Security Vulnerability

[k-yle]

Will the fix for CVE-2024-4367 be backported to v3? (#18015) There are significantly more users on v3 compared to v4¹, and v4 is a major breaking change, so it likely that many people will remain on v3 and remain vulnerable to this exploit.

Separately, it seems like https://github.com/mozilla/pdfjs-dist is no longer being updated. If this repo has been abandoned, could it be marked as "Archived"? Or alternatively, could a warning be added to the README? This would prevent a lot of confusion.

Footnotes

1. https://www.npmjs.com/package/pdfjs-dist?activeTab=versions ↩

[Snuffleupagus]

Will the fix for CVE-2024-4367 be backported to v3? (#18015)

No, that's unfortunately not planned. Please note that there's a bunch of manual work involved in creating releases, and the 3.x branch has been completely unsupported for quite some time.
Also, as outlined in the advisory, it's trivial to workaround the problem in older PDF.js versions simply by setting isEvalSupported: false in the getDocument-call.

Separately, it seems like https://github.com/mozilla/pdfjs-dist is no longer being updated.

Yes, that's unfortunately a known problem but we're not sure how/why it broke. The intention is to fix this, but it depends on issue #11851 being implemented.
However, please note that https://www.npmjs.com/package/pdfjs-dist is still updating correctly.