Critical Security Vulnerability in dependency package "pdfjs"
bdalvandi-awaremd opened this issue · 6 comments
Bug Report or Feature Request (mark with an `x`)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [X] Bug report -> please search issues before submitting
- [ ] Feature request
- [ ] Documentation issue or request
The latest version of `ng2-pdf-viewer` (10.2.2) has a dependency on `pdfjs-dist` version `3.11.x`, which has recently been discovered to have an extremely critical vulnerability, allowing attacks on the domain.
The latest version of `pdfjs-dist` has remediated that vulnerability. I am wondering if a new version of `ng2-pdf-viewer` is coming out soon that uses the latest version and remediates this vulnerability?
Did you search? Multiple issues cover this already
Yes. But I don't see any of them clearly explaining how to overcome the vulnerability. The closest thing I have seen is ppl mentioning to set the `eval` to `false` or something, but where and how is not clear.
Can you by any chance point me to a clear solution? Thanks.
I agree it's not clear how to resolve this security issue. Is there a patch or update coming?
Does anyone know what the effort is to update the dependency to pdfjs 4.x?
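A defender-side check for the situation this issue describes, added here as an example and not code from ng2-pdf-viewer or pdf.js: it lists every installed copy of `pdfjs-dist` in an npm lockfile, flags copies older than a given fixed release, and names the packages that declare the dependency. The lockfile contents, the function names and the `9.9.9` threshold are constructed placeholders; the thread does not state the fixed version, so take it from the pdf.js advisory.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout (not from the issue).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "ng2-pdf-viewer": "^10.2.2" } },
    "node_modules/ng2-pdf-viewer": {
      version: "10.2.2",
      dependencies: { "pdfjs-dist": "~3.11.174" },
    },
    "node_modules/pdfjs-dist": { version: "3.11.174" },
    "node_modules/other-lib/node_modules/pdfjs-dist": { version: "9.9.9" },
  },
};

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per component, so 3.11.x is correctly newer than 3.9.x.
function isOlder(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Report every installed copy of pdfjs-dist, including nested ones, with a
// flag for copies older than fixedVersion and the packages that declare it.
function auditPdfjs(lock, fixedVersion) {
  const entries = Object.entries(lock.packages || {});
  const copies = entries
    .filter(([path]) => path.endsWith("node_modules/pdfjs-dist"))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      outdated: isOlder(meta.version, fixedVersion),
    }));
  const requiredBy = entries
    .filter(([, meta]) => meta.dependencies && "pdfjs-dist" in meta.dependencies)
    .map(([path, meta]) => `${path.split("node_modules/").pop()}@${meta.version}`);
  return { copies, requiredBy };
}

// "9.9.9" is a placeholder threshold; substitute the fixed release from the pdf.js advisory.
console.log(JSON.stringify(auditPdfjs(sampleLock, "9.9.9"), null, 2));
```

Nested copies matter here because upgrading the top-level `pdfjs-dist` does not change a copy installed under another package's own `node_modules`.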