
Vulnerability in used pdfjs-dist version #2746

Open

Sogeman opened this issue May 7, 2024 · 11 comments

Comments

@Sogeman

Sogeman commented May 7, 2024

Describe the bug

from npm audit

pdfjs-dist <=4.1.392
Severity: high
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - GHSA-wgrm-67xf-hhpq

Is this something you can change here or is it further up the chain?

Edit: I see dependabot already added a PR for that

thanks

@marvinjaworski

Same problem here; we are very close to a release with our software, and this bug is a big problem for our compliance regulations. It would be important to fix this quickly please 🙏

@donovanclarke

donovanclarke commented May 7, 2024

Just another engineer chiming in on this 🙏🏽

Edit:

You could possibly use a resolution as a workaround. I will be testing this shortly.

@bombillazo

Updated my packages and got this warning as well.

@davidovich9

Temporary fix that worked for me:

  • in package.json:

```json
"resolutions": {
  "pdfjs-dist": "^4.2.67"
}
```

  • in vite.config.ts:

```ts
optimizeDeps: {
  esbuildOptions: {
    target: 'esnext'
  }
},
build: {
  target: 'esnext'
}
```

@marvinjaworski

@davidovich9 I use react without nextjs and vite. When I set the resolution in the package.json, the message "2 high severity vulnerabilities" persists on npm install.

@donovanclarke
Copy link

> @davidovich9 I use react without nextjs and vite. When I set the resolution in the package.json, the message "2 high severity vulnerabilities" persists on npm install.

Are you using yarn, or npm?

With yarn you can use resolutions in your package.json file.

And I believe the npm equivalent is overrides.

@bombillazo

bombillazo commented May 8, 2024

Using overrides worked for us to remove the warning! What exactly is that doing to fix the issue?

@donovanclarke

> Using overrides worked for us to remove the warning! What exactly is that doing to fix the issue?

Say you have package A.

And package B, C, D use A as a dependency, but they all use different versions of A.

A resolution or override basically centralizes that version to what you have in your resolution or override.

IMHO, it's not a long term solution, but it definitely can help out in times like this when we need to quickly get something out.
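The centralizing behaviour described in the comment above, and the follow-up question of whether the override really removed every vulnerable copy, as an added example (written for this page, not code from the thread, from react-pdf or from pdf.js). It reads the `overrides` (npm) / `resolutions` (yarn) key from package.json and then walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) to list every installed copy of pdfjs-dist, including nested copies under another package's own `node_modules`, and flags those still at or below 4.1.392, the upper bound quoted from `npm audit` at the top of the thread. The package.json objects, both lockfiles and the version numbers in them are constructed for the example; only the key names and the lockfile layout are real.

```javascript
// Added example (not code from the original thread or from react-pdf/pdf.js):
// verify that a package.json "overrides" (npm) or "resolutions" (yarn) entry for
// pdfjs-dist actually took effect, by reading the lockfile the package manager
// wrote instead of relying only on the `npm audit` summary. Both lockfiles and
// the package.json objects below are CONSTRUCTED; versions are illustrative.

const VULN_PKG = "pdfjs-dist";
// Upper bound of the affected range as quoted from npm audit in the thread (<= 4.1.392).
const VULN_MAX = "4.1.392";

// Parse "MAJOR.MINOR.PATCH" (optionally with a leading "v") into three numbers.
// Prerelease/build suffixes are ignored, which is fine for lockfile "version" fields.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1, comparing major, then minor, then patch.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The pinned range declared in package.json under either key, or null if none.
function declaredOverride(pkgJson, name) {
  const o = pkgJson.overrides && pkgJson.overrides[name];
  const r = pkgJson.resolutions && pkgJson.resolutions[name];
  return o || r || null;
}

// Walk a lockfileVersion 2/3 "packages" map and collect every installed copy of
// `name`, including nested ones such as node_modules/react-pdf/node_modules/pdfjs-dist
// that a hoisted copy at node_modules/pdfjs-dist does NOT replace.
function findInstalledVersions(lock, name) {
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== "" && path.endsWith(`node_modules/${name}`)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Installed copies whose version is still inside the affected range.
function vulnerableCopies(lock, name = VULN_PKG, maxAffected = VULN_MAX) {
  return findInstalledVersions(lock, name).filter(
    (c) => compareSemver(c.version, maxAffected) <= 0
  );
}

// Human-readable verdict for one package.json + lockfile pair.
function report(pkgJson, lock) {
  const pin = declaredOverride(pkgJson, VULN_PKG);
  const bad = vulnerableCopies(lock);
  const lines = [`override/resolution for ${VULN_PKG}: ${pin || "none"}`];
  for (const c of findInstalledVersions(lock, VULN_PKG)) {
    lines.push(`  ${c.path} -> ${c.version}`);
  }
  lines.push(
    bad.length
      ? `FAIL: ${bad.length} copy/copies still <= ${VULN_MAX}`
      : "OK: no affected copies installed"
  );
  return lines.join("\n");
}

// Constructed package.json with the npm form; yarn would use "resolutions" instead.
const pkgJsonWithOverride = { name: "my-app", overrides: { [VULN_PKG]: "^4.2.67" } };
const pkgJsonNoOverride = { name: "my-app" };

// Constructed lockfile BEFORE the override: a nested copy pinned by a consumer
// (react-pdf here) plus a hoisted copy, both inside the affected range.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/react-pdf": { version: "7.7.1" },
    "node_modules/react-pdf/node_modules/pdfjs-dist": { version: "3.11.174" },
    "node_modules/pdfjs-dist": { version: "4.0.379" },
  },
};

// Constructed lockfile AFTER `npm install` with the override: every requester now
// resolves to the single hoisted 4.2.67, which is what the override centralizes.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/react-pdf": { version: "7.7.1" },
    "node_modules/pdfjs-dist": { version: "4.2.67" },
  },
};

console.log(report(pkgJsonNoOverride, lockBefore));
console.log(report(pkgJsonWithOverride, lockAfter));
```

Against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("package-lock.json"))`; the walker only applies to npm's JSON lockfile, so for yarn use `yarn why pdfjs-dist` (or `npm ls pdfjs-dist` on npm) to get the same per-path view. Re-running this after the `npm audit` warning disappears is the check that matters, since the override collapsing every copy to one version is also what produces the react-pdf compatibility breakage reported further down the thread.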

@grueneerle

The temporary override (pdfjs-dist -> 4.2.67) seems to fix the audit issues, but we (@marvinjaworski) are facing compatibility issues with react-pdf in version 8.0.2.
[image]
So until we find a solution for this, the override doesn't work in all situations.

@donovanclarke

> The temporary override (pdfjs-dist -> 4.2.67) seems to fix the audit issues, but we (@marvinjaworski) are facing compatibility issues with react-pdf in version 8.0.2. So until we find a solution for this, the override doesn't work in all situations.

I mean, you are bumping a major version of pdfjs. It is more than likely there will be some sort of breaking change.

You could try linting your project to find where the import error is happening and fix it there. You may run into the same issue even with this library updating the dependency.

@a-str-o

a-str-o commented May 16, 2024

```json
"pdfjs-dist": "3.11.174",
"react-pdf": "^0.0.10",
```

This updated after I do `npm i`.

nextjs app, same problem

7 participants