Skip to content

fix(deps): update dependency react-pdf to v7 [security] #2626

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update dependency react-pdf to v7 [security] #2626

renovate wants to merge 1 commit into from
+142 −64

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented May 7, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
react-pdf (source) ^5.7.2 -> ^7.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-34342

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

Release Notes

wojtekmaj/react-pdf (react-pdf)

v7.7.3

Compare Source

Bug fixes

v7.7.2

Compare Source

v7.7.1

Compare Source

Bug fixes

  • Fixed Outline, Page and Thumbnail components crashing when placed outside Document, but provided with pdf prop (#​1709).
  • Fixed documentation for using vite-plugin-static-copy suggesting a solution that doesn't work on Windows.

v7.7.0

Compare Source

What's new?

  • Detect not memoized file and options props.

What's changed?

  • Updated documentation to make it clear SVG renderMode is deprecated and will be removed in the future.
  • Replaced tiny-warning with more popular (and equally tiny!) warning.

v7.6.0

Compare Source

What's new?

  • Improved developer experience by moving prop documentation to JSDoc. This means that you can now see descriptions, default values, and examples for all props in your IDE.
  • Improved documentation.

v7.5.1

Compare Source

What's new?

v7.5.0

Compare Source

What's new?

  • Exported PasswordResponses to make it easier to create custom password prompts (#​1615). Thanks, @​pstevovski!
  • Updated documentation on options prop and usage with Next.js.

Bug fixes

  • Fixed customTextRenderer not called on items outside of marked content (#​1593, #​1623).

v7.4.0

Compare Source

What's new?

  • Improved Next.js compatibility.
    • Updated documentation
    • Added samples for Next.js App Router and Next.js Pages Router
  • Updated PDF.js to 3.11.174.
    • Accessibility improvements
    • Form rendering improvements
    • Font conversion and substitution improvements
    • Performance improvements
    • Text selection improvements
    • TypeScript improvements
    • Other features/bugfixes

Bug fixes

  • Fixed index.test.js entry not working in pure ESM mode with "moduleResolution": "node16" TypeScript option enabled.

v7.3.3

Compare Source

Bug fixes

  • Fixed "Cannot set properties of undefined (setting 'workerSrc')" error in legacy Next.js setups (#​1579).

v7.3.2

Compare Source

Bug fixes

  • Fixed "Cannot destructure property 'PDFDataRangeTransport' of 'pdfjs' as it is undefined." in legacy Next.js setups.

v7.3.1

Compare Source

Bug fixes

  • Fixed "Named export 'PDFDataRangeTransport' not found." error in some environments (#​1578).

v7.3.0

Compare Source

What's new?

  • Added support for native ESM modules (#​1574).
  • Added documentation on cMaps and standard fonts for Vite.

What's changed?

  • Improved propTypes.

Bug fixes

v7.2.0

Compare Source

What's new?

  • Added support for new renderMode: "custom". When set, you can pass custom renderer function to customRenderer prop (#​1408).
  • Improved RSC compatibility. You no longer need to add 'use client'; to the parent component for this component to work.

What's changed?

  • Improved documentation not to suggest using inline object as options prop value (#​1567).
  • Added guidelines for installation in Next.js app (#​1508).

Bug fixes

  • @types/react and @types/react-dom are now optional peerDependencies, which eliminates errors caused by duplicate typings.

v7.1.3

Compare Source

What's changed?

  • Updated clsx dependency to 2.0.0 to enable ESM support in the near future.

v7.1.2

Compare Source

Bug fixes

v7.1.1

Compare Source

Bug fixes

  • Improved performance by avoiding unnecessary re-renders (#​1526).

v7.1.0

Compare Source

Large and exciting release, full of improvements and new features, mainly thanks to our contributors, @​kostassite, @​iamandrewluca and @​MattL75, and sponsors. Become a sponsor and help making React-PDF even better!

What's new?

  • Added Thumbnail component which lets you render thumbnails (#​898, #​1519).
  • Forms rendered by annotation layer are now using AnnotationStorage. This allows you to hook into pdf.annotationStorage in pdf provided in onDocumentLoadSuccess callback and listen for form data changes (#​1518). Thanks, @​kostassite!
  • New hooks: useDocumentContext, useOutlineContext and usePageContext. These hooks allow you to build custom components that hook (pun not intended) into React-PDF API (#​1505). Thanks, @​iamandrewluca!
  • If onItemClick was not provided neither to Document nor Outline components, React-PDF will now attempt to navigate to the page of the clicked outline item on its own, just like it does for internal links.

What's changed?

  • Improved accessibility by introducing structure tree. This also introduces new props in Page: onGetStructTreeSuccess and onGetStructTreeError (#​1494, #​1498). Thanks, @​MattL75!

Bug fixes

  • Fixed onItemClick types incorrectly marking dest as required.
  • Fixed onItemClick not passed from Document to Outline. Previously, you had to manually pass onItemClick to Outline component. Now, you only need to pass it to Document.

v7.0.3

Compare Source

Bug fixes

  • Allowed all DocumentInitParameters to be passed to options prop.

v7.0.2

Compare Source

Bug fixes

  • Fixed "Worker was destroyed" error when Document was unmounted or updated before the worker finished loading the PDF file.
  • Fixed annotations not displaying properly when global CSS had section selector styled.

v7.0.1

Compare Source

Bug fixes

  • Fixed annotation layer rendered under text layer, resulting in some annotations not clickable (#​1503). Thanks, @​iamandrewluca!

v7.0.0

Compare Source

See Upgrade guide from version 6.x to 7.x.

