Withdrawn: Arbitrary Code Execution in static-eval

[Vinod-Telang1]

pdfmake module having vulnerabilities with following error
Withdrawn: Arbitrary Code Execution in static-eval

Team, can you please provide the solution for this?

[liborm85]

Version of pdfmake is?

[Vinod-Telang1]

@liborm85
its occurring for all from 0.1.70 to latest one 0.2.2

[liborm85]

Vulnerability is only in version 0.1.x.
Version 0.2.x does not contain any vulnerability. Package svg-to-pdfkit install own pdfkit library, but this library is not used by svg-to-pdfkit or pdfmake.

[AxelRothe]

Can we please fix this? NPM will try to fix it by alternatively installing 0.1.72 or 0.2.2. depending on what you have installed.

[liborm85]

How I solve it in pdfmake if vulnerable pdfkit is dependency in svg-to-pdfkit library and this pdfkit is not used by pdfmake or svg-to-pdfkit?

[AxelRothe]

The maintainers need to escalate this to svg-to-pdfkit as one of their dependents. If a package is installed but not used it should be removed by the dependencies maintainers.

[liborm85]

You can create issue here.

[Vinod-Telang1]

You can create issue here.

Opened
alafr/SVG-to-PDFKit#151

[liborm85]

svg-to-pdfkit is in version pdfmake 0.2.3 build-in (without pdfkit dependency) ce50aeb.