Closed wojtekmaj closed 4 months ago
This PR is currently breaking most setups that do not support top level await (including Vite - see code changes in test app in this PR). I consider this a deal breaker at the moment and therefore postpone merging it.
See https://github.com/mozilla/pdf.js/issues/17349 for more details.
Hi there, thank you for this - with the latest vulnerability in pdfjs-dist (https://osv.dev/vulnerability/GHSA-wgrm-67xf-hhpq), would it be possible to get an alpha release of this package from this PR? e.g. 9.0.0-alpha.1
@jacobshirley version 8.0.2 has been released to address the vulnerability.
@wojtekmaj Unfortunately, after updating react-pdf to version 8.0.2, the dependency pdfjs-dist is version 3.11.174 which is a vulnerable version and fails npm audits. Can pdfjs-dist be upgraded to 4.2.67? Thank you.
pdfjs-dist vulnerability: Affected versions <= 4.1.392; Patched versions 4.2.67
It's not vulnerable when used with the workaround we're leveraging. And no, we can't update it, reasons stated in the PR.
With your workaround patch, npm audit still fails.
Without a doubt, because we're using a pdfjs-dist version that was still vulnerable, unless a certain feature was disabled, which is exactly what React-PDF 7.7.3 and 8.0.2 are doing. You can safely dismiss the audit.
Our team uses the 'npm audit' script to check for vulnerable libraries. It is impossible to 'ignore' a specific vulnerability with it. Disabling the audits for the whole project is not an option.
So, you released the workaround, but it doesn't fix the audit issue.
We would appreciate if it would be fixed w/o a workaround.
Thank you in advance and have a good day!
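Added example, not part of the thread and not react-pdf's or npm's own code: a CI gate over parsed `npm audit --json` output that waives only the advisory discussed here for `pdfjs-dist` (and packages flagged solely because they depend on it) and fails on anything else. The function names, the waiver list and the sample report (including `example-lib` and its placeholder advisory id) are constructed; it assumes the npm 7+ report shape, where `vulnerabilities[name].via` holds advisory objects or the names of vulnerable dependencies.

```javascript
// Added example; waiver list and sample report are constructed for illustration.
const WAIVERS = [
  // Package name and advisory id as cited in the thread.
  { pkg: "pdfjs-dist", advisory: "GHSA-wgrm-67xf-hhpq" },
];

// Pull the GHSA id out of an advisory URL; null if there is none.
function ghsaId(url) {
  const m = /GHSA(-[0-9a-z]{4}){3}/i.exec(url || "");
  return m ? m[0].toLowerCase() : null;
}

// A package is waived only if every reason it is flagged is waived:
// advisory objects must match a waiver, string entries (a vulnerable
// dependency) must themselves resolve to waived packages.
function isWaived(name, vulns, waivers, seen = new Set()) {
  if (seen.has(name)) return true; // cycle: decided by the other entries
  seen.add(name);
  const entry = vulns[name];
  if (!entry || !Array.isArray(entry.via) || entry.via.length === 0) return false;
  return entry.via.every((v) =>
    typeof v === "string"
      ? isWaived(v, vulns, waivers, seen)
      : waivers.some((w) => w.pkg === name && w.advisory.toLowerCase() === ghsaId(v.url))
  );
}

function gateAudit(report, waivers = WAIVERS) {
  const vulns = report.vulnerabilities || {};
  const result = { blocking: [], waived: [] };
  for (const name of Object.keys(vulns)) {
    (isWaived(name, vulns, waivers) ? result.waived : result.blocking).push(name);
  }
  result.exitCode = result.blocking.length ? 1 : 0; // non-zero fails the CI step
  return result;
}

// Constructed sample in the npm 7+ `npm audit --json` shape (trimmed).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "pdfjs-dist": { name: "pdfjs-dist", via: [
      { name: "pdfjs-dist", url: "https://github.com/advisories/GHSA-wgrm-67xf-hhpq", range: "<=4.1.392" }] },
    "react-pdf": { name: "react-pdf", via: ["pdfjs-dist"] },
    "example-lib": { name: "example-lib", via: [ // placeholder package and advisory id
      { name: "example-lib", url: "https://github.com/advisories/GHSA-0000-0000-0000", range: "<1.0.0" }] },
  },
};
```

The waiver rests on the maintainer's statement that React-PDF 7.7.3 and 8.0.2 disable the affected feature, so it only holds while one of those versions is the one installed.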
@vik-buchinski You are more than welcome to sponsor them to prioritize the fix:
https://github.com/mozilla/pdf.js/issues/17245#issuecomment-2017812624
Please read my announcement regarding security vulnerability in https://github.com/wojtekmaj/react-pdf/discussions/1786 and please continue discussion regarding it there if needed.
Superseded by #1809
Closes #1664
Breaking changes (on top of #1690):
Blockers: