pandoc: apply patch removing the usage of polyfill.io in the templates

If you output HTML with MathJax content Pandoc might uses a JS library provided by cdn.polyfill.io which is now considered to be a bad actor. https://sansec.io/research/polyfill-supply-chain-attack Pandoc does not use this domain in recent versions but upgrading it seems more complex right now especially if we consider backports to the stable releases. (cherry picked from commit 08c21134cd)
2024-11-29 02:13:23 +00:00 · 2024-06-26 17:59:01 +02:00 · 2024-06-26 17:59:01 +02:00 · 89ad925e05
commit 89ad925e05
parent 66f253e5b2
1 changed files with 11 additions and 1 deletions
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@ -1930,7 +1930,17 @@ self: super: {
  readline = appendPatch ./patches/readline-fix-for-cabal-3.patch super.readline;

  # https://github.com/jgm/pandoc/issues/9589
-  pandoc = assert super.pandoc.version == "3.1.11.1"; dontCheck super.pandoc;
+  pandoc = assert super.pandoc.version == "3.1.11.1"; lib.pipe super.pandoc
+    [
+      dontCheck
+      (appendPatch
+        (pkgs.fetchpatch {
+          name = "drop-usage-known-bad-actor-cdn.patch";
+          url = "https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092.patch";
+          hash = "sha256-2ffdL2dS/hHWBjJcIHbae5OdL/VKlHNKUMDHRy3hqvc=";
+        })
+      )
+    ];

  # 2020-12-06: Restrictive upper bounds w.r.t. pandoc-types (https://github.com/owickstrom/pandoc-include-code/issues/27)
  pandoc-include-code = doJailbreak super.pandoc-include-code;