
Updated react-pdf dependency #3342

Merged
merged 1 commit into from
May 10, 2024
Conversation

bexsoft
Collaborator

@bexsoft bexsoft commented May 10, 2024

What does this do?

Updated react-pdf dependency as mentioned in wojtekmaj/react-pdf#1786

According to this document, the audit alert will still appear until mozilla/pdf.js#18051 gets merged & applied to the react-pdf library. In the meantime the issue cannot be exploited, as react-pdf in its latest version enforced setting the isEvalSupported function to false.

bayasdev
bayasdev previously approved these changes May 10, 2024
Signed-off-by: Benjamin Perez <benjamin@bexsoft.net>
@prakashsvmx
Member

@bexsoft looks like it is failing in CI
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ PDF.js vulnerable to arbitrary JavaScript execution upon │
│ │ opening a malicious PDF │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ pdfjs-dist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.2.67 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-pdf │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ react-pdf > pdfjs-dist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1097244 │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 540

@bexsoft
Collaborator Author

bexsoft commented May 10, 2024

Yes @prakashsvmx, this is expected according to wojtekmaj/react-pdf#1786; this updated react-pdf version avoids the exploit of this issue, according to the creator of the library.
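The thread above leaves CI red on a finding the maintainers have judged unreachable (react-pdf forces isEvalSupported to false) while the upstream pdf.js fix is pending. A common defender's answer is to gate `yarn audit --json` through a small script that suppresses exactly that advisory, only on the stated dependency path and only until a review date, so the exception cannot silently outlive the upstream fix. The following is an added example written for this page; it is not code from the minio/console repository or from react-pdf. It assumes yarn v1's newline-delimited audit JSON shape (records of type "auditAdvisory" with data.advisory and data.resolution.path), which is recalled from yarn's output rather than taken from this page, and the sample records and expiry date are constructed; the advisory id 1097244 and the path react-pdf > pdfjs-dist come from the audit output in this thread.

```javascript
// Added example (not part of the minio/console PR or react-pdf): a CI gate for
// `yarn audit --json` that suppresses one known advisory only while a documented,
// path-specific, time-boxed exception is in force.
//
// Assumption: yarn v1 emits newline-delimited JSON with "auditAdvisory" records
// carrying data.advisory.{id,severity,module_name,title,patched_versions} and
// data.resolution.path. Field names are from memory of yarn's output, not from the page.

// Each exception records the advisory id, the exact dependency path, the reason
// (here: react-pdf sets isEvalSupported to false, so the pdf.js bug is not reachable)
// and an expiry date after which the finding blocks the build again.
const ALLOWLIST = [
  {
    id: 1097244,                   // advisory id from the thread's yarn audit output
    path: "react-pdf>pdfjs-dist",  // suppress only when reached via this path
    reason: "react-pdf forces isEvalSupported=false; waiting for mozilla/pdf.js#18051",
    expires: "2024-08-01",         // constructed review date; the exception dies with it
  },
];

// Parse yarn's NDJSON audit output into plain finding objects.
function parseAudit(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip banners and warnings
    if (rec.type !== "auditAdvisory") continue;
    const adv = rec.data.advisory;
    findings.push({
      id: adv.id,
      severity: adv.severity,
      module: adv.module_name,
      title: adv.title,
      patchedIn: adv.patched_versions,
      path: rec.data.resolution.path,
    });
  }
  return findings;
}

// Split findings into suppressed (covered by an unexpired, path-matching
// exception) and blocking (everything else, including the same advisory
// reached through a path the exception does not name).
function gateAudit(ndjson, allowlist = ALLOWLIST, now = new Date()) {
  const suppressed = [];
  const blocking = [];
  for (const f of parseAudit(ndjson)) {
    const rule = allowlist.find((r) => r.id === f.id && r.path === f.path);
    const active = rule && new Date(rule.expires) > now;
    if (active) suppressed.push({ ...f, reason: rule.reason });
    else blocking.push(f);
  }
  return { suppressed, blocking };
}

// Process exit code a CI step would return: fail only on blocking findings.
function exitCodeFor(result) {
  return result.blocking.length === 0 ? 0 : 1;
}

// Constructed sample of yarn audit NDJSON: the thread's advisory plus a
// placeholder second advisory with no exception, and the trailing summary record.
const SAMPLE_AUDIT = [
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 1097244, path: "react-pdf>pdfjs-dist", dev: false },
    advisory: { id: 1097244, severity: "high", module_name: "pdfjs-dist",
      title: "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
      patched_versions: ">=4.2.67" } } }),
  JSON.stringify({ type: "auditAdvisory", data: {
    resolution: { id: 999999, path: "some-tool>example-lib", dev: true },
    advisory: { id: 999999, severity: "moderate", module_name: "example-lib",
      title: "constructed placeholder advisory", patched_versions: ">=2.0.0" } } }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { high: 1, moderate: 1 } } }),
].join("\n");

// Stand-alone demonstration on the constructed sample at the PR's merge date.
const demo = gateAudit(SAMPLE_AUDIT, ALLOWLIST, new Date("2024-05-10"));
for (const f of demo.suppressed) console.log(`suppressed ${f.id} via ${f.path}: ${f.reason}`);
for (const f of demo.blocking) {
  console.log(`BLOCKING ${f.severity} ${f.module} (${f.id}) via ${f.path}, patched in ${f.patchedIn}`);
}
console.log(`exit code ${exitCodeFor(demo)}`);
```

In a pipeline the script would read the piped output of `yarn audit --json` and exit with `exitCodeFor`; the three conditions on the exception (same advisory id, same path, not yet expired) are what keep the suppression from turning into a blanket ignore of pdfjs-dist findings.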

@bexsoft bexsoft merged commit 9e0a020 into minio:master May 10, 2024
31 of 33 checks passed

4 participants