SheetJS appears to have stopped publishing updates to NPM, apparently because the maintainer doesn't like 2FA? SheetJS/sheetjs#2822
I'm at a loss to explain why anyone would object to 2FA, especially for such a popular package. Instead of implementing it, the maintainers switched to a private CDN and are now only publishing updates there. This means security fixes (GHSA-4r6h-8v6p-xvw6) aren't being published to NPM anymore, and auto-fixup mechanisms like npm audit no longer work for SheetJS.
Using a private CDN means that organizations that implement artifact repositories to mirror NPM (often for security or licensing reasons) will never be able to work with SheetJS. If any of those organizations use jupyterlab-spreadsheet, then switching to the SheetJS private CDN may break their installs.
I'm concerned with how lax their communication has been over this, and we should explore other alternatives to see if they can help improve this extension's security posture.
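A check for the situation this issue describes, added here as an example and not taken from the thread or from either project: it walks a `package-lock.json` and reports every dependency that does not resolve over HTTPS to an approved registry host. It assumes the lockfile v2/v3 layout (a `packages` map with `resolved` and `integrity` fields); the function name, the allow-list and the sample lockfile (including its versions and the `cdn.example.invalid` host) are constructed for illustration.

```javascript
// Added example (hypothetical helper, not from jupyterlab-spreadsheet or SheetJS).
// Hosts your organization accepts; add an internal mirror's hostname here.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// Returns one finding per lockfile entry fetched from outside the allow-list.
function findOffRegistry(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled dependencies.
    if (path === "" || meta.link || meta.inBundle) continue;
    const name = meta.name || path.split("node_modules/").pop();
    let protocol = null;
    let host = null;
    try {
      const url = new URL(meta.resolved);
      protocol = url.protocol;
      host = url.host;
    } catch {
      // Missing or unparsable "resolved" value: reported with host null.
    }
    if (protocol === "https:" && allowedHosts.has(host)) continue;
    findings.push({
      name,
      version: meta.version,
      host,
      resolved: meta.resolved || null,
      hasIntegrity: Boolean(meta.integrity), // false means no hash pins the artifact
    });
  }
  return findings;
}

// Constructed sample lockfile: one registry package, one tarball from a
// placeholder CDN, one git dependency. All versions and hashes are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-extension", version: "1.0.0" },
    "node_modules/exceljs": { version: "0.0.1", integrity: "sha512-CONSTRUCTED",
      resolved: "https://registry.npmjs.org/exceljs/-/exceljs-0.0.1.tgz" },
    "node_modules/xlsx": { version: "0.0.2", integrity: "sha512-CONSTRUCTED",
      resolved: "https://cdn.example.invalid/xlsx-0.0.2/xlsx-0.0.2.tgz" },
    "node_modules/some-git-dep": { version: "0.0.3",
      resolved: "git+ssh://git@github.com/example/some-git-dep.git#0000000" },
  },
};

console.log(findOffRegistry(SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` instead of `SAMPLE_LOCK`; a non-empty result is the list of packages to track for security fixes by hand.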
I share similar frustrations. One package I've found is ExcelJS. Been debating back and forth whether to move over to that or start pulling from SheetJS's private CDN.