Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug][PDFViewer] Bump PDF.js version #2237

Closed
filipKovachev opened this issue May 8, 2024 · 8 comments
Closed

[Bug][PDFViewer] Bump PDF.js version #2237

filipKovachev opened this issue May 8, 2024 · 8 comments
Assignees
@PekoPPT @bptodorova
Labels
Bug Item which indicates that something is not working KendoReact pkg:PdfViewer SEV: High
Milestone
2024 Q4 (Nov)

Comments

@filipKovachev
Copy link
Contributor

I'm submitting a...

  • Bug report

Current behavior

Currently running npm audit results in the following error:

image

This is an issue with PDF.js, it seems that bumping the version to 4.2.67 should resolve it: GHSA-wgrm-67xf-hhpq

Expected behavior

When running npm audit this error should not appear.

Minimal reproduction of the problem with instructions

  1. Open this example: https://stackblitz.com/edit/react-z8v7d5?file=app%2Fmain.tsx
  2. Download it and run npm audit
  3. Observe the error

Reported in Ticket ID: 1651157
@filipKovachev filipKovachev added Bug Item which indicates that something is not working pkg:PdfViewer KendoReact SEV: Medium labels May 8, 2024
@jamesryan-dev
Copy link

+1 - this is halting our deployments to production

@jamesryan-dev
Copy link

From my investigation is appears to be @progress/kendo-pdfviewer-common peer dependency which is still using pdfjs-dist which contains the vulnerability.

@jamesryan-dev
Copy link

does version 8.0.0 of both react-pdf-viewer and react-common now resolve this issue?

Many thanks,
James

@filipKovachev
Copy link
Contributor Author

filipKovachev commented May 15, 2024
edited
Loading

Hello, James,

We have bumped the version of kendo-pdfviewer-common to 0.2.10 in order to avoid the vulnerability

We've decided to postpone the update to 4.x due to compatibility issues that break user applications. We'll be able to proceed once mozilla/pdf.js#18051 is merged and released.

For the time being, we've mitigated the security vulnerability by setting isEvalSupported: false, as suggested in the CVE-2024-4367 security advisory, the fix will be available in the newest version

@jamesryan-dev
Copy link

Hey @filipKovachev thank you for getting in touch and clarifying the roadmap for the fix, hopefully Mozilla address ASAP.

Despite installing version 8 of react-pdf-viewer, which includes the peer dependency of kendo-pdfviewer-common@0.2.10, my npm audit command will continue to flag the package as a vulnerability, correct?

Will this be the case until the upgrade to 4.x has taken place in kendo-pdfviewer-common?

@jamesryan-dev
Copy link

@filipKovachev

Upgrading to v8.0.0 is breaking our react v17` Next App.

Upgrading to 18 / 19 isn't viable or possible.

In the package.json of your Kendo React Package you're stating 16 || 17 || 18 and despite your conditional check for version value the import of "react-dom/client" is breaking as 17 and below don't have this..

C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\grid\provideSaveGridPDF.mjs Seems to be the file with the import

error - ./node_modules/@progress/kendo-react-pdf/grid/provideSaveGridPDF.mjs:11:0
Module not found: Can't resolve 'react-dom/client'

Import trace for requested module:
./node_modules/@progress/kendo-react-pdf/grid/GridPDFExport.mjs
./node_modules/@progress/kendo-react-pdf/index.mjs
./src/components/organisms/HiddenPDF.tsx
./src/components/layouts/DetailsLayout.tsx
./src/pages/details/[jurisdiction].tsx

https://nextjs.org/docs/messages/module-not-found
error - Error: Cannot find module 'C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\react-dom\server' imported from C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\KendoDrawingAdapter.m
js
Did you mean to import react-dom/server.js?
    at new NodeError (node:internal/errors:399:5)
    at finalizeResolution (node:internal/modules/esm/resolve:326:11)
    at moduleResolve (node:internal/modules/esm/resolve:945:10)
    at defaultResolve (node:internal/modules/esm/resolve:1153:11)
    at nextResolve (node:internal/modules/esm/loader:163:28)
    at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
    at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)
    at link (node:internal/modules/esm/module_job:76:36) {
  code: 'ERR_MODULE_NOT_FOUND',
  page: '/details/[jurisdiction]'
}

@silviyaboteva
Copy link
Contributor

Hi @jamesryan-dev
I'm sorry for the late reply. The issue upgrading to v8.0.0 is known to us and it's already fixed in version 8.1.0-develop.20. It will be available in the next official version of the @progress\kendo-react-pdf package.

Related issue for more information: #2306

@silviyaboteva silviyaboteva self-assigned this Jun 27, 2024
@silviyaboteva silviyaboteva added this to the 2024 Q4 (Nov) milestone Jun 28, 2024
@PekoPPT PekoPPT assigned bptodorova and unassigned silviyaboteva Aug 20, 2024
@PekoPPT
Copy link
Contributor

PekoPPT commented Sep 12, 2024

The version of PDF.js is bumped in the latest development version of the @progress/kendo-react-pdf-viewer package. The Kendo React suite's official version will be released next week.

@PekoPPT PekoPPT closed this as completed Sep 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@PekoPPT PekoPPT

@bptodorova bptodorova

Labels
Bug Item which indicates that something is not working KendoReact pkg:PdfViewer SEV: High
Projects
None yet
Milestone
2024 Q4 (Nov)
Development

No branches or pull requests
5 participants
@jamesryan-dev @silviyaboteva @PekoPPT @filipKovachev @bptodorova