From 260295b470cb577baf8c2e27bc9d3990107b8fed Mon Sep 17 00:00:00 2001
From: Wojciech Maj
Date: Tue, 7 May 2024 14:20:33 +0200
Subject: [PATCH] Force isEvalSupported to true
Fixes [GHSA-wgrm-67xf-hhpq](https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq)
---
 packages/react-pdf/src/Document.tsx | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/packages/react-pdf/src/Document.tsx b/packages/react-pdf/src/Document.tsx
index 0116d681c..31d1d2a4b 100644
--- a/packages/react-pdf/src/Document.tsx
+++ b/packages/react-pdf/src/Document.tsx
@@ -196,6 +196,8 @@ export type DocumentProps = {
 *
 * **Note**: Make sure to define options object outside of your React component, and use `useMemo` if you can't.
+ * **Note**: `isEvalSupported` is forced to `false` to prevent [arbitrary JavaScript execution upon opening a malicious PDF file](https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq).
+ *
 * @example { cMapUrl: '/cmaps/' }
 */
 options?: Options;
@@ -516,12 +518,12 @@ const Document = forwardRef(function Document(
 return;
 }
- const documentInitParams = options
- ? {
- ...source,
- ...options,
- }
- : source;
+ const optionsWithModifiedIsEvalSupported: Options = { ...options, isEvalSupported: true };
+
+ const documentInitParams: Source = {
+ ...source,
+ ...optionsWithModifiedIsEvalSupported,
+ };
 const destroyable = pdfjs.getDocument(documentInitParams);
 if (onLoadProgress) {
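Review bot: The new line `const optionsWithModifiedIsEvalSupported: Options = { ...options, isEvalSupported: true };` forces the flag to `true`, the opposite of what the JSDoc added in the first hunk documents (forced to `false`) and of the mitigation in the linked advisory GHSA-wgrm-67xf-hhpq. Because the override is spread after `...options`, it also overwrites an `isEvalSupported: false` that a caller set deliberately, so every document is handed to `pdfjs.getDocument` with eval support switched on. Change the line to `const optionsWithModifiedIsEvalSupported: Options = { ...options, isEvalSupported: false };` and add a test asserting that `pdfjs.getDocument` receives `isEvalSupported: false` even when `options` passes `true`. The commit subject carries the same inversion, and the enclosing `Document` callback starts and ends outside this hunk.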