Fix the isEvalSupported security issue for version 6.2.x
NathanJozef opened this issue
Before you start - checklist
- I followed instructions in documentation written for my React-PDF version
- I have checked if this bug is not already reported
- I have checked if an issue is not listed in Known issues
- If I have a problem with PDF rendering, I checked if my PDF renders properly in PDF.js demo
Description
Require a fix for the isEvalSupported security issue. Well documented issue here. This would allow backwards compatibility for users stuck on Node 16.
Steps to reproduce
Run auditing tool on v6.2.2
Expected behavior
Security vulnerability is addressed.
Actual behavior
Audit passes with a warning, not an error.
Additional information
I have a branch ready to push if you want to review it as a PR. Would need collaborator status to push the branch.
Environment
- Browser (if applicable): N/A
- React-PDF version: 6.2.2
- React version: 17.0.2
- Webpack version (if applicable): N/A
- Node version: 16.20.2
You can manually pass options={{isEvalSupported: false}} to Document.
Also, the latest version sets it to false automatically, so unless you're overriding it it is also safe:
react-pdf/packages/react-pdf/src/Document.tsx
Line 190 in 6bfef4b
> so unless you're overriding it it is also safe:
Even if you're overriding it it's safe, because we're forcing this to be false now. :)
> You can manually pass options={{isEvalSupported: false}} to Document.
Hello, does this also work with version 6.2.2? I see this option in DocumentInitParameters, but I cannot prove it, because I cannot get isEvalSupported with version 6.2.2. How can I know, after I set isEvalSupported to false, that this option changes to false?
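
Added example, not part of the thread or of the react-pdf project: a static check that finds every `<Document>` opening tag in a JSX source string and reports how it sets `isEvalSupported`, as one way to confirm the manual option discussed above is present in application code. The function names and the sample JSX are constructed for illustration, and the check reads source text only, not runtime state.

```javascript
// Added example: static audit of JSX source for react-pdf <Document> usage.
// SAMPLE is constructed input; function names are illustrative.
const SAMPLE = `
<Document file={url} options={{ isEvalSupported: false }}
  onLoadSuccess={(pdf) => setPages(pdf.numPages > 0 ? pdf.numPages : 1)}>
  <Page pageNumber={1} />
</Document>
<Document file="a.pdf" options={{ isEvalSupported: true }} />
<Document file="b.pdf" options={pdfOptions} />
<Document file="c.pdf" />
`;

// Return every <Document ...> opening tag. Brace depth and quotes are tracked
// so a ">" inside a prop expression (arrow function, comparison) does not end
// the tag early. Escaped quotes inside strings are not handled.
function documentOpeningTags(src) {
  const tags = [];
  const start = /<Document(?=[\s/>])/g;
  let m;
  while ((m = start.exec(src)) !== null) {
    let depth = 0, quote = null, i = m.index + m[0].length;
    for (; i < src.length; i++) {
      const c = src[i];
      if (quote) { if (c === quote) quote = null; continue; }
      if (c === '"' || c === "'" || c === '`') quote = c;
      else if (c === '{') depth++;
      else if (c === '}') depth--;
      else if (c === '>' && depth === 0) break;
    }
    tags.push(src.slice(m.index, i + 1));
    start.lastIndex = i;
  }
  return tags;
}

// disabled: literal false is passed. review: true, a variable or shorthand.
// indirect: options come from a variable, so check where it is defined.
// not-set: nothing passed; per the thread only the latest version forces false.
function classify(tag) {
  const m = /\bisEvalSupported\b(?:\s*:\s*([\w$.!]+))?/.exec(tag);
  if (m) return m[1] === 'false' ? 'disabled' : 'review';
  if (/\boptions\s*=\s*\{(?!\s*\{)/.test(tag)) return 'indirect';
  return 'not-set';
}

function auditSource(src) {
  return documentOpeningTags(src).map(classify);
}

console.log(auditSource(SAMPLE));
```

On a version such as 6.2.2, anything other than `disabled` is worth a manual look, since the thread states that only the latest version forces the value to false.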