[Bug][PDFViewer] Bump PDF.js version about kendo-react HOT 6 OPEN

+1 - this is halting our deployments to production

from kendo-react.

From my investigation is appears to be @progress/kendo-pdfviewer-common peer dependency which is still using pdfjs-dist which contains the vulnerability.

from kendo-react.

does version 8.0.0 of both react-pdf-viewer and react-common now resolve this issue?

Many thanks,
James

from kendo-react.

Hello, James,

We have bumped the version of kendo-pdfviewer-common to 0.2.10 in order to avoid the vulnerability

We've decided to postpone the update to 4.x due to compatibility issues that break user applications. We'll be able to proceed once mozilla/pdf.js#18051 is merged and released.

For the time being, we've mitigated the security vulnerability by setting isEvalSupported: false, as suggested in the CVE-2024-4367 security advisory, the fix will be available in the newest version

from kendo-react.

Hey @filipKovachev thank you for getting in touch and clarifying the roadmap for the fix, hopefully Mozilla address ASAP.

Despite installing version 8 of react-pdf-viewer, which includes the peer dependency of [email protected], my npm audit command will continue to flag the package as a vulnerability, correct?

Will this be the case until the upgrade to 4.x has taken place in kendo-pdfviewer-common?

from kendo-react.

@filipKovachev

Upgrading to v8.0.0 is breaking our react v17` Next App.

Upgrading to 18 / 19 isn't viable or possible.

In the package.json of your Kendo React Package you're stating 16 || 17 || 18 and despite your conditional check for version value the import of "react-dom/client" is breaking as 17 and below don't have this..

C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\grid\provideSaveGridPDF.mjs Seems to be the file with the import

error - ./node_modules/@progress/kendo-react-pdf/grid/provideSaveGridPDF.mjs:11:0
Module not found: Can't resolve 'react-dom/client'

Import trace for requested module:
./node_modules/@progress/kendo-react-pdf/grid/GridPDFExport.mjs
./node_modules/@progress/kendo-react-pdf/index.mjs
./src/components/organisms/HiddenPDF.tsx
./src/components/layouts/DetailsLayout.tsx
./src/pages/details/[jurisdiction].tsx

https://nextjs.org/docs/messages/module-not-found
error - Error: Cannot find module 'C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\react-dom\server' imported from C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\KendoDrawingAdapter.m
js
Did you mean to import react-dom/server.js?
    at new NodeError (node:internal/errors:399:5)
    at finalizeResolution (node:internal/modules/esm/resolve:326:11)
    at moduleResolve (node:internal/modules/esm/resolve:945:10)
    at defaultResolve (node:internal/modules/esm/resolve:1153:11)
    at nextResolve (node:internal/modules/esm/loader:163:28)
    at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
    at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)
    at link (node:internal/modules/esm/module_job:76:36) {
  code: 'ERR_MODULE_NOT_FOUND',
  page: '/details/[jurisdiction]'
}

from kendo-react.