Update pdfjs-dist to 4.2.67 or later about ng2-pdf-viewer HOT 10 OPEN

Should be fixed via #1092 I suppose?

from ng2-pdf-viewer.

Cve is resolved, but updating would give some other benefits anyway

from ng2-pdf-viewer.

Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078

from ng2-pdf-viewer.

Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078

Yeah,
Upgrading 2->3 was also already a new major version, but I guess there weren't that much (breaking) changes anyway? But now with 3->4 a lot more would be required?

from ng2-pdf-viewer.

Yes, 2 -> 3 was a major version in terms of semver, but wasnt too bad. 3 --> 4 is much bigger, imho of course, see https://github.com/mozilla/pdf.js/releases/tag/v4.0.189

I havent looked at it again, again its of course not impossible but unfortunately I think significantly more

from ng2-pdf-viewer.

I would also prefer to have it upgraded. Npm still mentioned in version 10.2.2 the high severity vulnerability in pdf.js.

But they mentioned an workaround to set the option isEvalSupported to false.
How would that be applied in ng2-pdf-viewer?

from ng2-pdf-viewer.

I would also prefer to have it upgraded. Npm still mentioned in version 10.2.2 the high severity vulnerability in pdf.js.

But they mentioned an workaround to set the option isEvalSupported to false. How would that be applied in ng2-pdf-viewer?

In my understanding, it is done in this library to disable this option. This was patched here: #1092

The best and safest would be of course to upgrade the pdfjs-dist to the latest version, but I'm not sure if it's happening anytime soon.

from ng2-pdf-viewer.

It was fixed in this for me, thanks alot! #1092

from ng2-pdf-viewer.

Updating to version 4 and above would fix this #624 and possibly also this #824 (Note that 824 is not complete, but a stale bot forced it to be completed anyway...)

• [api-major] Remove the SVG back-end (PR 15173 follow-up) by @Snuffleupagus in https://github.com/mozilla/pdf.js/pull/16699[api-major] Output JavaScript modules in the builds (issue 10317) by @Snuffleupagus in mozilla/pdf.js#17055
• [api-major] Remove various deprecated functionality and options by @Snuffleupagus in mozilla/pdf.js#16774
• [api-major] Output JavaScript modules in the builds (issue 10317) by @Snuffleupagus in mozilla/pdf.js#17055
• [api-minor] Stop polyfilling structuredClone in legacy builds by @Snuffleupagus in mozilla/pdf.js#17086
• [api-minor] Move to Fluent for the localization (bug 1858715) by @calixteman in mozilla/pdf.js#17115

These are possibly breaking changes according to release notes from https://github.com/mozilla/pdf.js/releases/tag/v4.0.189.

I have highlighted (points 3 & 5) that may pose a challenge:

• Output JavaScript modules in the builds - This will require looking at where new ones are and how to load them properly.
• I have no clue how, if at all, translations are handled in this package...

from ng2-pdf-viewer.