wojtekmaj / react-pdf

Display PDFs in your React app as easily as if they were images.
https://projects.wojtekmaj.pl/react-pdf
MIT License
9.34k stars, 882 forks

[breaking] Update pdfjs-dist to 4.2.67 #1774

Closed wojtekmaj closed 4 months ago

wojtekmaj commented 5 months ago

Closes #1664

Breaking changes (on top of #1690):

Blockers:

wojtekmaj commented 5 months ago

This PR is currently breaking most setups that do not support top level await (including Vite - see code changes in test app in this PR). I consider this a deal breaker at the moment and therefore postpone merging it.

See https://github.com/mozilla/pdf.js/issues/17349 for more details.

jacobshirley commented 5 months ago

Hi there, thank you for this - with the latest vulnerability in pdfjs-dist (https://osv.dev/vulnerability/GHSA-wgrm-67xf-hhpq), would it be possible to get an alpha release of this package from this PR? e.g. 9.0.0-alpha.1

wojtekmaj commented 5 months ago

@jacobshirley version 8.0.2 has been released to address the vulnerability.

Hcrab2336 commented 5 months ago

> @jacobshirley version 8.0.2 has been released to address the vulnerability.

@wojtekmaj Unfortunately, after updating react-pdf to version 8.0.2, the dependency pdfjs-dist is version 3.11.174 which is a vulnerable version and fails npm audits. Can pdfjs-dist be upgraded to 4.2.67? Thank you.

pdfjs-dist vulnerability: affected versions <= 4.1.392, patched version 4.2.67

https://github.com/advisories/GHSA-wgrm-67xf-hhpq

wojtekmaj commented 5 months ago

It's not vulnerable when used with the workaround we're leveraging. And no, we can't update it, reasons stated in the PR.

codeWriter6 commented 5 months ago

With your workaround patch, npm audit still fails.

wojtekmaj commented 5 months ago

Without a doubt, because we're using pdfjs-dist version that was still vulnerable, unless a certain feature was disabled, which is exactly what React-PDF 7.7.3 and 8.0.2 are doing. You can safely dismiss the audit.

vik-buchinski commented 5 months ago

> Without a doubt, because we're using pdfjs-dist version that was still vulnerable, unless a certain feature was disabled, which is exactly what React-PDF 7.7.3 and 8.0.2 are doing. You can safely dismiss the audit.

Our team uses an 'npm audit' script to check for vulnerable libraries. It is impossible to 'ignore' a specific vulnerability with it. Disabling the audits for the whole project is not an option.

So, you released the workaround, but it doesn't fix the audit issue.

We would appreciate it if it were fixed without a workaround.

Thank you in advance and have a good day!
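The exchange above leaves teams with a failing `npm audit` and a maintainer statement that the finding is mitigated. The following is an added example, not react-pdf's or pdf.js's own code, of how a consumer can encode that reasoning in a repeatable lockfile check instead of dismissing the audit by hand: it reads a `package-lock.json` (a constructed sample is embedded), lists every resolved copy of `pdfjs-dist`, compares it against the advisory range quoted in the thread (affected <= 4.1.392, patched 4.2.67), and only reports "mitigated" when the vulnerable copy is reached solely through one of the react-pdf versions the maintainer names (7.7.3, 8.0.2). The "certain feature" is not named on this page; the advisory's published workaround is passing `isEvalSupported: false` to pdf.js `getDocument()`, and `hardenDocumentOptions` forces that flag into the `options` object react-pdf forwards to `getDocument`. The function names, the lockfile sample and the rule that any other react-pdf version counts as "vulnerable" (i.e. needs manual review) are this example's assumptions.

```javascript
// Added example (not react-pdf's own code): audit a package-lock.json for
// GHSA-wgrm-67xf-hhpq and decide whether npm audit's finding is the
// "vulnerable pdfjs-dist, but mitigated by react-pdf" case from the thread.

// Constructed lockfile (lockfileVersion 3 shape) mirroring the thread's setup:
// react-pdf 8.0.2 pinning pdfjs-dist 3.11.174.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-pdf": "^8.0.2" } },
    "node_modules/react-pdf": {
      version: "8.0.2",
      dependencies: { "pdfjs-dist": "3.11.174" },
    },
    "node_modules/pdfjs-dist": { version: "3.11.174" },
  },
});

// Advisory data as quoted in the thread.
const ADVISORY = {
  id: "GHSA-wgrm-67xf-hhpq",
  pkg: "pdfjs-dist",
  affectedUpTo: "4.1.392", // affected: <= 4.1.392
  patched: "4.2.67",
};

// react-pdf versions the maintainer states ship with the affected feature disabled.
const REACT_PDF_WITH_WORKAROUND = new Set(["7.7.3", "8.0.2"]);

// Minimal "x.y.z" semver parse/compare (no prerelease handling; enough for the
// release versions a lockfile resolves to).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver release version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `name` in the lockfile, nested copies included, deduped.
function resolvedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) versions.add(entry.version);
  }
  return [...versions].sort(compareSemver);
}

function isAffected(version) {
  return compareSemver(version, ADVISORY.affectedUpTo) <= 0;
}

// status is one of:
//   "clean"      - no affected pdfjs-dist resolved
//   "mitigated"  - affected pdfjs-dist, reached only through a react-pdf version
//                  the maintainer says disables the feature
//   "vulnerable" - affected pdfjs-dist with any other react-pdf version, or with
//                  pdfjs-dist also declared directly by the app (react-pdf's
//                  workaround cannot cover the app's own getDocument() calls)
function assessLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const pdfjsDist = resolvedVersions(lock, ADVISORY.pkg);
  const reactPdf = resolvedVersions(lock, "react-pdf");
  const affected = pdfjsDist.filter(isAffected);
  const rootDeps = lock.packages?.[""]?.dependencies ?? {};
  const directPdfjs = ADVISORY.pkg in rootDeps;
  let status;
  if (affected.length === 0) status = "clean";
  else if (
    reactPdf.length > 0 &&
    reactPdf.every((v) => REACT_PDF_WITH_WORKAROUND.has(v)) &&
    !directPdfjs
  ) status = "mitigated";
  else status = "vulnerable";
  return { status, pdfjsDist, reactPdf, affected };
}

// Consumer-side belt and braces: the advisory's published workaround is to pass
// isEvalSupported: false to pdf.js getDocument(). react-pdf forwards the
// `options` prop to getDocument, so forcing the flag into whatever options the
// app builds keeps the mitigation even when other options are customised.
function hardenDocumentOptions(userOptions = {}) {
  return { ...userOptions, isEvalSupported: false };
}
```

Run it as a CI step against the real `package-lock.json` and fail the build only on `"vulnerable"`; a `"mitigated"` result is the case the maintainer describes above, and the audit finding can be recorded as accepted with the advisory id and the react-pdf version that justifies it.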

stevelizcano commented 5 months ago

@vik-buchinski You are more than welcome to sponsor them to prioritize the fix:

https://github.com/mozilla/pdf.js/issues/17245#issuecomment-2017812624

wojtekmaj commented 5 months ago

Please read my announcement regarding security vulnerability in https://github.com/wojtekmaj/react-pdf/discussions/1786 and please continue discussion regarding it there if needed.

wojtekmaj commented 4 months ago

Superseded by #1809