Problem
I’m building a React application that needs to handle Excel operations, and after the core-js incident, I’m extremely wary of CDN dependencies or packages with questionable maintenance. After investigating the two most popular libraries, neither option feels great:
SheetJS Community Edition
✅ Full-featured and widely used
✅ Excellent documentation
❌ Not available on NPM
❌ Forces choice between CDN dependency (hard no after recent events) or vendoring the library
❌ Vendoring adds 2.3MB to git repo size permanently – even changing versions means storing multiple copies in git history
❌ License restrictions on the free version
ExcelJS
✅ More permissive license
✅ Available on NPM
❌ These dependency warnings are nightmare fuel:
npm WARN deprecated [email protected]: This module is not supported, and leaks memory
npm WARN deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: This package is no longer supported.
❌ Last commit was ~1 year ago
❌ Several open critical issues
The Real Question
I’m stuck between:
Using ExcelJS with its memory-leaking, deprecated dependency tree (what could go wrong?)
Adding 2.3MB to my repo size with SheetJS
Using SheetJS via CDN (not touching that after the core-js saga)
Context
No “enterprise security team” – just me, some trust issues, and a healthy fear of supply chain attacks
Need something stable that won’t break when someone decides to add “protestware”
Currently leaning toward the 2.3MB repo bloat because at least I can audit what’s actually running
Environment: React, npm, Vite and Typescript
Is there even a right answer here? Is this a me problem? Or are we all just choosing our preferred flavor of technical debt?