Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency pdfjs-dist to v4 [SECURITY] #41

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 8, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pdfjs-dist (source) 2.16.105 -> 4.2.67 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-4367

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645


Release Notes

mozilla/pdf.js (pdfjs-dist)

v4.2.67

Compare Source

This release includes a new JPX decoder, based on OpenJPEG, which improves JPX image rendering performance and correctness. Moreover, this release contains improvements for the annotation editor, font conversion and the viewer.

Note that text selection boxes for some PDF files may overlap visually. This is a known issue that we currently track in https://github.com/mozilla/pdf.js/issues/17561.

Changes since v4.1.392

v4.1.392

Compare Source

This release features improvements, bugfixes and optimizations for accessibility, annotation rendering, annotation editing, font rendering, form handling, image rendering, text selection and the viewer.

Note that text selection boxes for some PDF files may overlap visually. This is a known issue that we currently track in #​17561.

Changes since v4.0.379

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file npm security labels May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file npm security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants