wojtekmaj / react-pdf

Display PDFs in your React app as easily as if they were images.
https://projects.wojtekmaj.pl/react-pdf
MIT License
9.34k stars, 882 forks

Fix the isEvalSupported security issue for version 6.2.x #1789

Closed NathanJozef closed 3 weeks ago

NathanJozef commented 4 months ago

Description

Require a fix for the isEvalSupported security issue. Well-documented issue here. This would allow backwards compatibility for users stuck on Node 16.

Steps to reproduce

Run auditing tool on v6.2.2

Expected behavior

Security vulnerability is addressed.

Actual behavior

Audit passes with a warning, not an error.

Additional information

I have a branch ready to push if you want to review it as a PR. Would need collaborator status to push the branch.

MartijnHols commented 4 months ago

You can manually pass options={{isEvalSupported: false}} to Document.

Dispersia commented 4 months ago

Also, the latest version sets it to false automatically, so unless you're overriding it, it is also safe: https://github.com/wojtekmaj/react-pdf/blob/6bfef4b021da04b16d91bc219c4b6cbbd81da22b/packages/react-pdf/src/Document.tsx#L190 even though the dependency isn't updated (so it doesn't fix alerts, but it fixes the vulnerability).

wojtekmaj commented 4 months ago

so unless you're overriding it it is also safe:

Even if you're overriding it, it's safe, because we're forcing this to be false now. :)

xlj-code commented 4 months ago

You can manually pass options={{isEvalSupported: false}} to Document.

Hello, does this also work with version 6.2.2? I see this option in DocumentInitParameters, but I cannot prove it, because I cannot get isEvalSupported with version 6.2.2. How can I know, after I set isEvalSupported to false, that this option has changed to false?

ramondeklein commented 4 months ago

Although it may be safe, having a dependency on pdfjs-dist that is below 4.2.67 will yield the following error when running yarn audit --groups dependencies:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ PDF.js vulnerable to arbitrary JavaScript execution upon     │
│               │ opening a malicious PDF                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pdfjs-dist                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.67                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-pdf                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-pdf > pdfjs-dist                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097244                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

It would be good to upgrade to a later version anyway. The current version of react-pdf is based on pdf.js v3, but there are some breaking changes in v4.

ra3orblade commented 4 months ago

You can manually pass options={{isEvalSupported: false}} to Document.

Hello, does this also work with version 6.2.2? I see this option in DocumentInitParameters, but I cannot prove it, because I cannot get isEvalSupported with version 6.2.2. How can I know, after I set isEvalSupported to false, that this option has changed to false?

Just checked it, it works.

wojtekmaj commented 4 months ago

It would be good to upgrade to a later version anyway. The current version of react-pdf is based on pdf.js v3, but there are some breaking changes in v4.

I wholeheartedly agree @ramondeklein, but please have a read here: https://github.com/wojtekmaj/react-pdf/discussions/1786

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 14 days.

github-actions[bot] commented 3 weeks ago

This issue was closed because it has been stalled for 14 days with no activity.