fix(deps): update dependency react-pdf to v7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
react-pdf (source)	^4.0.5 -> ^7.0.0

GitHub Vulnerability Alerts

CVE-2024-34342

Summary

If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

This patch forces isEvalSupported to false, removing the attack vector.

Workarounds

Set options.isEvalSupported to false, where options is Document component prop.

References

• GHSA-wgrm-67xf-hhpq
• https://github.com/mozilla/pdf.js/pull/18015
• mozilla/pdf.js@85e64b5
• https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

---

Release Notes

wojtekmaj/react-pdf (react-pdf)

v7.7.3

Compare Source

Bug fixes

• Force isEvalSupported to false. Fixes GHSA-87hq-q4gp-9wr4 (caused by GHSA-wgrm-67xf-hhpq).

v7.7.2

Compare Source

This version shipped an incorrect fix for a security vulnerability and thus has been deprecated.

Bug fixes

• ~~Force isEvalSupported to true. Fixes GHSA-87hq-q4gp-9wr4 (caused by GHSA-wgrm-67xf-hhpq).~~

v7.7.1

Compare Source

Bug fixes

• Fixed Outline, Page and Thumbnail components crashing when placed outside Document, but provided with pdf prop (#​1709).
• Fixed documentation for using vite-plugin-static-copy suggesting a solution that doesn't work on Windows.

v7.7.0

Compare Source

What's new?

• Detect not memoized file and options props.

What's changed?

• Updated documentation to make it clear SVG renderMode is deprecated and will be removed in the future.
• Replaced tiny-warning with more popular (and equally tiny!) warning.

v7.6.0

Compare Source

What's new?

• Improved developer experience by moving prop documentation to JSDoc. This means that you can now see descriptions, default values, and examples for all props in your IDE.
• Improved documentation.

v7.5.1

Compare Source

What's new?

• Package is now published with npm provenance statements.

v7.5.0

Compare Source

What's new?

• Exported PasswordResponses to make it easier to create custom password prompts (#​1615). Thanks, @​pstevovski!
• Updated documentation on options prop and usage with Next.js.

Bug fixes

• Fixed customTextRenderer not called on items outside of marked content (#​1593, #​1623).

v7.4.0

Compare Source

What's new?

• Improved Next.js compatibility.
  • Updated documentation
  • Added samples for Next.js App Router and Next.js Pages Router
• Updated PDF.js to 3.11.174.
  • Accessibility improvements
  • Form rendering improvements
  • Font conversion and substitution improvements
  • Performance improvements
  • Text selection improvements
  • TypeScript improvements
  • Other features/bugfixes

Bug fixes

• Fixed index.test.js entry not working in pure ESM mode with "moduleResolution": "node16" TypeScript option enabled.

v7.3.3

Compare Source

Bug fixes

• Fixed "Cannot set properties of undefined (setting 'workerSrc')" error in legacy Next.js setups (#​1579).

v7.3.2

Compare Source

Bug fixes

• Fixed "Cannot destructure property 'PDFDataRangeTransport' of 'pdfjs' as it is undefined." in legacy Next.js setups.

v7.3.1

Compare Source

Bug fixes

• Fixed "Named export 'PDFDataRangeTransport' not found." error in some environments (#​1578).

v7.3.0

Compare Source

What's new?

• Added support for native ESM modules (#​1574).
• Added documentation on cMaps and standard fonts for Vite.

What's changed?

• Improved propTypes.

Bug fixes

• Fixed propTypes declared twice in every declaration file (#​1542).
• Fixed raw-loader installation instructions using Yarn (#​1569). Thanks, @​felipelssilva!

v7.2.0

Compare Source

What's new?

• Added support for new renderMode: "custom". When set, you can pass custom renderer function to customRenderer prop (#​1408).
• Improved RSC compatibility. You no longer need to add 'use client'; to the parent component for this component to work.

What's changed?

• Improved documentation not to suggest using inline object as options prop value (#​1567).
• Added guidelines for installation in Next.js app (#​1508).

Bug fixes

• @types/react and @types/react-dom are now optional peerDependencies, which eliminates errors caused by duplicate typings.

v7.1.3

Compare Source

What's changed?

