@danxuliu
Member

Backport of PR #1163

The PDF viewer explicitly sets "isEvalSupported" to "false", so it is
not affected by the security issue reported for versions <= 4.1.392,
which assume the default value of "true".

pdfjs-dist is the main dependency of the PDF viewer, and any version
update requires additional work in the PDF viewer, it is not just
increasing the version and that is it.

Due to all of the above, the pdfjs-dist version is pinned for now to
exact 4.0.189 to avoid dealing again and again with incorrect updates
after running "npm audit fix".

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
@danxuliu danxuliu added 3. to review dependencies Pull requests that update a dependency file labels Feb 26, 2025
@danxuliu danxuliu added this to the Nextcloud 30.0.7 milestone Feb 26, 2025
@danxuliu danxuliu requested a review from szaimen February 26, 2025 12:09
@danxuliu danxuliu enabled auto-merge February 26, 2025 12:10
@danxuliu danxuliu merged commit 3b0cc2b into stable30 Feb 26, 2025
34 checks passed
@blizzz blizzz mentioned this pull request Mar 4, 2025
13 tasks
@danxuliu danxuliu deleted the backport/1163/stable30-pin-pdfjs-dist-to-exact-4.0.189 branch May 6, 2025 09:20
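
One way to guard the exact pin described in the commit message, as an added example that is not part of this pull request or the project's code: a check that the manifest declares an exact version rather than a range and that the lockfile resolves to the same version. The function name `checkPin` and the sample manifests and lockfiles are constructed for illustration; the lockfile layout assumed is npm's `lockfileVersion` 2/3 `packages` map.

```javascript
// Added example: checkPin and all sample data below are constructed for illustration.
// Exact semver only: no ^, ~, >=, x-ranges, tags or URLs.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns a list of problems; an empty list means the pin holds.
function checkPin(manifestText, lockText, name, expected) {
  const problems = [];
  const manifest = JSON.parse(manifestText);
  const lock = JSON.parse(lockText);

  const spec = (manifest.dependencies || {})[name];
  if (spec === undefined) {
    problems.push(`${name} is not listed in dependencies`);
  } else if (!EXACT.test(spec)) {
    // A range leaves room for an automated update to move the version.
    problems.push(`${name} uses range "${spec}", not an exact version`);
  } else if (spec !== expected) {
    problems.push(`${name} is pinned to ${spec}, expected ${expected}`);
  }

  // lockfileVersion 2/3 records installed packages under "packages".
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) {
    problems.push(`${name} is missing from the lockfile`);
  } else if (entry.version !== expected) {
    problems.push(`lockfile resolves ${name} to ${entry.version}, expected ${expected}`);
  }
  return problems;
}

// Constructed package.json and package-lock.json fragments.
const pinnedManifest = JSON.stringify({ dependencies: { "pdfjs-dist": "4.0.189" } });
const rangedManifest = JSON.stringify({ dependencies: { "pdfjs-dist": "^4.0.189" } });
const pinnedLock = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/pdfjs-dist": { version: "4.0.189" } },
});
const driftedLock = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/pdfjs-dist": { version: "4.0.379" } },
});

console.log(checkPin(pinnedManifest, pinnedLock, "pdfjs-dist", "4.0.189"));
console.log(checkPin(rangedManifest, driftedLock, "pdfjs-dist", "4.0.189"));
```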