fix(deps): update dependency react-pdf to v7 [security] #62
Open
renovate wants to merge 1 commit into master from renovate/npm-react-pdf-vulnerability
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from e30f5bd to 0916db9 (May 10, 2024 17:57)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v8 [security]" (May 10, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 0916db9 to 2d66a36 (May 11, 2024 14:57)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v8 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (May 11, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 2d66a36 to fccdc8f (May 22, 2024 23:26)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v8 [security]" (May 22, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from fccdc8f to 63f63f5 (May 23, 2024 20:42)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v8 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (May 23, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 63f63f5 to 5f2992c (June 5, 2024 05:43)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Jun 5, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 5f2992c to 9021acf (June 6, 2024 02:27)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Jun 6, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 9021acf to b13a3b0 (June 28, 2024 02:34)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Jun 28, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from b13a3b0 to d782963 (June 29, 2024 05:54)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Jun 29, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from d782963 to 5403dda (July 18, 2024 03:00)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Jul 18, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 5403dda to 20adefe (July 20, 2024 14:58)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Jul 20, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 20adefe to 79aec39 (July 22, 2024 05:51)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Jul 22, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 79aec39 to 6ab2224 (July 24, 2024 11:47)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Jul 24, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 6ab2224 to 583ab5f (July 29, 2024 17:39)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Jul 29, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 583ab5f to f802692 (July 31, 2024 02:33)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Jul 31, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from f802692 to 8801342 (October 10, 2024 03:00)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Oct 10, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 8801342 to 36a2c01 (October 13, 2024 14:20)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Oct 13, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 36a2c01 to 8e29b01 (October 30, 2024 05:39)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Oct 30, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from 8e29b01 to a84dbfa (October 31, 2024 23:43)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Oct 31, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from a84dbfa to bfdffa7 (December 3, 2024 02:58)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v7 [security]" to "fix(deps): update dependency react-pdf to v9 [security]" (Dec 3, 2024)
renovate bot force-pushed the renovate/npm-react-pdf-vulnerability branch from bfdffa7 to 589ae93 (December 5, 2024 23:45)
renovate bot changed the title from "fix(deps): update dependency react-pdf to v9 [security]" to "fix(deps): update dependency react-pdf to v7 [security]" (Dec 5, 2024)
This PR contains the following updates:
^4.1.0 -> ^7.7.3

GitHub Vulnerability Alerts
CVE-2024-34342

Summary
If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches
This patch forces isEvalSupported to false, removing the attack vector.

Workarounds
Set options.isEvalSupported to false, where options is Document component prop.

References
Release Notes
wojtekmaj/react-pdf (react-pdf)

v7.7.3
Bug fixes
isEvalSupported to false. Fixes GHSA-87hq-q4gp-9wr4 (caused by GHSA-wgrm-67xf-hhpq).

v7.7.2
This version shipped an incorrect fix for a security vulnerability and thus has been deprecated.
Bug fixes
isEvalSupported to true. Fixes GHSA-87hq-q4gp-9wr4 (caused by GHSA-wgrm-67xf-hhpq).

v7.7.1
Bug fixes
Outline, Page and Thumbnail components crashing when placed outside Document, but provided with pdf prop (#1709).
vite-plugin-static-copy suggesting a solution that doesn't work on Windows.

v7.7.0
What's new?
What's changed?
renderMode is deprecated and will be removed in the future.
tiny-warning with more popular (and equally tiny!) warning.

v7.6.0
What's new?

v7.5.1
What's new?

v7.5.0
What's new?
options prop and usage with Next.js.
Bug fixes

v7.4.0
What's new?
Bug fixes
index.test.js entry not working in pure ESM mode with "moduleResolution": "node16" TypeScript option enabled.

v7.3.3
Bug fixes

v7.3.2
Bug fixes

v7.3.1
Bug fixes

v7.3.0
What's new?
What's changed?
Bug fixes

v7.2.0
What's new?
renderMode: "custom". When set, you can pass custom renderer function to customRenderer prop (#1408).
'use client'; to the parent component for this component to work.
What's changed?
options prop value (#1567).
Bug fixes
@types/react and @types/react-dom are now optional peerDependencies, which eliminates errors caused by duplicate typings.

v7.1.3
What's changed?
clsx dependency to 2.0.0 to enable ESM support in the near future.

v7.1.2
Bug fixes
customTextRenderer not working on documents without marked content (#1530, #1531). Thanks, @MattL75!

v7.1.1
Bug fixes

v7.1.0
Large and exciting release, full of improvements and new features, mainly thanks to our contributors, @kostassite, @iamandrewluca and @MattL75, and sponsors. Become a sponsor and help making React-PDF even better!
What's new?
Thumbnail component which lets you render thumbnails (#898, #1519).
pdf.annotationStorage in pdf provided in onDocumentLoadSuccess callback and listen for form data changes (#1518). Thanks, @kostassite!
useDocumentContext, useOutlineContext and usePageContext. These hooks allow you to build custom components that hook (pun not intended) into React-PDF API (#1505). Thanks, @iamandrewluca!
onItemClick was not provided neither to Document nor Outline components, React-PDF will now attempt to navigate to the page of the clicked outline item on its own, just like it does for internal links.
What's changed?
Page: onGetStructTreeSuccess and onGetStructTreeError (#1494, #1498). Thanks, @MattL75!
Bug fixes
onItemClick types incorrectly marking dest as required.
onItemClick not passed from Document to Outline. Previously, you had to manually pass onItemClick to Outline component. Now, you only need to pass it to Document.

v7.0.3
Bug fixes
DocumentInitParameters to be passed to options prop.

v7.0.2
Bug fixes
section selector styled.

v7.0.1
Bug fixes

v7.0.0
See Upgrade guide from version 6.x to 7.x.
This is one of the biggest update - for React-PDF and for me personally. React-PDF has been rewritten from scratch using TypeScript and React Hooks. I've put a tremendous amount of effort to modernize the package without introducing any major breaking changes. If, however, something have slipped through 137 unit tests we have, please let me know. I hope you will like it.
❗️ = breaking change
What's new?
What's changed?
renderInteractiveForms prop
Bug fixes
--scale-factor CSS-variable must be set" error.

v6.2.2
Bug fixes

v6.2.1
What's changed?
pageIndex and pageNumber in customTextRenderer args that, despite undocumented, may have been used by some (#1190).
typeof window checks with typeof document checks to avoid Deno environment being falsely recognized as browser environment.
Bug fixes
onItemClick callback working only once per item (#997, #1192).

v6.2.0
What's new?
devicePixelRatio prop in Page component.
Bug fixes
itemIndex to the customTextRenderer (#1183). Thanks, @paescuj!

v6.1.1
Bug fixes
customTextRenderer and if textContent items have both text and line break (#1173).

v6.1.0
What's new?

v6.0.3
Bug fixes
customTextRenderer called too often and potentially with undefined str (#1151).

v6.0.2
Bug fixes

v6.0.1
Bug fixes

v6.0.0
See Upgrade guide from version 5.x to 6.x.
Note: React <16.8 is not supported. If you're still using React older than 16.8, please use react-pdf@^5.0.0 instead.
❗️ = breaking change
What's new?
onRenderTextLayerError and onRenderTextLayerSuccess
onRenderTextLayerError prop
onRenderTextLayerSuccess prop.
What's changed?
onGetTextSuccess is now called with an object containing items and styles.
TextLayer.css now must be imported manually for TextLayer to work properly.
customTextRenderer (#1124).
file-loader is now an optional peerDependency (#970). Thanks, @rpaasche!
merge-class-names with clsx.
Bug fixes
renderInteractiveForms prop ignored. Thanks, @liquidautumn!

v5.7.2
What's new?
Bug fixes
canvas rendering mode (default) when using React 18 w. StrictMode on (#972).

v5.7.1
What's changed?
renderInteractiveForms option with annotationMode in page.render call (#946).
Bug fixes
workerPort instead of workerSrc in Parcel 2 specific entry (#941). Thanks, @jamesjessian!

v5.7.0
Biggest one in months!
What's new?
worker-loader, which turned out to be quite problematic in the past. Don't worry, if you want to stick to the old Webpack-specific one, it should still work just fine!
externalLinkRel prop.
dest and pageIndex to onItemClick callbacks (#812, #924). Thanks, @malwilley!
What's changed?
pdf.worker.js.

v5.6.0
What's new?

v5.5.0
What's new?
canvasBackground prop (#851). Thanks, @paescuj!

v5.4.1
Bug fixes

v5.4.0
What's new?
Bug fixes

v5.3.2
Bug fixes
file prop type checker not accepting data as string (#800).

v5.3.1
What's changed?
Bug fixes
onLoadProgress incorrectly listed as Page prop in README.

v5.3.0
What's new?
What's changed?
Bug fixes

v5.2.0
What's new?
imageResourcesPath (#728). Thanks, @hchevalier!

v5.1.0
What's new?

v5.0.0
❗️ = breaking change
What's new?
What's changed?
Bug fixes
error, loading, noData propTypes not accepting functions (#579).
dir="rtl" (#588).

v4.2.0
What's new?
What's changed?
Bug fixes
error, loading, noData propTypes not accepting functions (#579).
dir="rtl" (#588).

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
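
An added example, not part of the Renovate PR or of react-pdf: a Node.js check that reads a package-lock.json object and reports every installed react-pdf copy against the v7.7.3 fix and the deprecated v7.7.2 named in the release notes above. The package names in the sample lockfile (example-app, viewer-kit, react-pdf-helpers) are constructed, and treating every release below 7.7.3 as unpatched is an assumption based on this PR's ^4.1.0 -> ^7.7.3 bump.

```javascript
// Added example (not Renovate or react-pdf code): audit an npm lockfile for react-pdf.
const FIXED_7X = [7, 7, 3];   // v7.7.3 forces isEvalSupported to false (release notes above)
const DEPRECATED = "7.7.2";   // shipped an incorrect fix and was deprecated

function parseVersion(version) {
  // Plain x.y.z only; prereleases, tags and git URLs go to manual review.
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || "");
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parseVersion(version);
  if (!v) return "manual-review";
  if (version === DEPRECATED) return "deprecated-incorrect-fix";
  // Assumption: everything below 7.7.3 is unpatched (this PR bumps ^4.1.0 -> ^7.7.3).
  if (compare(v, FIXED_7X) < 0) return "upgrade-or-set-isEvalSupported-false";
  if (v[0] === 7) return "fixed";
  return "check-advisory"; // 8.x and later: fixed versions are not stated on this page
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Matches the top-level install and copies nested under other packages.
    if (!/(^|\/)node_modules\/react-pdf$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed lockfile fragment (lockfileVersion 2/3 layout), not taken from this repository.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react-pdf": { version: "4.1.0" },
    "node_modules/viewer-kit/node_modules/react-pdf": { version: "7.7.2" },
    "node_modules/react-pdf-helpers": { version: "1.0.0" },
  },
};

console.log(auditLockfile(sampleLock));
```

Nested copies matter here because a transitive react-pdf install stays at its old version even after the top-level dependency is bumped.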