How to prevent execution of embedded JS via OpenActions in the react-pdf v9?

[uttejcorpay]

Recently i upgraded my company's project's react-pdf to v9 to resolve this security advisory. Though we have resolved the issue with latest version, there is a strange behavior i observed. When i upload a PDF that contains a basic (alert()) script embedded via OpenActions and when isEvalSupported:false passed to options on Document, i could still able to see the alert being executed after the upload.

  return (
    <Document
      file={safe}
      options={{ isEvalSupported: false }}
      onLoadError={(e) => console.error("PDF load error", e)}
      onSourceError={(e) => console.error("PDF source error", e)}
    >
      <Page pageNumber={1} renderTextLayer={false} renderAnnotationLayer={false} />
    </Document>
  );

Did i miss anything here?