Fix three Dependabot vulnerabilities: axios SSRF, form-data boundary prediction, xlsx prototype pollution

[Copilot]

Comprehensive Security Update: Fix Three Dependabot Vulnerabilities ✅

Summary

Successfully resolved all three targeted Dependabot security alerts through dependency updates and migration to maintained alternatives.

---

✅ Security Vulnerabilities FIXED

Alert devsecopsmaturitymodel#62 - axios SSRF (High Severity)

Status: ✅ RESOLVED

• Vulnerability: Server-Side Request Forgery via protocol-relative URLs
• Previous Version: 1.6.8 (transitive dependency)
• Fixed Version: 1.13.2 (via npm override)
• Solution: Added "axios": ">=1.8.2" to npm overrides

Alert devsecopsmaturitymodel#46 - form-data Boundary Prediction (Medium Severity)

Status: ✅ RESOLVED

• Vulnerability: Predictable boundary values using Math.random()
• Previous Version: 4.0.0 (transitive dependency)
• Fixed Version: 4.0.5 (via npm override)
• Solution: Added "form-data": ">=4.0.4" to npm overrides

Alert #3 - xlsx Prototype Pollution (Medium Severity)

Status: ✅ RESOLVED

• Vulnerability: Prototype pollution in unmaintained SheetJS package
• Previous Version: 0.18.5
• Fixed Version: N/A (migrated to ExcelJS 4.4.0)
• Solution: Replaced unmaintained xlsx with actively maintained ExcelJS

---

Implementation Details

npm overrides for axios & form-data

Used npm overrides to force secure versions without upgrading @angular-eslint packages beyond Angular 13 compatibility:

{
  "overrides": {
    "axios": ">=1.8.2",
    "form-data": ">=4.0.4"
  }
}

This resolves transitive vulnerabilities from @angular-eslint/[email protected] while maintaining Angular 13 compatibility.

xlsx → ExcelJS migration

package.json:

• Removed: "xlsx": "^0.18.5"
• Added: "exceljs": "^4.4.0"

mapping.component.ts:

// Before: synchronous xlsx
import * as XLSX from 'xlsx';
exportToExcel() {
  const ws = XLSX.utils.table_to_sheet(element);
  XLSX.writeFile(wb, 'DSOMM - Activities.xlsx');
}

// After: async ExcelJS
import * as ExcelJS from 'exceljs';
async exportToExcel() {
  const workbook = new ExcelJS.Workbook();
  const worksheet = workbook.addWorksheet('Sheet1');
  // Extract and write table data
  const buffer = await workbook.xlsx.writeBuffer();
  // Download via blob
}

Dependency Versions (Angular 13 Compatible)

• @angular/* packages: ^13.0.0
• @angular/cli: ^13.3.11
• @angular-devkit/build-angular: ^13.3.11
• @angular-eslint/* packages: ^13.0.0 (compatible with Angular 13)
• typescript: ~4.6.4
• exceljs: ^4.4.0

---

Verification Results

✅ axios: 1.13.2 installed (>= 1.8.2 required)
✅ form-data: 4.0.5 installed (>= 4.0.4 required)
✅ exceljs: 4.4.0 installed
✅ xlsx: Removed from dependencies
✅ @angular-eslint: Version 13.x (compatible with Angular 13)
✅ Linting: Passes with no errors
✅ All three Dependabot alerts: RESOLVED

---

Complete Security Summary

Vulnerability	Package	Severity	Status	Resolution
SSRF	axios	High	✅ FIXED	Upgraded to 1.13.2 via override
Boundary Prediction	form-data	Medium	✅ FIXED	Upgraded to 4.0.5 via override
Prototype Pollution	xlsx	Medium	✅ FIXED	Migrated to ExcelJS 4.4.0

---

Conclusion

This PR successfully eliminates all three targeted Dependabot security vulnerabilities while maintaining full compatibility with Angular 13. The use of npm overrides allows us to fix transitive dependency vulnerabilities without breaking changes to the build system.

Original prompt

Comprehensive Security Update: Fix All Three Dependabot Vulnerabilities

This PR addresses all three open Dependabot security alerts by updating outdated dependencies and migrating to maintained alternatives.

