21 high severity vulnerabilities #1752
Comments
Same here. NPM audit is reporting a vulnerability in pdfjs-dist v3 and we need to upgrade to v4. However, react-pdf-viewer doesn't seem to be compatible with it. When is react-pdf-core going to be upgraded to support v4 of PDF.js?
Bumping this as well. There is a High vulnerability with pdfjs-dist v3. If react-pdf-viewer could upgrade to pdfjs-dist v4 ASAP it would be much appreciated.
Adding in as well. https://www.tenable.com/cve/CVE-2024-4367 in particular is being flagged by our Snyk monitoring.
Bumping again -- when could we expect a release that addresses the vulnerability?
Any information at all would be helpful, @phuocng. And, as many have mentioned, there are a number of us who would be happy to help out on getting a stable release out. Thanks.
I think this project is abandoned and I'm not sure if the owner is still present.
Maybe we will consider a fork or something like that.
I would support a fork as well, but sadly with the project's LICENSE, this is also not really an option.
@adrianmxb if we've purchased a license, wouldn't that enable us to use a fork where we patch the security vulnerability? The license is worthless otherwise, as we'd have to remove the application from our stack, assuming the project is abandoned. According to react-pdf-viewer's license: You are allowed to:
You are NOT allowed to:
@vicent4no I am not a lawyer, and this is not legal advice, but I believe re-distribute refers to copying the repository and re-selling it to people for profit, modified or not. This repository is public in any case; if you use At present, there are 206 forks of this repository. I believe it would be fine if someone forked it and patched the security vulnerability in question.
Hello guys,
Has anyone tried the transformGetDocumentParams function?
Yes, this works as advertised. It is the correct mitigation to the vulnerability referenced here. #1752 (comment)
@phuocng is this project still maintained? |
Awesome, I saw the details of the workaround and I tried to set it right in the Document base object of pdfjs but it did not work as expected. I did not see that param of
Recently, when integrating a new package into my project, I encountered security vulnerabilities with react-pdf-viewer/core. Despite attempting to resolve them using npm audit fix, the issue persists. Any idea on how I can fix this?