jellyfin · renovate · Sep 8, 2024 · Sep 12, 2024 · thornbill · Sep 12, 2024
@@ -3,7 +3,8 @@
     "modules": "false",
     "files": "./dist/**/*.js",
     "not": [
-        "./dist/libraries/pdf.worker.js",
+        "./dist/libraries/pdf.worker.mjs",
+        "./dist/node_modules.pdfjs-dist.*",
         "./dist/libraries/worker-bundle.js",
         "./dist/serviceworker.js"
     ]

@@ -59,6 +59,7 @@
     "stylelint-no-browser-hacks": "1.3.0",
     "stylelint-order": "6.0.4",
     "stylelint-scss": "5.3.2",
+    "transform-async-modules-webpack-plugin": "1.1.1",
     "ts-loader": "9.5.1",
     "typescript": "5.5.4",
     "vitest": "2.0.5",
@@ -111,7 +112,7 @@
     "material-design-icons-iconfont": "6.7.0",
     "material-react-table": "2.13.2",
     "native-promise-only": "0.8.1",
-    "pdfjs-dist": "3.11.174",
+    "pdfjs-dist": "4.2.67",
     "react": "18.3.1",
     "react-blurhash": "0.3.0",
     "react-dom": "18.3.1",

@@ -205,13 +205,10 @@ export class PdfPlayer {
             const downloadHref = apiClient.getItemDownloadUrl(item.Id);
 
             this.bindEvents();
-            GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.js';
+            GlobalWorkerOptions.workerSrc = appRouter.baseUrl() + '/libraries/pdf.worker.min.mjs';
 
             const downloadTask = getDocument({
-                url: downloadHref,
-                // Disable for PDF.js XSS vulnerability
-                // https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
-                isEvalSupported: false
+                url: downloadHref
             });
             return downloadTask.promise.then(book => {
                 if (this.cancellationToken) return;

@@ -4,6 +4,7 @@ const CopyPlugin = require('copy-webpack-plugin');
 const ForkTsCheckerWebpackPlugin = require('fork-ts-checker-webpack-plugin');
 const HtmlWebpackPlugin = require('html-webpack-plugin');
 const MiniCssExtractPlugin = require('mini-css-extract-plugin');
+const { TransformAsyncModulesPlugin } = require('transform-async-modules-webpack-plugin');
 const { DefinePlugin, IgnorePlugin } = require('webpack');
 const packageJson = require('./package.json');
 
@@ -15,7 +16,7 @@ const Assets = [
     '@jellyfin/libass-wasm/dist/js/subtitles-octopus-worker.js',
     '@jellyfin/libass-wasm/dist/js/subtitles-octopus-worker.wasm',
     '@jellyfin/libass-wasm/dist/js/subtitles-octopus-worker-legacy.js',
-    'pdfjs-dist/build/pdf.worker.js'
+    'pdfjs-dist/build/pdf.worker.min.mjs'
 ];
 
 const DEV_MODE = process.env.NODE_ENV !== 'production';
@@ -109,7 +110,9 @@ const config = {
             typescript: {
                 configFile: path.resolve(__dirname, 'tsconfig.json')
             }
-        })
+        }),
+        // Transform any modules using top-level await (pdf.js)
+        new TransformAsyncModulesPlugin()
     ],
     output: {
         filename: pathData => (
@@ -205,6 +208,7 @@ const config = {
                     path.resolve(__dirname, 'node_modules/markdown-it'),
                     path.resolve(__dirname, 'node_modules/material-react-table'),
                     path.resolve(__dirname, 'node_modules/mdurl'),
+                    path.resolve(__dirname, 'node_modules/pdfjs-dist'),
                     path.resolve(__dirname, 'node_modules/punycode'),
                     path.resolve(__dirname, 'node_modules/react-blurhash'),
                     path.resolve(__dirname, 'node_modules/react-lazy-load-image-component'),
@@ -268,7 +272,6 @@ const config = {
             {
                 test: /\.js$/,
                 include: [
-                    path.resolve(__dirname, 'node_modules/pdfjs-dist'),
                     path.resolve(__dirname, 'node_modules/xmldom')
                 ],
                 use: [{