Upgrade pdfkit Dependency to Address crypto-js Vulnerability #273

Closed
AngelEscobedo01 opened this issue Dec 19, 2024 · 1 comment

Comments

@AngelEscobedo01

The current version of pdfkit in use (v0.13.0) has a dependency on crypto-js@^4.0.0, which contains a known vulnerability. The pdfkit team has resolved this issue in version v0.14.0 by updating the crypto-js dependency to a secure version.

To mitigate the vulnerability, we need to upgrade pdfkit to at least version v0.14.0 in our project.

pdfkit release: https://github.com/foliojs/pdfkit/releases/tag/v0.14.0

CVE-2023-46233

CVE: https://nvd.nist.gov/vuln/detail/cve-2023-46233

I tried PRing but I have no access =)

This would help resolve some security scans that are being done on our assets.

@NathanaelA
Owner

@AngelEscobedo01 - I've released v1.4.4 which bumps PDFKit to v0.14.0.

I was unable to bump it to 0.15.x because of this regression: foliojs/pdfkit#1523, which DOES affect all images and breaks any reports that use them.