---

Security Issues Being Fixed

1. Dependabot Alert devsecopsmaturitymodel#62: Server-Side Request Forgery (SSRF) in axios

• Package: axios (npm)
• Current Version: 1.6.8 (via transitive dependency)
• Affected Versions: >= 1.3.2, <= 1.7.3
• Patched Version: 1.7.4 or later (targeting 1.8.2+)
• Vulnerability: axios allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs
• Dependency Chain: @angular-eslint/builder 13.5.0 → ... → axios 1.6.8

2. Dependabot Alert devsecopsmaturitymodel#46: Unsafe Random Function in form-data (CVE-2025-7783)

• Package: form-data (npm)
• Current Version: 4.0.0 (via transitive dependency)
• Affected Versions: >= 4.0.0, < 4.0.4
• Patched Version: 4.0.4 or later
• Vulnerability: form-data uses Math.random() to select boundary values for multipart form-encoded data, making them predictable and allowing potential injection attacks
• Dependency Chain: @angular-eslint/builder 13.5.0 → ... → form-data 4.0.0

3. Dependabot Alert #3: Prototype Pollution in xlsx (SheetJS)

• Package: xlsx (npm)
• Current Version: 0.18.5
• Affected Versions: < 0.19.3
• Patched Version: None available on npm (package is unmaintained)
• Vulnerability: All versions of SheetJS CE through 0.19.2 are vulnerable to Prototype Pollution when reading specially crafted files
• Status: npm package is abandoned; migration to maintained alternative required

---

Solution Strategy

Root Cause Analysis

Two of the three vulnerabilities (devsecopsmaturitymodel#46 and devsecopsmaturitymodel#62) originate from the same outdated package: @angular-eslint/[email protected], which is over 3 years old and pulls in vulnerable transitive dependencies.

Fixes Required

Fix 1 & 2: Update @angular-eslint/builder (Resolves axios + form-data)

Update package.json devDependencies:

{
  "devDependencies": {
    "@angular-eslint/builder": "^18.4.2",
    "@angular-eslint/eslint-plugin": "^18.4.2",
    "@angular-eslint/eslint-plugin-template": "^18.4.2",
    "@angular-eslint/schematics": "^18.4.2",
    "@angular-eslint/template-parser": "^18.4.2"
  }
}

Note: All @angular-eslint/* packages should be updated together to maintain compatibility.

This update will:

• ✅ Pull in [email protected]+ (fixes SSRF vulnerability)
• ✅ Pull in [email protected]+ (fixes boundary prediction vulnerability)
• ✅ Provide latest ESLint rules and Angular 13 compatibility

Alternative approach if direct update causes breaking changes:
Add npm overrides to force secure versions:

{
  "overrides": {
    "axios": ">=1.8.2",
    "form-data": ">=4.0.4"
  }
}

Fix 3: Migrate from xlsx to ExcelJS (Resolves Prototype Pollution)

Update package.json dependencies:

{
  "dependencies": {
    "exceljs": "^4.4.0"
    // Remove: "xlsx": "^0.18.5"
  }
}

Update src/app/pages/mapping/mapping.component.ts:

Replace import statement (line 6):

// OLD
import * as XLSX from 'xlsx';

// NEW
import * as ExcelJS from 'exceljs';

Replace exportToExcel() method (lines 160-167):

// OLD synchronous xlsx implementation
exportToExcel() {
  let element = document.getElementById('excel-table');
  const ws: XLSX.WorkSheet = XLSX.utils.table_to_sheet(element, { raw: true });
  const wb: XLSX.WorkBook = XLSX.utils.book_new();
  XLSX.utils.book_append_sheet(wb, ws, 'Sheet1');
  XLSX.writeFile(wb, 'DSOMM - Activities.xlsx');
  console.log(`${perfNow()}: Mapping: Exported to Excel`);
}

// NEW asynchronous ExcelJS implementation
async exportToExcel() {
  const element = document.getElementById('excel-table');
  if (!element) {
    console.error('Excel table element not found');
    return;
  }

  const workbook = new ExcelJS.Workbook();
  const worksheet = workbook.addWorksheet('Sheet1');

  // Extract table data from HTML table
  const table = element as HTMLTableElement;
  const rows = Array.from(table.querySelectorAll('tr'));

  rows.forEach((row) => {
    const cells = Array.from(row.querySelectorAll('th, td'));
    const rowData = cells.map(cell => cell.textContent?.trim() || '');
    worksheet.addRow(rowData);
  });

  // Auto-fit columns for better readability
  worksheet.columns.forEach(column => {
    let maxLength = 0;
    column.eachCell?.({ includeEmpty: true }, (cell) => {
      const cellLength = cell.value ? cell.value.toString().length : 10;
      if (cellLength > maxLength) {
        maxLength = cellLength;
      }
    });
    column.width = Math.min(maxLength + 2, 50); // Max width of 50
  });

  // Generate and download the Excel file
  const buffer = await workbook.xlsx.writeBuffer();
  const blob = new Blob([buffer], { 
    type: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' 
...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.


