
[Bug][PDFViewer] Bump PDF.js version #2237

Open
filipKovachev opened this issue May 8, 2024 · 6 comments
Labels
Bug Item which indicates that something is not working KendoReact pkg:PdfViewer SEV: High

Comments

@filipKovachev
Contributor

I'm submitting a...

  • Bug report

Current behavior

Currently running npm audit results in the following error:

(screenshot of the npm audit output)

This is an issue with PDF.js; it seems that bumping the version to 4.2.67 should resolve it: GHSA-wgrm-67xf-hhpq

Expected behavior

When running npm audit this error should not appear.

Minimal reproduction of the problem with instructions

  1. Open this example: https://stackblitz.com/edit/react-z8v7d5?file=app%2Fmain.tsx
  2. Download it and run npm audit
  3. Observe the error

Reported in Ticket ID: 1651157

@filipKovachev filipKovachev added Bug Item which indicates that something is not working pkg:PdfViewer KendoReact SEV: Medium labels May 8, 2024
@jamesryan-dev

+1 - this is halting our deployments to production

@jamesryan-dev

From my investigation it appears to be the @progress/kendo-pdfviewer-common peer dependency which is still using a pdfjs-dist version that contains the vulnerability.

@jamesryan-dev

does version 8.0.0 of both react-pdf-viewer and react-common now resolve this issue?

Many thanks,
James

@filipKovachev
Contributor Author

filipKovachev commented May 15, 2024

Hello, James,

We have bumped the version of kendo-pdfviewer-common to 0.2.10 in order to avoid the vulnerability.

We've decided to postpone the update to 4.x due to compatibility issues that break user applications. We'll be able to proceed once mozilla/pdf.js#18051 is merged and released.

For the time being, we've mitigated the security vulnerability by setting isEvalSupported: false, as suggested in the CVE-2024-4367 security advisory. The fix will be available in the newest version.
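Added example, not code from this issue thread or from the Kendo or PDF.js projects: it ties together the two points raised above, the fixed pdfjs-dist release 4.2.67 from the original report and the interim isEvalSupported: false mitigation. It audits a package-lock.json (lockfile v2/v3 "packages" map, sample constructed inline) for pdfjs-dist copies below 4.2.67, including transitive copies nested under packages such as @progress/kendo-pdfviewer-common, and builds getDocument() parameters with the mitigation forced on; the package versions in the sample are constructed.

```javascript
// Added example (not from the issue or the Kendo/PDF.js projects).
// Fixed pdfjs-dist release named in the issue / GHSA-wgrm-67xf-hhpq.
const FIXED_PDFJS = "4.2.67";

// Compare dotted numeric versions ("4.2.67" vs "3.11.174"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile v2/v3 "packages" map. Every key is a node_modules path,
// so nested (transitive) copies of pdfjs-dist are found as well as the
// top-level one. Returns the copies still below the fixed release.
function findVulnerablePdfjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/pdfjs-dist")) continue;
    if (compareVersions(meta.version, FIXED_PDFJS) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Interim mitigation from the thread: force isEvalSupported off on the
// getDocument() parameters regardless of what the caller passed, so the
// eval-based code path the advisory refers to is never enabled.
function hardenedGetDocumentParams(params) {
  return { ...params, isEvalSupported: false };
}

// Constructed sample lock file: a direct pdfjs-dist already on the fixed
// release and an older transitive copy nested under the Kendo common package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/pdfjs-dist": { version: "4.2.67" },
    "node_modules/@progress/kendo-pdfviewer-common": { version: "0.2.9" },
    "node_modules/@progress/kendo-pdfviewer-common/node_modules/pdfjs-dist": { version: "3.11.174" },
  },
};

console.log(JSON.stringify(findVulnerablePdfjs(SAMPLE_LOCK)));
```

On a real tree, read package-lock.json with JSON.parse and pass it to findVulnerablePdfjs; an empty result means no copy below 4.2.67 remains, which is what npm audit checks for here.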

@jamesryan-dev

Hey @filipKovachev, thank you for getting in touch and clarifying the roadmap for the fix; hopefully Mozilla addresses this ASAP.

Despite installing version 8 of react-pdf-viewer, which includes the peer dependency of [email protected], my npm audit command will continue to flag the package as a vulnerability, correct?

Will this be the case until the upgrade to 4.x has taken place in kendo-pdfviewer-common?

@jamesryan-dev

@filipKovachev

Upgrading to v8.0.0 is breaking our react v17 Next App.

Upgrading to 18 / 19 isn't viable or possible.

In the package.json of your Kendo React package you're stating 16 || 17 || 18, and despite your conditional check for the version value, the import of "react-dom/client" is breaking, as 17 and below don't have this.

C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\grid\provideSaveGridPDF.mjs seems to be the file with the import.

error - ./node_modules/@progress/kendo-react-pdf/grid/provideSaveGridPDF.mjs:11:0
Module not found: Can't resolve 'react-dom/client'

Import trace for requested module:
./node_modules/@progress/kendo-react-pdf/grid/GridPDFExport.mjs
./node_modules/@progress/kendo-react-pdf/index.mjs
./src/components/organisms/HiddenPDF.tsx
./src/components/layouts/DetailsLayout.tsx
./src/pages/details/[jurisdiction].tsx

https://nextjs.org/docs/messages/module-not-found
error - Error: Cannot find module 'C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\react-dom\server' imported from C:\Users\svc_appsrdp\Documents\Code\Journey\aadigital.journey.fe\node_modules\@progress\kendo-react-pdf\KendoDrawingAdapter.mjs
Did you mean to import react-dom/server.js?
    at new NodeError (node:internal/errors:399:5)
    at finalizeResolution (node:internal/modules/esm/resolve:326:11)
    at moduleResolve (node:internal/modules/esm/resolve:945:10)
    at defaultResolve (node:internal/modules/esm/resolve:1153:11)
    at nextResolve (node:internal/modules/esm/loader:163:28)
    at ESMLoader.resolve (node:internal/modules/esm/loader:838:30)
    at ESMLoader.getModuleJob (node:internal/modules/esm/loader:424:18)
    at ModuleWrap.<anonymous> (node:internal/modules/esm/module_job:77:40)
    at link (node:internal/modules/esm/module_job:76:36) {
  code: 'ERR_MODULE_NOT_FOUND',
  page: '/details/[jurisdiction]'
}
