Closed Tyre88 closed 1 month ago
Should be fixed via https://github.com/VadimDez/ng2-pdf-viewer/pull/1092 I suppose?
Cve is resolved, but updating would give some other benefits anyway
Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of https://github.com/VadimDez/ng2-pdf-viewer/issues/1078
Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078
Yeah, Upgrading 2->3 was also already a new major version, but I guess there weren't that much (breaking) changes anyway? But now with 3->4 a lot more would be required?
I would also prefer to have it upgraded. Npm still mentioned in version 10.2.2
the high severity vulnerability in pdf.js.
But they mentioned an workaround to set the option isEvalSupported
to false
.
How would that be applied in ng2-pdf-viewer?
I would also prefer to have it upgraded. Npm still mentioned in version
10.2.2
the high severity vulnerability in pdf.js.But they mentioned an workaround to set the option
isEvalSupported
tofalse
. How would that be applied in ng2-pdf-viewer?
In my understanding, it is done in this library to disable this option. This was patched here: #1092
The best and safest would be of course to upgrade the pdfjs-dist to the latest version, but I'm not sure if it's happening anytime soon.
It was fixed in this for me, thanks alot! https://github.com/VadimDez/ng2-pdf-viewer/pull/1092
Updating to version 4 and above would fix this #624 and possibly also this #824 (Note that 824 is not complete, but a stale bot forced it to be completed anyway...)
These are possibly breaking changes according to release notes from https://github.com/mozilla/pdf.js/releases/tag/v4.0.189.
I have highlighted (points 3 & 5) that may pose a challenge:
@Tyre88 , vulnerability issue is not getting fixed with "ng2-pdf-viewer": "10.2.2" & "pdfjs-dist": "^3.11.174" version , any idea how to resolve this? or can you help me which file needs to be updated as we are not using pdfjs-dist directly , what changes need to be done in ng2-pdf-viewer?
You could use this in the meantime https://github.com/intbot/ng2-pdfjs-viewer
Updated in 10.3.0
of ng2-pdf-viewer
Bug Report or Feature Request (mark with an
x
)