pandoc: apply patch removing the usage of polyfill.io in the templates

If you output HTML with MathJax content Pandoc might uses a JS library provided by cdn.polyfill.io which is now considered to be a bad actor. https://sansec.io/research/polyfill-supply-chain-attack Pandoc does not use this domain in recent versions but upgrading it seems more complex right now especially if we consider backports to the stable releases.
2024-09-23 05:37:27 +03:00 · 2024-06-26 17:59:01 +02:00 · 2024-06-26 17:59:01 +02:00 · 08c21134cd
commit 08c21134cd
parent 00ba4c2c35
1 changed files with 11 additions and 1 deletions
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@ -1962,7 +1962,17 @@ self: super: {
  readline = appendPatch ./patches/readline-fix-for-cabal-3.patch super.readline;

  # https://github.com/jgm/pandoc/issues/9589
-  pandoc = assert super.pandoc.version == "3.1.11.1"; dontCheck super.pandoc;
+  pandoc = assert super.pandoc.version == "3.1.11.1"; lib.pipe super.pandoc
+    [
+      dontCheck
+      (appendPatch
+        (pkgs.fetchpatch {
+          name = "drop-usage-known-bad-actor-cdn.patch";
+          url = "https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092.patch";
+          hash = "sha256-2ffdL2dS/hHWBjJcIHbae5OdL/VKlHNKUMDHRy3hqvc=";
+        })
+      )
+    ];

  # 2020-12-06: Restrictive upper bounds w.r.t. pandoc-types (https://github.com/owickstrom/pandoc-include-code/issues/27)
  pandoc-include-code = doJailbreak super.pandoc-include-code;