ERR! 403 403 URLBlocked - GET https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz

Describe the problem/error/question

I am trying to create a custom private node and deploy it as a Docker container using the documentation provided in the Install private nodes | n8n Docs, but the docker build fails and I am unable to deploy and test the node.

What is the error message (if any)?

ERR! code E403
19:51:27 npm ERR! 403 403 URLBlocked - GET https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz
19:51:27 npm ERR! 403 In most cases, you or one of your dependencies are requesting
19:51:27 npm ERR! 403 a package version that is forbidden by your security policy, or
19:51:27 npm ERR! 403 on a server you do not have access to.

I guess the below dependency is causing the issue and thus causing the custom node docker build to fail in the enterprise CI/CD process since the package has a security vulnerability.

Information on your n8n setup

  • n8n version: 0.236.1
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Mac OS/Linux

Hey @Deepanshu_Bhatia,

Welcome to the community :cake:

That version of sheetjs should be OK; 0.19.3 is the version that fixes CVE-2023-30533. Do you have a policy in place that prevents packages being pulled in that way?

Hello Jon,
Thanks for getting back to me so quickly. Yes, as per policy it’s disallowed to connect to an external CDN URL for security purposes.
Is it possible that there could be a version of the node-base module which does not try to explicitly connect to that CDN URL, preferably a version of 0.236.1, since that is the version we are working with?
Please let me know.

Hey @Deepanshu_Bhatia,

You are free to create your version that doesn’t include that package but you would also need to remove any nodes and functionality that may use it. We will probably not be making any more releases of pre v1 so it would be worth upgrading at some point.
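
Added example, not part of the thread or of n8n's code: a pre-build check that lists every lockfile entry whose tarball comes from a host other than the registry the proxy allows, so blocked downloads such as the cdn.sheetjs.com one above are known before `npm install` fails. The function names, `ALLOWED_HOSTS` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Assumption: the only host the enterprise proxy lets npm fetch tarballs from.
const ALLOWED_HOSTS = ['registry.npmjs.org'];

// Return the host of a URL-like string, or null for plain versions and paths.
function hostOf(value) {
  if (typeof value !== 'string' || !/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) return null;
  try { return new URL(value).hostname; } catch { return null; }
}

// Walk a parsed package-lock.json and collect entries fetched off-registry.
function findOffRegistry(lock, allowedHosts = ALLOWED_HOSTS) {
  const hits = [];
  const check = (name, entry) => {
    // lockfileVersion 1 stores a tarball URL in "version"; 2/3 use "resolved".
    const url = [entry.resolved, entry.version].find((v) => hostOf(v));
    if (url && !allowedHosts.includes(hostOf(url))) {
      hits.push({ name, host: hostOf(url), url });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path) check(path.replace(/^.*node_modules\//, ''), entry);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry);
      walk(entry.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return hits;
}

// Constructed sample lockfile (not taken from a real n8n build).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'n8n-nodes-example', version: '0.1.0' },
    'node_modules/lodash': { resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/xlsx': { resolved: 'https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz' },
  },
};

for (const hit of findOffRegistry(sampleLock)) console.log(`${hit.name} -> ${hit.url}`);
```

In a real build, pass the result of `JSON.parse` on the project's `package-lock.json` and fail the pipeline step when the returned list is not empty.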