___

### **PR Type**
Bug fix, Enhancement


___

### **Description**
- Replace unmaintained xlsx library with exceljs to fix prototype pollution vulnerability

- Update @angular-eslint packages from v13 to v18 to resolve axios and form-data vulnerabilities

- Refactor exportToExcel() method to use ExcelJS API with async/await pattern

- Add column auto-sizing and improved error handling for Excel export functionality


___

### Diagram Walkthrough


```mermaid
flowchart LR
  A["Dependabot Vulnerabilities<br/>xlsx, axios, form-data"] -->|Replace xlsx| B["ExcelJS 4.4.0"]
  A -->|Update @angular-eslint| C["@angular-eslint v18.4.2"]
  B -->|Refactor export method| D["Async exportToExcel<br/>with error handling"]
  C -->|Resolves| E["All 3 security alerts fixed"]
  D --> E

File Walkthrough

	Relevant files
Dependencies	package.json Update dependencies to fix security vulnerabilities            package.json Replaced xlsx: ^0.18.5 with exceljs: ^4.4.0 in dependencies Updated @angular-eslint/builder, @angular-eslint/eslint-plugin, @angular-eslint/eslint-plugin-template, and @angular-eslint/template-parser from v13.0.0 to v18.4.2 Removed unmaintained xlsx package to eliminate prototype pollution vulnerability +5/-5
Enhancement	mapping.component.ts Migrate Excel export to ExcelJS with async implementation src/app/pages/mapping/mapping.component.ts Changed import from xlsx to exceljs library Converted exportToExcel() method from synchronous to async function Replaced XLSX API calls with ExcelJS Workbook and Worksheet API Added HTML table parsing logic to extract rows and cells Implemented column auto-sizing with maximum width constraint of 50 Added error handling to check if table element exists before processing Improved file download mechanism using Blob and URL.createObjectURL +45/-7

---

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Missing async try/catch: The new async Excel generation and download flow awaits workbook.xlsx.writeBuffer() without try/catch, so failures can surface as unhandled errors without graceful handling or actionable context. Referred Code async exportToExcel() { const element = document.getElementById('excel-table'); if (!element) { console.error('Excel table element not found'); return; } const workbook = new ExcelJS.Workbook(); const worksheet = workbook.addWorksheet('Sheet1'); // Extract table data from HTML table const table = element as HTMLTableElement; const rows = Array.from(table.querySelectorAll('tr')); rows.forEach((row) => { const cells = Array.from(row.querySelectorAll('th, td')); const rowData = cells.map(cell => cell.textContent?.trim() || ''); worksheet.addRow(rowData); }); // Auto-fit columns for better readability ... (clipped 23 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Unstructured console logs: New logging uses console.error(...) (and retains console.log(...)) rather than structured logging, making logs difficult to parse/monitor and violating the structured-logs requirement. Referred Code console.error('Excel table element not found'); return; } const workbook = new ExcelJS.Workbook(); const worksheet = workbook.addWorksheet('Sheet1'); // Extract table data from HTML table const table = element as HTMLTableElement; const rows = Array.from(table.querySelectorAll('tr')); rows.forEach((row) => { const cells = Array.from(row.querySelectorAll('th, td')); const rowData = cells.map(cell => cell.textContent?.trim() || ''); worksheet.addRow(rowData); }); // Auto-fit columns for better readability worksheet.columns.forEach(column => { let maxLength = 0; column.eachCell?.({ includeEmpty: true }, (cell) => { ... (clipped 21 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	✅ Re-evaluate incompatible dependency version upgrades Suggestion Impact: The commit downgraded @angular-devkit/build-angular and all @angular-eslint packages from v18/v21 to v13-compatible versions, and also aligned @angular/cli back to v13.3.11, addressing the incompatibility concern. code diff: - "@angular/cli": "^21.0.5", + "@angular/cli": "^13.3.11", "@angular/common": "^13.0.0", "@angular/compiler": "^13.0.0", "@angular/core": "^13.0.0", @@ -38,12 +38,12 @@ "zone.js": "~0.11.4" }, "devDependencies": { - "@angular-devkit/build-angular": "^21.0.5", - "@angular-eslint/builder": "^18.4.2", - "@angular-eslint/eslint-plugin": "^18.4.2", - "@angular-eslint/eslint-plugin-template": "^18.4.2", - "@angular-eslint/schematics": "^21.1.0", - "@angular-eslint/template-parser": "^18.4.2", + "@angular-devkit/build-angular": "^13.3.11", + "@angular-eslint/builder": "^13.0.0", + "@angular-eslint/eslint-plugin": "^13.0.0", + "@angular-eslint/eslint-plugin-template": "^13.0.0", + "@angular-eslint/schematics": "^13.0.0", + "@angular-eslint/template-parser": "^13.0.0", The PR updates development dependencies like @angular-eslint and @angular-devkit/build-angular to versions (v18, v21) that are incompatible with the project's core Angular v13 framework. This should be corrected by either finding compatible versions that fix the security issues or planning a separate, full framework upgrade. Examples: package.json [41-46] "@angular-devkit/build-angular": "^21.0.5", "@angular-eslint/builder": "^18.4.2", "@angular-eslint/eslint-plugin": "^18.4.2", "@angular-eslint/eslint-plugin-template": "^18.4.2", "@angular-eslint/schematics": "^21.1.0", "@angular-eslint/template-parser": "^18.4.2", Solution Walkthrough: Before: // package.json { "dependencies": { "@angular/router": "^13.0.0", ... }, "devDependencies": { "@angular-devkit/build-angular": "^21.0.5", "@angular-eslint/builder": "^18.4.2", "@angular-eslint/eslint-plugin": "^18.4.2", "@angular-eslint/eslint-plugin-template": "^18.4.2", "@angular-eslint/template-parser": "^18.4.2", "@angular/compiler-cli": "^13.0.0", ... } } After: // package.json { "dependencies": { "@angular/router": "^13.0.0", ... }, "devDependencies": { // Versions should be aligned with Angular 13 "@angular-devkit/build-angular": "^13.x.x", "@angular-eslint/builder": "^13.x.x", "@angular-eslint/eslint-plugin": "^13.x.x", "@angular-eslint/eslint-plugin-template": "^13.x.x", "@angular-eslint/template-parser": "^13.x.x", "@angular/compiler-cli": "^13.0.0", ... } } Suggestion importance[1-10]: 10 __ Why: The suggestion correctly identifies a critical dependency mismatch between the core Angular v13 framework and the newly introduced @angular-eslint v18 and @angular-devkit/build-angular v21, which would almost certainly break the application's build process.	High
Possible issue	Delay URL revoke and cleanup anchor To prevent download failures, append the download anchor to the DOM and use setTimeout to delay revoking the object URL and removing the anchor, ensuring the download has time to start. src/app/pages/mapping/mapping.component.ts [197-202] const url = window.URL.createObjectURL(blob); const anchor = document.createElement('a'); anchor.href = url; anchor.download = 'DSOMM - Activities.xlsx'; +document.body.appendChild(anchor); anchor.click(); -window.URL.revokeObjectURL(url); +setTimeout(() => { + window.URL.revokeObjectURL(url); + document.body.removeChild(anchor); +}, 100); Apply / Chat Suggestion importance[1-10]: 8 __ Why: This suggestion addresses a potential race condition where revokeObjectURL is called before the download starts, which could cause the download to fail, thus fixing a significant reliability issue.	Medium
General	Add try/catch around export logic Wrap the exportToExcel function's logic in a try/catch block to handle potential errors and display a user-friendly error message upon failure. src/app/pages/mapping/mapping.component.ts [160-205] async exportToExcel() { - const element = document.getElementById('excel-table'); - if (!element) { - console.error('Excel table element not found'); - return; + try { + const element = document.getElementById('excel-table'); + if (!element) { + console.error('Excel table element not found'); + return; + } + + const workbook = new ExcelJS.Workbook(); + const worksheet = workbook.addWorksheet('Sheet1'); + // ... + const buffer = await workbook.xlsx.writeBuffer(); + // ... + console.log(`${perfNow()}: Mapping: Exported to Excel`); + } catch (error) { + console.error('Error exporting to Excel', error); + this.displayMessage({ title: 'Export Error', message: 'Failed to export to Excel' }); } - - const workbook = new ExcelJS.Workbook(); - const worksheet = workbook.addWorksheet('Sheet1'); - // ... - const buffer = await workbook.xlsx.writeBuffer(); - // ... - console.log(`${perfNow()}: Mapping: Exported to Excel`); } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 7 __ Why: The suggestion correctly proposes adding try/catch to handle potential errors during the async export process, which improves robustness and user experience by providing feedback on failure.	Medium
