PDF.js Vulnerability #234
Comments
Thanks for the heads up. Unfortunately, this fix has not been backported to v3. v4 is a breaking change which no longer includes a CommonJS export, so there is no way that we can fix this without forcing all users of this package to upgrade to ESM modules. Even a dynamic import (
Ok, thank you for checking. I also tried upgrading pdfjs-dist. I couldn't find a way to make it work.
In mozilla/pdf.js#18168 (comment), the maintainers confirmed that the patch will not be backported to v3. So, I've released a new version of this module, which sets
Hello, We are having audit issues because of pdfjs-dist. By reading this issue, I understand that although eval is set to false, the "problematic" dependency still exists, and that there is no way around it. Is this right? If so, is there a way we can just ignore that in the audit scripts?
Yes, if you upgrade to v3 of this library, then Unfortunately, audit tools won't understand this :( I'm looking into alternative solutions that won't force everyone to use ESM modules and Node.js v22, but there's no straightforward solution.
The pdfjs-dist dependency is pinned to version 3.2.146 which has vulnerability CVE-2024-4367. This is fixed in pdfjs-dist version 4.2.67.
This should be solved by #233... but there is a problem with "PromiseWithResolvers". The TypeScript error might be avoided by setting skipLibCheck in tsconfig.
Unfortunately that still leaves the following error, which I don't know how to solve.
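For readers triaging the same audit finding, the following added example (not code from this project or from the thread) walks the `packages` map of an npm lockfile and reports every installed copy of pdfjs-dist older than the fixed version named in the issue. The lockfile contents and the `example-pdf-lib` package name are constructed for illustration.

```javascript
// Added example: flag pdfjs-dist copies that predate the fix for CVE-2024-4367.
// Versions are taken from the issue text: 3.2.146 is pinned, 4.2.67 has the fix.
const FIXED_VERSION = "4.2.67";

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly older than b (numeric, not string, comparison).
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a lockfile (lockfileVersion 2 or 3) and report
// every pdfjs-dist install, including copies nested under other dependencies.
function findPdfjsDist(lockfile) {
  const fixed = parseVersion(FIXED_VERSION);
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/pdfjs-dist")) continue;
    const parsed = parseVersion(meta.version);
    findings.push({
      path,
      version: meta.version,
      // Unparseable versions are reported as vulnerable so they get reviewed.
      vulnerable: parsed === null || isOlder(parsed, fixed),
    });
  }
  return findings;
}

// Constructed sample lockfile: one nested vulnerable copy, one fixed top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-pdf-lib": { version: "0.2.1" },
    "node_modules/example-pdf-lib/node_modules/pdfjs-dist": { version: "3.2.146" },
    "node_modules/pdfjs-dist": { version: "4.2.67" },
  },
};

for (const f of findPdfjsDist(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"}  ${f.version}  ${f.path}`);
}
```

A version match only shows which copy is installed; it cannot tell whether the consuming library has disabled eval, which is the limitation of audit tools raised in the comments.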