Prototype pollution
Parser and conversion paths reject or ignore
__proto__, prototype and
constructor where untrusted input can become an object
key.
Stackline spreadsheet package
SheetJS-compatible spreadsheet parsing with security hardening.
A maintained fork for applications that need a practical replacement
path for xlsx while preserving the familiar workbook API.
A
B
C
1
Name
Role
Status
2
Ada
Engineer
Safe
3
Grace
Reviewer
Parsed
Version
1.0.2
API target
xlsx 0.20.2
Runtime deps
None
Types
Included
Install
Use the scoped package directly.
npm install @stackline/xlsx
Existing apps that must keep
import * as XLSX from 'xlsx' can use npm alias migration.
npm install xlsx@npm:@stackline/xlsxUsage
Read spreadsheets in Angular or browser workflows.
import * as XLSX from '@stackline/xlsx';
export function parseWorkbook(file: ArrayBuffer) {
const workbook = XLSX.read(file, { type: 'array' });
const sheetName = workbook.SheetNames[0];
return XLSX.utils.sheet_to_json(workbook.Sheets[sheetName], {
defval: null
});
}Write
Create workbook data with the familiar API.
const worksheet = XLSX.utils.json_to_sheet([
{ name: 'Ada', role: 'Engineer' },
{ name: 'Grace', role: 'Reviewer' }
]);
const workbook = XLSX.utils.book_new();
XLSX.utils.book_append_sheet(workbook, worksheet, 'People');Security
Regression coverage for known advisories.
ReDoS
The package keeps the upstream regular expression hardening and adds malformed input regression coverage.
Workbook fixtures
Tests cover XLSX, ODS, XLS, XLML, relationships, custom properties and JSON headers with malicious keys.
Formats
Format support follows the SheetJS CE 0.20.2 line.
| Format family | Read | Write | Notes |
|---|---|---|---|
| XLSX / XLSM / XLSB | Yes | Yes | Modern Excel workbook formats |
| XLS | Yes | Yes | Legacy Excel workbook format |
| ODS / FODS | Yes | Yes | OpenDocument spreadsheet formats |
| CSV / TSV / TXT | Yes | Yes | Plaintext tabular data |
| HTML tables | Yes | Yes | Table import and export helpers |
| DBF / SYLK / DIF | Yes | Yes | Legacy interchange formats |
Release
Public release checklist.
- Published as
@stackline/[email protected]on npm. - Run
npm ci. - Run
npm test. - Run
npm run build. - Run
make dist. - Run
npm pack --dry-run. - Smoke test direct scoped usage and npm alias migration.