• Updated clsx dependency to 2.0.0 to enable ESM support in the near future.

v7.1.2

Compare Source

Bug fixes

• Fixed customTextRenderer not working on documents without marked content (#​1530, #​1531). Thanks, @​MattL75!

v7.1.1

Compare Source

Bug fixes

• Improved performance by avoiding unnecessary re-renders (#​1526).

v7.1.0

Compare Source

Large and exciting release, full of improvements and new features, mainly thanks to our contributors, @​kostassite, @​iamandrewluca and @​MattL75, and sponsors. Become a sponsor and help making React-PDF even better!

What's new?

• Added Thumbnail component which lets you render thumbnails (#​898, #​1519).
• Forms rendered by annotation layer are now using AnnotationStorage. This allows you to hook into pdf.annotationStorage in pdf provided in onDocumentLoadSuccess callback and listen for form data changes (#​1518). Thanks, @​kostassite!
• New hooks: useDocumentContext, useOutlineContext and usePageContext. These hooks allow you to build custom components that hook (pun not intended) into React-PDF API (#​1505). Thanks, @​iamandrewluca!
• If onItemClick was not provided neither to Document nor Outline components, React-PDF will now attempt to navigate to the page of the clicked outline item on its own, just like it does for internal links.

What's changed?

• Improved accessibility by introducing structure tree. This also introduces new props in Page: onGetStructTreeSuccess and onGetStructTreeError (#​1494, #​1498). Thanks, @​MattL75!

Bug fixes

• Fixed onItemClick types incorrectly marking dest as required.
• Fixed onItemClick not passed from Document to Outline. Previously, you had to manually pass onItemClick to Outline component. Now, you only need to pass it to Document.

v7.0.3

Compare Source

Bug fixes

• Allowed all DocumentInitParameters to be passed to options prop.

v7.0.2

Compare Source

Bug fixes

• Fixed "Worker was destroyed" error when Document was unmounted or updated before the worker finished loading the PDF file.
• Fixed annotations not displaying properly when global CSS had section selector styled.

v7.0.1

Compare Source

Bug fixes

• Fixed annotation layer rendered under text layer, resulting in some annotations not clickable (#​1503). Thanks, @​iamandrewluca!

v7.0.0

Compare Source

See Upgrade guide from version 6.x to 7.x.

This is one of the biggest update - for React-PDF and for me personally. React-PDF has been rewritten from scratch using TypeScript and React Hooks. I've put a tremendous amount of effort to modernize the package without introducing any major breaking changes. If, however, something have slipped through 137 unit tests we have, please let me know. I hope you will like it.

❗️ = breaking change

What's new?

• Converted package to TypeScript (#​1420).
• Rewritten package using React Hooks (#​1370).
• Updated PDF.js to 3.6.172.
  • Preparations for editor mode support
  • Removed support for outdated browser versions
  • Font conversion/text selection improvements
  • Annotation improvements
  • Image rendering improvements that allow rendering big images even if they are larger than the canvas limits
  • Accessibility improvements
  • Improved overall performance
  • Reduced memory usage
  • Other features/bugfixes

What's changed?

• React-PDF is now considerably smaller.
• ❗️ Bundler-specific entry points are no longer provided. Don't worry though, the setup should be straightforward.
• ❗️ Dropped support for older browsers.
• ❗️ Removed legacy renderInteractiveForms prop

Bug fixes

• Fixed "The --scale-factor CSS-variable must be set" error.
• Fixed black flicker when rendering canvas (#​1340, #​1279). Thanks, @​MattL75!

v6.2.2

Compare Source

Bug fixes

• Fixed rendering glitches on certain browsers & graphic cards (#​1010).

v6.2.1

Compare Source

What's changed?

• Brought back pageIndex and pageNumber in customTextRenderer args that, despite undocumented, may have been used by some (#​1190).
• Replace typeof window checks with typeof document checks to avoid Deno environment being falsely recognized as browser environment.

Bug fixes

• Fixed onItemClick callback working only once per item (#​997, #​1192).
• Fixed first annotation item not clickable (#​1231).
• Fixed typos in documentation (#​1227). Thanks, @​flaxflour!

v6.2.0

Compare Source

What's new?

• Added support for devicePixelRatio prop in Page component.

Bug fixes

• Pass the actual itemIndex to the customTextRenderer (#​1183). Thanks, @​paescuj!

v6.1.1

Compare Source

Bug fixes

• Fixed text items misaligned when using customTextRenderer and if textContent items have both text and line break (#​1173).

v6.1.0

Compare Source

What's new?

• Improved text selection behavior (#​1034).

v6.0.3

Compare Source

Bug fixes

• Fixed customTextRenderer called too often and potentially with undefined str (#​1151).
• Fixed text layer rendering twice when using React 18 w. StrictMode on.

v6.0.2

Compare Source

Bug fixes

• Fixed Vite specific entry causing fake worker to be initialized (#​1148).

v6.0.1

Compare Source

Bug fixes

• Fixed Vite specific entry causing build to fail (#​1148).

v6.0.0

Compare Source

See Upgrade guide from version 5.x to 6.x.

Note: React <16.8 is not supported. If you're still using React older than 16.8, please use react-pdf@^5.0.0 instead.

❗️ = breaking change

What's new?

• ❗️ Vastly improved performance and bundle size thanks to the modern version of PDF.js that is now used. This drops support for legacy browsers. See README for details.
• Added official support for Vite.
• Updated PDF.js to 2.16.105 (#​1019).
  • Improvements for the text layer (space insertion)
  • Improvements for canvas rendering (thin line rendering)
  • Improvements for forms (printing/saving of choice lists)
  • Improvements for accessibility (sidebar and search results)
  • Bug fixes and optimizations, in particular for annotations, font/image conversion, SMask rendering, text layer rendering and TypeScript definitions
  • Performance improvements for rendering image masks, Type3 fonts and certain drawing instructions
  • Support for specifying custom background/foreground colors for rendering in the viewer (this will be soon be supported in React-PDF)
  • Bugfixes
  • Accessibility improvements
  • Rendering quality improvements.
• Improved documentation.
  • Fixed instructions on PDF.js worker
  • Added missing documentation on onRenderTextLayerError and onRenderTextLayerSuccess
  • Added a note on SVG mode deprecation.
• Refactored TextLayer to use pdfjs.renderTextLayer (#​944).
  • Added support for onRenderTextLayerError prop
  • Added support for onRenderTextLayerSuccess prop.
• React-PDF now warns if required CSS files are not imported.

What's changed?

• ❗️ Minimum React version is now 16.8.
• ❗️ onGetTextSuccess is now called with an object containing items and styles.
• ❗️ TextLayer.css now must be imported manually for TextLayer to work properly.
• ❗️ Dropped support for React content in customTextRenderer (#​1124).
• file-loader is now an optional peerDependency (#​970). Thanks, @​rpaasche!
• Improved documentation on Preact compatibility.
• Replaced merge-class-names with clsx.

Bug fixes

• Fixed crash when attempting to cancel rendering of PageCanvas.
• Fixed crash when text layer in PDFs rendered by React-PDF was used in Preact applications.
• Fixed legacy renderInteractiveForms prop ignored. Thanks, @​liquidautumn!
• Fixed Page wrapper allowing to shrink causing children to overflow (#​1118).

v5.7.2

Compare Source

What's new?

• Added instructions on support for standard fonts.
• Make findDocumentSource cancellable, cancel running tasks in loadDocument before finding source (#​947).

Bug fixes

• Fixed Page not rendering in canvas rendering mode (default) when using React 18 w. StrictMode on (#​972).

v5.7.1

Compare Source

What's changed?

• Replaced deprecated renderInteractiveForms option with annotationMode in page.render call (#​946).

Bug fixes

• Use workerPort instead of workerSrc in Parcel 2 specific entry (#​941). Thanks, @​jamesjessian!
• Fixed regression that caused interactive forms to be always rendered.

v5.7.0

Compare Source

Biggest one in months!

What's new?

