hajareshyam / pdf-creator-node

This package is used to generate HTML to PDF in Nodejs
MIT License
238 stars 80 forks source link

html-pdf@3.0.1 deprecated and embeds vulnerability #115

Open boly38 opened 1 year ago

boly38 commented 1 year ago

Hi thanks for this lib!

it seems that right now, html-pdf@3.0.1 (source) is deprecated and embeds vulnerability

└─┬ pdf-creator-node@2.3.5
  └─┬ html-pdf@3.0.1
    └─┬ phantomjs-prebuilt@2.1.16
      └── request@2.88.2

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  phantomjs-prebuilt  *
  Depends on vulnerable versions of request
  node_modules/phantomjs-prebuilt
    html-pdf  >=2.0.0
    Depends on vulnerable versions of phantomjs-prebuilt
    node_modules/html-pdf
      pdf-creator-node  *
      Depends on vulnerable versions of html-pdf
      node_modules/pdf-creator-node

as html-pdf is deprecated, there is a tips on npmjs page to move to puppeteer.

IDK really the impact :) but did you plan to migrate dep in order to fix the request moderate vulnerability ?

Thanks