agentcooper / react-pdf-highlighter

Set of React components for PDF annotation

Home Page: https://agentcooper.github.io/react-pdf-highlighter/

Update Dependency pdfjs-dist to ^4.2.67

beardedphil opened this issue · comments

This version of pdfjs-dist uses an outdated version of pdfjs which includes a high severity vulnerability.

Tried to just fix it myself and PR, but I'm getting a permission denied error. Sorry!

thanks @beardedphil - would definitely like to see this get resolved, as I am sure it is a blocker for many. sharing the vuln details for added context

I also tried updating the dependency but I got various errors, and trying to fix those errors led to new ones, and so on. They all appear to be related to top-level awaits.

For example:
image
image

And:
image

PDF.js started using top-level awaits between v2.16.105 and v4.2.67. Luckily Mozilla seems to be working on changing that back. It should be easier to make the change after they're done.

Seems like top-level awaits are removed in v4.3.136:
embroider-build/embroider#1948 (comment)

I tried updating to 4.3.136. The warning about top-level await is removed but the "Cannot destructure property" error is still there. I'm also getting a few warnings in the console:

```
[vite] warning: 
[...]/node_modules/.vite/deps/pdfjs-dist_legacy_web_pdf_viewer_mjs.js
8490|          const sandbox = import(
8491|            /*webpackIgnore: true*/
8492|            sandboxBundleSrc
   |            ^
8493|          );
8494|          sandbox.then((pdfjsSandbox) => {
The above dynamic import cannot be analyzed by vite.
See https://github.com/rollup/plugins/tree/master/packages/dynamic-import-vars#limitations for supported dynamic import formats. If this is intended to be left as-is, you can use the /* @vite-ignore */ comment inside the import() call to suppress this warning.

  Plugin: vite:import-analysis
  File: [...]/node_modules/.vite/deps/pdfjs-dist_legacy_web_pdf_viewer_mjs.js?v=e8179a34
[vite] warning: 
[...]/node_modules/.vite/deps/pdfjs-dist.js
11788|        const worker = await import(
11789|          /*webpackIgnore: true*/
11790|          this.workerSrc
   |          ^
11791|        );
11792|        return worker.WorkerMessageHandler;
The above dynamic import cannot be analyzed by vite.
See https://github.com/rollup/plugins/tree/master/packages/dynamic-import-vars#limitations for supported dynamic import formats. If this is intended to be left as-is, you can use the /* @vite-ignore */ comment inside the import() call to suppress this warning.

  Plugin: vite:import-analysis
  File: [...]/node_modules/.vite/deps/pdfjs-dist.js?v=e8179a34
```

Hey friends, I've just released version 7.0.0 with the latest PDF.js. It will be helpful if you can try it out in your projects.
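
Added example (not part of the thread and not the project's code): after upgrading, a lockfile check like the one below confirms that no nested copy of pdfjs-dist older than the 4.2.67 named in the issue title is still installed. It assumes an npm `package-lock.json` with lockfileVersion 2 or 3; the function names, the sample lockfile and the `0.0.0-sample` version are constructed for illustration.

```javascript
// Flag every copy of pdfjs-dist in a parsed package-lock.json (lockfileVersion 2 or 3)
// that is older than the version named in the issue title.
const MIN_SAFE = "4.2.67"; // taken from the issue title; not an advisory lookup

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a sorts strictly before version b (numeric, not string, compare).
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre && !pb.pre; // a pre-release precedes its release
}

// Walk the "packages" map; nested copies live under .../node_modules/<name>.
function findOutdated(lock, name = "pdfjs-dist", min = MIN_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isTarget || !meta.version) continue; // linked entries carry no version
    if (isOlder(meta.version, min)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: a patched top-level copy plus a stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pdfjs-dist": { version: "4.3.136" },
    "node_modules/react-pdf-highlighter": { version: "0.0.0-sample" },
    "node_modules/react-pdf-highlighter/node_modules/pdfjs-dist": { version: "2.16.105" },
  },
};

for (const hit of findOutdated(SAMPLE_LOCK)) {
  console.log(`outdated: ${hit.path} @ ${hit.version} (< ${MIN_SAFE})`);
}
```

On a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findOutdated`; an empty array means every resolved copy is at or above the minimum.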