This is one of the biggest update - for React-PDF and for me personally. React-PDF has been rewritten from scratch using TypeScript and React Hooks. I've put a tremendous amount of effort to modernize the package without introducing any major breaking changes. If, however, something have slipped through 137 unit tests we have, please let me know. I hope you will like it.

❗️ = breaking change

What's new?

  • Converted package to TypeScript (#​1420).
  • Rewritten package using React Hooks (#​1370).
  • Updated PDF.js to 3.6.172.
    • Preparations for editor mode support
    • Removed support for outdated browser versions
    • Font conversion/text selection improvements
    • Annotation improvements
    • Image rendering improvements that allow rendering big images even if they are larger than the canvas limits
    • Accessibility improvements
    • Improved overall performance
    • Reduced memory usage
    • Other features/bugfixes

What's changed?

  • React-PDF is now considerably smaller.
  • ❗️ Bundler-specific entry points are no longer provided. Don't worry though, the setup should be straightforward.
  • ❗️ Dropped support for older browsers.
  • ❗️ Removed legacy renderInteractiveForms prop

Bug fixes

  • Fixed "The --scale-factor CSS-variable must be set" error.
  • Fixed black flicker when rendering canvas (#​1340, #​1279). Thanks, @​MattL75!

v6.2.2

Compare Source

Bug fixes

  • Fixed rendering glitches on certain browsers & graphic cards (#​1010).

v6.2.1

Compare Source

What's changed?

  • Brought back pageIndex and pageNumber in customTextRenderer args that, despite undocumented, may have been used by some (#​1190).
  • Replace typeof window checks with typeof document checks to avoid Deno environment being falsely recognized as browser environment.

Bug fixes

v6.2.0

Compare Source

What's new?

  • Added support for devicePixelRatio prop in Page component.

Bug fixes

v6.1.1

Compare Source

Bug fixes

  • Fixed text items misaligned when using customTextRenderer and if textContent items have both text and line break (#​1173).

v6.1.0

Compare Source

What's new?

  • Improved text selection behavior (#​1034).

v6.0.3

Compare Source

Bug fixes

  • Fixed customTextRenderer called too often and potentially with undefined str (#​1151).
  • Fixed text layer rendering twice when using React 18 w. StrictMode on.

v6.0.2

Compare Source

Bug fixes

  • Fixed Vite specific entry causing fake worker to be initialized (#​1148).

v6.0.1

Compare Source

Bug fixes

  • Fixed Vite specific entry causing build to fail (#​1148).

v6.0.0

Compare Source

See Upgrade guide from version 5.x to 6.x.

Note: React <16.8 is not supported. If you're still using React older than 16.8, please use react-pdf@^5.0.0 instead.

❗️ = breaking change

What's new?

  • ❗️ Vastly improved performance and bundle size thanks to the modern version of PDF.js that is now used. This drops support for legacy browsers. See README for details.
  • Added official support for Vite.
  • Updated PDF.js to 2.16.105 (#​1019).
    • Improvements for the text layer (space insertion)
    • Improvements for canvas rendering (thin line rendering)
    • Improvements for forms (printing/saving of choice lists)
    • Improvements for accessibility (sidebar and search results)
    • Bug fixes and optimizations, in particular for annotations, font/image conversion, SMask rendering, text layer rendering and TypeScript definitions
    • Performance improvements for rendering image masks, Type3 fonts and certain drawing instructions
    • Support for specifying custom background/foreground colors for rendering in the viewer (this will be soon be supported in React-PDF)
    • Bugfixes
    • Accessibility improvements
    • Rendering quality improvements.
  • Improved documentation.
    • Fixed instructions on PDF.js worker
    • Added missing documentation on onRenderTextLayerError and onRenderTextLayerSuccess
    • Added a note on SVG mode deprecation.
  • Refactored TextLayer to use pdfjs.renderTextLayer (#​944).
    • Added support for onRenderTextLayerError prop
    • Added support for onRenderTextLayerSuccess prop.
  • React-PDF now warns if required CSS files are not imported.

What's changed?

  • ❗️ Minimum React version is now 16.8.
  • ❗️ onGetTextSuccess is now called with an object containing items and styles.
  • ❗️ TextLayer.css now must be imported manually for TextLayer to work properly.
  • ❗️ Dropped support for React content in customTextRenderer (#​1124).
  • file-loader is now an optional peerDependency (#​970). Thanks, @​rpaasche!
  • Improved documentation on Preact compatibility.
  • Replaced merge-class-names with clsx.

Bug fixes

  • Fixed crash when attempting to cancel rendering of PageCanvas.
  • Fixed crash when text layer in PDFs rendered by React-PDF was used in Preact applications.
  • Fixed legacy renderInteractiveForms prop ignored. Thanks, @​liquidautumn!
  • Fixed Page wrapper allowing to shrink causing children to overflow (#​1118).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested review from JF-Cozy, Ldoppea, Merkur39 and zatteo as code owners May 7, 2024 19:14
@renovate renovate bot added the dependencies label May 7, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 10 times, most recently from b571f70 to 5b535cf Compare May 16, 2024 21:27
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 5 times, most recently from d34ed3b to 86695e4 Compare May 23, 2024 09:33
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 7 times, most recently from 19a291c to 9d6a298 Compare May 29, 2024 21:38
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 9d6a298 to 7964f03 Compare May 30, 2024 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JF-Cozy JF-Cozy Awaiting requested review from JF-Cozy JF-Cozy is a code owner

@Merkur39 Merkur39 Awaiting requested review from Merkur39

@Ldoppea Ldoppea Awaiting requested review from Ldoppea

@zatteo zatteo Awaiting requested review from zatteo zatteo is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants