Fix `pdfjs-dist` vulnerability (advisory: 1097244)
ramondeklein opened this issue · 2 comments
The `yarn audit --groups dependencies` check fails, because of a vulnerability in `pdfjs-dist`:
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ PDF.js vulnerable to arbitrary JavaScript execution upon     │
│               │ opening a malicious PDF                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ pdfjs-dist                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.2.67                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-pdf                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-pdf > pdfjs-dist                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1097244                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
We use `react-pdf` and it uses `pdfjs-dist` v3.11.174. Upgrading to v4.2.67 isn't trivial, but it looks like the vulnerability doesn't affect `react-pdf`, because it forces `isEvalSupported` to `false` (source). More information can be found here: wojtekmaj/react-pdf#1786.
We are currently using Yarn classic (v1), but the current version of Yarn (v4) is able to:
- Report deprecated packages.
- Ignore specific advisories.
We may want to consider upgrading to Yarn v4 to allow this advisory to be ignored. This command `yarn npm audit --recursive --environment production --no-deprecations --ignore 1097244` doesn't report any vulnerabilities. When run normally (`yarn npm audit --recursive --environment production`) it shows:
```
├─ are-we-there-yet
│ ├─ ID: are-we-there-yet (deprecation)
│ ├─ Issue: This package is no longer supported.
│ ├─ Severity: moderate
│ ├─ Vulnerable Versions: 2.0.0
│ │
│ ├─ Tree Versions
│ │ └─ 2.0.0
│ │
│ └─ Dependents
│ └─ npmlog@npm:5.0.1
│
├─ gauge
│ ├─ ID: gauge (deprecation)
│ ├─ Issue: This package is no longer supported.
│ ├─ Severity: moderate
│ ├─ Vulnerable Versions: 3.0.2
│ │
│ ├─ Tree Versions
│ │ └─ 3.0.2
│ │
│ └─ Dependents
│ └─ npmlog@npm:5.0.1
│
├─ npmlog
│ ├─ ID: npmlog (deprecation)
│ ├─ Issue: This package is no longer supported.
│ ├─ Severity: moderate
│ ├─ Vulnerable Versions: 5.0.1
│ │
│ ├─ Tree Versions
│ │ └─ 5.0.1
│ │
│ └─ Dependents
│ └─ @mapbox/node-pre-gyp@npm:1.0.11
│
├─ path2d-polyfill
│ ├─ ID: path2d-polyfill (deprecation)
│ ├─ Issue: this package has been deprecated
│ ├─ Severity: moderate
│ ├─ Vulnerable Versions: 2.1.1
│ │
│ ├─ Tree Versions
│ │ └─ 2.1.1
│ │
│ └─ Dependents
│ └─ pdfjs-dist@npm:3.11.174
│
└─ pdfjs-dist
  ├─ ID: 1097244
  ├─ Issue: PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
  ├─ URL: https://github.com/advisories/GHSA-wgrm-67xf-hhpq
  ├─ Severity: high
  ├─ Vulnerable Versions: <=4.1.392
  │
  ├─ Tree Versions
  │ └─ 3.11.174
  │
  └─ Dependents
    └─ react-pdf@npm:8.0.2 [6e957]
```
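Yarn classic has no `--ignore` flag, so as an added example (not code from this issue or from react-pdf) here is a small Node wrapper that post-filters `yarn audit --json` output by advisory id, letting CI accept a reviewed advisory such as 1097244 without migrating to Yarn v4. It assumes yarn v1's newline-delimited JSON shape (`type: "auditAdvisory"` records with `data.advisory` and `data.resolution`); the sample input below is constructed.

```javascript
"use strict";

// Advisories that were reviewed and accepted. 1097244 is accepted here because
// react-pdf forces isEvalSupported=false, as discussed in the issue above.
const IGNORED_ADVISORIES = new Set([1097244]);

// Constructed sample of yarn v1 `yarn audit --json` output: one JSON object
// per line (assumed shape), an advisory record followed by the summary record.
const SAMPLE_AUDIT_NDJSON = [
  JSON.stringify({
    type: "auditAdvisory",
    data: {
      resolution: { id: 1097244, path: "react-pdf>pdfjs-dist", dev: false },
      advisory: {
        id: 1097244,
        severity: "high",
        module_name: "pdfjs-dist",
        patched_versions: ">=4.2.67",
        title: "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
      },
    },
  }),
  JSON.stringify({
    type: "auditSummary",
    data: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 } },
  }),
].join("\n");

// Parse the NDJSON stream and drop advisories whose id is in `ignored`.
// Returns the advisories that still need action, in a compact shape.
function filterAudit(ndjson, ignored) {
  const remaining = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue; // tolerate blank lines and trailing newline
    const record = JSON.parse(line);
    if (record.type !== "auditAdvisory") continue; // skip the summary record
    const adv = record.data.advisory;
    if (ignored.has(adv.id)) continue; // accepted risk, not a CI failure
    remaining.push({ id: adv.id, severity: adv.severity, module: adv.module_name,
                     patched: adv.patched_versions, path: record.data.resolution.path });
  }
  return remaining;
}

// CI gate: 0 when nothing high/critical remains after filtering, else 1.
function auditExitCode(ndjson, ignored) {
  const serious = filterAudit(ndjson, ignored)
    .filter((a) => a.severity === "high" || a.severity === "critical");
  return serious.length === 0 ? 0 : 1;
}
```

In a pipeline you would feed the real stream in (`yarn audit --groups dependencies --json | node audit-filter.js`) and exit with `auditExitCode`, which replaces yarn classic's severity-bitmask exit status with an explicit allow-list decision.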
Really fixed by #3381.