• Added support for React 18.
• Added official support for Parcel 2.
• Added new Webpack 5-specific entry file. It uses Webpack's new URL assets instead of worker-loader, which turned out to be quite problematic in the past. Don't worry, if you want to stick to the old Webpack-specific one, it should still work just fine!
• Updated PDF.js to 2.12.313 (#​936).
  • Improved XFA support
  • Improved pattern/tiling support
  • Rich text annotation support
• Added support for externalLinkRel prop.
• Added dest and pageIndex to onItemClick callbacks (#​812, #​924). Thanks, @​malwilley!

What's changed?

• Updated cMaps instructions to work with Yarn PnP.
• Updated PDF.js worker instructions for clarity.
  • Specify how to make it work with Create React App 5.
• Added instructions on how to manually copy cMaps directory.
• Added instructions on how to manually copy pdf.worker.js.
• Added Create React App 5 sample suite.
• Added Parcel 2 sample suite.

v5.6.0

Compare Source

What's new?

• Updated PDF.js to 2.10.377 (#​900).
  • Improved XFA support (#​856).

v5.5.0

Compare Source

What's new?

• Added canvasBackground prop (#​851). Thanks, @​paescuj!

v5.4.1

Compare Source

Bug fixes

• Fixed LinkService crashing given already-resolved dest (#​869).

v5.4.0

Compare Source

What's new?

• Updated PDF.js to 2.9.359 (#​818).
  • Added support for Signatures (#​559, #​691, #​772, #​817).
  • Fixed rendering on Chrome 92 and up (#​819).
• Replaced pdfjs-dist build with legacy ES5 version (#​794). Thanks, @​njleonzhang!
• Changed async/await syntax to Promises, reducing build size significantly (#​807).

Bug fixes

• Fixed annotation links no longer working in some cases (#​816).

v5.3.2

Compare Source

Bug fixes

• Fixed file prop type checker not accepting data as string (#​800).

v5.3.1

Compare Source

What's changed?

• Made documentation on bundler-specific entry files clearer.
• Minor code optimizations for smaller bundle size.

Bug fixes

• Fixed onLoadProgress incorrectly listed as Page prop in README.
• Fixed data URI not parsed properly when having multiple headers (#​784).

v5.3.0

Compare Source

What's new?

• Updated PDF.js from 2.5.207 to 2.6.347 (#​746). Thanks, @​andi-dev!
• Replaced worker-loader with file-loader in Webpack-specific entry file (#​93, #​291, #​496, #​530, #​558, #​613, #​685, #​734, #​756). Webpack-specific entry file now works with Create React App.
• Improved memory management by destroying previous worker when file changes (#​288, #​305, #​755). Thanks, @​jeetiss!

What's changed?

• Replaced PDFLinkService with custom LinkService (#​657, #​659, #​749).
• Use public API for rendering cancellation (#​757). Thanks, @​jeetiss!

Bug fixes

• Fixed file prop checked using function with the same name.

v5.2.0

Compare Source

What's new?

• Allow overriding of imageResourcesPath (#​728). Thanks, @​hchevalier!

v5.1.0

Compare Source

What's new?

• Added React 17 compatibility.
• Updated PDF.js to 2.5.207 (#​686, #​687).

v5.0.0

Compare Source

❗️ = breaking change

What's new?

• ❗️ React-PDF now ships with ES6 Modules along with CommonJS modules. This allows for Webpack and other bundlers to optimize your code better.
• Updated PDF.js from 2.1.266 to 2.4.456. Thanks, @​kylemellander!

What's changed?

• ❗️ Internet Explorer 11 is no longer supported.
• ❗️ Removed renderAnnotations backwards compatibility (#​431).
• ES6 builds of PDF.js are now used since Internet Explorer 11 support was dropped anyway.
• Changed the way PDFDataRangeTransport is imported.
• Explicitly initialize an EventBus instance (#​593). Thanks, @​danieltott!

Bug fixes

• Fixed memory leak after unmounting Document (#​452, #​505). Thanks, @​oze4!
• Fixed error, loading, noData propTypes not accepting functions (#​579).
• Fixed PDF rendering incorrectly if wrapped in an element with dir="rtl" (#​588).
• Added null check before calling destroy() method on loadingTask.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud