[Snyk] Security upgrade react-pdf from 7.3.3 to 7.7.3

[idanbe4]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	641/1000 Why? Recently disclosed, Has a fix available, CVSS 7.1	Arbitrary Code Injection SNYK-JS-REACTPDF-6814518	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: react-pdf

The new version differs by 124 commits.

• 1a69776 v7.7.3
• 208f28d Force isEvalSupported to false
• 8ca4d07 v7.7.2
• 260295b Force isEvalSupported to true
• 93b09c3 v7.7.1
• 95b240d Bump ip from 2.0.0 to 2.0.1 in /sample/webpack5 (Update version to 1.0.2-30 Expensify/App#1727)
• 3b6a290 Bump ip from 2.0.0 to 2.0.1 in /sample/vite (Update version to 1.0.2-31 Expensify/App#1730)
• 18b78c5 Bump ip from 2.0.0 to 2.0.1 in /sample/parcel2 (Update version to 1.0.2-29 Expensify/App#1725)
• 1c3ce0a Bump ip from 2.0.0 to 2.0.1 in /sample/next-pages (Pinning icon is not well aligned. Expensify/App#1728)
• cdc04fc Bump ip from 2.0.0 to 2.0.1 in /sample/next-app (Add should deploy to production env variable Expensify/App#1729)
• 88409e5 Bump ip from 2.0.0 to 2.0.1 in /sample/create-react-app-5 (Colorize git Expensify/App#1726)
• 01d30b0 Bump ip from 2.0.0 to 2.0.1 (Update version to 1.0.2-32 Expensify/App#1731)
• f01d41e Bump eslint-config-wojtekmaj from 0.9.0 to 0.11.0
• a9d0b52 Bump eslint from 8.37.0 to 8.56.0
• d4b781a Update Yarn to 4.1.0
• 2706679 Bump vite from 5.0.12 to 5.1.1
• 46aecb9 Bump node-gyp from 9.3.1 to 10.0.1
• 8629bb3 Update @ yarnpkg/plugin-nolyfill
• 57eaaf7 Bump jsdom from 21.1.1 to 24.0.0
• e339525 Fix Outline, Page and Thumbnail components crashing when placed outside Document
• cf5327b Add missing linkService in DocumentContext in unit tests
• aa8c564 Update husky to 9.0.0
• 5895876 Update GitHub Actions actions
• 4e77ef3 Bump vite from 5.0.9 to 5.0.12

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection

[kodem-security]

Kodem Security Scan 🚨

New security risks were found
Scan Summary:

• Vulnerable packages: 1
• Packages used in Runtime: 0 packages
• CVE severity: 🔴 1 High

Top Severity	Runtime Usage	Package	Version	Fixes	Where to fix
🔴 High 1 High		pdfjs-dist	3.11.174	Fix: 4.2.67: | 1 High CVEs CVE-2024-4367 - PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF...	Indirect package

---

Resolved security issues

🔨 Fixed CVEs: 🔴 2 High

Fixed CVEs by package:

Package	Fixed CVEs
pdfjs-dist 3.6.172	1 High CVEs CVE-2024-4367 - PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF...
react-pdf 7.3.3	1 High CVEs CVE-2024-34342 - react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is conf...