a plain workbook with a password (AES-256, SHA-512, 100,000-round key derivation — matching modern Office defaults).
  • Byte-preserving. A decrypt → encrypt round-trip keeps the workbook bytes intact, so .xlsm VBA projects survive unchanged.
  • Zero runtime dependencies. Built entirely on the standard WebCrypto API (globalThis.crypto.subtle).
  • Cross-platform. Runs in Node 20+ and modern browsers.
  • Typed, ESM-first, with full TypeScript declarations.

Install

pnpm add ooxml-encryption
# or: npm install ooxml-encryption
# or: yarn add ooxml-encryption

Quick start

import { readFile, writeFile } from "node:fs/promises";
import { decryptWorkbook, encryptWorkbook } from "ooxml-encryption";

const encrypted = new Uint8Array(await readFile("protected.xlsx"));

// Unlock with the current password.
const workbook = await decryptWorkbook(encrypted, "current-password");
await writeFile("unlocked.xlsx", workbook);

// Re-protect a workbook with a new password.
const reprotected = await encryptWorkbook(workbook, "new-password");
await writeFile("protected-new.xlsx", reprotected);
  • decryptWorkbook returns the decrypted OOXML package — ordinary .xlsx ZIP bytes you can write straight to disk.
  • encryptWorkbook takes those package bytes and returns an encrypted file ready to be opened in Excel with the password.

Both functions accept and return Uint8Array, so the same code runs in the browser (e.g. against bytes from a File or fetch).

Handling wrong passwords

Passwords are case-sensitive. When the password is incorrect, decryptWorkbook throws an OoxmlEncryptionError with code "invalidPassword":

import { decryptWorkbook, OoxmlEncryptionError } from "ooxml-encryption";

try {
  const workbook = await decryptWorkbook(encrypted, userInput);
  // ...use workbook
} catch (error) {
  if (error instanceof OoxmlEncryptionError && error.code === "invalidPassword") {
    console.error("Wrong password.");
  } else {
    throw error;
  }
}

Reading Sheet!A1

readCellA1 reads a single cell from decrypted workbook bytes without a full spreadsheet parser. It resolves shared strings, inline strings, and cached formula strings. Because worksheet parts are usually deflated inside the ZIP, you supply an inflateRaw function from your platform.

Node:

import { promisify } from "node:util";
import { inflateRaw } from "node:zlib";
import { readCellA1 } from "ooxml-encryption";

const inflateRawAsync = promisify(inflateRaw);

const value = await readCellA1(decryptedWorkbook, {
  inflateRaw: async (deflated) => new Uint8Array(await inflateRawAsync(deflated)),
});

Browser:

import { readCellA1 } from "ooxml-encryption";

const value = await readCellA1(decryptedWorkbook, {
  sheetName: "Sheet1", // optional; defaults to the first worksheet
  inflateRaw: async (deflated) => {
    const stream = new DecompressionStream("deflate-raw");
    const writer = stream.writable.getWriter();
    void writer.write(deflated);
    void writer.close();
    return new Uint8Array(await new Response(stream.readable).arrayBuffer());
  },
});

Scope and limitations

Supported: modern Agile-encrypted .xlsx and .xlsm files (AES in CBC mode, with SHA-1/256/384/512 and 128/192/256-bit keys). Encryption output is always AES-256 + SHA-512.

Not supported: legacy .xls, OOXML Standard (binary) encryption, IRM-protected or sensitivity-label-protected files, and certificate-based key encryptors. Attempting these raises an OoxmlEncryptionError with an unsupported* code rather than producing incorrect output.

API

See API.md for the full reference. At a glance:

| Export | Description | | --- | --- | | decryptWorkbook(bytes, password) | Decrypt an encrypted workbook to OOXML package bytes. | | encryptWorkbook(bytes, password) | Encrypt OOXML package bytes with a password. | | readCellA1(bytes, options?) | Read Sheet!A1 from decrypted package bytes. | | OoxmlEncryptionError | Error thrown for all failures, with a typed code. |

License

MIT © Boram Uyar