Closed NathanJozef closed 3 weeks ago
You can manually pass options={{isEvalSupported: false}}
to Document.
Also, the latest version sets it to false automatically, so unless you're overriding it, it is also safe: https://github.com/wojtekmaj/react-pdf/blob/6bfef4b021da04b16d91bc219c4b6cbbd81da22b/packages/react-pdf/src/Document.tsx#L190 even though the dependency isn't updated (so it doesn't fix the alerts, but it fixes the vulnerability).
> so unless you're overriding it it is also safe:

Even if you're overriding it, it's safe, because we're forcing this to be false now. :)
> You can manually pass options={{isEvalSupported: false}} to Document.

Hello, does this also work with version 6.2.2? I see this option in DocumentInitParameters, but I can not prove it, because I can not get isEvalSupported with version 6.2.2. How can I know, after I set isEvalSupported to false, that this option changed to false?
Although it may be safe, having a dependency on pdfjs-dist that is below 4.2.67 will yield the following error when running yarn audit --groups dependencies:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ PDF.js vulnerable to arbitrary JavaScript execution upon     │
│               │ opening a malicious PDF                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pdfjs-dist                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.67                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-pdf                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-pdf > pdfjs-dist                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097244                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
It would be good to upgrade to a later version anyway. The current version of react-pdf is based on pdf.js v3, but there are some breaking changes in v4.
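The two mitigations discussed in this thread, forcing isEvalSupported off no matter what a caller passes (the behaviour the maintainer describes above) and checking the installed pdfjs-dist against the "Patched in" version from the audit output, as an added example. This is not code from react-pdf, pdf.js or anyone in the thread; the helper names are hypothetical and the version strings and option values in the usage are constructed samples.

```javascript
// Added example (not react-pdf's or pdf.js's own code). Helper names are
// hypothetical; only `isEvalSupported`, `cMapUrl` and the version 4.2.67
// come from the thread / pdf.js DocumentInitParameters.

const PATCHED_PDFJS = "4.2.67"; // "Patched in" version from the yarn audit table

// Returns a fresh options object for pdf.js getDocument() / react-pdf's
// <Document options={...}> with isEvalSupported pinned to false, even when the
// caller asked for true. Everything else the caller passed is preserved.
function hardenDocumentOptions(userOptions = {}) {
  if (userOptions.isEvalSupported === true) {
    console.warn("isEvalSupported: true was requested; forcing it to false");
  }
  return { ...userOptions, isEvalSupported: false };
}

// Numeric comparison of dotted version strings: -1, 0 or 1.
// No pre-release handling; enough for the x.y.z strings npm audit prints.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed pdfjs-dist is at or above the patched release,
// i.e. when the audit finding itself would go away.
function isPatchedPdfjs(installedVersion) {
  return compareVersions(installedVersion, PATCHED_PDFJS) >= 0;
}

// Summarise the state of an install: is the dependency patched (audit clean),
// and is the eval path disabled (vulnerability mitigated even if not patched)?
function assessInstall({ pdfjsVersion, documentOptions }) {
  const options = hardenDocumentOptions(documentOptions);
  return {
    options,
    auditClean: isPatchedPdfjs(pdfjsVersion),
    evalDisabled: options.isEvalSupported === false,
  };
}

// Constructed sample: an unpatched 3.x pdf.js with a caller that tried to
// turn eval on. The resulting `options` is what you would hand to
// <Document file={file} options={options} />; keep that object stable across
// renders (define it once outside the component) so the document is not reloaded.
const sample = assessInstall({
  pdfjsVersion: "3.0.0",
  documentOptions: { cMapUrl: "/cmaps/", isEvalSupported: true },
});
console.log(sample);
// { options: { cMapUrl: '/cmaps/', isEvalSupported: false },
//   auditClean: false, evalDisabled: true }
```

`auditClean` and `evalDisabled` are deliberately separate: as the thread notes, forcing the option off removes the exploitable behaviour while the audit warning stays until pdfjs-dist itself is bumped past 4.2.67.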
> You can manually pass options={{isEvalSupported: false}} to Document.

> Hello, does this also work with version 6.2.2? I see this option in DocumentInitParameters, but I can not prove it, because I can not get isEvalSupported with version 6.2.2. How can I know, after I set isEvalSupported to false, that this option changed to false?

Just checked it, it works.
> It would be good to upgrade to a later version anyway. The current version of react-pdf is based on pdf.js v3, but there are some breaking changes in v4.

I wholeheartedly agree @ramondeklein, but please have a read here: https://github.com/wojtekmaj/react-pdf/discussions/1786
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 14 days.
This issue was closed because it has been stalled for 14 days with no activity.
Before you start - checklist
Description
Require a fix for the isEvalSupported security issue. Well-documented issue here. This would allow backwards compatibility for users stuck on Node 16.
Steps to reproduce
Run an auditing tool on v6.2.2.
Expected behavior
Security vulnerability is addressed.
Actual behavior
Audit passes with a warning, not an error.
Additional information
I have a branch ready to push if you want to review it as a PR. Would need collaborator status to push the branch.
Environment