Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency react-pdf to v7 [security] #62

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 8, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
react-pdf (source) ^4.1.0 -> ^7.7.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-34342

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References


Release Notes

wojtekmaj/react-pdf (react-pdf)

v7.7.3

Compare Source

Bug fixes

v7.7.2

Compare Source

This version shipped an incorrect fix for a security vulnerability and thus has been deprecated.

Bug fixes

v7.7.1

Compare Source

Bug fixes

  • Fixed Outline, Page and Thumbnail components crashing when placed outside Document, but provided with pdf prop (#​1709).
  • Fixed documentation for using vite-plugin-static-copy suggesting a solution that doesn't work on Windows.

v7.7.0

Compare Source

What's new?

  • Detect not memoized file and options props.

What's changed?

  • Updated documentation to make it clear SVG renderMode is deprecated and will be removed in the future.
  • Replaced tiny-warning with more popular (and equally tiny!) warning.

v7.6.0

Compare Source

What's new?

  • Improved developer experience by moving prop documentation to JSDoc. This means that you can now see descriptions, default values, and examples for all props in your IDE.
  • Improved documentation.

v7.5.1

Compare Source

What's new?

v7.5.0

Compare Source

What's new?

  • Exported PasswordResponses to make it easier to create custom password prompts (#​1615). Thanks, @​pstevovski!
  • Updated documentation on options prop and usage with Next.js.

Bug fixes

  • Fixed customTextRenderer not called on items outside of marked content (#​1593, #​1623).

v7.4.0

Compare Source

What's new?

  • Improved Next.js compatibility.
    • Updated documentation
    • Added samples for Next.js App Router and Next.js Pages Router
  • Updated PDF.js to 3.11.174.
    • Accessibility improvements
    • Form rendering improvements
    • Font conversion and substitution improvements
    • Performance improvements
    • Text selection improvements
    • TypeScript improvements
    • Other features/bugfixes

Bug fixes

  • Fixed index.test.js entry not working in pure ESM mode with "moduleResolution": "node16" TypeScript option enabled.

v7.3.3

Compare Source

Bug fixes

  • Fixed "Cannot set properties of undefined (setting 'workerSrc')" error in legacy Next.js setups (#​1579).

v7.3.2

Compare Source

Bug fixes

  • Fixed "Cannot destructure property 'PDFDataRangeTransport' of 'pdfjs' as it is undefined." in legacy Next.js setups.

v7.3.1

Compare Source

Bug fixes

  • Fixed "Named export 'PDFDataRangeTransport' not found." error in some environments (#​1578).

v7.3.0

Compare Source

What's new?

  • Added support for native ESM modules (#​1574).
  • Added documentation on cMaps and standard fonts for Vite.

What's changed?

  • Improved propTypes.

Bug fixes

v7.2.0

Compare Source

What's new?

  • Added support for new renderMode: "custom". When set, you can pass custom renderer function to customRenderer prop (#​1408).
  • Improved RSC compatibility. You no longer need to add 'use client'; to the parent component for this component to work.

What's changed?

  • Improved documentation not to suggest using inline object as options prop value (#​1567).
  • Added guidelines for installation in Next.js app (#​1508).

Bug fixes

  • @types/react and @types/react-dom are now optional peerDependencies, which eliminates errors caused by duplicate typings.

v7.1.3

Compare Source

What's changed?

  • Updated clsx dependency to 2.0.0 to enable ESM support in the near future.

v7.1.2

Compare Source

Bug fixes

v7.1.1

Compare Source

Bug fixes

  • Improved performance by avoiding unnecessary re-renders (#​1526).

v7.1.0

Compare Source

Large and exciting release, full of improvements and new features, mainly thanks to our contributors, @​kostassite, @​iamandrewluca and @​MattL75, and sponsors. Become a sponsor and help making React-PDF even better!

What's new?

  • Added Thumbnail component which lets you render thumbnails (#​898, #​1519).
  • Forms rendered by annotation layer are now using AnnotationStorage. This allows you to hook into pdf.annotationStorage in pdf provided in onDocumentLoadSuccess callback and listen for form data changes (#​1518). Thanks, @​kostassite!
  • New hooks: useDocumentContext, useOutlineContext and usePageContext. These hooks allow you to build custom components that hook (pun not intended) into React-PDF API (#​1505). Thanks, @​iamandrewluca!
  • If onItemClick was not provided neither to Document nor Outline components, React-PDF will now attempt to navigate to the page of the clicked outline item on its own, just like it does for internal links.

