Description
Hello Maintainers,
During a recent security review of our mobile application, our SCA/SAST tools flagged react-native-pdf (v7.0.3) for using outdated or potentially vulnerable native dependencies on iOS. This library is used solely for PDF viewing functionality, and while the risk is limited, the issue affects compliance requirements because:
- Current Version: 7.0.3
- Latest Version Available in NPM: 7.0.3
- Dependency Source: NPM package + iOS CocoaPod
- Usage Type: Runtime dependency
- Introduced By: Direct application dependency
- Exception Required: Yes
- Reason: No newer version exists; the project appears unmaintained.
We cannot upgrade further because 7.0.3 is the latest version published by the maintainer, and no updates have been released.
Steps to reproduce

1. Create a new React Native project:

```shell
npx react-native init PdfRepro
cd PdfRepro
```

2. Install react-native-pdf:

```shell
yarn add react-native-pdf
```

3. Install iOS pods:

```shell
cd ios && pod install
```

4. Open the generated Podfile.lock and observe that the PDF-related native dependencies bundled by this library are fixed to the outdated versions included in the 7.0.3 release.
5. Run any SCA/SAST tool (e.g., Snyk, Mend, BlackDuck, Fortify).
6. The scanner flags react-native-pdf and its native Pod dependencies as outdated / lacking patches.
Expected behavior
The library should ideally:

- Use up-to-date native iOS PDF rendering libraries, or
- Provide an updated release in NPM and CocoaPods, or
- Confirm that the currently bundled native dependencies are the latest available upstream, and safe to use.
Developers expect react-native-pdf to not introduce outdated or vulnerable iOS native components when installed.
Stacktrace or Logs
There is no runtime crash, but installation and scan logs confirm the issue:
Pod Installation Log

```
$ pod install
Installing react-native-pdf (7.0.3)
Installing (versions bundled with this package)
```

Podfile.lock Extract

```
- react-native-pdf (7.0.3)
```

Security Scan Output (Example)

```
[Vulnerability] react-native-pdf 7.0.3 contains outdated native iOS dependencies.
Severity: Medium
Path: react-native-pdf → iOS CocoaPods
Recommendation: Upgrade to a patched version (none available).
```
Output of npx react-native info
```
tpt-mp-mobile-app % npx react-native info
info Fetching system and libraries information...
System:
  OS: macOS 15.7.2
  CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Memory: 32.17 MB / 16.00 GB
  Shell:
    version: "5.9"
    path: /bin/zsh
Binaries:
  Node:
    version: 22.21.1
    path: /usr/local/bin/node
  Yarn: Not Found
  npm:
    version: 11.6.2
    path: /Users/neha/Documents/ReactWorkspace/TPT/AndroidTesting/tpt-mp-mobile-app/node_modules/.bin/npm
  Watchman: Not Found
Managers:
  CocoaPods:
    version: 1.16.2
    path: /Users/neha/.rbenv/shims/pod
SDKs:
  iOS SDK:
    Platforms:
      - DriverKit 25.2
      - iOS 26.2
      - macOS 26.2
      - tvOS 26.2
      - visionOS 26.2
      - watchOS 26.2
  Android SDK:
    API Levels:
      - "28"
      - "31"
      - "33"
      - "34"
      - "36"
    Build Tools:
      - 30.0.3
      - 33.0.1
      - 34.0.0
      - 35.0.0
      - 36.0.0
    System Images:
      - android-31 | Google Play Intel x86_64 Atom
      - android-34 | Google APIs Intel x86_64 Atom
      - android-UpsideDownCakePrivacySandbox | Google Play Intel x86_64 Atom
  Android NDK: Not Found
IDEs:
  Android Studio: 2022.2 AI-222.4459.24.2221.10121639
  Xcode:
    version: 26.2/17C52
    path: /usr/bin/xcodebuild
Languages:
  Java:
    version: 17.0.10
    path: /usr/bin/javac
  Ruby:
    version: 3.2.2
    path: /Users/neha/.rbenv/shims/ruby
npmPackages:
  "@react-native-community/cli": Not Found
  react:
    installed: 18.2.0
    wanted: 18.2.0
  react-native:
    installed: 0.73.2
    wanted: 0.73.2
  react-native-macos: Not Found
npmGlobalPackages:
  "react-native": Not Found
Android:
  hermesEnabled: true
  newArchEnabled: false
iOS:
  hermesEnabled: true
  newArchEnabled: false
```
Affected React-Native Architecture
New Architecture
Affected Platforms
Android and iOS
Reproducer
I cannot share a public repository, but the issue is reproducible in a fresh RN project by installing react-native-pdf@7.0.3 and running cd ios && pod install. The resulting Podfile.lock shows the outdated native iOS components.
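The inspection described in step 4 of the reproduction steps and in the reproducer note above (reading Podfile.lock to see which native pods react-native-pdf pins) can be scripted, which also produces the list of pinned components an SCA exception request has to enumerate. The script below is an added example, not code from the react-native-pdf project or from this issue's reporter: it parses the PODS section of ios/Podfile.lock, walks the dependency graph from react-native-pdf and returns every reachable pod with its locked version. The embedded lockfile is constructed for the example; apart from react-native-pdf (7.0.3) the pod names and versions (including the hypothetical ExampleNativePdfKit) are placeholders, not the library's real dependency list.

```python
"""List the native pods a given library pulls in, from a CocoaPods Podfile.lock.

Added example (not part of the react-native-pdf project). Run with no
arguments to use the constructed sample lockfile below, or pass the path to a
real ios/Podfile.lock as the first argument.
"""
import re
import sys
from collections import deque

# Constructed sample lockfile. Only the react-native-pdf (7.0.3) entry comes
# from the issue; ExampleNativePdfKit and the other pods are placeholders.
SAMPLE_PODFILE_LOCK = """\
PODS:
  - boost (1.83.0)
  - ExampleNativePdfKit (1.0.0)
  - React-Core (0.73.2):
    - boost
    - glog
  - glog (0.3.5)
  - react-native-pdf (7.0.3):
    - ExampleNativePdfKit (= 1.0.0)
    - React-Core

DEPENDENCIES:
  - react-native-pdf (from `../node_modules/react-native-pdf`)

SPEC CHECKSUMS:
  react-native-pdf: PLACEHOLDER_CHECKSUM
"""

# Top-level pod entry in the PODS section: "  - Name (Version)" with an
# optional trailing colon when the pod lists dependencies beneath it.
POD_RE = re.compile(r"^  - (?P<name>[^\s(]+) \((?P<version>[^)]+)\):?$")
# Nested dependency line: "    - Name" optionally followed by a constraint.
DEP_RE = re.compile(r"^    - (?P<name>[^\s(]+)")


def parse_pods(lock_text):
    """Return {pod_name: (locked_version, [dependency names])} from PODS."""
    pods = {}
    current = None
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        if not in_pods:
            continue
        m = POD_RE.match(line)
        if m:
            current = m.group("name")
            pods[current] = (m.group("version"), [])
            continue
        m = DEP_RE.match(line)
        if m and current is not None:
            pods[current][1].append(m.group("name"))
    return pods


def transitive_pods(pods, root):
    """Locked version of `root` and of every pod reachable from it (BFS)."""
    seen = {}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        # Skip pods already visited or not present as a top-level PODS entry
        # (e.g. a subspec referenced under a different name).
        if name in seen or name not in pods:
            continue
        version, deps = pods[name]
        seen[name] = version
        queue.extend(deps)
    return seen


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PODFILE_LOCK
    pinned = transitive_pods(parse_pods(text), "react-native-pdf")
    for name, version in sorted(pinned.items()):
        print(f"{name} ({version})")
```

The output is the set of pods whose versions are fixed by installing the library, which is what a scanner compares against upstream releases; feeding the same list into the exception ticket makes the compliance claim in the issue verifiable rather than a bare "outdated" flag.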