The exceljs npm package is a comprehensive library for reading, writing, and manipulating Excel files in various formats such as XLSX, CSV, and more. It provides a wide range of functionalities to work with Excel documents programmatically, including creating new sheets, styling cells, adding formulas, and handling large datasets efficiently.
Reading Excel Files
This feature allows you to read existing Excel files. You can iterate through rows and cells, access values, and perform operations based on the data.
const ExcelJS = require('exceljs');
const workbook = new ExcelJS.Workbook();
workbook.xlsx.readFile('path/to/file.xlsx')
  .then(() => {
    const worksheet = workbook.getWorksheet('Sheet1');
    worksheet.eachRow({ includeEmpty: true }, (row, rowNumber) => {
      console.log('Row ' + rowNumber + ' = ' + JSON.stringify(row.values));
    });
  });
Writing Excel Files
This feature enables you to create new Excel files or modify existing ones. You can add worksheets, rows, and cells with data, and save the file to the disk.
const ExcelJS = require('exceljs');
const workbook = new ExcelJS.Workbook();
const sheet = workbook.addWorksheet('My Sheet');
sheet.addRow(['Name', 'Profession']);
sheet.addRow(['John Doe', 'Developer']);
workbook.xlsx.writeFile('path/to/newfile.xlsx');
Styling Cells
This feature allows you to apply various styles to cells, such as fonts, colors, borders, and fills. It helps in making the data more readable and visually appealing.
const ExcelJS = require('exceljs');
const workbook = new ExcelJS.Workbook();
const sheet = workbook.addWorksheet('My Sheet');
const row = sheet.addRow(['Name', 'Profession']);
row.getCell(1).font = { bold: true };
row.getCell(2).fill = {
  type: 'pattern',
  pattern: 'solid',
  fgColor: { argb: 'FFFF0000' }
};
workbook.xlsx.writeFile('path/to/styledfile.xlsx');
Adding Formulas
This feature lets you insert formulas into cells. You can also pre-calculate the result of the formula and store it in the cell.
const ExcelJS = require('exceljs');
const workbook = new ExcelJS.Workbook();
const sheet = workbook.addWorksheet('My Sheet');
const row = sheet.addRow([100, 200, { formula: 'A1+B1', result: 300 }]);
workbook.xlsx.writeFile('path/to/formulafile.xlsx');
Handling Large Data Sets
This feature is particularly useful for handling large datasets without running out of memory. It streams the data to the file system as it's being processed.
const ExcelJS = require('exceljs');
const workbook = new ExcelJS.stream.xlsx.WorkbookWriter({ filename: 'path/to/largefile.xlsx' });
const sheet = workbook.addWorksheet('My Sheet');
for (let i = 0; i < 1000000; i++) {
  // commit each row as it is added so the row object and its contents can be freed
  sheet.addRow(['Row ' + i, 'Data']).commit();
}
workbook.commit();
The 'xlsx' package is another popular library for parsing and writing various spreadsheet formats. It is known for its simplicity and small bundle size, but it may not offer as many features for styling and manipulating data as exceljs.
SheetJS, also known as 'xlsx', is a powerful and comprehensive library that supports a wide range of spreadsheet formats. It is similar to exceljs in functionality but differs in API design and implementation details.
The 'node-xlsx' package is a simpler alternative for parsing and building XLSX/CSV files. It focuses on basic functionality and is easier to use for simple tasks, but lacks the advanced features and fine control provided by exceljs.
Read, manipulate and write spreadsheet data and styles to XLSX and JSON.
Reverse engineered from Excel spreadsheet files as a project.
npm install exceljs
var Excel = require("exceljs");
var workbook = new Excel.Workbook();
workbook.creator = "Me";
workbook.lastModifiedBy = "Her";
workbook.created = new Date(1985, 8, 30);
workbook.modified = new Date();
var sheet = workbook.addWorksheet("My Sheet");
// Iterate over all sheets
// Note: workbook.worksheets.forEach will still work but this is better
workbook.eachSheet(function(worksheet, sheetId) {
// ...
});
// fetch sheet by name
var worksheet = workbook.getWorksheet("My Sheet");
// fetch sheet by id
var worksheet = workbook.getWorksheet(1);
// Add column headers and define column keys and widths
// Note: these column structures are a workbook-building convenience only,
// apart from the column width, they will not be fully persisted.
worksheet.columns = [
{ header: "Id", key: "id", width: 10 },
{ header: "Name", key: "name", width: 32 },
{ header: "D.O.B.", key: "DOB", width: 10 }
];
// Access individual columns by key, letter and 1-based column number
var idCol = worksheet.getColumn("id");
var nameCol = worksheet.getColumn("B");
var dobCol = worksheet.getColumn(3);
// set column properties
// Note: will overwrite cell value C1
dobCol.header = "Date of Birth";
// Note: this will overwrite cell values C1:C2
dobCol.header = ["Date of Birth", "A.K.A. D.O.B."];
// from this point on, this column will be indexed by "dob" and not "DOB"
dobCol.key = "dob";
dobCol.width = 15;
// iterate over all current cells in this column
dobCol.eachCell(function(cell, rowNumber) {
// ...
});
// iterate over all current cells in this column including empty cells
dobCol.eachCell({ includeEmpty: true }, function(cell, rowNumber) {
// ...
});
// Add a couple of Rows by key-value, after the last current row, using the column keys
worksheet.addRow({id: 1, name: "John Doe", dob: new Date(1970,1,1)});
worksheet.addRow({id: 2, name: "Jane Doe", dob: new Date(1965,1,7)});
// Add a row by contiguous Array (assign to columns A, B & C)
worksheet.addRow([3, "Sam", new Date()]);
// Add a row by sparse Array (assign to columns A, E & I)
var rowValues = [];
rowValues[1] = 4;
rowValues[5] = "Kyle";
rowValues[9] = new Date();
worksheet.addRow(rowValues);
// Get a row object. If it doesn't already exist, a new empty one will be returned
var row = worksheet.getRow(5);
// Get the last editable row in a worksheet (or undefined if there are none)
var row = worksheet.lastRow;
// Set a specific row height
row.height = 42.5;
row.getCell(1).value = 5; // A5's value set to 5
row.getCell("name").value = "Zeb"; // B5's value set to "Zeb" - assuming column 2 is still keyed by name
row.getCell("C").value = new Date(); // C5's value set to now
// Get a row as a sparse array
// Note: interface change: worksheet.getRow(4) ==> worksheet.getRow(4).values
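// keep the sparse array in its own variable so that `row` stays a Row object below
var sparseRow = worksheet.getRow(4).values;
expect(sparseRow[5]).toEqual("Kyle");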
// assign row values by contiguous array (where array element 0 has a value)
row.values = [1,2,3];
expect(row.getCell(1).value).toEqual(1);
expect(row.getCell(2).value).toEqual(2);
expect(row.getCell(3).value).toEqual(3);
// assign row values by sparse array (where array element 0 is undefined)
var values = []
values[5] = 7;
values[10] = "Hello, World!";
row.values = values;
expect(row.getCell(1).value).toBeNull();
expect(row.getCell(5).value).toEqual(7);
expect(row.getCell(10).value).toEqual("Hello, World!");
// assign row values by object, using column keys
row.values = {
id: 13,
name: "Thing 1",
dob: new Date()
};
// Iterate over all rows that have values in a worksheet
worksheet.eachRow(function(row, rowNumber) {
console.log("Row " + rowNumber + " = " + JSON.stringify(row.values));
});
// Iterate over all rows (including empty rows) in a worksheet
worksheet.eachRow({ includeEmpty: true }, function(row, rowNumber) {
console.log("Row " + rowNumber + " = " + JSON.stringify(row.values));
});
// Iterate over all non-null cells in a row
row.eachCell(function(cell, colNumber) {
console.log("Cell " + colNumber + " = " + cell.value);
});
// Iterate over all cells in a row (including empty cells)
row.eachCell({ includeEmpty: true }, function(cell, colNumber) {
console.log("Cell " + colNumber + " = " + cell.value);
});
// Commit a completed row to stream
row.commit();
// Modify/Add individual cell
worksheet.getCell("C3").value = new Date(1968, 5, 1);
// query a cell's type
expect(worksheet.getCell("C3").type).toEqual(Excel.ValueType.Date);
// merge a range of cells
worksheet.mergeCells("A4:B5");
// merge by top-left, bottom-right
worksheet.mergeCells("G10", "H11");
worksheet.mergeCells(10,11,12,13); // top,left,bottom,right
// ... merged cells are linked
worksheet.getCell("B5").value = "Hello, World!";
expect(worksheet.getCell("A4").value).toBe(worksheet.getCell("B5").value);
expect(worksheet.getCell("A4")).toBe(worksheet.getCell("B5").master);
Cells, Rows and Columns each support a rich set of styles and formats that affect how the cells are displayed.
Styles are set by assigning the following properties:
// assign a style to a cell
ws.getCell("A1").numFmt = "0.00%";
// Apply styles to worksheet columns
ws.columns = [
  { header: "Id", key: "id", width: 10 },
  { header: "Name", key: "name", width: 32, style: { font: { name: "Arial Black" } } },
  { header: "D.O.B.", key: "DOB", width: 10, style: { numFmt: "dd/mm/yyyy" } }
];
// Set Column 3 to Currency Format
ws.getColumn(3).numFmt = "£#,##0;[Red]-£#,##0";
// Set Row 2 to Comic Sans.
ws.getRow(2).font = { name: "Comic Sans MS", family: 4, size: 16, underline: "double", bold: true };
When a style is applied to a row or column, it will be applied to all currently existing cells in that row or column. Also, any new cell that is created will inherit its initial styles from the row and column it belongs to.
If a cell's row and column both define a specific style (e.g. font), the cell will use the row style over the column style. However if the row and column define different styles (e.g. column.numFmt and row.font), the cell will inherit the font from the row and the numFmt from the column.
Caveat: All the above properties (with the exception of numFmt, which is a string), are JS object structures. If the same style object is assigned to more than one spreadsheet entity, then each entity will share the same style object. If the style object is later modified before the spreadsheet is serialized, then all entities referencing that style object will be modified too. This behaviour is intended to prioritize performance by reducing the number of JS objects created. If you want the style objects to be independent, you will need to clone them before assigning them. Also, by default, when a document is read from file (or stream) if spreadsheet entities share similar styles, then they will reference the same style object too.
// display value as "1 3/5"
ws.getCell("A1").value = 1.6;
ws.getCell("A1").numFmt = "# ?/?";
// display value as "1.60%"
ws.getCell("B1").value = 0.016;
ws.getCell("B1").numFmt = "0.00%";
// for the wannabe graphic designers out there
ws.getCell("A1").font = {
name: "Comic Sans MS",
family: 4,
size: 16,
underline: true,
bold: true
};
// for the graduate graphic designers...
ws.getCell("A2").font = {
name: "Arial Black",
color: { argb: "FF00FF00" },
family: 2,
size: 14,
italic: true
};
// note: the cell will store a reference to the font object assigned.
// If the font object is changed afterwards, the cell font will change also...
var font = { name: "Arial", size: 12 };
ws.getCell("A3").font = font;
font.size = 20; // Cell A3 now has font size 20!
// Cells that share similar fonts may reference the same font object after
// the workbook is read from file or stream
Font Property | Description | Example Value(s) |
---|---|---|
name | Font name. | "Arial", "Calibri", etc. |
family | Font family. An integer value. | 1,2,3, etc. |
scheme | Font scheme. | "minor", "major", "none" |
charset | Font charset. An integer value. | 1, 2, etc. |
color | Colour description, an object containing an ARGB value. | { argb: "FFFF0000"} |
bold | Font weight | true, false |
italic | Font slope | true, false |
underline | Font underline style | true, false, "none", "single", "double", "singleAccounting", "doubleAccounting" |
strike | Font strikethrough | true, false |
outline | Font outline | true, false |
// set cell alignment to top-left, middle-center, bottom-right
ws.getCell("A1").alignment = { vertical: "top", horizontal: "left" };
ws.getCell("B1").alignment = { vertical: "middle", horizontal: "center" };
ws.getCell("C1").alignment = { vertical: "bottom", horizontal: "right" };
// set cell to wrap-text
ws.getCell("D1").alignment = { wrapText: true };
// set cell indent to 1
ws.getCell("E1").alignment = { indent: 1 };
// set cell text rotation to 30deg upwards, 45deg downwards and vertical text
ws.getCell("F1").alignment = { textRotation: 30 };
ws.getCell("G1").alignment = { textRotation: -45 };
ws.getCell("H1").alignment = { textRotation: "vertical" };
Valid Alignment Property Values
horizontal | vertical | wrapText | indent | readingOrder | textRotation |
---|---|---|---|---|---|
left | top | true | integer | rtl | 0 to 90 |
center | middle | false | | ltr | -1 to -90 |
right | bottom | | | | vertical |
fill | distributed | | | | |
justify | justify | | | | |
centerContinuous | | | | | |
distributed | | | | | |
// set single thin border around A1
ws.getCell("A1").border = {
top: {style:"thin"},
left: {style:"thin"},
bottom: {style:"thin"},
right: {style:"thin"}
};
// set double thin green border around A3
ws.getCell("A3").border = {
top: {style:"double", color: {argb:"FF00FF00"}},
left: {style:"double", color: {argb:"FF00FF00"}},
bottom: {style:"double", color: {argb:"FF00FF00"}},
right: {style:"double", color: {argb:"FF00FF00"}}
};
// set thick red cross in A5
ws.getCell("A5").border = {
diagonal: {up: true, down: true, style:"thick", color: {argb:"FFFF0000"}}
};
Valid Border Styles
// fill A1 with red darkVertical stripes
ws.getCell("A1").fill = {
type: "pattern",
pattern:"darkVertical",
fgColor:{argb:"FFFF0000"}
};
// fill A2 with yellow dark trellis and blue behind
ws.getCell("A2").fill = {
type: "pattern",
pattern:"darkTrellis",
fgColor:{argb:"FFFFFF00"},
bgColor:{argb:"FF0000FF"}
};
// fill A3 with blue-white-blue gradient from left to right
ws.getCell("A3").fill = {
type: "gradient",
gradient: "angle",
degree: 0,
stops: [
{position:0, color:{argb:"FF0000FF"}},
{position:0.5, color:{argb:"FFFFFFFF"}},
{position:1, color:{argb:"FF0000FF"}}
]
};
// fill A4 with red-green gradient from center
ws.getCell("A4").fill = {
type: "gradient",
gradient: "path",
center:{left:0.5,top:0.5},
stops: [
{position:0, color:{argb:"FFFF0000"}},
{position:1, color:{argb:"FF00FF00"}}
]
};
Property | Required | Description |
---|---|---|
type | Y | Value: "pattern" Specifies this fill uses patterns |
pattern | Y | Specifies type of pattern (see Valid Pattern Types below) |
fgColor | N | Specifies the pattern foreground color. Default is black. |
bgColor | N | Specifies the pattern background color. Default is white. |
Valid Pattern Types
Property | Required | Description |
---|---|---|
type | Y | Value: "gradient" Specifies this fill uses gradients |
gradient | Y | Specifies gradient type. One of ["angle", "path"] |
degree | angle | For "angle" gradient, specifies the direction of the gradient. 0 is from the left to the right. Values from 1 - 359 rotates the direction clockwise |
center | path | For "path" gradient. Specifies the relative coordinates for the start of the path. "left" and "top" values range from 0 to 1 |
stops | Y | Specifies the gradient colour sequence. Is an array of objects containing position and color starting with position 0 and ending with position 1. Intermediary positions may be used to specify other colours on the path. |
Caveats: Using the interface above it may be possible to create gradient fill effects not possible using the XLSX editor program. For example, Excel only supports angle gradients of 0, 45, 90 and 135. Similarly the sequence of stops may also be limited by the UI with positions [0,1] or [0,0.5,1] as the only options. Take care with this fill to be sure it is supported by the target XLSX viewers.
// read from a file
var workbook = new Excel.Workbook();
workbook.xlsx.readFile(filename)
.then(function() {
// use workbook
});
// pipe from stream
var workbook = new Excel.Workbook();
stream.pipe(workbook.xlsx.createInputStream());
// write to a file
var workbook = createAndFillWorkbook();
workbook.xlsx.writeFile(filename)
.then(function() {
// done
});
// write to a stream
workbook.xlsx.write(stream)
.then(function() {
// done
});
// read from a file
var workbook = new Excel.Workbook();
workbook.csv.readFile(filename)
.then(function(worksheet) {
// use workbook or worksheet
});
// read from a stream
var workbook = new Excel.Workbook();
workbook.csv.read(stream)
.then(function(worksheet) {
// use workbook or worksheet
});
// pipe from stream
var workbook = new Excel.Workbook();
stream.pipe(workbook.csv.createInputStream());
// read from a file with European Dates
var workbook = new Excel.Workbook();
var options = {
dateFormats: ["DD/MM/YYYY"]
};
workbook.csv.readFile(filename, options)
.then(function(worksheet) {
// use workbook or worksheet
});
// read from a file with custom value parsing
var workbook = new Excel.Workbook();
var options = {
map: function(value, index) {
switch(index) {
case 0:
// column 1 is string
return value;
case 1:
// column 2 is a date
return new Date(value);
case 2:
// column 3 is JSON of a formula value
return JSON.parse(value);
default:
// the rest are numbers
return parseFloat(value);
}
}
};
workbook.csv.readFile(filename, options)
.then(function(worksheet) {
// use workbook or worksheet
});
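A stricter version of the custom `map` callback above, for CSV files that come from outside your control (an added example, not code from the exceljs README). `new Date(value)`, `JSON.parse(value)` and `parseFloat(value)` either throw or quietly accept malformed cells, so this version rejects them instead; the YYYY-MM-DD date format, the 1024-character cap, the helper names and the assumption that every cell arrives as a string are all choices made for this example.

```javascript
// Added example: a validating replacement for the README's map(value, index).
// Columns as on the page: 0 text, 1 date, 2 JSON formula value, 3+ numbers.
const MAX_TEXT = 1024; // assumed cap on text cell length

function rejectCell(index, reason) {
  throw new Error("column " + (index + 1) + ": " + reason);
}

function parseIsoDate(value, index) {
  // Accept only YYYY-MM-DD; new Date(value) would guess at anything else.
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value);
  if (!m) rejectCell(index, "date is not YYYY-MM-DD");
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const date = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC rolls 2024-02-31 over into March, so compare the parts back.
  const same = date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 && date.getUTCDate() === d;
  if (!same) rejectCell(index, "not a real calendar date");
  return date;
}

function parseFormulaCell(value, index) {
  let parsed;
  try {
    parsed = JSON.parse(value);
  } catch (e) {
    rejectCell(index, "formula value is not valid JSON");
  }
  const isObject = parsed !== null && typeof parsed === "object" && !Array.isArray(parsed);
  if (!isObject) rejectCell(index, "formula value must be an object");
  const extra = Object.keys(parsed).filter((k) => k !== "formula" && k !== "result");
  if (extra.length > 0 || typeof parsed.formula !== "string") rejectCell(index, "expected only { formula, result }");
  const r = parsed.result;
  const scalar = ["number", "string", "boolean"].includes(typeof r);
  if (r !== undefined && !scalar) rejectCell(index, "formula result must be a scalar");
  // Copy the two known fields onto a fresh object; nothing else is carried over.
  return r === undefined ? { formula: parsed.formula } : { formula: parsed.formula, result: r };
}

function parseNumber(value, index) {
  // parseFloat("12abc") returns 12; require the whole cell to be numeric.
  if (!/^-?\d+(\.\d+)?([eE][+-]?\d+)?$/.test(value)) rejectCell(index, "not a number");
  const n = Number(value);
  if (!Number.isFinite(n)) rejectCell(index, "number out of range");
  return n;
}

function strictMap(value, index) {
  if (typeof value !== "string") rejectCell(index, "expected text from the CSV parser");
  switch (index) {
    case 0:
      if (value.length > MAX_TEXT) rejectCell(index, "text too long");
      return value;
    case 1: return parseIsoDate(value.trim(), index);
    case 2: return parseFormulaCell(value, index);
    default: return parseNumber(value.trim(), index);
  }
}

// Run one row through strictMap and report the first bad cell instead of throwing.
function tryRow(cells) {
  try {
    return { ok: true, values: cells.map((v, i) => strictMap(v, i)) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample rows (not from a real file).
const SAMPLE_ROWS = [
  ["Alice", "1970-02-01", '{"formula":"A1+A2","result":7}', "3.5"],
  ["Bob", "2024-02-31", '{"formula":"A1"}', "1"],
  ["Eve", "1970-02-01", '{"formula":"A1","__proto__":{"x":1}}', "1"],
];
for (const row of SAMPLE_ROWS) console.log(JSON.stringify(tryRow(row)));
```

`strictMap` has the same `(value, index)` signature as the `map` option shown above, so it can be supplied as `options.map` in its place.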
The CSV parser uses fast-csv to read the CSV file. The options passed into the read functions above are also passed to fast-csv for parsing of the csv data. Please refer to the fast-csv README.md for details.
Dates are parsed using the npm module moment. If no dateFormats are supplied, the following are used:
// write to a file
var workbook = createAndFillWorkbook();
workbook.csv.writeFile(filename)
.then(function() {
// done
});
// write to a stream
workbook.csv.write(stream)
.then(function() {
// done
});
// write to a file with European Date-Times
var workbook = createAndFillWorkbook();
var options = {
  dateFormat: "DD/MM/YYYY HH:mm:ss"
};
workbook.csv.writeFile(filename, options)
  .then(function() {
    // done
  });
// write to a file with custom value formatting
var moment = require("moment");
var workbook = createAndFillWorkbook();
var options = {
  map: function(value, index) {
    switch(index) {
      case 0:
        // column 1 is string
        return value;
      case 1:
        // column 2 is a date
        return moment(value).format("YYYY-MM-DD");
      case 2:
        // column 3 is a formula, write just the result
        return value.result;
      default:
        // the rest are numbers
        return value;
    }
  }
};
workbook.csv.writeFile(filename, options)
  .then(function() {
    // done
  });
The CSV parser uses fast-csv to write the CSV file. The options passed into the write functions above are also passed to fast-csv for writing the csv data. Please refer to the fast-csv README.md for details.
Dates are formatted using the npm module moment. If no dateFormat is supplied, moment.ISO_8601 is used.
The File I/O documented above requires that an entire workbook is built up in memory before the file can be written. While convenient, it can limit the size of the document due to the amount of memory required.
A streaming writer (or reader) processes the workbook or worksheet data as it is generated, converting it into file form as it goes. Typically this is much more efficient on memory as the final memory footprint and even intermediate memory footprints are much more compact than with the document version, especially when you consider that the row and cell objects are disposed once they are committed.
The interface to the streaming workbook and worksheet is almost the same as the document versions with a few minor practical differences:
Note that it is possible to build the entire workbook without committing any rows. When the workbook is committed, all added worksheets (including all uncommitted rows) will be automatically committed. However in this case, little will have been gained over the Document version.
The streaming XLSX writer is available in the ExcelJS.stream.xlsx namespace.
The constructor takes an optional options object with the following fields:
Field | Description |
---|---|
stream | Specifies a writable stream to write the XLSX workbook to. |
filename | If stream not specified, this field specifies the path to a file to write the XLSX workbook to. |
useSharedStrings | Specifies whether to use shared strings in the workbook. Default is false |
useStyles | Specifies whether to add style information to the workbook. Styles can add some performance overhead. Default is false |
If neither stream nor filename is specified in the options, the workbook writer will create a StreamBuf object that will store the contents of the XLSX workbook in memory. This StreamBuf object, which can be accessed via the property workbook.stream, can be used to either access the bytes directly by stream.read() or to pipe the contents to another stream.
// construct a streaming XLSX workbook writer with styles and shared strings
var options = {
filename: "./streamed-workbook.xlsx",
useStyles: true,
useSharedStrings: true
};
var workbook = new Excel.stream.xlsx.WorkbookWriter(options);
In general, the interface to the streaming XLSX writer is the same as the Document workbook (and worksheets) described above, in fact the row, cell and style objects are the same.
However there are some differences...
Construction
As seen above, the WorkbookWriter will typically require the output stream or file to be specified in the constructor.
Committing Data
When a worksheet row is ready, it should be committed so that the row object and contents can be freed. Typically this would be done as each row is added...
worksheet.addRow({
id: i,
name: theName,
etc: someOtherDetail
}).commit();
The reason the WorksheetWriter does not commit rows as they are added is to allow cells to be merged across rows:
worksheet.mergeCells("A1:B2");
worksheet.getCell("A1").value = "I am merged";
worksheet.getCell("C1").value = "I am not";
worksheet.getCell("C2").value = "Neither am I";
worksheet.getRow(2).commit(); // now rows 1 and 2 are committed.
As each worksheet is completed, it must also be committed:
// Finished adding data. Commit the worksheet
worksheet.commit();
To complete the XLSX document, the workbook must be committed. If any worksheets in a workbook are uncommitted, they will be committed automatically as part of the workbook commit.
// Finished the workbook.
workbook.commit();
The following value types are supported.
Enum Name | Enum(*) | Description | Example Value |
---|---|---|---|
Excel.ValueType.Null | 0 | No value. | null |
Excel.ValueType.Merge | 1 | N/A | N/A |
Excel.ValueType.Number | 2 | A numerical value | 3.14 |
Excel.ValueType.String | 3 | A text value | "Hello, World!" |
Excel.ValueType.Date | 4 | A Date value | new Date() |
Excel.ValueType.Hyperlink | 5 | A hyperlink | { text: "www.mylink.com", hyperlink: "http://www.mylink.com" } |
Excel.ValueType.Formula | 6 | A formula | { formula: "A1+A2", result: 7 } |
Every effort is made to make a good consistent interface that doesn't break through the versions but regrettably, now and then some things have to change for the greater good.
The arguments in the callback function to Worksheet.eachRow have been swapped and changed; it was function(rowNumber,rowValues), now it is function(row, rowNumber) which gives it a look and feel more like the underscore (_.each) function and prioritises the row object over the row number.
This function has changed from returning a sparse array of cell values to returning a Row object. This enables accessing row properties and will facilitate managing row styles and so on.
The sparse array of cell values is still available via Worksheet.getRow(rowNumber).values;
cell.styles renamed to cell.style
There appears to be an issue in one of the dependent libraries (unzip) where too many files causes the following error to be emitted:
invalid signature: 0x80014
In practical terms, this error only seems to arise with over 98 sheets (or 49 sheets with hyperlinks) so it shouldn't affect that many. I will keep an eye on it though.
Version | Changes |
---|---|
0.0.9 | |
0.1.0 | |
0.1.1 | |
0.1.2 | |
0.1.3 | |
0.1.5 | |
0.1.6 | |
0.1.8 | |
0.1.9 | |
0.1.10 | |
0.1.11 | |
0.2.0 | |
FAQs
Excel Workbook Manager - Read and Write xlsx and csv Files.
The npm package exceljs receives a total of 0 weekly downloads. As such, exceljs popularity was classified as not popular.
We found that exceljs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.