What's changed?

  • Improved accessibility by introducing structure tree. This also introduces new props in Page: onGetStructTreeSuccess and onGetStructTreeError (#​1494, #​1498). Thanks, @​MattL75!

Bug fixes

  • Fixed onItemClick types incorrectly marking dest as required.
  • Fixed onItemClick not passed from Document to Outline. Previously, you had to manually pass onItemClick to Outline component. Now, you only need to pass it to Document.

v7.0.3

Compare Source

Bug fixes

  • Allowed all DocumentInitParameters to be passed to options prop.

v7.0.2

Compare Source

Bug fixes

  • Fixed "Worker was destroyed" error when Document was unmounted or updated before the worker finished loading the PDF file.
  • Fixed annotations not displaying properly when global CSS had section selector styled.

v7.0.1

Compare Source

Bug fixes

  • Fixed annotation layer rendered under text layer, resulting in some annotations not clickable (#​1503). Thanks, @​iamandrewluca!

v7.0.0

Compare Source

See Upgrade guide from version 6.x to 7.x.

This is one of the biggest update - for React-PDF and for me personally. React-PDF has been rewritten from scratch using TypeScript and React Hooks. I've put a tremendous amount of effort to modernize the package without introducing any major breaking changes. If, however, something have slipped through 137 unit tests we have, please let me know. I hope you will like it.

❗️ = breaking change

What's new?

  • Converted package to TypeScript (#​1420).
  • Rewritten package using React Hooks (#​1370).
  • Updated PDF.js to 3.6.172.
    • Preparations for editor mode support
    • Removed support for outdated browser versions
    • Font conversion/text selection improvements
    • Annotation improvements
    • Image rendering improvements that allow rendering big images even if they are larger than the canvas limits
    • Accessibility improvements
    • Improved overall performance
    • Reduced memory usage
    • Other features/bugfixes

What's changed?

  • React-PDF is now considerably smaller.
  • ❗️ Bundler-specific entry points are no longer provided. Don't worry though, the setup should be straightforward.
  • ❗️ Dropped support for older browsers.
  • ❗️ Removed legacy renderInteractiveForms prop

Bug fixes

  • Fixed "The --scale-factor CSS-variable must be set" error.
  • Fixed black flicker when rendering canvas (#​1340, #​1279). Thanks, @​MattL75!

v6.2.2

Compare Source

Bug fixes

  • Fixed rendering glitches on certain browsers & graphic cards (#​1010).

v6.2.1

Compare Source

What's changed?

  • Brought back pageIndex and pageNumber in customTextRenderer args that, despite undocumented, may have been used by some (#​1190).
  • Replace typeof window checks with typeof document checks to avoid Deno environment being falsely recognized as browser environment.

Bug fixes

v6.2.0

Compare Source

What's new?

  • Added support for devicePixelRatio prop in Page component.

Bug fixes

v6.1.1

Compare Source

Bug fixes

  • Fixed text items misaligned when using customTextRenderer and if textContent items have both text and line break (#​1173).

v6.1.0

Compare Source

What's new?

  • Improved text selection behavior (#​1034).

v6.0.3

Compare Source

Bug fixes

  • Fixed customTextRenderer called too often and potentially with undefined str (#​1151).
  • Fixed text layer rendering twice when using React 18 w. StrictMode on.

v6.0.2

Compare Source

Bug fixes

  • Fixed Vite specific entry causing fake worker to be initialized (#​1148).

v6.0.1

Compare Source

Bug fixes

  • Fixed Vite specific entry causing build to fail (#​1148).

v6.0.0

Compare Source

See Upgrade guide from version 5.x to 6.x.

Note: React <16.8 is not supported. If you're still using React older than 16.8, please use react-pdf@^5.0.0 instead.

❗️ = breaking change

What's new?

