Update pdfjs-dist to 4.2.67 or later #1093

Open
Tyre88 opened this issue May 14, 2024 · 9 comments

Comments

@Tyre88

Tyre88 commented May 14, 2024

Bug Report or Feature Request (mark with an x)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [ ] Bug report -> please search issues before submitting
- [x] Feature request
- [ ] Documentation issue or request

@janpapenbrock

Should be fixed via #1092 I suppose?

@SimonFischer04

CVE is resolved, but updating would give some other benefits anyway.

@shamoon
Contributor

shamoon commented May 15, 2024

Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078

@SimonFischer04

> Yea, worth noting though that pdfjs 4.x has major breaking changes. When I looked at it, it seemed like it would require major rewrites to this package. Not that it's impossible, of course, but certainly not a quick thing. At the very least though this issue is probably a duplicate of #1078

Yeah,
Upgrading 2->3 was also already a new major version, but I guess there weren't that many (breaking) changes anyway? But now with 3->4 a lot more would be required?

@shamoon
Contributor

shamoon commented May 15, 2024

Yes, 2 -> 3 was a major version in terms of semver, but wasn't too bad. 3 -> 4 is much bigger, imho of course, see https://github.com/mozilla/pdf.js/releases/tag/v4.0.189

I haven't looked at it again, again it's of course not impossible but unfortunately I think significantly more

@agravity-philipp

I would also prefer to have it upgraded. npm still mentioned in version 10.2.2 the high severity vulnerability in pdf.js.

But they mentioned a workaround to set the option isEvalSupported to false.
How would that be applied in ng2-pdf-viewer?

@pavliczandris

pavliczandris commented May 24, 2024

> I would also prefer to have it upgraded. npm still mentioned in version 10.2.2 the high severity vulnerability in pdf.js.
>
> But they mentioned a workaround to set the option isEvalSupported to false. How would that be applied in ng2-pdf-viewer?

In my understanding, it is done in this library to disable this option. This was patched here: #1092

The best and safest would be of course to upgrade the pdfjs-dist to the latest version, but I'm not sure if it's happening anytime soon.
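
An added example, not part of this thread or of ng2-pdf-viewer's code: a Node.js check that lists every `pdfjs-dist` copy in an npm lockfile and flags those below 4.2.67, the minimum named in the issue title. It assumes the npm lockfile v2/v3 `packages` layout; the function names and the sample lockfile (including its 3.5.0 entry) are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for pdfjs-dist
// copies older than 4.2.67, the minimum version named in this issue's title.
const MIN_FIXED = "4.2.67";

// Compare two dotted numeric versions; pre-release/build suffixes are ignored.
// Components are compared as numbers, so 4.10.0 sorts above 4.2.67.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed pdfjs-dist copy, including ones nested under another
// package's node_modules, with a flag for versions below MIN_FIXED.
function findPdfjs(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package directory exactly, not names that merely start with it.
    if (!/(^|\/)node_modules\/pdfjs-dist$/.test(path)) continue;
    findings.push({
      path,
      version: meta.version,
      belowMinimum: compareVersions(meta.version, MIN_FIXED) < 0,
    });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ng2-pdf-viewer": { version: "10.2.2" },
    "node_modules/ng2-pdf-viewer/node_modules/pdfjs-dist": { version: "3.5.0" },
    "node_modules/pdfjs-dist": { version: "4.2.67" },
    "node_modules/pdfjs-dist-helper": { version: "1.0.0" },
  },
};

for (const f of findPdfjs(sampleLock)) {
  console.log(`${f.belowMinimum ? "BELOW" : "OK   "} ${f.version}  ${f.path}`);
}
```

A copy flagged here is one that depends on the `isEvalSupported: false` workaround discussed above rather than on an upgraded pdf.js; the lockfile alone does not show whether the wrapper sets that option.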

@Tyre88
Author

Tyre88 commented May 24, 2024

It was fixed in this for me, thanks a lot! #1092

@Akxe
Contributor

Akxe commented May 24, 2024

Updating to version 4 and above would fix this #624 and possibly also this #824 (Note that 824 is not complete, but a stale bot forced it to be completed anyway...)


These are possibly breaking changes according to release notes from https://github.com/mozilla/pdf.js/releases/tag/v4.0.189.

I have highlighted the points (3 & 5) that may pose a challenge:

  • Output JavaScript modules in the builds - This will require looking at where new ones are and how to load them properly.
  • I have no clue how, if at all, translations are handled in this package...