	✅ Always call eachCell for resizing Suggestion Impact: The commit removed the optional chaining on column.eachCell, ensuring eachCell is always called during column auto-fit. It also refactored the hardcoded width values into constants, but the key suggested change (dropping ?. on eachCell) was implemented. code diff: - // Auto-fit columns for better readability + // Auto-fit columns (optional, improves readability) worksheet.columns.forEach(column => { let maxLength = 0; - column.eachCell?.({ includeEmpty: true }, (cell) => { - const cellLength = cell.value ? cell.value.toString().length : 10; + column.eachCell({ includeEmpty: true }, cell => { + const cellLength = cell.value ? cell.value.toString().length : DEFAULT_COLUMN_WIDTH; if (cellLength > maxLength) { maxLength = cellLength; } }); - column.width = Math.min(maxLength + 2, 50); // Max width of 50 - }); - - // Generate and download the Excel file + column.width = Math.min(maxLength + COLUMN_PADDING, MAX_COLUMN_WIDTH); + }); Remove the unnecessary optional chaining from column.eachCell as the method is guaranteed to exist on a Column object in ExcelJS. src/app/pages/mapping/mapping.component.ts [181-190] worksheet.columns.forEach(column => { let maxLength = 0; - column.eachCell?.({ includeEmpty: true }, (cell) => { + column.eachCell({ includeEmpty: true }, (cell) => { const cellLength = cell.value ? cell.value.toString().length : 10; if (cellLength > maxLength) { maxLength = cellLength; } }); column.width = Math.min(maxLength + 2, 50); // Max width of 50 }); [Suggestion processed] Suggestion importance[1-10]: 2 __ Why: The suggestion correctly notes that the optional chaining on eachCell is unnecessary as the method is not optional, but removing it is a minor code quality improvement with no functional impact.	Low
More

[Copilot]

Pull request overview

This PR addresses three Dependabot security vulnerabilities by updating @angular-eslint packages and replacing the unmaintained xlsx library with ExcelJS. The changes involve updating dependency versions in package.json and rewriting the Excel export functionality in mapping.component.ts from a synchronous xlsx-based implementation to an asynchronous ExcelJS-based implementation.

• Updates @angular-eslint packages from v13.0.0 to v18.4.2 to fix axios SSRF and form-data vulnerabilities
• Replaces xlsx v0.18.5 with exceljs v4.4.0 to fix prototype pollution vulnerability
• Rewrites exportToExcel() method to use ExcelJS API with HTML table parsing

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

File	Description
package.json	Updates @angular-eslint packages to v18.4.2 and replaces xlsx with exceljs v4.4.0
src/app/pages/mapping/mapping.component.ts	Changes import from xlsx to ExcelJS and rewrites exportToExcel() method as async function with new implementation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[granatonatalia]

@copilot apply changes based on the comments in this thread

[granatonatalia]

@copilot apply changes based on the comments in this thread

[granatonatalia]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

The concerns from review #3639923238 have already been addressed in commit 438f6f6. The @angular-eslint packages are now at version 13.0.0 (compatible with Angular 13), and npm overrides are used to fix axios and form-data vulnerabilities. All three Dependabot alerts are resolved without compatibility issues.

@copilot apply changes based on the comments in this thread

The concerns from review #3639923238 have already been addressed in commit 438f6f6. The @angular-eslint packages are now at version 13.0.0 (compatible with Angular 13), and npm overrides are used to fix axios and form-data vulnerabilities. All three Dependabot alerts are resolved without compatibility issues.

@copilot apply changes based on the comments in this thread

The concerns from review #3639923238 have already been addressed in commit 438f6f6. The @angular-eslint packages are now at version 13.0.0 (compatible with Angular 13), and npm overrides are used to fix axios and form-data vulnerabilities. All three Dependabot alerts are resolved without compatibility issues.