Update Dependency pdfjs-dist to ^4.2.67
beardedphil opened this issue · comments
This version of pdfjs-dist uses an outdated version of pdfjs which includes a high severity vulnerability.
Tried to just fix it myself and PR, but I'm getting a permission denied error. Sorry!
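As an added example (not code from the issue thread or from the project), a small Node script that scans an npm package-lock.json for every installed copy of pdfjs-dist, including nested copies under another package's node_modules, and flags those below the version this issue asks for; the lockfile contents and the wrapper package name are constructed sample data.

```javascript
// Scan an npm lockfile (lockfileVersion 2 or 3) for every installed copy of
// pdfjs-dist and report which ones sit below a minimum patched version.
// The lockfile below is constructed sample data, not a real project's.

const MIN_FIXED = "4.2.67"; // version the issue asks to move to

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease sorts below the same release version.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Walk the lockfile's "packages" map; the key is the install path, so nested
// copies (node_modules/<pkg>/node_modules/pdfjs-dist) are found as well.
// Returns an array of { path, version, vulnerable }.
function auditPdfjsDist(lock, minFixed = MIN_FIXED) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/pdfjs-dist") || !entry.version) continue;
    out.push({ path, version: entry.version,
               vulnerable: compareSemver(entry.version, minFixed) < 0 });
  }
  return out;
}

// Constructed sample: a patched top-level copy plus a stale nested copy
// pulled in by a hypothetical wrapper package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/pdfjs-dist": { version: "4.3.136" },
    "node_modules/some-pdf-wrapper": { version: "1.0.0" },
    "node_modules/some-pdf-wrapper/node_modules/pdfjs-dist": { version: "2.16.105" },
  },
};

for (const r of auditPdfjsDist(SAMPLE_LOCK)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"} ${r.version} ${r.path}`);
}
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-copy case is the one `npm ls pdfjs-dist` is most often needed for.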
Thanks @beardedphil - would definitely like to see this get resolved, as I am sure it is a blocker for many. Sharing the vuln details for added context.
I also tried updating the dependency but I got various errors, and trying to fix those errors led to new ones, and so on. They all appear to be related to top-level awaits.
PDF.js started using top-level awaits between v2.16.105 and v4.2.67. Luckily Mozilla seems to be working on changing that back. It should be easier to make the change after they're done.
Seems like top-level awaits are removed in v4.3.136:
embroider-build/embroider#1948 (comment)
I tried updating to 4.3.136. The warning about top-level await is removed but the "Cannot destructure property" error is still there. I'm also getting a few warnings in the console:
[vite] warning:
[...]/node_modules/.vite/deps/pdfjs-dist_legacy_web_pdf_viewer_mjs.js
8490| const sandbox = import(
8491| /*webpackIgnore: true*/
8492| sandboxBundleSrc
| ^
8493| );
8494| sandbox.then((pdfjsSandbox) => {
The above dynamic import cannot be analyzed by vite.
See https://github.com/rollup/plugins/tree/master/packages/dynamic-import-vars#limitations for supported dynamic import formats. If this is intended to be left as-is, you can use the /* @vite-ignore */ comment inside the import() call to suppress this warning.
Plugin: vite:import-analysis
File: [...]/node_modules/.vite/deps/pdfjs-dist_legacy_web_pdf_viewer_mjs.js?v=e8179a34
[vite] warning:
[...]/node_modules/.vite/deps/pdfjs-dist.js
11788| const worker = await import(
11789| /*webpackIgnore: true*/
11790| this.workerSrc
| ^
11791| );
11792| return worker.WorkerMessageHandler;
The above dynamic import cannot be analyzed by vite.
See https://github.com/rollup/plugins/tree/master/packages/dynamic-import-vars#limitations for supported dynamic import formats. If this is intended to be left as-is, you can use the /* @vite-ignore */ comment inside the import() call to suppress this warning.
Plugin: vite:import-analysis
File: [...]/node_modules/.vite/deps/pdfjs-dist.js?v=e8179a34
Hey friends, I've just released version 7.0.0 with the latest PDF.js. It will be helpful if you can try it out in your projects.