refactor: changed from npm to SheetJS cdn

[noufalrahim]

Proposed Changes

• Fixes Upgrade SheetJS to solve vulnerability to Regular Expression Denial of Service (ReDoS). #9183
• Changed from npm to sheetjs cdn

@ohcnetwork/care-fe-code-reviewers

Merge Checklist

• Add specs that demonstrate bug / test a new feature.
• Update product documentation.
• Ensure that UI text is kept in I18n files.
• Prep screenshot or demo video for changelog entry, and attach it to issue.
• Request for Peer Reviews
• Completion of QA

Summary by CodeRabbit

• Chores
  • Reorganized the @radix-ui/react-icons dependency in the project.
  • Updated the xlsx dependency to reference a local file instead of the npm registry.

[coderabbitai]

Walkthrough

The changes in this pull request primarily involve modifications to the package.json file, specifically within the dependencies section. The dependency @radix-ui/react-icons was removed and then re-added with the same version, while the xlsx dependency was updated from a version reference to a local file reference. These changes indicate a restructuring of how dependencies are managed without altering the functionality or versions significantly.

Changes

File	Change Summary
package.json	- Removed and re-added @radix-ui/react-icons with version ^1.3.2. - Updated xlsx from ^0.18.5 to file:vendor/xlsx-0.20.3.tgz.

Assessment against linked issues

Objective	Addressed	Explanation
Upgrade SheetJS to solve vulnerability to Regular Expression Denial of Service (ReDoS) (#9183)	✅

Poem

🐇 In the garden where dependencies grow,
A tidy patch we now bestow.
With xlsx in a cozy nook,
And @radix-ui back in the book.
Hopping forward, we’ll code with glee,
For every change brings harmony! 🌼

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 4622120 and ff632be.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[netlify]

✅ Deploy Preview for care-ohc ready!

Name	Link
🔨 Latest commit	ff632be
🔍 Latest deploy log	https://app.netlify.com/sites/care-ohc/deploys/6758d3f5cb7964000861c20e
😎 Deploy Preview	https://deploy-preview-9323--care-ohc.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

package.json (1)

104-104: Consider a two-phase approach for SheetJS dependency

Given the PR objectives and the mention of potentially moving away from SheetJS, consider this approach:

1. Immediate fix (Phase 1):

   • Replace the local vendor file with SheetJS CDN as originally intended
   • Follow the official SheetJS documentation for CDN implementation

2. Long-term solution (Phase 2):

   • Plan the transition away from SheetJS
   • Research alternative libraries with better security track records
   • Consider native browser features where possible

This ensures we address the immediate security concern while preparing for future improvements.

Would you like help creating a migration plan for either phase?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between fac77a7 and 4622120.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (2 hunks)

🔇 Additional comments (2)

package.json (2)

63-63: LGTM: No functional changes

The re-addition of @radix-ui/react-icons with the same version (^1.3.2) appears to be a package.json reorganization with no functional impact.

---

104-104: ⚠️ Potential issue

Implementation doesn't match PR objectives

The PR objective is to switch from npm to SheetJS CDN to address the ReDoS vulnerability. However, the implementation uses a local vendor file (file:vendor/xlsx-0.20.3.tgz) instead of a CDN reference. While the version upgrade from 0.18.5 to 0.20.3 might address the vulnerability, the implementation approach differs from the intended solution.

Consider these concerns:

1. Using a vendored package instead of CDN contradicts the PR objectives
2. Local vendor files require manual updates and maintenance
3. The SheetJS documentation specifically recommends using their CDN for this use case

Let's verify if the vendor file exists and check its contents:

[sainak]

Use CDN link instead of adding the package to git the docs states to run npm i --save https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz which does exactly that

[sainak]

this file should not be added to the repo

[noufalrahim]

@nihal467

[nihal467]

@noufalrahim https://github.com/ohcnetwork/care_fe/actions/runs/12266788899/job/34225612132?pr=9323 the care_fe deploy is failing, look into it

[noufalrahim]

What exactly is this error..?

@noufalrahim https://github.com/ohcnetwork/care_fe/actions/runs/12266788899/job/34225612132?pr=9323 the care_fe deploy is failing, look into it

[rithviknishad]

Just Ctrl/Cmd + F with "error" keyword will point you to the error.