
Vulnerability in used pdfjs-dist version

Open Sogeman opened this issue 1 year ago • 12 comments

Describe the bug

from npm audit

  pdfjs-dist  <=4.1.392
  Severity: high
  PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Is this something you can change here or is it further up the chain?

Edit: I see dependabot already added a PR for that

thanks

Sogeman avatar May 07 '24 12:05 Sogeman

Same problem here, we are very close to a release with our software and this bug is a big problem for our compliance regulations. It would be important to fix this quickly please 🙏

marvinjaworski avatar May 07 '24 13:05 marvinjaworski

Just another engineer chiming in on this 🙏🏽

Edit:

You could possibly use a resolution as a workaround. I will be testing this shortly.

donovanclarke avatar May 07 '24 19:05 donovanclarke

Updated my packages and got this warning as well.

bombillazo avatar May 07 '24 20:05 bombillazo

Temporary fix that worked for me:

  • in package.json:

    "resolutions": {
      "pdfjs-dist": "^4.2.67"
    }

  • in vite.config.ts:

    optimizeDeps: {
      esbuildOptions: {
        target: 'esnext'
      }
    },
    build: {
      target: 'esnext'
    }

davidovich9 avatar May 08 '24 07:05 davidovich9

@davidovich9 I use react without nextjs and vite. When I set the resolution in the package.json, the message "2 high severity vulnerabilities" persists on npm install.

marvinjaworski avatar May 08 '24 09:05 marvinjaworski

> @davidovich9 I use react without nextjs and vite. When I set the resolution in the package.json, the message "2 high severity vulnerabilities" persists on npm install.

Are you using yarn, or npm?

yarn you can use resolutions in your package.json file.

And i believe the npm equivalent is overrides.

donovanclarke avatar May 08 '24 13:05 donovanclarke

Using overrides worked for us to remove the warning! What exactly is that doing to fix the issue?

bombillazo avatar May 08 '24 15:05 bombillazo

> Using overrides worked for us to remove the warning! What exactly is that doing to fix the issue?

Say you have package A.

And package B, C, D use A as a dependency, but they all use different versions of A.

A resolution or override basically centralizes that version to what you have in your resolution or override.

IMHO, its not a long term solution, but definitely can help out in times like this when we need to quickly get something out.

donovanclarke avatar May 08 '24 15:05 donovanclarke
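One way to confirm that an override or resolution actually took effect, as an added example that is not code from this thread or from the react-pdf project: walk the npm lockfile (lockfileVersion 2 or 3, where every installed copy is a key in the `packages` map) for each copy of pdfjs-dist, nested ones included, and flag any version inside the advisory's range `<=4.1.392`. The lockfile and package.json objects are constructed inline so the script runs offline; the range matcher handles only the comparator subset that advisories use, not the full npm range grammar. Function names and the sample data are assumptions of this example.

```javascript
// Added example (not from the react-pdf project or anyone in this thread):
// check a lockfile for every installed copy of a package and flag versions in
// the advisory's vulnerable range. The lock and package.json objects below are
// constructed inline; on a real project read them with
//   JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).

// Range from the advisory quoted in the thread (GHSA-wgrm-67xf-hhpq).
const VULNERABLE_RANGE = '<=4.1.392';

// Constructed lockfile (v3 layout). The top-level pdfjs-dist is patched, but
// react-pdf still carries its own nested, vulnerable copy, which is the
// situation an override or resolution is meant to collapse.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'react-pdf': '^8.0.2' } },
    'node_modules/pdfjs-dist': { version: '4.2.67' },
    'node_modules/react-pdf': { version: '8.0.2', dependencies: { 'pdfjs-dist': '3.11.174' } },
    'node_modules/react-pdf/node_modules/pdfjs-dist': { version: '3.11.174' },
  },
};

// Constructed package.json fragments: npm spells it `overrides`, yarn `resolutions`.
const PKG_NPM = { name: 'demo-app', overrides: { 'pdfjs-dist': '^4.2.67' } };
const PKG_YARN = { name: 'demo-app', resolutions: { 'pdfjs-dist': '^4.2.67' } };

// "4.1.392" -> [4, 1, 392]; a leading "v" and any prerelease/build suffix are ignored.
function parseVersion(v) {
  const core = String(v).trim().replace(/^[v=]/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

// -1, 0 or 1, comparing major, then minor, then patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Subset of the npm range grammar used by advisories: whitespace-separated
// comparators (<, <=, >, >=, =) that must all hold, with `||` for alternatives.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).filter(Boolean).every((comp) => {
      const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }),
  );
}

// Every installed copy of `name`, including copies nested under other packages.
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// The spec the project pins via overrides (npm) or resolutions (yarn), or null.
function declaredOverride(pkg, name) {
  return (pkg.overrides && pkg.overrides[name]) ||
         (pkg.resolutions && pkg.resolutions[name]) || null;
}

// One entry per installed copy; any `vulnerable: true` entry is what keeps
// `npm audit` complaining even after package.json declares an override.
function auditLock(lock, name, range) {
  return findInstalled(lock, name).map((entry) => ({
    ...entry,
    vulnerable: satisfies(entry.version, range),
  }));
}

// Stand-alone run over the constructed data.
const report = auditLock(SAMPLE_LOCK, 'pdfjs-dist', VULNERABLE_RANGE);
console.log('override declared in package.json:', declaredOverride(PKG_NPM, 'pdfjs-dist'));
for (const r of report) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.version.padEnd(9)} ${r.path}`);
}
```

Run against the constructed data it reports the top-level 4.2.67 as ok and the nested 3.11.174 as vulnerable; that nested copy is the case a declared override has not yet reached, and the lockfile, not package.json, is what `npm audit` reads. The check says nothing about whether the pinned version is API-compatible with the package that depended on the older one.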

The temporary override (pdfjs-dist -> 4.2.67) seems to fix the audit issues, but we (@marvinjaworski) are facing compatibility issues with react-pdf in version 8.0.2. So until we find a solution for this, the override doesn't work in all situations.

grueneerle avatar May 10 '24 10:05 grueneerle

> The temporary override (pdfjs-dist -> 4.2.67) seems to fix the audit issues, but we (@marvinjaworski) are facing compatibility issues with react-pdf in version 8.0.2. So until we find a solution for this, the override doesn't work in all situations.

I mean you are bumping a major version of pdfjs. It is more than likely there will be some sort of breaking change.

You could try linting your project to find where the import error is happening and fix it there. You may run into the same issue even with this library updating the dependency.

donovanclarke avatar May 13 '24 14:05 donovanclarke

"pdfjs-dist": "3.11.174", "react-pdf": "^0.0.10", this updated after I do npm i

nextjs app same problem

a-str-o avatar May 16 '24 11:05 a-str-o

Fixed for us by switching to react-pdf 9.0.0 and adapting breaking changes.

grueneerle avatar Jun 07 '24 08:06 grueneerle

Bumping this, this package is still vulnerable, I saw that the updated version was put in then reverted just over a month later: https://github.com/diegomura/react-pdf/commit/f64f3bd26c9ac1cdb0d894d4621cf2f985c8a64b https://github.com/diegomura/react-pdf/commit/3f5bf67d84ee784b6685cf603f04ac5f568a146d

RichardBoWatt avatar Dec 18 '24 11:12 RichardBoWatt

Why is pdfjs-dist being installed at all? It's a dev dependency here

diegomura avatar Jan 11 '25 04:01 diegomura

This is not shipped in react-pdf. Will close

diegomura avatar Mar 05 '25 00:03 diegomura