Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.20 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2020-28500] All versions of package lodash; all versions of package org.fujion.webjars:lodas...

Occurrences

lodash:4.17.20 is a transitive dependency introduced by the following direct dependency(s):

• mocha:7.2.0
        └─ yargs-unparser:1.6.0
              └─ lodash:4.17.20

• node-sass:4.14.1
        └─ gaze:1.1.3
              └─ globule:1.3.1
                    └─ lodash:4.17.20
        └─ lodash:4.17.20
        └─ sass-graph:2.2.5
              └─ lodash:4.17.20

• sinon:6.3.5
        └─ nise:1.4.10
              └─ @sinonjs/formatio:3.2.1
                    └─ @sinonjs/samsam:3.3.1
                          └─ lodash:4.17.20

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of elliptic:6.5.2 results in the following vulnerability(s):

• (CVSS 5.6) CWE-190: Integer Overflow or Wraparound

Occurrences

elliptic:6.5.2 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.43.0
        └─ node-libs-browser:2.2.1
              └─ crypto-browserify:3.12.0
                    └─ browserify-sign:4.2.0
                          └─ elliptic:6.5.2
                    └─ create-ecdh:4.0.3
                          └─ elliptic:6.5.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

I am seeing an issue where the nextPage api is moving me to the next chapter while viewing a paginate reflowable book and not at the end of the chapter. The error seems to be stemming from here:

It appears that the rightWidth is 0 in my case. I'm not totally sure what the rightWidth is? Is it the amount of remaining chapter?

You can see this by running the example: npm run example:reader-class in my branch fix/next-page and then clicking next page a few times. It's always going by chapter

https://brilliantov-screens.s3.eu-central-1.amazonaws.com/screencast_2021-07-12_00-27-45.mp4

something wrong with container height

Hello!

first off all, thanks for awesome work!

I have a question: i'm trying to use your reader for my pet project for mobile devices.
I had disabled scroll view and use only paginated behaviour.

is it possible to use goTo using result.displayInfo.resourceScreenIndex ?

Vulnerabilities

DepShield reports that this application's usage of xmldom:0.6.0 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2021-32796] xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Cor...

Occurrences

xmldom:0.6.0 is a transitive dependency introduced by the following direct dependency(s):

• r2-shared-js:1.0.51
        └─ xmldom:0.6.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of hosted-git-info:2.8.8 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2021-23362] The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression De...

Occurrences

hosted-git-info:2.8.8 is a transitive dependency introduced by the following direct dependency(s):

• node-sass:6.0.0
        └─ meow:3.7.0
              └─ normalize-package-data:2.5.0
                    └─ hosted-git-info:2.8.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:6.0.2 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2019-20149] ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite c...
• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:6.0.2 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ braces:1.8.5
                                └─ expand-range:1.8.2
                                      └─ fill-range:2.2.4
                                            └─ randomatic:3.1.1
                                                  └─ kind-of:6.0.2
              └─ readdirp:2.2.1
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ define-property:1.0.0
                                      └─ is-descriptor:1.0.2
                                            └─ is-accessor-descriptor:1.0.0
                                                  └─ kind-of:6.0.2
                                            └─ is-data-descriptor:1.0.0
                                                  └─ kind-of:6.0.2
                                            └─ kind-of:6.0.2
                          └─ kind-of:6.0.2

• ts-loader:5.4.5
        └─ micromatch:3.1.10
              └─ define-property:2.0.2
                    └─ is-descriptor:1.0.2
                          └─ is-accessor-descriptor:1.0.0
                                └─ kind-of:6.0.2
                          └─ is-data-descriptor:1.0.0
                                └─ kind-of:6.0.2
                          └─ kind-of:6.0.2
              └─ nanomatch:1.2.13
                    └─ kind-of:6.0.2
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ define-property:1.0.0
                                └─ is-descriptor:1.0.2
                                      └─ is-accessor-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ is-data-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ kind-of:6.0.2
              └─ braces:2.3.2
                    └─ snapdragon-node:2.1.1
                          └─ define-property:1.0.0
                                └─ is-descriptor:1.0.2
                                      └─ is-accessor-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ is-data-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ kind-of:6.0.2
              └─ extglob:2.0.4
                    └─ define-property:1.0.0
                          └─ is-descriptor:1.0.2
                                └─ is-accessor-descriptor:1.0.0
                                      └─ kind-of:6.0.2
                                └─ is-data-descriptor:1.0.0
                                      └─ kind-of:6.0.2
                                └─ kind-of:6.0.2
              └─ kind-of:6.0.2

