fix: bump react-pdf and pdfjs-dist to handle cve

Bumps ReactPDF and pdfjs-dist to avoid the CVE that allows for code execution in pdf's. This change doesn't specifically upgrade to the latest pdfjs-dist due to issues with top level await, instead disabling the evaluation of javascript within the PDF.
2025-11-13 00:03:33 +10:00 · 2024-05-23 14:47:26 +10:00
parent d58a88196a
commit 311328471e
4 changed files with 63 additions and 56646 deletions
--- a/apps/marketing/public/pdf.worker.min.js
+++ b/apps/marketing/public/pdf.worker.min.js
--- a/apps/web/public/pdf.worker.min.js
+++ b/apps/web/public/pdf.worker.min.js
--- a/package-lock.json
+++ b/package-lock.json
@ -17536,6 +17536,7 @@
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/path2d-polyfill/-/path2d-polyfill-2.0.1.tgz",
      "integrity": "sha512-ad/3bsalbbWhmBo0D6FZ4RNMwsLsPpL6gnvhuSaU5Vm7b06Kr5ubSltQQ0T7YKsiJQO+g22zJ4dJKNTXIyOXtA==",
+      "optional": true,
      "engines": {
        "node": ">=8"
      }
@ -17580,18 +17581,15 @@
      "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
    },
    "node_modules/pdfjs-dist": {
-      "version": "3.6.172",
-      "resolved": "https://registry.npmjs.org/pdfjs-dist/-/pdfjs-dist-3.6.172.tgz",
-      "integrity": "sha512-bfOhCg+S9DXh/ImWhWYTOiq3aVMFSCvzGiBzsIJtdMC71kVWDBw7UXr32xh0y56qc5wMVylIeqV3hBaRsu+e+w==",
-      "dependencies": {
-        "path2d-polyfill": "^2.0.1",
-        "web-streams-polyfill": "^3.2.1"
-      },
+      "version": "3.11.174",
+      "resolved": "https://registry.npmjs.org/pdfjs-dist/-/pdfjs-dist-3.11.174.tgz",
+      "integrity": "sha512-TdTZPf1trZ8/UFu5Cx/GXB7GZM30LT+wWUNfsi6Bq8ePLnb+woNKtDymI2mxZYBpMbonNFqKmiz684DIfnd8dA==",
      "engines": {
-        "node": ">=16"
+        "node": ">=18"
      },
      "optionalDependencies": {
-        "canvas": "^2.11.2"
+        "canvas": "^2.11.2",
+        "path2d-polyfill": "^2.0.1"
      }
    },
    "node_modules/peberminta": {
@ -19011,42 +19009,6 @@
      "resolved": "https://registry.npmjs.org/react-lifecycles-compat/-/react-lifecycles-compat-3.0.4.tgz",
      "integrity": "sha512-fBASbA6LnOU9dOU2eW7aQ8xmYBSXUIWr+UmF9b1efZBazGNO+rcXT/icdKnYm2pTwcRylVUYwW7H1PHfLekVzA=="
    },
-    "node_modules/react-pdf": {
-      "version": "7.3.3",
-      "resolved": "https://registry.npmjs.org/react-pdf/-/react-pdf-7.3.3.tgz",
-      "integrity": "sha512-d7WAxcsjOogJfJ+I+zX/mdip3VjR1yq/yDa4hax4XbQVjbbbup6rqs4c8MGx0MLSnzob17TKp1t4CsNbDZ6GeQ==",
-      "dependencies": {
-        "clsx": "^2.0.0",
-        "make-cancellable-promise": "^1.3.1",
-        "make-event-props": "^1.6.0",
-        "merge-refs": "^1.2.1",
-        "pdfjs-dist": "3.6.172",
-        "prop-types": "^15.6.2",
-        "tiny-invariant": "^1.0.0",
-        "tiny-warning": "^1.0.0"
-      },
-      "funding": {
-        "url": "https://github.com/wojtekmaj/react-pdf?sponsor=1"
-      },
-      "peerDependencies": {
-        "@types/react": "^16.8.0 || ^17.0.0 || ^18.0.0",
-        "react": "^16.8.0 || ^17.0.0 || ^18.0.0",
-        "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0"
-      },
-      "peerDependenciesMeta": {
-        "@types/react": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/react-pdf/node_modules/clsx": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/clsx/-/clsx-2.0.0.tgz",
-      "integrity": "sha512-rQ1+kcj+ttHG0MKVGBUXwayCCF1oh39BF5COIpRzuCEv8Mwjv0XucrI2ExNTOn9IlLifGClWQcU9BrZORvtw6Q==",
-      "engines": {
-        "node": ">=6"
-      }
-    },
    "node_modules/react-property": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/react-property/-/react-property-2.0.0.tgz",
