Update pdfjs-dist to 4.2.67 or later
Tyre88 opened this issue · 10 comments
Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [ ] Bug report -> please search issues before submitting
- [x] Feature request
- [ ] Documentation issue or request
Should be fixed via #1092 I suppose?
Cve is resolved, but updating would give some other benefits anyway
Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078
Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078
Yeah,
Upgrading 2->3 was also already a new major version, but I guess there weren't that much (breaking) changes anyway? But now with 3->4 a lot more would be required?
Yes, 2 -> 3 was a major version in terms of semver, but wasnt too bad. 3 --> 4 is much bigger, imho of course, see https://github.com/mozilla/pdf.js/releases/tag/v4.0.189
I havent looked at it again, again its of course not impossible but unfortunately I think significantly more
I would also prefer to have it upgraded. Npm still mentioned in version 10.2.2 the high severity vulnerability in pdf.js.
But they mentioned an workaround to set the option isEvalSupported to false.
How would that be applied in ng2-pdf-viewer?
I would also prefer to have it upgraded. Npm still mentioned in version
10.2.2the high severity vulnerability in pdf.js.But they mentioned an workaround to set the option
isEvalSupportedtofalse. How would that be applied in ng2-pdf-viewer?
In my understanding, it is done in this library to disable this option. This was patched here: #1092
The best and safest would be of course to upgrade the pdfjs-dist to the latest version, but I'm not sure if it's happening anytime soon.
Updating to version 4 and above would fix this #624 and possibly also this #824 (Note that 824 is not complete, but a stale bot forced it to be completed anyway...)
- [api-major] Remove the SVG back-end (PR 15173 follow-up) by @Snuffleupagus in https://github.com/mozilla/pdf.js/pull/16699[api-major] Output JavaScript modules in the builds (issue 10317) by @Snuffleupagus in mozilla/pdf.js#17055
- [api-major] Remove various deprecated functionality and options by @Snuffleupagus in mozilla/pdf.js#16774
- [api-major] Output JavaScript modules in the builds (issue 10317) by @Snuffleupagus in mozilla/pdf.js#17055
- [api-minor] Stop polyfilling structuredClone in legacy builds by @Snuffleupagus in mozilla/pdf.js#17086
- [api-minor] Move to Fluent for the localization (bug 1858715) by @calixteman in mozilla/pdf.js#17115
These are possibly breaking changes according to release notes from https://github.com/mozilla/pdf.js/releases/tag/v4.0.189.
I have highlighted (points 3 & 5) that may pose a challenge:
- Output JavaScript modules in the builds - This will require looking at where new ones are and how to load them properly.
- I have no clue how, if at all, translations are handled in this package...
@Tyre88 , vulnerability issue is not getting fixed with "ng2-pdf-viewer": "10.2.2" & "pdfjs-dist": "^3.11.174" version , any idea how to resolve this? or can you help me which file needs to be updated as we are not using pdfjs-dist directly , what changes need to be done in ng2-pdf-viewer?
You could use this in the meantime https://github.com/intbot/ng2-pdfjs-viewer