• webpack:4.41.2
        └─ watchpack:1.6.0
              └─ chokidar:2.1.8
                    └─ anymatch:2.0.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ define-property:1.0.0
                                            └─ is-descriptor:1.0.2
                                                  └─ is-accessor-descriptor:1.0.0
                                                        └─ kind-of:6.0.2
                                                  └─ is-data-descriptor:1.0.0
                                                        └─ kind-of:6.0.2
                                                  └─ kind-of:6.0.2
                                └─ kind-of:6.0.2
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ define-property:1.0.0
                          └─ is-descriptor:1.0.2
                                └─ is-accessor-descriptor:1.0.0
                                      └─ kind-of:6.0.2
                                └─ is-data-descriptor:1.0.0
                                      └─ kind-of:6.0.2
                                └─ kind-of:6.0.2
              └─ kind-of:6.0.2

• webpack-cli:3.3.9
        └─ findup-sync:3.0.0
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ define-property:1.0.0
                                └─ is-descriptor:1.0.2
                                      └─ is-accessor-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ is-data-descriptor:1.0.0
                                            └─ kind-of:6.0.2
                                      └─ kind-of:6.0.2
                    └─ kind-of:6.0.2
        └─ global-modules:2.0.0
              └─ global-prefix:3.0.0
                    └─ kind-of:6.0.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of acorn:6.3.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.3.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.41.2
        └─ acorn:6.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

This is a ticket to make findRequiredElement generic so that we don't have to type cast the return value everywhere

Vulnerabilities

DepShield reports that this application's usage of acorn:6.4.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.4.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.43.0
        └─ acorn:6.4.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

On a related note, I had to include all of these properties in the D2Reader.load call in order to satisfy the typings. I assume most of them should actually be optional?

const reader = await D2Reader.load({
      url,
      injectables: injectables as any,
      api: {
        getContent,
      },
      // all of these were required
      userSettings: undefined,
      initialAnnotations: undefined,
      lastReadingPosition: undefined,
      upLinkUrl: undefined,
      material: {
        settings: {
          fontOverride: false,
          advancedSettings: false,
          pageMargins: false,
          lineHeight: false,
        },
      },
      rights: {},
      tts: undefined,
      search: { color: 'red', current: 'blah' },
      annotations: { initialAnnotationColor: 'blue' },
      highlighter: { selectionMenuItems: [] },
      useLocalStorage: false,
      attributes: { margin: 2 },
    });

Originally posted by @kristojorg in #153 (comment)

Vulnerabilities

DepShield reports that this application's usage of minimist:0.0.8 results in the following vulnerability(s):

• (CVSS 8.8) CWE-94: Improper Control of Generation of Code ('Code Injection')

Occurrences

minimist:0.0.8 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ fsevents:1.2.9
                    └─ node-pre-gyp:0.12.0
                          └─ mkdirp:0.5.1
                                └─ minimist:0.0.8
        └─ mkdirp:0.5.1
              └─ minimist:0.0.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Currently modules have Config and Properties. I'm not totally sure of the difference between the two, but it seems like there should be one type for the options you can pass in to instantiate the class, and another type for the settings of an instance. Thus it could be optional to pass in a certain config value, but required on the actual class. So the constructor would take care of setting defaults when no value is passed in. That way, once it is instantiated, we always have a well defined set of settings.

This would mean we don't have to do this:

(this.rights?.autoGeneratePositions ?? false)

because this.rights.autoGeneratePositions would always be defined. If you don't pass in a value for that option, the constructor will set it to a default (false in this case).

