Loose pom dependency version pulls in bad release of mozilla pdf viewer

[epricer]

There was a botched release of pdf.js dist, and a subsequent webjar release, which breaks the vaadin pdf viewer. The release has been removed from the github repository, but the webjar is still there. The botched release results in a javascript error of mismatched version numbers between the components of pdf.js.

Here's a discussion on the botched release:
mozilla/pdf.js#10416 (comment)
And you can see that the current pdf.js dist release has been rolled back to 2.0.48:
https://github.com/mozilla/pdfjs-dist

In the POM for vaadin-pdf-viewer the webjar dependency is pulled in with:

<dependency>
    <groupId>org.webjars.bowergithub.mozilla</groupId>
    <artifactId>pdfjs-dist</artifactId>
    <version>[2.0.943,3)</version>
</dependency>

which is very permissive. It matches on the botched version 2.2.2

<dependency>
    <groupId>org.webjars.bowergithub.mozilla</groupId>
    <artifactId>pdfjs-dist</artifactId>
    <version>2.2.2</version>
</dependency>

As a work around, I pinned the resolved version in my project POM

 <dependency>
     <groupId>org.webjars.bowergithub.mozilla</groupId>
     <artifactId>pdfjs-dist</artifactId>
     <version>2.0.943</version>
</dependency>

To fix this for everyone else and to be more conservative with likely-breaking changes, I'd recommend a much more restrictive dependency:

<dependency>
    <groupId>org.webjars.bowergithub.mozilla</groupId>
    <artifactId>pdfjs-dist</artifactId>
    <version>[2.0.943,2.1)</version>
</dependency>

or maybe even on the specific version.