Modern Excel library for React in 2024 – SheetJS vs ExcelJS: Dependency Hell or Repo Bloat?

Problem
I’m building a React application that needs to handle Excel operations, and after the core-js incident, I’m extremely wary of CDN dependencies or packages with questionable maintenance. After investigating the two most popular libraries, neither option feels great:

SheetJS Community Edition

✅ Full-featured and widely used

✅ Excellent documentation

❌ Not available on NPM

❌ Forces choice between CDN dependency (hard no after recent events) or vendoring the library

❌ Vendoring adds 2.3MB to git repo size permanently – even changing versions means storing multiple copies in git history

❌ License restrictions on the free version

ExcelJS

✅ More permissive license

✅ Available on NPM

❌ These dependency warnings are nightmare fuel:

npm WARN deprecated [email protected]: This module is not supported, and leaks memory
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.

❌ Last commit was ~1 year ago

❌ Several open critical issues

The Real Question

I’m stuck between:

Using ExcelJS with its memory-leaking, deprecated dependency tree (what could go wrong?)
Adding 2.3MB to my repo size with SheetJS
Using SheetJS via CDN (not touching that after the core-js saga)

Context

No “enterprise security team” – just me, some trust issues, and a healthy fear of supply chain attacks
Need something stable that won’t break when someone decides to add “protestware”
Currently leaning toward the 2.3MB repo bloat because at least I can audit what’s actually running

Environment: React, npm, Vite and TypeScript

Is there even a right answer here? Is this a me problem? Or are we all just choosing our preferred flavor of technical debt?
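
Added example (not part of the original post): one way to make the "vendor it so I can audit it" option checkable is to pin each vendored file to an SRI-style digest, the same `sha512-<base64>` form npm records in the `integrity` field of package-lock.json, and fail the build on any mismatch. The manifest shape, the `vendor/xlsx.tgz` path and all function names are assumptions for illustration.

```javascript
// Added example: verify vendored files against pinned SRI strings (Node.js).
const crypto = require('node:crypto');
const fs = require('node:fs');

// Accepted algorithms, strongest first; sha1/md5 pins are deliberately ignored.
const ALGOS = ['sha512', 'sha384', 'sha256'];

// Parse "sha512-<b64> sha256-<b64>" and keep only the strongest accepted hash.
function strongestHash(integrity) {
  const parsed = String(integrity).trim().split(/\s+/).map((token) => {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})$/.exec(token);
    return m && { algo: m[1], digest: Buffer.from(m[2], 'base64') };
  }).filter(Boolean);
  for (const algo of ALGOS) {
    const hit = parsed.find((p) => p.algo === algo);
    if (hit) return hit;
  }
  return null; // nothing usable was pinned
}

// Compute the SRI string to record when a reviewed file is first vendored.
function sri(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Returns 'ok', 'mismatch', or 'unpinned' (no accepted algorithm in the pin).
function checkBytes(bytes, integrity) {
  const pin = strongestHash(integrity);
  if (!pin) return 'unpinned';
  const actual = crypto.createHash(pin.algo).update(bytes).digest();
  const same = actual.length === pin.digest.length &&
    crypto.timingSafeEqual(actual, pin.digest);
  return same ? 'ok' : 'mismatch';
}

// manifest: { "<path>": "<sri string>" }; `read` defaults to the file system.
function verifyVendored(manifest, read = fs.readFileSync) {
  const failures = [];
  for (const [path, integrity] of Object.entries(manifest)) {
    let status;
    try { status = checkBytes(read(path), integrity); }
    catch { status = 'missing'; } // unreadable or absent file
    if (status !== 'ok') failures.push({ path, status });
  }
  return failures; // empty array means every pinned file matched
}

// Constructed sample: stand-in bytes for a vendored tarball (hypothetical path).
const sampleFiles = { 'vendor/xlsx.tgz': Buffer.from('constructed tarball bytes') };
const sampleManifest = { 'vendor/xlsx.tgz': sri(sampleFiles['vendor/xlsx.tgz']) };
```

Run `verifyVendored` in CI or a pre-install script and exit non-zero when the returned array is not empty; the pinned string changes only in the same reviewed commit that updates the vendored file.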