All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N (Score 5.3 - Medium)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 
All releases of SheetJS Community Edition up to version 0.19.2 are affected. This includes:
- scripts and modules on the SheetJS CDN through version 0.19.2 
- modules published with the name `xlsx` on npmjs.com 
- scripts on third-party CDNs that pull from the `xlsx` package on npmjs.com  
- modules published with the name `sheetjs` on deno.land 
Users should upgrade to version 0.19.3 or later. Official releases are available on the SheetJS CDN . SheetJS CE documentation includes installation instructions for common deployments .
Special thanks to Vsevolod Kokorin of SolidLab for reporting the issue to us.