  • ❗️ Vastly improved performance and bundle size thanks to the modern version of PDF.js that is now used. This drops support for legacy browsers. See README for details.
  • Added official support for Vite.
  • Updated PDF.js to 2.16.105 (#​1019).
    • Improvements for the text layer (space insertion)
    • Improvements for canvas rendering (thin line rendering)
    • Improvements for forms (printing/saving of choice lists)
    • Improvements for accessibility (sidebar and search results)
    • Bug fixes and optimizations, in particular for annotations, font/image conversion, SMask rendering, text layer rendering and TypeScript definitions
    • Performance improvements for rendering image masks, Type3 fonts and certain drawing instructions
    • Support for specifying custom background/foreground colors for rendering in the viewer (this will be soon be supported in React-PDF)
    • Bugfixes
    • Accessibility improvements
    • Rendering quality improvements.
  • Improved documentation.
    • Fixed instructions on PDF.js worker
    • Added missing documentation on onRenderTextLayerError and onRenderTextLayerSuccess
    • Added a note on SVG mode deprecation.
  • Refactored TextLayer to use pdfjs.renderTextLayer (#​944).
    • Added support for onRenderTextLayerError prop
    • Added support for onRenderTextLayerSuccess prop.
  • React-PDF now warns if required CSS files are not imported.

What's changed?

  • ❗️ Minimum React version is now 16.8.
  • ❗️ onGetTextSuccess is now called with an object containing items and styles.
  • ❗️ TextLayer.css now must be imported manually for TextLayer to work properly.
  • ❗️ Dropped support for React content in customTextRenderer (#​1124).
  • file-loader is now an optional peerDependency (#​970). Thanks, @​rpaasche!
  • Improved documentation on Preact compatibility.
  • Replaced merge-class-names with clsx.

Bug fixes

  • Fixed crash when attempting to cancel rendering of PageCanvas.
  • Fixed crash when text layer in PDFs rendered by React-PDF was used in Preact applications.
  • Fixed legacy renderInteractiveForms prop ignored. Thanks, @​liquidautumn!
  • Fixed Page wrapper allowing to shrink causing children to overflow (#​1118).

v5.7.2

Compare Source

What's new?

  • Added instructions on support for standard fonts.
  • Make findDocumentSource cancellable, cancel running tasks in loadDocument before finding source (#​947).

Bug fixes

  • Fixed Page not rendering in canvas rendering mode (default) when using React 18 w. StrictMode on (#​972).

v5.7.1

Compare Source

What's changed?
  • Replaced deprecated renderInteractiveForms option with annotationMode in page.render call (#​946).
Bug fixes
  • Use workerPort instead of workerSrc in Parcel 2 specific entry (#​941). Thanks, @​jamesjessian!
  • Fixed regression that caused interactive forms to be always rendered.

v5.7.0

Compare Source

Biggest one in months!

What's new?

  • Added support for React 18.
  • Added official support for Parcel 2.
  • Added new Webpack 5-specific entry file. It uses Webpack's new URL assets instead of worker-loader, which turned out to be quite problematic in the past. Don't worry, if you want to stick to the old Webpack-specific one, it should still work just fine!
  • Updated PDF.js to 2.12.313 (#​936).
    • Improved XFA support
    • Improved pattern/tiling support
    • Rich text annotation support
  • Added support for externalLinkRel prop.
  • Added dest and pageIndex to onItemClick callbacks (#​812, #​924). Thanks, @​malwilley!

What's changed?

  • Updated cMaps instructions to work with Yarn PnP.
  • Updated PDF.js worker instructions for clarity.
    • Specify how to make it work with Create React App 5.
  • Added instructions on how to manually copy cMaps directory.
  • Added instructions on how to manually copy pdf.worker.js.
  • Added Create React App 5 sample suite.
  • Added Parcel 2 sample suite.

v5.6.0

Compare Source

What's new?

  • Updated PDF.js to 2.10.377 (#​900).

v5.5.0

Compare Source

What's new?

v5.4.1

Compare Source

Bug fixes

  • Fixed LinkService crashing given already-resolved dest (#​869).

v5.4.0

Compare Source

What's new?

Bug fixes

  • Fixed annotation links no longer working in some cases (#​816).

v5.3.2

Compare Source

Bug fixes

  • Fixed file prop type checker not accepting data as string (#​800).

v5.3.1

Compare Source

What's changed?

  • Made documentation on bundler-specific entry files clearer.
  • Minor code optimizations for smaller bundle size.

