Pdfmake: Dependency Vulnerability for static-eval

Created on 14 Feb 2019 · 4 Comments · Source: bpampuch/pdfmake

The dependency static-eval has been flagged with a security warning on Snyk.

An issue has been raised on the static-eval repo
Thanks @pocesar

MODERATE Sandbox Breakout / Arbitrary Code Execution Vulnerability

Advisory Published - Feb 14th, 2019

Reported - Jan 3rd, 2019

Question
Is this package essential?
Is there an Alternative?

P.S. Love pdfmake! Keep up the good work.

All 4 comments

static-eval is used in brfs. brfs in pdfmake is used only in development, for building pdfmake.
In production, pdfmake does not use brfs or static-eval.

Can you not remove it in development too? Just curious.

No, it is not possible. The brfs library is needed.

npm isn't warning us about the dev dependency, but the production dependency on linebreak which itself depends on brfs which depends on static-module which depends on static-eval. I've opened an issue in foliojs/linebreak#12. Ah - also fontkit (used by pdfkit) uses brfs - updated an issue on their tracker too.
