telerik / kendo-react

Issue tracker - KendoReact http://www.telerik.com/kendo-react-ui/
https://kendo-react-teal.vercel.app

[Bug][PDFViewer] Bump PDF.js version #2237

Open filipKovachev opened 2 months ago

filipKovachev commented 2 months ago

I'm submitting a...

Current behavior

Currently running npm audit results in the following error:

[image: screenshot of the npm audit output]

This is an issue with PDF.js, it seems that bumping the version to 4.2.67 should resolve it: https://github.com/advisories/GHSA-wgrm-67xf-hhpq

Expected behavior

When running npm audit this error should not appear.

Minimal reproduction of the problem with instructions

  1. Open this example: https://stackblitz.com/edit/react-z8v7d5?file=app%2Fmain.tsx
  2. Download it and run npm audit
  3. Observe the error

Reported in Ticket ID: 1651157

jamesryan-dev commented 2 months ago

+1 - this is halting our deployments to production

jamesryan-dev commented 2 months ago

From my investigation it appears to be the @progress/kendo-pdfviewer-common peer dependency, which is still using the pdfjs-dist that contains the vulnerability.

jamesryan-dev commented 1 month ago

does version 8.0.0 of both react-pdf-viewer and react-common now resolve this issue?

Many thanks, James

filipKovachev commented 1 month ago

Hello, James,

We have bumped the version of kendo-pdfviewer-common to 0.2.10 in order to avoid the vulnerability.

We've decided to postpone the update to 4.x due to compatibility issues that break user applications. We'll be able to proceed once mozilla/pdf.js#18051 is merged and released.

For the time being, we've mitigated the security vulnerability by setting isEvalSupported: false, as suggested in the CVE-2024-4367 security advisory. The fix will be available in the newest version.
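The two defender-side checks the thread discusses, as an added example that is not part of the original issue and not code from the kendo-react project or from pdf.js: scanning a package-lock.json for every copy of pdfjs-dist (including copies nested under a dependency such as @progress/kendo-pdfviewer-common) that is older than the 4.2.67 release the advisory names as fixed, and building getDocument() options with isEvalSupported: false for installs that cannot be upgraded yet. The lock-file excerpt is constructed for the demo; its package versions and paths are illustrative, and the helper names are this example's own.

```javascript
// Added example, not code from the kendo-react project or pdf.js.
// 1. Find pdfjs-dist copies in a package-lock.json older than the fixed release.
// 2. Build getDocument() options with the isEvalSupported: false mitigation.

// First release that GHSA-wgrm-67xf-hhpq / CVE-2024-4367 lists as fixed (from the thread).
const FIXED_PDFJS_VERSION = "4.2.67";

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// Pre-release tags are not handled, which is enough for release versions in a lock file.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/a/node_modules/pdfjs-dist", so a copy that a
// dependency pulls in for itself is found as well as the top-level one.
function findVulnerablePdfjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith("node_modules/pdfjs-dist")) continue;
    if (compareVersions(meta.version, FIXED_PDFJS_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Build the options object for pdfjsLib.getDocument(). isEvalSupported: false
// tells pdf.js not to use eval / new Function() internally, which is the
// mitigation the CVE-2024-4367 advisory recommends. A caller-supplied
// isEvalSupported: true is overridden on purpose; other options are kept.
function hardenedGetDocumentParams(src) {
  const params = typeof src === "string" ? { url: src } : { ...src };
  params.isEvalSupported = false;
  return params;
}

// Constructed lock-file excerpt for the demo (versions and paths are illustrative).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/pdfjs-dist": { version: "4.2.67" },
    "node_modules/@progress/kendo-pdfviewer-common": { version: "0.0.0-example" },
    "node_modules/@progress/kendo-pdfviewer-common/node_modules/pdfjs-dist": { version: "3.11.174" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable pdfjs-dist copies:", findVulnerablePdfjs(SAMPLE_LOCK));
  console.log("getDocument params:", hardenedGetDocumentParams("https://example.invalid/report.pdf"));
}
```

Run it against a real lock file with `findVulnerablePdfjs(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no copy of pdfjs-dist below 4.2.67 is installed, nested or otherwise. Where a copy remains, the object returned by hardenedGetDocumentParams is what to pass to pdfjsLib.getDocument() until the dependency is bumped.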

jamesryan-dev commented 1 month ago

Hey @filipKovachev thank you for getting in touch and clarifying the roadmap for the fix, hopefully Mozilla address ASAP.

Despite installing version 8 of react-pdf-viewer, which includes the peer dependency of kendo-pdfviewer-common@0.2.10, my npm audit command will continue to flag the package as a vulnerability, correct?

Will this be the case until the upgrade to 4.x has taken place in kendo-pdfviewer-common?

jamesryan-dev commented 1 month ago

@filipKovachev

Upgrading to v8.0.0 is breaking our React v17 Next App.

Upgrading to 18 / 19 isn't viable or possible.

In the package.json of your Kendo React package you're stating 16 || 17 || 18, and despite your conditional check for the version value, the import of "react-dom/client" is breaking, as 17 and below don't have this.

C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\grid\provideSaveGridPDF.mjs seems to be the file with the import.

error - ./node_modules/@progress/kendo-react-pdf/grid/provideSaveGridPDF.mjs:11:0
Module not found: Can't resolve 'react-dom/client'

Import trace for requested module:
./node_modules/@progress/kendo-react-pdf/grid/GridPDFExport.mjs
./node_modules/@progress/kendo-react-pdf/index.mjs
./src/components/organisms/HiddenPDF.tsx
./src/components/layouts/DetailsLayout.tsx
./src/pages/details/[jurisdiction].tsx

https://nextjs.org/docs/messages/module-not-found
error - Error: Cannot find module 'C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\react-dom\server' imported from C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\KendoDrawingAdapter.mjs
Did you mean to import react-dom/server.js?
    at new NodeError (node:internal/errors:399:5)
    at finalizeResolution (node:internal/modules/esm/resolve:326:11)
    at moduleResolve (node:internal/modules/esm/resolve:945:10)
    at defaultResolve (node:internal/modules/esm/resolve:1153:11)
    at nextResolve (node:internal/modules/esm/loader:163:28)
    at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
    at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)
    at link (node:internal/modules/esm/module_job:76:36) {
  code: 'ERR_MODULE_NOT_FOUND',
  page: '/details/[jurisdiction]'
}

silviyaboteva commented 1 week ago

Hi @jamesryan-dev, I'm sorry for the late reply. The issue upgrading to v8.0.0 is known to us and it's already fixed in version 8.1.0-develop.20. It will be available in the next official version of the @progress/kendo-react-pdf package.

Related issue for more information: https://github.com/telerik/kendo-react/issues/2306