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• sinon:6.3.5
        └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.15 results in the following vulnerability(s):

• (CVSS 7.4) [CVE-2020-8203] Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.
• (CVSS 7.4) CWE-770: Allocation of Resources Without Limits or Throttling

Occurrences

lodash:4.17.15 is a transitive dependency introduced by the following direct dependency(s):

• mocha:7.2.0
        └─ yargs-unparser:1.6.0
              └─ lodash:4.17.15

• node-sass:4.14.1
        └─ gaze:1.1.3
              └─ globule:1.3.1
                    └─ lodash:4.17.15
        └─ lodash:4.17.15
        └─ sass-graph:2.2.5
              └─ lodash:4.17.15

• sinon:6.3.5
        └─ nise:1.4.10
              └─ @sinonjs/formatio:3.2.1
                    └─ @sinonjs/samsam:3.3.1
                          └─ lodash:4.17.15

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of materialize-css:1.0.0 results in the following vulnerability(s):

• (CVSS 6.1) [CVE-2019-11002] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
• (CVSS 6.1) [CVE-2019-11004] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
• (CVSS 6.1) [CVE-2019-11003] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:13.1.1 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...

Occurrences

yargs-parser:13.1.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-cli:3.3.9
        └─ yargs:13.2.4
              └─ yargs-parser:13.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

I'm trying to insert reader inside div that no use 100% of width
is it possible ?

Vulnerabilities

DepShield reports that this application's usage of ecstatic:3.3.2 results in the following vulnerability(s):

• (CVSS 6.1) CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Occurrences

ecstatic:3.3.2 is a transitive dependency introduced by the following direct dependency(s):

• http-server:0.12.3
        └─ ecstatic:3.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of tar:6.1.2 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

tar:6.1.2 is a transitive dependency introduced by the following direct dependency(s):

• node-sass:6.0.1
        └─ node-gyp:7.1.2
              └─ tar:6.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of glob-parent:2.0.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

glob-parent:2.0.0 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ parse-glob:3.0.4
                                └─ glob-base:0.3.0
                                      └─ glob-parent:2.0.0
              └─ glob-parent:2.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• ts-loader:5.4.5
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of node-sass:4.14.1 results in the following vulnerability(s):

• (CVSS 5.3) [CVE-2020-24025] Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting ...

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ readdirp:2.2.1
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9

• express:4.17.1
        └─ body-parser:1.19.0
              └─ debug:2.6.9
        └─ debug:2.6.9
        └─ finalhandler:1.1.2
              └─ debug:2.6.9
        └─ send:0.17.1
              └─ debug:2.6.9

• ts-loader:5.4.5
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9

• webpack:4.35.0
        └─ watchpack:1.6.0
              └─ chokidar:2.1.6
                    └─ anymatch:2.0.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ debug:2.6.9
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9

• webpack-cli:3.3.5
        └─ findup-sync:3.0.0
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of postcss:8.2.8 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

postcss:8.2.8 is a transitive dependency introduced by the following direct dependency(s):

• sanitize-html:2.3.3
        └─ postcss:8.2.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:5.0.0 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...

Occurrences

yargs-parser:5.0.0 is a transitive dependency introduced by the following direct dependency(s):

• node-sass:4.13.1
        └─ sass-graph:2.2.4
              └─ yargs:7.1.0
                    └─ yargs-parser:5.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ readdirp:2.2.1
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ kind-of:5.1.0

• ts-loader:5.4.5
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ kind-of:5.1.0
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

• webpack:4.41.2
        └─ watchpack:1.6.0
              └─ chokidar:2.1.8
                    └─ anymatch:2.0.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ define-property:0.2.5
                                                  └─ is-descriptor:0.1.6
                                                        └─ kind-of:5.1.0
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ kind-of:5.1.0

• webpack-cli:3.3.9
        └─ findup-sync:3.0.0
              └─ micromatch:3.1.10
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ define-property:0.2.5
                                      └─ is-descriptor:0.1.6
                                            └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The included Call of the Wild example demonstrates the phenomenon for me with the head of v2 using the "Dita Example:". Both the "Dita Sample Read:" and "Material Example:" seem to be missing files (from injectables) and error out.

To reproduce, simply open the COTW link with the "Dita Example" link, switch to paginated view and carefully navigate forward until one of the chapters is truncated. On my screens this is within the first 3 or so chapters.

