Open filipKovachev opened 2 months ago
+1 - this is halting our deployments to production
From my investigation it appears to be @progress/kendo-pdfviewer-common peer dependency which is still using pdfjs-dist which contains the vulnerability.
Does version 8.0.0 of both react-pdf-viewer and react-common now resolve this issue?
Many thanks, James
Hello, James,
We have bumped the version of kendo-pdfviewer-common to 0.2.10 in order to avoid the vulnerability.
We've decided to postpone the update to 4.x due to compatibility issues that break user applications. We'll be able to proceed once mozilla/pdf.js#18051 is merged and released.
For the time being, we've mitigated the security vulnerability by setting isEvalSupported: false, as suggested in the CVE-2024-4367 security advisory. The fix will be available in the newest version.
Hey @filipKovachev thank you for getting in touch and clarifying the roadmap for the fix, hopefully Mozilla address ASAP.
Despite installing version 8 of react-pdf-viewer, which includes the peer dependency of kendo-pdfviewer-common@0.2.10, my npm audit command will continue to flag the package as a vulnerability, correct?
Will this be the case until the upgrade to 4.x has taken place in kendo-pdfviewer-common?
@filipKovachev
Upgrading to v8.0.0 is breaking our react v17 Next App.
Upgrading to 18 / 19 isn't viable or possible.
In the package.json of your Kendo React Package you're stating 16 || 17 || 18 and despite your conditional check for version value the import of "react-dom/client" is breaking as 17 and below don't have this.
C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\grid\provideSaveGridPDF.mjs
Seems to be the file with the import
error - ./node_modules/@progress/kendo-react-pdf/grid/provideSaveGridPDF.mjs:11:0
Module not found: Can't resolve 'react-dom/client'
Import trace for requested module:
./node_modules/@progress/kendo-react-pdf/grid/GridPDFExport.mjs
./node_modules/@progress/kendo-react-pdf/index.mjs
./src/components/organisms/HiddenPDF.tsx
./src/components/layouts/DetailsLayout.tsx
./src/pages/details/[jurisdiction].tsx
https://nextjs.org/docs/messages/module-not-found
error - Error: Cannot find module 'C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\react-dom\server' imported from C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\KendoDrawingAdapter.mjs
Did you mean to import react-dom/server.js?
at new NodeError (node:internal/errors:399:5)
at finalizeResolution (node:internal/modules/esm/resolve:326:11)
at moduleResolve (node:internal/modules/esm/resolve:945:10)
at defaultResolve (node:internal/modules/esm/resolve:1153:11)
at nextResolve (node:internal/modules/esm/loader:163:28)
at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)
at link (node:internal/modules/esm/module_job:76:36) {
code: 'ERR_MODULE_NOT_FOUND',
page: '/details/[jurisdiction]'
}
Hi @jamesryan-dev
I'm sorry for the late reply. The issue upgrading to v8.0.0 is known to us and it's already fixed in version 8.1.0-develop.20. It will be available in the next official version of the @progress/kendo-react-pdf package.
Related issue for more information: https://github.com/telerik/kendo-react/issues/2306
I'm submitting a...
Current behavior
Currently running npm audit results in the following error:
This is an issue with PDF.js, it seems that bumping the version to 4.2.67 should resolve it: https://github.com/advisories/GHSA-wgrm-67xf-hhpq
Expected behavior
When running npm audit this error should not appear.
Minimal reproduction of the problem with instructions
npm audit
Reported in Ticket ID: 1651157
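Added example, not part of the thread and not Kendo or PDF.js code: npm audit matches on the installed pdfjs-dist version rather than on runtime options such as isEvalSupported, so this sketch lists every pdfjs-dist copy in a package-lock.json that is older than 4.2.67 (the version named in the issue text) and which package it is nested under. The lockfile contents, the `example-viewer` package and the function names are constructed for illustration.

```javascript
// Constructed sample: a trimmed package-lock.json (lockfileVersion 3).
// Package versions below are made up for the demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@progress/kendo-pdfviewer-common": { version: "0.2.10" },
    "node_modules/pdfjs-dist": { version: "3.11.174" }, // hoisted copy
    "node_modules/example-viewer/node_modules/pdfjs-dist": { version: "4.2.67" },
  },
};

const FIXED_IN = "4.2.67"; // version the issue text says should resolve the advisory

// Compare dotted numeric versions; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed pdfjs-dist copy older than fixedIn, with the package
// whose node_modules folder contains it ("(root)" for a hoisted copy).
function findOldPdfjs(lock, fixedIn = FIXED_IN) {
  const marker = "node_modules/pdfjs-dist";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== marker && !path.endsWith("/" + marker)) continue;
    if (!meta.version || compareVersions(meta.version, fixedIn) >= 0) continue;
    const parentPath = path.slice(0, path.length - marker.length).replace(/\/$/, "");
    const parent = parentPath.split("node_modules/").pop() || "(root)";
    hits.push({ path, version: meta.version, nestedUnder: parent });
  }
  return hits;
}

// Prints the single flagged entry: the hoisted 3.11.174 copy.
console.log(findOldPdfjs(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's package-lock.json.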