Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency pdfjs-dist to v4 [security] #1010

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 7, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pdfjs-dist (source) ^2.1.266 -> ^4.2.67 age adoption passing confidence
pdfjs-dist (source) 2.12.313 -> 4.2.67 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-4367

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
https://github.com/mozilla/pdf.js/pull/18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645


Release Notes

mozilla/pdf.js (pdfjs-dist)

v4.2.67

Compare Source

This release includes a new JPX decoder, based on OpenJPEG, which improves JPX image rendering performance and correctness. Moreover, this release contains improvements for the annotation editor, font conversion and the viewer.

Note that text selection boxes for some PDF files may overlap visually. This is a known issue that we currently track in https://github.com/mozilla/pdf.js/issues/17561.

Changes since v4.1.392

v4.1.392

Compare Source

This release features improvements, bugfixes and optimizations for accessibility, annotation rendering, annotation editing, font rendering, form handling, image rendering, text selection and the viewer.

Note that text selection boxes for some PDF files may overlap visually. This is a known issue that we currently track in #​17561.

Changes since v4.0.379

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 7, 2024 14:27
@renovate renovate bot added the dependencies Pull requests that update a dependency file label May 7, 2024
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 2 times, most recently from f7defb6 to 0f28a30 Compare May 23, 2024 14:35
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch from 0f28a30 to c2a7cda Compare June 17, 2024 08:21
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 2 times, most recently from bac3091 to dd98cea Compare July 18, 2024 10:28
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 3 times, most recently from 5f618c9 to 829911e Compare July 26, 2024 13:55
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch from 829911e to 8b6629b Compare August 6, 2024 08:10
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 2 times, most recently from 89eb1e0 to 4d90677 Compare September 17, 2024 07:26
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 2 times, most recently from 1d4b3fe to 881bd4f Compare October 9, 2024 12:53
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch 3 times, most recently from 528fe28 to 418e1ba Compare October 16, 2024 20:01
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch from 418e1ba to 51677f7 Compare October 28, 2024 16:54
@renovate renovate bot force-pushed the renovate/npm-pdfjs-dist-vulnerability branch from 51677f7 to 1f98ec2 Compare October 28, 2024 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants