From 83717e8c332883c58d441e0c2a0cc22200512918 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= Date: Mon, 24 Feb 2025 09:35:15 +0100 Subject: [PATCH] fix: Pin pdfjs-dist to exact 4.0.189 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PDF viewer explicitly sets "isEvalSupported" to "false", so it is not affected by the security issue reported for versions <= 4.1.392, which assume the default value of "true". pdfjs-dist is the main dependency of the PDF viewer, and any version update requires additional work in the PDF viewer, it is not just increasing the version and that is it. Due to all of the above, the pdfjs-dist version is pinned for now to exact 4.0.189 to avoid dealing again and again with incorrect updates after running "npm audit fix". Signed-off-by: Daniel Calviño Sánchez
---
 package-lock.json | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 464ff7ad..b0927cc9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
 "@nextcloud/l10n": "^3.1.0",
 "@nextcloud/logger": "^3.0.2",
 "@nextcloud/router": "^3.0.1",
- "pdfjs-dist": "^4.0.189"
+ "pdfjs-dist": "4.0.189"
 },
 "devDependencies": {
 "@nextcloud/babel-config": "^1.0.0",
diff --git a/package.json b/package.json
index 4529d8d5..bd1478fb 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
 "@nextcloud/l10n": "^3.1.0",
 "@nextcloud/logger": "^3.0.2",
 "@nextcloud/router": "^3.0.1",
- "pdfjs-dist": "^4.0.189"
+ "pdfjs-dist": "4.0.189"
 },
 "browserslist": [
 "extends @nextcloud/browserslist-config"
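Review bot: The exact pin `"pdfjs-dist": "4.0.189"` in the `dependencies` block of package.json keeps the viewer on a release inside the range the commit message cites as affected (<= 4.1.392), so the only mitigation for the reported issue is the `isEvalSupported: false` option, which is set in code outside this diff. Nothing in the change ties the pin to that option, so a later refactor of the viewer's pdf.js setup could drop it while audit findings for this package are already expected and likely to be dismissed. Consider a small test or build-time check that fails when the viewer's pdf.js configuration no longer passes `isEvalSupported: false`. Because package.json cannot carry comments, the rationale and the condition for lifting the pin would be better recorded somewhere that travels with the tree (README or a tracking issue) than only in the commit message.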