xlsx-for-ai 1.5.3 → 1.5.4

package/README.md

@@ -2,7 +2,7 @@
 
 > 👋 **New here? Not a programmer?** → [Read WHY.md for the plain-English version](WHY.md). The README below is the technical reference.
 
-**The bidirectional bridge between spreadsheets and AI agents.** Reads `.xlsx` (and `.xls`, `.xlsb`, `.ods`, `.csv`, `.tsv`) into the formats LLMs actually consume — markdown, JSON, text, SQL — and writes spreadsheets back out from AI-generated specs. Same tool, both directions.
+**The bidirectional bridge between spreadsheets and AI agents.** Reads `.xlsx` (plus `.csv`, `.tsv`) into the formats LLMs actually consume — markdown, JSON, text, SQL — and writes spreadsheets back out from AI-generated specs. Same tool, both directions.
 
 AI tools — Claude, Cursor, Copilot, ChatGPT, and other LLM coding agents — can read text files but **not** `.xlsx` binaries. This CLI closes the loop:
 
@@ -10,7 +10,7 @@ AI tools — Claude, Cursor, Copilot, ChatGPT, and other LLM coding agents — c
 
 **✍️ Write mode (`xlsx-for-ai write`)** — turn an AI-generated JSON or markdown spec into a real `.xlsx` file. Closes the round-trip so an agent that *reviews* your spreadsheet can also *deliver the corrected file*. The output includes a `_xlsx-for-ai` review tab explaining every structural change the round-trip made (with risks, tradeoffs, and overrides) — the supervisor model: AI does the work, the human stays in control of every decision. Verified lossless on 29/30 real workbooks.
 
-**Input formats:** `.xlsx` `.xls` `.xlsb` `.ods` `.csv` `.tsv`
+**Input formats:** `.xlsx` `.csv` `.tsv` (legacy `.xls` / `.xlsb` / `.ods` removed in 1.5.4 — convert to `.xlsx` first; see [#26](https://github.com/senoff/xlsx-for-ai/issues/26))
 
 **Output modes:** text dump, markdown tables (best LLM comprehension per token), JSON, SQL `CREATE TABLE`+`INSERT`, inferred schema, workbook diff, real `.xlsx` (write mode).
 
@@ -315,28 +315,16 @@ The CLI install (`npm install -g xlsx-for-ai`) is clean — no deprecation warni
 
 Run `rm -rf node_modules package-lock.json && npm install` and the warnings will clear. xlsx-for-ai's tests pass against these versions, so the upgrade is safe.
 
-A future release may apply these dep upgrades via `patch-package` so they travel through the dep graph automatically. The infrastructure is in place; the patches haven't been needed urgently because most installs are CLI-direct.
+`patch-package` is in `devDependencies` for authoring patches. The postinstall hook is *not* wired today — no patches exist, and a hook that tries to invoke a missing dev-only binary would break consumer installs. When the first patch lands, the hook is added in the same commit as the patch file.
 
-### Audit findings on install (what's inherited from upstream)
+### Audit findings on install
 
-When you `npm install xlsx-for-ai` (especially as a library dep, not the top-level project), `npm audit` may surface one or more advisories. Most are inherited transitively from `@protobi/exceljs` and the legacy `xlsx` fallback parser. Each one has been triaged and is documented in [`.github/audit-allowlist.json`](.github/audit-allowlist.json), which is the canonical list our CI's `audit.yml` job reads.
+As of 1.5.4, `npm install xlsx-for-ai` finds **no inherited audit advisories**. The previous `xlsx` (sheetJS) and `uuid` findings were closed by:
 
-Each allowlist entry includes:
+- **`xlsx` removed in 1.5.4** — see [#26](https://github.com/senoff/xlsx-for-ai/issues/26). The legacy `.xls` / `.xlsb` / `.ods` input path that depended on it is no longer supported; the modern `@protobi/exceljs` engine handles `.xlsx` (and CSV / TSV continue to use `papaparse`).
+- **`uuid` bumped to ^14 via `overrides`** — clears the `GHSA-w5hq-g745-h8pq` advisory inherited transitively from ExcelJS. Mirrors the upstream protobi/exceljs gift PR locally.
 
