minio/console

Fix `pdfjs-dist` vulnerability (advisory: 1097244)

ramondeklein opened this issue · 2 comments

The yarn audit --groups dependencies check fails, because of a vulnerability in pdfjs-dist:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ PDF.js vulnerable to arbitrary JavaScript execution upon     │
│               │ opening a malicious PDF                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pdfjs-dist                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.67                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-pdf                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-pdf > pdfjs-dist                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097244                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

We use react-pdf and it uses pdfjs-dist v3.11.174. Upgrading to v4.2.67 isn't trivial, but it looks like the vulnerability doesn't affect react-pdf, because it forces isEvalSupported to false (source). More information can be found here: wojtekmaj/react-pdf#1786.

We are currently using Yarn classic (v1), but the current version of Yarn (v4) is able to:

  • Report deprecated packages.
  • Ignore specific advisories.

We may want to consider upgrading to Yarn v4 to allow this advisory to be ignored. The command yarn npm audit --recursive --environment production --no-deprecations --ignore 1097244 doesn't report any vulnerabilities. When run normally (yarn npm audit --recursive --environment production), it shows:

├─ are-we-there-yet
│  ├─ ID: are-we-there-yet (deprecation)
│  ├─ Issue: This package is no longer supported.
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: 2.0.0
│  │
│  ├─ Tree Versions
│  │  └─ 2.0.0
│  │
│  └─ Dependents
│     └─ npmlog@npm:5.0.1
│
├─ gauge
│  ├─ ID: gauge (deprecation)
│  ├─ Issue: This package is no longer supported.
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: 3.0.2
│  │
│  ├─ Tree Versions
│  │  └─ 3.0.2
│  │
│  └─ Dependents
│     └─ npmlog@npm:5.0.1
│
├─ npmlog
│  ├─ ID: npmlog (deprecation)
│  ├─ Issue: This package is no longer supported.
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: 5.0.1
│  │
│  ├─ Tree Versions
│  │  └─ 5.0.1
│  │
│  └─ Dependents
│     └─ @mapbox/node-pre-gyp@npm:1.0.11
│
├─ path2d-polyfill
│  ├─ ID: path2d-polyfill (deprecation)
│  ├─ Issue: this package has been deprecated
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: 2.1.1
│  │
│  ├─ Tree Versions
│  │  └─ 2.1.1
│  │
│  └─ Dependents
│     └─ pdfjs-dist@npm:3.11.174
│
└─ pdfjs-dist
   ├─ ID: 1097244
   ├─ Issue: PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
   ├─ URL: https://github.com/advisories/GHSA-wgrm-67xf-hhpq
   ├─ Severity: high
   ├─ Vulnerable Versions: <=4.1.392
   │
   ├─ Tree Versions
   │  └─ 3.11.174
   │
   └─ Dependents
      └─ react-pdf@npm:8.0.2 [6e957]
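
One way to get the "ignore specific advisories" behaviour on Yarn classic without the v4 upgrade, as an added example that is not part of minio/console: a small Node.js script that triages yarn audit --json output against an allowlist of reviewed advisory ids and fails only on unreviewed findings at or above a chosen severity. It assumes Yarn classic's NDJSON output shape (one auditAdvisory record per finding, a trailing auditSummary record); the allowlist justification, the placeholder second finding and the severity threshold are constructed here.

```javascript
// Added example, not code from minio/console: gate CI on Yarn classic's
// `yarn audit --json` while allowlisting reviewed advisories, i.e. what
// Yarn v4's `--ignore <id>` does. Assumed input (Yarn v1 NDJSON): one
// {"type":"auditAdvisory"} record per finding carrying
// data.advisory.{id,severity,module_name,title}; other record types are skipped.

// Reviewed advisories, keyed by id, each with a recorded justification.
const ACCEPTED = new Map([
  [1097244, 'react-pdf forces isEvalSupported=false (wojtekmaj/react-pdf#1786)'],
]);
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Returns {ignored, open, blocking, fail}: `open` are findings not in the
// allowlist, `blocking` the subset at or above `failAt` severity.
function triageAudit(ndjson, accepted = ACCEPTED, failAt = 'high') {
  const findings = [];
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // tolerate non-JSON noise
    if (rec.type !== 'auditAdvisory' || !rec.data?.advisory) continue;
    const a = rec.data.advisory;
    findings.push({ id: a.id, severity: a.severity, module: a.module_name, title: a.title });
  }
  const ignored = findings.filter((f) => accepted.has(f.id));
  const open = findings.filter((f) => !accepted.has(f.id));
  // Unknown severity strings count as critical rather than silently passing.
  const blocking = open.filter((f) => (RANK[f.severity] ?? 4) >= RANK[failAt]);
  return { ignored, open, blocking, fail: blocking.length > 0 };
}
// One line per finding; ignored ones carry the justification so reviewers see it.
function formatReport(result, accepted = ACCEPTED) {
  const lines = result.ignored.map((f) => `ignored ${f.id} ${f.module}: ${accepted.get(f.id)}`);
  for (const f of result.open) {
    const tag = result.blocking.includes(f) ? 'FAIL' : 'warn';
    lines.push(`${tag} ${f.id} ${f.module} (${f.severity}): ${f.title}`);
  }
  return lines.join('\n');
}
// Constructed sample output: the real pdfjs-dist advisory plus a placeholder finding.
const SAMPLE = [
  { type: 'auditAdvisory', data: { advisory: { id: 1097244, severity: 'high', module_name: 'pdfjs-dist',
    title: 'PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF' } } },
  { type: 'auditAdvisory', data: { advisory: { id: 9999999, severity: 'moderate', module_name: 'placeholder-pkg',
    title: 'constructed placeholder finding' } } },
  { type: 'auditSummary', data: { vulnerabilities: { high: 1, moderate: 1 } } },
].map((o) => JSON.stringify(o)).join('\n');
const result = triageAudit(SAMPLE);
console.log(formatReport(result));
process.exitCode = result.fail ? 1 : 0;
```

In CI the script would read the real output from stdin in place of SAMPLE; keeping the justification next to each accepted id is what makes the allowlist auditable later.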

Really fixed by #3381.