
fix(deps): update dependency react-pdf to v7 [security] #330

Open. Wants to merge 1 commit into base: master from renovate/npm-react-pdf-vulnerability.
Conversation

renovate[bot] (Contributor) commented May 7, 2024

This PR contains the following updates:

Package: react-pdf (source)
Change: ^5.5.0 -> ^7.0.0
(Age, Adoption, Passing and Confidence badges not reproduced.)

GitHub Vulnerability Alerts

CVE-2024-34342

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is the Document component's options prop.

References


Release Notes

wojtekmaj/react-pdf (react-pdf)

v7.7.3

Compare Source

Bug fixes

v7.7.2

Compare Source

This version shipped an incorrect fix for a security vulnerability and thus has been deprecated.

Bug fixes

v7.7.1

Compare Source

Bug fixes

  • Fixed Outline, Page and Thumbnail components crashing when placed outside Document, but provided with pdf prop (#1709).
  • Fixed documentation for using vite-plugin-static-copy suggesting a solution that doesn't work on Windows.

v7.7.0

Compare Source

What's new?

  • Detect not memoized file and options props.

What's changed?

  • Updated documentation to make it clear SVG renderMode is deprecated and will be removed in the future.
  • Replaced tiny-warning with more popular (and equally tiny!) warning.

v7.6.0

Compare Source

What's new?

  • Improved developer experience by moving prop documentation to JSDoc. This means that you can now see descriptions, default values, and examples for all props in your IDE.
  • Improved documentation.

v7.5.1

Compare Source

What's new?

v7.5.0

Compare Source

What's new?

  • Exported PasswordResponses to make it easier to create custom password prompts (#1615). Thanks, @pstevovski!
  • Updated documentation on options prop and usage with Next.js.

Bug fixes

  • Fixed customTextRenderer not called on items outside of marked content (#1593, #1623).

v7.4.0

Compare Source

What's new?

  • Improved Next.js compatibility.
    • Updated documentation
    • Added samples for Next.js App Router and Next.js Pages Router
  • Updated PDF.js to 3.11.174.
    • Accessibility improvements
    • Form rendering improvements
    • Font conversion and substitution improvements
    • Performance improvements
    • Text selection improvements
    • TypeScript improvements
    • Other features/bugfixes

Bug fixes

  • Fixed index.test.js entry not working in pure ESM mode with "moduleResolution": "node16" TypeScript option enabled.

v7.3.3

Compare Source

Bug fixes

  • Fixed "Cannot set properties of undefined (setting 'workerSrc')" error in legacy Next.js setups (#1579).

v7.3.2

Compare Source

Bug fixes

  • Fixed "Cannot destructure property 'PDFDataRangeTransport' of 'pdfjs' as it is undefined." in legacy Next.js setups.

v7.3.1

Compare Source

Bug fixes

  • Fixed "Named export 'PDFDataRangeTransport' not found." error in some environments (#1578).

v7.3.0

Compare Source

What's new?

  • Added support for native ESM modules (#1574).
  • Added documentation on cMaps and standard fonts for Vite.

What's changed?

  • Improved propTypes.

Bug fixes

v7.2.0

Compare Source

What's new?

  • Added support for new renderMode: "custom". When set, you can pass a custom renderer function to customRenderer prop (#1408).
  • Improved RSC compatibility. You no longer need to add 'use client'; to the parent component for this component to work.

What's changed?

  • Improved documentation not to suggest using inline object as options prop value (#1567).
  • Added guidelines for installation in Next.js app (#1508).

Bug fixes

  • @types/react and @types/react-dom are now optional peerDependencies, which eliminates errors caused by duplicate typings.

v7.1.3

Compare Source

What's changed?

  • Updated clsx dependency to 2.0.0 to enable ESM support in the near future.

v7.1.2

Compare Source

Bug fixes

v7.1.1

Compare Source

Bug fixes

  • Improved performance by avoiding unnecessary re-renders (#1526).

v7.1.0

Compare Source

Large and exciting release, full of improvements and new features, mainly thanks to our contributors, @kostassite, @iamandrewluca and @MattL75, and sponsors. Become a sponsor and help make React-PDF even better!

What's new?

  • Added Thumbnail component which lets you render thumbnails (#898, #1519).
  • Forms rendered by annotation layer are now using AnnotationStorage. This allows you to hook into pdf.annotationStorage in pdf provided in onDocumentLoadSuccess callback and listen for form data changes (#1518). Thanks, @kostassite!
  • New hooks: useDocumentContext, useOutlineContext and usePageContext. These hooks allow you to build custom components that hook (pun not intended) into React-PDF API (#1505). Thanks, @iamandrewluca!
  • If onItemClick was provided to neither Document nor Outline component, React-PDF will now attempt to navigate to the page of the clicked outline item on its own, just like it does for internal links.

What's changed?

  • Improved accessibility by introducing structure tree. This also introduces new props in Page: onGetStructTreeSuccess and onGetStructTreeError (#1494, #1498). Thanks, @MattL75!

Bug fixes

  • Fixed onItemClick types incorrectly marking dest as required.
  • Fixed onItemClick not passed from Document to Outline. Previously, you had to manually pass onItemClick to Outline component. Now, you only need to pass it to Document.

v7.0.3

Compare Source

Bug fixes

  • Allowed all DocumentInitParameters to be passed to options prop.

v7.0.2

Compare Source

Bug fixes

  • Fixed "Worker was destroyed" error when Document was unmounted or updated before the worker finished loading the PDF file.
  • Fixed annotations not displaying properly when global CSS had section selector styled.

v7.0.1

Compare Source

Bug fixes

  • Fixed annotation layer rendered under text layer, resulting in some annotations not clickable (#1503). Thanks, @iamandrewluca!

v7.0.0

Compare Source

See Upgrade guide from version 6.x to 7.x.

This is one of the biggest updates - for React-PDF and for me personally. React-PDF has been rewritten from scratch using TypeScript and React Hooks. I've put a tremendous amount of effort into modernizing the package without introducing any major breaking changes. If, however, something has slipped through the 137 unit tests we have, please let me know. I hope you will like it.

❗️ = breaking change

What's new?

  • Converted package to TypeScript (#1420).
  • Rewritten package using React Hooks (#1370).
  • Updated PDF.js to 3.6.172.
    • Preparations for editor mode support
    • Removed support for outdated browser versions
    • Font conversion/text selection improvements
    • Annotation improvements
    • Image rendering improvements that allow rendering big images even if they are larger than the canvas limits
    • Accessibility improvements
    • Improved overall performance
    • Reduced memory usage
    • Other features/bugfixes

What's changed?

  • React-PDF is now considerably smaller.
  • ❗️ Bundler-specific entry points are no longer provided. Don't worry though, the setup should be straightforward.
  • ❗️ Dropped support for older browsers.
  • ❗️ Removed legacy renderInteractiveForms prop

Bug fixes

  • Fixed "The --scale-factor CSS-variable must be set" error.
  • Fixed black flicker when rendering canvas (#1340, #1279). Thanks, @MattL75!

v6.2.2

Compare Source

Bug fixes

  • Fixed rendering glitches on certain browsers & graphic cards (#1010).

v6.2.1

Compare Source

What's changed?

  • Brought back pageIndex and pageNumber in customTextRenderer args that, despite being undocumented, may have been used by some (#1190).
  • Replaced typeof window checks with typeof document checks to avoid Deno environment being falsely recognized as browser environment.

Bug fixes

v6.2.0

Compare Source

What's new?

  • Added support for devicePixelRatio prop in Page component.

Bug fixes

v6.1.1

Compare Source

Bug fixes

  • Fixed text items misaligned when using customTextRenderer and if textContent items have both text and line break (#1173).

v6.1.0

Compare Source

What's new?

  • Improved text selection behavior (#1034).

v6.0.3

Compare Source

Bug fixes

  • Fixed customTextRenderer called too often and potentially with undefined str (#1151).
  • Fixed text layer rendering twice when using React 18 w. StrictMode on.

v6.0.2

Compare Source

Bug fixes

  • Fixed Vite specific entry causing fake worker to be initialized (#1148).

v6.0.1

Compare Source

Bug fixes

  • Fixed Vite specific entry causing build to fail (#1148).

v6.0.0

Compare Source

See Upgrade guide from version 5.x to 6.x.

Note: React <16.8 is not supported. If you're still using React older than 16.8, please use react-pdf@^5.0.0 instead.

❗️ = breaking change

What's new?

  • ❗️ Vastly improved performance and bundle size thanks to the modern version of PDF.js that is now used. This drops support for legacy browsers. See README for details.
  • Added official support for Vite.
  • Updated PDF.js to 2.16.105 (#1019).
    • Improvements for the text layer (space insertion)
    • Improvements for canvas rendering (thin line rendering)
    • Improvements for forms (printing/saving of choice lists)
    • Improvements for accessibility (sidebar and search results)
    • Bug fixes and optimizations, in particular for annotations, font/image conversion, SMask rendering, text layer rendering and TypeScript definitions
    • Performance improvements for rendering image masks, Type3 fonts and certain drawing instructions
    • Support for specifying custom background/foreground colors for rendering in the viewer (this will soon be supported in React-PDF)
    • Bugfixes
    • Accessibility improvements
    • Rendering quality improvements.
  • Improved documentation.
    • Fixed instructions on PDF.js worker
    • Added missing documentation on onRenderTextLayerError and onRenderTextLayerSuccess
    • Added a note on SVG mode deprecation.
  • Refactored TextLayer to use pdfjs.renderTextLayer (#944).
    • Added support for onRenderTextLayerError prop
    • Added support for onRenderTextLayerSuccess prop.
  • React-PDF now warns if required CSS files are not imported.

What's changed?

  • ❗️ Minimum React version is now 16.8.
  • ❗️ onGetTextSuccess is now called with an object containing items and styles.
  • ❗️ TextLayer.css now must be imported manually for TextLayer to work properly.
  • ❗️ Dropped support for React content in customTextRenderer (#1124).
  • file-loader is now an optional peerDependency (#970). Thanks, @rpaasche!
  • Improved documentation on Preact compatibility.
  • Replaced merge-class-names with clsx.

Bug fixes

  • Fixed crash when attempting to cancel rendering of PageCanvas.
  • Fixed crash when text layer in PDFs rendered by React-PDF was used in Preact applications.
  • Fixed legacy renderInteractiveForms prop ignored. Thanks, @liquidautumn!
  • Fixed Page wrapper allowing to shrink causing children to overflow (#1118).

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
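The advisory's workaround (force `options.isEvalSupported` to false on the Document component) and the follow-on check that a dependency bump like this one actually resolves to a patched release, as an added example. This is not code from react-pdf, PDF.js or Renovate. It assumes a lockfileVersion 2/3 package-lock.json layout (a `packages` map keyed by `node_modules/<name>`), the hypothetical constant name `PDF_OPTIONS`, placeholder cMap/font paths, and, for the 8.x line, the 8.0.2 figure from the upstream advisory rather than from this page; the lock-file fragments at the bottom are constructed.

```javascript
// Added example, not react-pdf's or Renovate's code.
// 1) hardenPdfOptions(): build the `options` prop for react-pdf's <Document>
//    with isEvalSupported forced to false, so the advisory's workaround holds
//    even if the installed version predates the fix.
// 2) reactPdfIsPatched(): read a package-lock.json and confirm the resolved
//    react-pdf version is at or above the patched release for its major line.

function hardenPdfOptions(userOptions = {}) {
  // Copy, then override: a caller-supplied isEvalSupported: true is discarded.
  // Frozen so nothing downstream can flip the flag back on.
  return Object.freeze({ ...userOptions, isEvalSupported: false });
}

// Module-scope constant (hypothetical name): referentially stable across
// renders, which is what react-pdf asks for so <Document> does not reload the
// file on every render. JSX usage, not executed here:
//   <Document file={url} options={PDF_OPTIONS} />
const PDF_OPTIONS = hardenPdfOptions({
  cMapUrl: '/cmaps/',                  // placeholder paths, adjust per deployment
  standardFontDataUrl: '/standard_fonts/',
});

// Guard for unit tests / CI: throws if an options object still allows eval.
function assertEvalDisabled(options) {
  if (!options || options.isEvalSupported !== false) {
    throw new Error('PDF.js options must set isEvalSupported: false');
  }
  return true;
}

// ---- version check --------------------------------------------------------

// Minimum fixed version per major line. 7.7.3 is the corrected fix named in
// the release notes on this page (7.7.2 shipped an incorrect fix); 8.0.2 is
// the 8.x release per the upstream advisory (assumption, verify before relying
// on it). Anything on an older line, e.g. the ^5.5.0 this PR moves off, has no
// patched release at all.
const FIXED_REACT_PDF = { 7: '7.7.3', 8: '8.0.2' };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockJson: parsed package-lock.json (lockfileVersion 2/3 `packages` layout).
function reactPdfIsPatched(lockJson) {
  const entry = lockJson.packages && lockJson.packages['node_modules/react-pdf'];
  if (!entry) return { patched: false, reason: 'react-pdf not present in lock file' };
  const major = parseSemver(entry.version)[0];
  const min = FIXED_REACT_PDF[major];
  if (!min) {
    return {
      patched: false,
      version: entry.version,
      reason: `no patched release in the ${major}.x line; upgrade to ${FIXED_REACT_PDF[7]} or later`,
    };
  }
  const patched = compareSemver(entry.version, min) >= 0;
  return { patched, version: entry.version, reason: patched ? 'ok' : `below ${min}` };
}

// Constructed lock-file fragments (not real project files): before and after
// a bump like the one in this PR.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: { 'node_modules/react-pdf': { version: '5.7.2' } },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: { 'node_modules/react-pdf': { version: '7.7.3' } },
};
```

Two practical notes. First, the version check is the one that matters for the merge decision: a `^7.0.0` range only removes the vulnerability if the lock file resolves to 7.7.3 or later, so run the check against the lock file the PR actually produces, not the range in package.json. Second, keep the hardened options object at module scope or inside `useMemo`; the v7.7.0 notes above mention that react-pdf now warns about non-memoized `options`, and an inline object literal would both trigger that warning and reload the document on every render.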

renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 929d487 to 425e33c on May 23, 2024 14:29
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 425e33c to 86ce5ee on June 17, 2024 15:14
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 86ce5ee to 60e0290 on July 24, 2024 17:17
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 60e0290 to b393df4 on August 7, 2024 14:02
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 2 times, most recently from 3d47540 to 600cc1b on September 6, 2024 16:24
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 600cc1b to ca3bfa0 on September 13, 2024 13:20
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from ca3bfa0 to 974c5b2 on September 20, 2024 14:29
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 974c5b2 to cd9f06c on October 22, 2024 23:21
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 3 times, most recently from 6a3ffa8 to 13ae1e5 on November 5, 2024 17:01
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 2 times, most recently from 78ffaad to 5f6fe2d on November 19, 2024 12:50
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch 5 times, most recently from 7753d21 to fee8504 on November 25, 2024 08:45
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from fee8504 to 3a477a9 on November 30, 2024 11:52
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 3a477a9 to 14f449d on December 6, 2024 13:55
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v7 [security] - autoclosed" on Dec 8, 2024
renovate bot closed this on Dec 8, 2024
renovate bot deleted the renovate/npm-react-pdf-vulnerability branch on December 8, 2024 18:48
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security] - autoclosed" to "fix(deps): update dependency react-pdf to v7 [security]" on Dec 8, 2024
renovate bot reopened this on Dec 8, 2024
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 7e09fb9 to 14f449d on December 8, 2024 23:14