@kristojorg , this phenomenon is also visible using today's main of NYPL's web-reader.

Vulnerabilities

DepShield reports that this application's usage of lodash:4.17.19 results in the following vulnerability(s):

• (CVSS 7.4) [CVE-2020-8203] Prototype pollution attack when using _.zipObjectDeep in lodash <= 4.17.15.

Occurrences

lodash:4.17.19 is a transitive dependency introduced by the following direct dependency(s):

• mocha:7.2.0
        └─ yargs-unparser:1.6.0
              └─ lodash:4.17.19

• node-sass:4.14.1
        └─ gaze:1.1.3
              └─ globule:1.3.1
                    └─ lodash:4.17.19
        └─ lodash:4.17.19
        └─ sass-graph:2.2.5
              └─ lodash:4.17.19

• sinon:6.3.5
        └─ nise:1.4.10
              └─ @sinonjs/formatio:3.2.1
                    └─ @sinonjs/samsam:3.3.1
                          └─ lodash:4.17.19

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.flatten:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.flatten:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• eslint:7.23.0
        └─ table:6.0.9
              └─ lodash.flatten:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

I have been getting errors of "parent element is null" that seem to come from this line in ReflowableBookView. It appears that isScrollMode() is called too early, and this.iframe.contentDocument is undefined. I made a patch for this to check if this.iframe.contentDocument is defined before trying to find the html element, but that probably won't fix the underlying problem.

My suggestion would be that we turn on strictNullChecks in typescript config and fix all the type errors resulting from that, as that will implicitly force us to deal with this.

With current v2 (using the standard example epub, with index_dita.html), if you:

1. Show a chapter with a small font,
2. Continue to the following chapter using the next button,
3. Increase (by a lot) the font size,
4. Return to the previous chapter using the previous button,

Then the number of pages is not correctly recalculated, and the previous chapter cuts off large segments at the end of the chapters.

The same procedure appears to correctly recalculate using v1.

This is going to be a relatively large piece of work, but the payoff will also be large. We should enable TS strictNullChecks so that TS will warn us when we are accessing a property on a possible null or undefined value, thus eliminated the most common class of JS errors.

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• eslint:7.23.0
        └─ table:6.0.9
              └─ lodash.clonedeep:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

When I instantiate a reader using the following code:

    D2Reader.load({
      url: url,
      injectables: injectables,
    })

I get an error complaining about annotations:

TypeError: undefined is not an object (evaluating 'this.delegate.rights.enableAnnotations')

I can post the HTML I used if that's helpful, but it seems that annotations are assumed to be enabled even though I didn't explicitly ask for them? Just a guess

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ kind-of:3.2.2
                          └─ braces:1.8.5
                                └─ expand-range:1.8.2
                                      └─ fill-range:2.2.4
                                            └─ is-number:2.1.0
                                                  └─ kind-of:3.2.2
              └─ readdirp:2.2.1
                    └─ micromatch:3.1.10
                          └─ braces:2.3.2
                                └─ fill-range:4.0.0
                                      └─ is-number:3.0.0
                                            └─ kind-of:3.2.2
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ define-property:0.2.5
                                            └─ is-descriptor:0.1.6
                                                  └─ is-accessor-descriptor:0.1.6
                                                        └─ kind-of:3.2.2
                                                  └─ is-data-descriptor:0.1.4
                                                        └─ kind-of:3.2.2

• ts-loader:5.4.5
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ is-number:3.0.0
                                                  └─ kind-of:3.2.2
                                └─ to-object-path:0.3.0
                                      └─ kind-of:3.2.2
                          └─ class-utils:0.3.6
                                └─ static-extend:0.1.2
                                      └─ object-copy:0.1.0
                                            └─ kind-of:3.2.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ is-accessor-descriptor:0.1.6
                                      └─ kind-of:3.2.2
                                └─ is-data-descriptor:0.1.4
                                      └─ kind-of:3.2.2
              └─ braces:2.3.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2
                    └─ fill-range:4.0.0
                          └─ to-regex-range:2.1.1
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

