From 8c257f99b54cbcd5245042dce41a61203d48f5e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= Date: Mon, 24 Feb 2025 09:35:15 +0100 Subject: [PATCH] fix: Pin pdfjs-dist to exact 4.0.189 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PDF viewer explicitly sets "isEvalSupported" to "false", so it is not affected by the security issue reported for versions <= 4.1.392, which assume the default value of "true". pdfjs-dist is the main dependency of the PDF viewer, and any version update requires additional work in the PDF viewer, it is not just increasing the version and that is it. Due to all of the above, the pdfjs-dist version is pinned for now to exact 4.0.189 to avoid dealing again and again with incorrect updates after running "npm audit fix". Signed-off-by: Daniel Calviño Sánchez
---
 package-lock.json | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 749f57ba..b4a28932 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -16,7 +16,7 @@
 "@nextcloud/logger": "^3.0.2",
 "@nextcloud/router": "^3.0.1",
 "@nextcloud/sharing": "^0.2.4",
- "pdfjs-dist": "^4.0.189"
+ "pdfjs-dist": "4.0.189"
 },
 "devDependencies": {
 "@nextcloud/babel-config": "^1.2.0",
diff --git a/package.json b/package.json
index 9f4725d5..ab0a4645 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
 "@nextcloud/logger": "^3.0.2",
 "@nextcloud/router": "^3.0.1",
 "@nextcloud/sharing": "^0.2.4",
- "pdfjs-dist": "^4.0.189"
+ "pdfjs-dist": "4.0.189"
 },
 "browserslist": [
 "extends @nextcloud/browserslist-config"
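Review bot: The exact pin of `"pdfjs-dist": "4.0.189"` in the `dependencies` block of package.json keeps the viewer on a release that the commit message itself places inside the advisory range (<= 4.1.392). The change is therefore safe only while the viewer keeps passing `isEvalSupported: false`, and nothing in this patch enforces that. package.json cannot carry a comment, so the rationale lives only in the commit message. I would add a comment next to that option in the viewer source (not visible here), such as `// must stay false: pdfjs-dist is pinned to 4.0.189, inside the advisory range`, and a test or lint check that fails if the option is removed or flipped. Because `npm audit` will keep reporting the package, the accepted finding and the condition for lifting the pin should also be recorded wherever the project tracks audit exceptions.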