-- **`ghsa`** — the advisory ID (e.g. `GHSA-w5hq-g745-h8pq`).
-- **`package`** — the dependency the advisory lives on.
-- **`severity`** — the advisory's published severity.
-- **`reason`** — why the finding is accepted, including the code path's reachability in our usage.
-- **`reassess`** — the date by which we will re-evaluate (typically a quarterly cadence).
-- **`owner`** — who owns the re-evaluation.
-
-The current set covers two `xlsx` advisories (the npm-published 0.18.5 line is unmaintained; we carry it as a fallback parser only) and one `uuid` advisory inherited from ExcelJS (`v4()` call sites in ExcelJS do not pass a pre-allocated buffer, so the bounds-check gap is unreachable here). An upstream gift PR is open to bump uuid in the protobi fork; once merged and released, the `uuid` line will drop on the next `@protobi/exceljs` update.
-
-If you embed xlsx-for-ai in a product with stricter audit policies than ours, you have three clean options:
-
-1. **Mirror the allowlist entries** into your own audit configuration (e.g. `npm audit --omit=dev` filters, Snyk policy file, GitHub Dependabot ignore rules) using the same `ghsa` IDs.
-2. **Pin to a future xlsx-for-ai release** that bumps `@protobi/exceljs` past the upstream uuid bump (will drop the `uuid` advisory automatically; tracked in the allowlist's `reassess` date).
-3. **Vendor the parser path you actually use** — if you only need the modern `@protobi/exceljs` engine and not the legacy `xlsx` fallback, you can disable the fallback in your wrapper and the `xlsx` advisories cease to apply to your dep graph.
+The triage workflow lives in [`.github/audit-allowlist.json`](.github/audit-allowlist.json) (currently empty) and `audit.yml` for whenever a future advisory needs accepting.
 
 ## Reporting bugs
 

package/WHY.md

@@ -30,7 +30,6 @@ A few examples people find useful:
 - **Compare two versions of the same spreadsheet** ("what changed between V11 and V14?") and get a list of every cell that moved.
 - **Turn a CSV export from QuickBooks into a clean SQL database table** in one command, with the column types figured out automatically.
 - **Walk through a 50-tab model someone else built** and have the AI explain how the sheets reference each other.
-- **Process a folder of legacy `.xls` files** that won't even open in modern Excel without complaint.
 
 But the biggest unlock is the next thing.
 

package/index.js

@@ -31,8 +31,7 @@ const engine = require('./lib/engine');
 
 // Lazy-load heavy deps only when their feature is used (keeps cold start fast
 // for the common --stdout / --json / --md path that needs none of them).
-let _xlsxLib, _papaLib, _formulaJsLib, _tokenizerLib;
-const lazyXlsx       = () => (_xlsxLib       ??= require('xlsx'));
+let _papaLib, _formulaJsLib, _tokenizerLib;
 const lazyPapa       = () => (_papaLib       ??= require('papaparse'));
 const lazyFormulaJs  = () => (_formulaJsLib  ??= require('@formulajs/formulajs'));
 const lazyTokenizer  = () => (_tokenizerLib  ??= require('gpt-tokenizer'));
@@ -108,7 +107,7 @@ coding agents can read. Preserves values, formulas, formatting, layout.
 The 'write' sub-command does the reverse: takes a JSON or markdown spec and
 produces an .xlsx file. Run 'xlsx-for-ai write --help' for details.
 
-Input formats: .xlsx .xls .xlsb .ods .csv .tsv
+Input formats: .xlsx .csv .tsv
 
 Output modes (mutually exclusive; default = text):
   --md              Markdown tables — best LLM comprehension per token
@@ -1081,40 +1080,14 @@ async function loadAnyWorkbook(filePath) {
     return wb;
   }
   if (ext === '.xls' || ext === '.xlsb' || ext === '.ods') {
-    return loadViaSheetJS(filePath);
-  }
-  throw new Error(`Unsupported extension: ${ext}. Supported: .xlsx .xls .xlsb .ods .csv .tsv`);
-}
-
-// Read a non-xlsx spreadsheet via SheetJS, materialize into the engine's
-// workbook representation so the rest of the code (dump/markdown/json/sql/
-// schema) works unchanged. Loses some formatting; preserves values + formulas.
-function loadViaSheetJS(filePath) {
-  const XLSX = lazyXlsx();
-  const sheetJsWb = XLSX.readFile(filePath, { cellFormula: true, cellDates: true });
-  const wb = engine.createWorkbook();
-  for (const name of sheetJsWb.SheetNames) {
-    const sjsSheet = sheetJsWb.Sheets[name];
-    const ws = wb.addWorksheet(name);
-    if (!sjsSheet['!ref']) continue;
-    const range = XLSX.utils.decode_range(sjsSheet['!ref']);
-    for (let r = range.s.r; r <= range.e.r; r++) {
-      for (let c = range.s.c; c <= range.e.c; c++) {
-        const addr = XLSX.utils.encode_cell({ r, c });
-        const cell = sjsSheet[addr];
-        if (!cell) continue;
-        const target = ws.getRow(r + 1).getCell(c + 1);
-        if (cell.f) {
-          target.value = { formula: cell.f, result: cell.v };
-        } else if (cell.t === 'd') {
-          target.value = cell.v instanceof Date ? cell.v : new Date(cell.v);
-        } else {
-          target.value = cell.v;
-        }
-      }
-    }
+    throw new Error(
+      `Legacy format ${ext} is no longer supported. Convert to .xlsx first ` +
+      `(e.g. open in Excel/LibreOffice and Save As .xlsx). See ` +
+      `https://github.com/senoff/xlsx-for-ai/issues/26 for the discussion of ` +
+      `whether to restore native support.`
+    );
   }
-  return wb;
+  throw new Error(`Unsupported extension: ${ext}. Supported: .xlsx .csv .tsv`);
 }
 
 // ---------------------------------------------------------------------------
@@ -1938,7 +1911,7 @@ async function main() {
   }
   // Min 22 bytes (zip EOCD) only meaningful for binary formats; CSV/TSV can be smaller.
   const ext = path.extname(filePath).toLowerCase();
-  const isBinary = ext === '.xlsx' || ext === '.xls' || ext === '.xlsb' || ext === '.ods';
+  const isBinary = ext === '.xlsx';
   if (isBinary && stat.size < 22) {
     console.error(`File is too small (${stat.size} bytes) to be a valid spreadsheet: ${filePath}`);
     process.exit(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "xlsx-for-ai",
-  "version": "1.5.3",
+  "version": "1.5.4",
   "description": "CLI that converts .xlsx files into rich text or JSON dumps that AI coding agents (Claude, Cursor, Copilot, ChatGPT, etc.) can read — preserving values, formulas, formatting, colors, column widths, frozen panes, named ranges, tables, and more.",
   "main": "index.js",
   "bin": {
@@ -51,8 +51,7 @@
     "@protobi/exceljs": "^4.4.0-protobi.9",
     "gpt-tokenizer": "^3.4.0",
     "jszip": "^3.10.1",
-    "papaparse": "^5.5.3",
-    "xlsx": "^0.18.5"
+    "papaparse": "^5.5.3"
   },
   "devDependencies": {
     "patch-package": "^8.0.1"
@@ -61,6 +60,7 @@
     "glob": "^13.0.0",
     "rimraf": "^5.0.10",
     "unzipper": "^0.12.3",
-    "fast-csv": "^5.0.2"
+    "fast-csv": "^5.0.2",
+    "uuid": "^14.0.0"
   }
 }