• webpack:4.41.2
        └─ watchpack:1.6.0
              └─ chokidar:2.1.8
                    └─ anymatch:2.0.0
                          └─ micromatch:3.1.10
                                └─ extglob:2.0.4
                                      └─ expand-brackets:2.1.4
                                            └─ define-property:0.2.5
                                                  └─ is-descriptor:0.1.6
                                                        └─ is-accessor-descriptor:0.1.6
                                                              └─ kind-of:3.2.2
                                                        └─ is-data-descriptor:0.1.4
                                                              └─ kind-of:3.2.2
                    └─ braces:2.3.2
                          └─ fill-range:4.0.0
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2
        └─ micromatch:3.1.10
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ define-property:0.2.5
                                └─ is-descriptor:0.1.6
                                      └─ is-accessor-descriptor:0.1.6
                                            └─ kind-of:3.2.2
                                      └─ is-data-descriptor:0.1.4
                                            └─ kind-of:3.2.2

• webpack-cli:3.3.9
        └─ findup-sync:3.0.0
              └─ micromatch:3.1.10
                    └─ braces:2.3.2
                          └─ fill-range:4.0.0
                                └─ is-number:3.0.0
                                      └─ kind-of:3.2.2
                    └─ extglob:2.0.4
                          └─ expand-brackets:2.1.4
                                └─ define-property:0.2.5
                                      └─ is-descriptor:0.1.6
                                            └─ is-accessor-descriptor:0.1.6
                                                  └─ kind-of:3.2.2
                                            └─ is-data-descriptor:0.1.4
                                                  └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.memoize:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.memoize:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• parcel:2.0.0-beta.2
        └─ @parcel/config-default:2.0.0-beta.2
              └─ @parcel/optimizer-cssnano:2.0.0-beta.2
                    └─ cssnano:4.1.11
                          └─ cssnano-preset-default:4.0.8
                                └─ postcss-merge-rules:4.0.3
                                      └─ caniuse-api:3.0.0
                                            └─ lodash.memoize:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of big-integer:1.6.48 results in the following vulnerability(s):

• (CVSS 9.8) CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Occurrences

big-integer:1.6.48 is a transitive dependency introduced by the following direct dependency(s):

• r2-shared-js:1.0.51
        └─ r2-utils-js:1.0.25
              └─ unzipper:0.10.11
                    └─ big-integer:1.6.48

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

http-proxy:1.18.1 is a transitive dependency introduced by the following direct dependency(s):

• http-server:0.12.3
        └─ http-proxy:1.18.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of mocha:5.2.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Just a thought for the future: You could add a log() function that incorporates the IS_DEV check within itself

Originally posted by @kristojorg in #306 (comment)

Vulnerabilities

DepShield reports that this application's usage of acorn:4.0.13 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:4.0.13 is a transitive dependency introduced by the following direct dependency(s):

• jsdom:9.12.0
        └─ acorn:4.0.13
        └─ acorn-globals:3.1.0
              └─ acorn:4.0.13

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

This issue is to mark Publication.readingOrder as a Link[] and remove any manual type casts to Link from the file

This is a ticket to refactor the way we process publication weights so that the map loop doesn't have side effects (a secondary loop modifying the original array inside itself). It appears necessary for now, but we should try to find another way in the future.

Vulnerabilities

DepShield reports that this application's usage of ini:1.3.8 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

ini:1.3.8 is a transitive dependency introduced by the following direct dependency(s):

• webpack-cli:3.3.9
        └─ findup-sync:3.0.0
              └─ resolve-dir:1.0.1
                    └─ global-modules:1.0.0
                          └─ global-prefix:1.0.2
                                └─ ini:1.3.8
        └─ global-modules:2.0.0
              └─ global-prefix:3.0.0
                    └─ ini:1.3.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of node-sass:4.13.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

This is to use the TS getter functionality so that d2Reader.toc() becomes d2Reader.toc for example.

Vulnerabilities

DepShield reports that this application's usage of braces:1.8.5 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

braces:1.8.5 is a transitive dependency introduced by the following direct dependency(s):

• cpx:1.5.0
        └─ chokidar:1.7.0
              └─ anymatch:1.3.2
                    └─ micromatch:2.3.11
                          └─ braces:1.8.5

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}