Moderate vulnerability (Sandbox Breakout / Arbitrart Code Execution):
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > fontkit > brfs > static-module > static-eval
More info https://npmjs.com/advisories/758
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > fontkit > unicode-properties > brfs > static-module
static-eval
More info https://npmjs.com/advisories/758
Moderate Sandbox Breakout / Arbitrary Code Execution
Package static-eval
Patched in No patch available
Dependency of pdfkit
Path pdfkit > linebreak > brfs > static-module > static-eval
More info https://npmjs.com/advisories/758
Package manager (npm) telling me that this module have moderate vulnerabilities. It can't be fixed by npm audit fix
npm install pdfkit
Running npm audit fix doesn't work on these and requires manual intervention (tested on linux).
Installing via npm install pdfkit --only=production also causes the same issue.
Cloning the repo and attempting an audit fix in the lib directory results in 9 vulnerabilities.
This appears to be related to browserify. Similar to issue #739
Is the pdfkit project actively maintained any more? There are 241 open issues and 19 pull requests.
Is the pdfkit project actively maintained any more?
Yes. But only a few people do PR.
PR welcome. See contributing
For anyone else wondering about the status of this:
I've looked around a bit and found that fixing this is currently blocked on updates to linebreak and fontkit, both of which have outstanding PRs (https://github.com/foliojs/linebreak/pull/11 and https://github.com/foliojs/fontkit/pull/190 respectively).
I dont have write access to those repositories
@devongovett can you give write access to related dependencies?
What is the real risk of these vulnerabilities for pdfkit?
pdfkit picks up the static-eval vulnerability from 2 places:
This makes me think that the vulnerability is not exploitable via pdfkit, though we would still like to resolve the warnings :-)
There's no risk. Is a false positive because brfs is defined as a devDependency
Most helpful comment
For anyone else wondering about the status of this:
I've looked around a bit and found that fixing this is currently blocked on updates to linebreak and fontkit, both of which have outstanding PRs (https://github.com/foliojs/linebreak/pull/11 and https://github.com/foliojs/fontkit/pull/190 respectively).