New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability in used pdfjs-dist version #2746
Comments
Same problem here, we are very close to a release with our software and this bug is a big problem for our compliance regulations. It would be important to fix this quickly please 🙏 |
Just another engineer chiming in on this 🙏🏽 Edit: You could possibly use a resolution as a workaround. I will be testing this shortly. |
Updated my packages and got this warning as well. |
Temporary fix that worked for me:
|
@davidovich9 I use react without nextjs and vite. When I set the resolution in the package.json, the message "2 high severity vulnerabilities" persists on npm install. |
Are you using yarn, or npm? yarn you can use And i believe the npm equivalent is |
Using |
Say you have package A. And package B, C, D use A as a dependency, but they all use different versions of A. A resolution or override basically centralizes that version to what you have in your resolution or override. IMHO, its not a long term solution, but definitely can help out in times like this when we need to quickly get something out. |
The temporary override ( |
I mean you are bumping a major version of pdfjs. It is more than likely their will be some sort of breaking change. You could try linting your project to find where the import error is happening and fix it there. You may run into the same issue even with this library updating the dependency. |
"pdfjs-dist": "3.11.174", nextjs app same problem |
Describe the bug
from npm audit
pdfjs-dist <=4.1.392
Severity: high
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - GHSA-wgrm-67xf-hhpq
Is this something you can change here or is it further up the chain?
Edit: I see dependabot already added a PR for that
thanks
The text was updated successfully, but these errors were encountered: