Bump pdf.js version for vulnerability

[mustangJaro]

The pdf.js version should be updated to 4.2.67 in order to address the vulnerability shown below.

[OleksiiHryhorian]

+1

[arichwei]

+1

[tmoran-stenoa]

@ol-th Could you please upgrade the pdf.js dependency version when you find the time? It would be much appreciated. Thank you! (On a semi-related note, I've also opened PR #56 to be able to control whether eval is allowed)

[chefvivica]

+1

[chefvivica]

Hi @ol-th I wonder when we should expect this issue to be resolved? Thanks

[jason1610]

Would be really nice if this gets fixed soon.

[VVill-ga]

+1, this still needs to be resolved

[ADTC]

Same here:

npm audit report

pdfjs-dist <=4.1.392
Severity: high
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - GHSA-wgrm-67xf-hhpq
No fix available
node_modules/pdfjs-dist
pdf-img-convert *
Depends on vulnerable versions of pdfjs-dist
node_modules/pdf-img-convert

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

The patched version is 4.2.67.

[kaakaa]

This issue seems to be fixed in v2.0.0.

Security: Addressed a critical security vulnerability in previously used npm packages by updating pdfjs-dist to the latest versions.