Bug fixes

  • Fixed onLoadProgress incorrectly listed as Page prop in README.
  • Fixed data URI not parsed properly when having multiple headers (#​784).

v5.3.0

Compare Source

What's new?

What's changed?

Bug fixes

  • Fixed file prop checked using function with the same name.

v5.2.0

Compare Source

What's new?

v5.1.0

Compare Source

What's new?

  • Added React 17 compatibility.
  • Updated PDF.js to 2.5.207 (#​686, #​687).

v5.0.0

Compare Source

❗️ = breaking change

What's new?

  • ❗️ React-PDF now ships with ES6 Modules along with CommonJS modules. This allows for Webpack and other bundlers to optimize your code better.
  • Updated PDF.js from 2.1.266 to 2.4.456. Thanks, @​kylemellander!

What's changed?

  • ❗️ Internet Explorer 11 is no longer supported.
  • ❗️ Removed renderAnnotations backwards compatibility (#​431).
  • ES6 builds of PDF.js are now used since Internet Explorer 11 support was dropped anyway.
  • Changed the way PDFDataRangeTransport is imported.
  • Explicitly initialize an EventBus instance (#​593). Thanks, @​danieltott!

Bug fixes

  • Fixed memory leak after unmounting Document (#​452, #​505). Thanks, @​oze4!
  • Fixed error, loading, noData propTypes not accepting functions (#​579).
  • Fixed PDF rendering incorrectly if wrapped in an element with dir="rtl" (#​588).
  • Added null check before calling destroy() method on loadingTask.

v4.2.0

Compare Source

What's new?

  • Greatly improved documentation. Thanks, everyone!

What's changed?

  • Development platform upgrade - now v4.x branch uses the same build tools as v5.x branch.

Bug fixes

  • Fixed memory leak after unmounting Document (#​452, #​505). Thanks, @​oze4!
  • Fixed error, loading, noData propTypes not accepting functions (#​579).
  • Fixed PDF rendering incorrectly if wrapped in an element with dir="rtl" (#​588).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from e30f5bd to 0916db9 Compare May 10, 2024 17:57
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v8 [security] May 10, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 0916db9 to 2d66a36 Compare May 11, 2024 14:57
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v8 [security] fix(deps): update dependency react-pdf to v7 [security] May 11, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 2d66a36 to fccdc8f Compare May 22, 2024 23:26
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v8 [security] May 22, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from fccdc8f to 63f63f5 Compare May 23, 2024 20:42
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v8 [security] fix(deps): update dependency react-pdf to v7 [security] May 23, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 63f63f5 to 5f2992c Compare June 5, 2024 05:43
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Jun 5, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 5f2992c to 9021acf Compare June 6, 2024 02:27
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Jun 6, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 9021acf to b13a3b0 Compare June 28, 2024 02:34
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Jun 28, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from b13a3b0 to d782963 Compare June 29, 2024 05:54
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Jun 29, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from d782963 to 5403dda Compare July 18, 2024 03:00
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Jul 18, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 5403dda to 20adefe Compare July 20, 2024 14:58
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Jul 20, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 20adefe to 79aec39 Compare July 22, 2024 05:51
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Jul 22, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 79aec39 to 6ab2224 Compare July 24, 2024 11:47
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Jul 24, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 6ab2224 to 583ab5f Compare July 29, 2024 17:39
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Jul 29, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 583ab5f to f802692 Compare July 31, 2024 02:33
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Jul 31, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from f802692 to 8801342 Compare October 10, 2024 03:00
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Oct 10, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 8801342 to 36a2c01 Compare October 13, 2024 14:20
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Oct 13, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 36a2c01 to 8e29b01 Compare October 30, 2024 05:39
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Oct 30, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 8e29b01 to a84dbfa Compare October 31, 2024 23:43
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Oct 31, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from a84dbfa to bfdffa7 Compare December 3, 2024 02:58
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v7 [security] fix(deps): update dependency react-pdf to v9 [security] Dec 3, 2024
@renovate renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from bfdffa7 to 589ae93 Compare December 5, 2024 23:45
@renovate renovate bot changed the title fix(deps): update dependency react-pdf to v9 [security] fix(deps): update dependency react-pdf to v7 [security] Dec 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants