
[breaking] Update pdfjs-dist to 4.2.67

Open wojtekmaj opened this issue 1 year ago • 10 comments

Closes #1664

Breaking changes (on top of #1690):

  • Raised minimum version of Safari to 16.4

Blockers:

  • No Node.js compatibility at the moment (lack of Promise.withResolvers support), which prevents us from running unit tests

wojtekmaj avatar Apr 30 '24 11:04 wojtekmaj
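The blocker above is the missing `Promise.withResolvers` in the Node.js versions used for the unit tests. As an added example that is not react-pdf's or pdf.js's own code, this is a guarded polyfill of the kind a test setup file could install, plus a small deferred-style consumer (the "signal" sender is constructed for illustration):

```javascript
// Added example: guarded Promise.withResolvers polyfill for a Node.js test
// setup file. Not react-pdf's or pdf.js's code. It installs only when the
// runtime lacks the method, so newer Node versions keep the native one.
function installWithResolversPolyfill(promiseCtor = Promise) {
  if (typeof promiseCtor.withResolvers === 'function') {
    return false; // native (or previously installed) support present
  }
  Object.defineProperty(promiseCtor, 'withResolvers', {
    configurable: true,
    writable: true,
    enumerable: false, // match the spec: static methods are non-enumerable
    value: function withResolvers() {
      let resolve;
      let reject;
      // `this` is the constructor the method was called on, as in the spec
      const promise = new this((res, rej) => {
        resolve = res;
        reject = rej;
      });
      return { promise, resolve, reject };
    },
  });
  return true;
}

// Deferred-style consumer: resolves once the caller-supplied sender fires.
// `sendSignal` is a constructed stand-in for an asynchronous event source.
async function waitForSignal(sendSignal) {
  const { promise, resolve, reject } = Promise.withResolvers();
  sendSignal(resolve, reject);
  return promise;
}

installWithResolversPolyfill();
```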

This PR is currently breaking most setups that do not support top-level await (including Vite - see code changes in the test app in this PR). I consider this a deal breaker at the moment and therefore postpone merging it.

See https://github.com/mozilla/pdf.js/issues/17349 for more details.

wojtekmaj avatar Apr 30 '24 11:04 wojtekmaj

Hi there, thank you for this - with the latest vulnerability in pdfjs-dist (https://osv.dev/vulnerability/GHSA-wgrm-67xf-hhpq), would it be possible to get an alpha release of this package from this PR? e.g. 9.0.0-alpha.1

jacobshirley avatar May 07 '24 10:05 jacobshirley

@jacobshirley version 8.0.2 has been released to address the vulnerability.

wojtekmaj avatar May 07 '24 14:05 wojtekmaj

> @jacobshirley version 8.0.2 has been released to address the vulnerability.

@wojtekmaj Unfortunately, after updating react-pdf to version 8.0.2, the dependency pdfjs-dist is version 3.11.174 which is a vulnerable version and fails npm audits. Can pdfjs-dist be upgraded to 4.2.67? Thank you.

pdfjs-dist vulnerability
  • Affected versions: <= 4.1.392
  • Patched versions: 4.2.67

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Hcrab2336 avatar May 07 '24 20:05 Hcrab2336

It's not vulnerable when used with the workaround we're leveraging. And no, we can't update it, for the reasons stated in the PR.

wojtekmaj avatar May 07 '24 20:05 wojtekmaj

With your workaround patch, npm audit still fails.

codeWriter6 avatar May 08 '24 06:05 codeWriter6

Without a doubt, because we're using a pdfjs-dist version that was still vulnerable unless a certain feature was disabled, which is exactly what React-PDF 7.7.3 and 8.0.2 are doing. You can safely dismiss the audit.

wojtekmaj avatar May 08 '24 06:05 wojtekmaj

> Without a doubt, because we're using a pdfjs-dist version that was still vulnerable unless a certain feature was disabled, which is exactly what React-PDF 7.7.3 and 8.0.2 are doing. You can safely dismiss the audit.

Our team uses an 'npm audit' script to check for vulnerable libraries. It is impossible to 'ignore' a specific vulnerability with it. Disabling the audits for the whole project is not an option.

So, you released the workaround, but it doesn't fix the audit issue.

We would appreciate it if it were fixed w/o a workaround.

Thank you in advance and have a good day!

vik-buchinski avatar May 08 '24 07:05 vik-buchinski

@vik-buchinski You are more than welcome to sponsor them to prioritize the fix:

https://github.com/mozilla/pdf.js/issues/17245#issuecomment-2017812624

stevelizcano avatar May 08 '24 07:05 stevelizcano

Please read my announcement regarding the security vulnerability in https://github.com/wojtekmaj/react-pdf/discussions/1786 and please continue the discussion regarding it there if needed.

wojtekmaj avatar May 08 '24 07:05 wojtekmaj

Superseded by #1809

wojtekmaj avatar May 29 '24 11:05 wojtekmaj