@ -21357,11 +21319,6 @@
      "resolved": "https://registry.npmjs.org/tiny-invariant/-/tiny-invariant-1.3.1.tgz",
      "integrity": "sha512-AD5ih2NlSssTCwsMznbvwMZpJ1cbhkGd2uueNxzv2jDlEeZdU04JQfRnggJQ8DrcVBGjAsCKwFBbDlVNtEMlzw=="
    },
-    "node_modules/tiny-warning": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/tiny-warning/-/tiny-warning-1.0.3.tgz",
-      "integrity": "sha512-lBN9zLN/oAf68o3zNXYrdCt1kP8WsiGW8Oo2ka41b2IM5JL/S1CTyX1rW0mb/zSuJun0ZUrDxx4sqvYS2FWzPA=="
-    },
    "node_modules/tinybench": {
      "version": "2.6.0",
      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.6.0.tgz",
@ -22986,6 +22943,14 @@
        "node": ">=12.0.0"
      }
    },
+    "node_modules/warning": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/warning/-/warning-4.0.3.tgz",
+      "integrity": "sha512-rpJyN222KWIvHJ/F53XSZv0Zl/accqHR8et1kpaMTD/fLCRxtV8iX8czMzY7sVZupTI3zcUTg8eycS2kNF9l6w==",
+      "dependencies": {
+        "loose-envify": "^1.0.0"
+      }
+    },
    "node_modules/watchpack": {
      "version": "2.4.0",
      "resolved": "https://registry.npmjs.org/watchpack/-/watchpack-2.4.0.tgz",
@ -25390,11 +25355,13 @@
        "lucide-react": "^0.279.0",
        "luxon": "^3.4.2",
        "next": "14.0.3",
-        "pdfjs-dist": "3.6.172",
+        "pdfjs-dist": "3.11.174",
+        "react": "18.2.0",
        "react-colorful": "^5.6.1",
        "react-day-picker": "^8.7.1",
+        "react-dom": "18.2.0",
        "react-hook-form": "^7.45.4",
-        "react-pdf": "7.3.3",
+        "react-pdf": "7.7.3",
        "react-rnd": "^10.4.1",
        "tailwind-merge": "^1.12.0",
        "tailwindcss-animate": "^1.0.5",
@ -25411,6 +25378,43 @@
        "typescript": "5.2.2"
      }
    },
+    "packages/ui/node_modules/react-pdf": {
+      "version": "7.7.3",
+      "resolved": "https://registry.npmjs.org/react-pdf/-/react-pdf-7.7.3.tgz",
+      "integrity": "sha512-a2VfDl8hiGjugpqezBTUzJHYLNB7IS7a2t7GD52xMI9xHg8LdVaTMsnM9ZlNmKadnStT/tvX5IfV0yLn+JvYmw==",
+      "dependencies": {
+        "clsx": "^2.0.0",
+        "dequal": "^2.0.3",
+        "make-cancellable-promise": "^1.3.1",
+        "make-event-props": "^1.6.0",
+        "merge-refs": "^1.2.1",
+        "pdfjs-dist": "3.11.174",
+        "prop-types": "^15.6.2",
+        "tiny-invariant": "^1.0.0",
+        "warning": "^4.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/wojtekmaj/react-pdf?sponsor=1"
+      },
+      "peerDependencies": {
+        "@types/react": "^16.8.0 || ^17.0.0 || ^18.0.0",
+        "react": "^16.8.0 || ^17.0.0 || ^18.0.0",
+        "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "packages/ui/node_modules/react-pdf/node_modules/clsx": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz",
+      "integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==",
+      "engines": {
+        "node": ">=6"
+      }
+    },
    "packages/ui/node_modules/typescript": {
      "version": "5.2.2",
      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.2.2.tgz",
--- a/packages/ui/package.json
+++ b/packages/ui/package.json
@ -63,11 +63,13 @@
    "lucide-react": "^0.279.0",
    "luxon": "^3.4.2",
    "next": "14.0.3",
-    "pdfjs-dist": "3.6.172",
+    "pdfjs-dist": "3.11.174",
+    "react": "18.2.0",
    "react-colorful": "^5.6.1",
    "react-day-picker": "^8.7.1",
+    "react-dom": "18.2.0",
    "react-hook-form": "^7.45.4",
-    "react-pdf": "7.3.3",
+    "react-pdf": "7.7.3",
    "react-rnd": "^10.4.1",
    "tailwind-merge": "^1.12.0",
    "tailwindcss-animate": "^1.0.5",