In Development
Last Updated: 28 Apr 2026 14:57 by Michael D
Michael D
Created on: 27 Apr 2026 09:00
Category: Kendo UI for jQuery
Type: Bug Report
@progress/kendo-pdfviewer-common depends on vulnerable packages

The @progress/kendo-ui npm package creates the following dependency tree:

@progress/kendo-ui 2026.1.415
 |
  - @progress/kendo-pdfviewer-common ^0.6.4 -> 0.6.4
    |
     - pdfjs-dist 4.6.82 -> 4.6.82
       |
        - canvas ^2.11.2 -> 2.11.2
          |
           - @mapbox/node-pre-gyp ^1.0.0 -> 1.0.11
             |
              - tar ^6.1.11 -> 6.2.1

All packages have been updated to the latest version possible.

Versions <= 7.5.10 of tar have multiple known vulnerabilities:
2 comments
Michael D
Posted on: 28 Apr 2026 14:57
Thank you very much for the quick reply! I did not see the override in @progress/kendo-pdfviewer-common.
ADMIN
Georgi Denchev
Posted on: 27 Apr 2026 14:06

Hi Michael,

Thank you for the provided report.

Please check the following Github comment:

https://github.com/telerik/kendo-ui-core/issues/8445#issuecomment-4031870552

In case you are unable to access Github, here are the raw contents:

We have just released `@progress/kendo-pdfviewer-common v0.6.4` which overrides the `tar` dependency to `>=7.5.10`. Reinstalling the latest https://www.npmjs.com/package/@progress/kendo-ui would now install https://www.npmjs.com/package/@progress/kendo-pdfviewer-common `0.6.4`. If there are still alerts after that, adding the following override rule to your root package.json (or where @progress/kendo-ui is installed) and running `npm i` will resolve the problem for the time being:

{
  "dependencies": {
    "@progress/kendo-ui": "^2026.1.212"
  },
  "overrides": {
    "tar": ">=7.5.10"
  }
}

The override is safe to add and won't break any functionalities in the PDFViewer component.

We are in the process of testing out a bump to the latest pdfjs (v5) version that no longer depends on the outdated canvas v2 library that carries the 'node-tar' dependency. Our next release is scheduled for next month (May) and we would hopefully have the bump by then.

For the time being, please use the provided workaround to manually update the problematic version of the package.

Note: sometimes you may need to delete the entire node_modules folder and package-lock.json file and then do a clean `npm i` to avoid caching problems.

Please let me know if additional assistance is required.

Best Regards,
Georgi Denchev
Progress Telerik
