Fix CVE-2024-4367

[make-github-pseudonymous-again]

By default, pdfjs-dist optimizes some path resolution logic by compiling a JavaScript function on the fly. The function is built using string concatenation and no effort is made at sanitizing the parts it is built from. These parts could contain user-input which leads to a code injection vulnerability. This commit disables this default behavior. An alternative is to upgrade pdfjs-dist to v4.2.67 or later.

See:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
• https://www.cve.org/CVERecord?id=CVE-2024-4367
• https://security.snyk.io/vuln/SNYK-JS-PDFJSDIST-6810403
• https://github.com/advisories/GHSA-wgrm-67xf-hhpq
• https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
• https://github.com/mozilla/pdf.js/pull/18015
• https://github.com/wojtekmaj/react-pdf/discussions/1786
• https://security.stackexchange.com/questions/248462/is-firefoxs-new-javascript-support-within-pdf-files-a-security-concern/248985#248985
• https://stackoverflow.com/questions/49299000/what-are-the-security-implications-of-the-isevalsupported-option-in-pdf-js
• https://github.com/mozilla/pdf.js/issues/10818

[codecov[bot]]

Codecov Report

Attention: Patch coverage is 33.33333% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 64.49%. Comparing base (499fcb7) to head (2d3e1ba). Report is 2 commits behind head on main.

Files	Patch %	Lines
imports/lib/pdf/pdf.ts	33.33%	2 Missing :warning:

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #935 +/- ## ========================================== + Coverage 64.48% 64.49% +0.01% ========================================== Files 703 703 Lines 9705 9705 Branches 1335 1335 ========================================== + Hits 6258 6259 +1 Misses 3003 3003 + Partials 444 443 -1 ``` | [Flag](https://app.codecov.io/gh/infoderm/patients/pull/935/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=infoderm) | Coverage Δ | | |---|---|---| | [test](https://app.codecov.io/gh/infoderm/patients/pull/935/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=infoderm) | `69.78% <33.33%> (+0.01%)` | :arrow_up: | | [test-app](https://app.codecov.io/gh/infoderm/patients/pull/935/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=infoderm) | `53.77% <33.33%> (ø)` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=infoderm#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.