Bump @xmldom/xmldom and pdf2json in /node

[dependabot]

Removes @xmldom/xmldom. It's no longer used after updating ancestor dependency pdf2json. These dependencies need to be updated together.

Removes @xmldom/xmldom

Updates pdf2json from 2.1.0 to 4.0.3

Release notes

Sourced from pdf2json's releases.

Stable Build v4.0.3

pdf2json v4.0.3 Release Notes

---

Bug Fixes

• Text reading order — Added spatial sort (lib/pdftextsorter.js) to getRawTextContent() so multi-column and complex-layout PDFs return text in correct top-to-bottom, left-to-right order instead of internal PDF object order. (modesty/pdf2json#422)

---

CLI Improvements (modesty/pdf2json#423)

• New --json flag — Emits a structured JSON summary to stdout (version, output file paths, stats, errors, elapsed time) for programmatic and scripted consumption.
• New --quiet flag — Suppresses all non-error output (timer, status messages).
• Granular exit codes — 0 success · 1 parse failure · 2 argument error · 3 I/O error (previously only 0 or 1).
• Fixed --singleton / -si flags — Parser instance is now correctly shared at the CLI level; previously
  broken.
• Directory filter — Only skips dotfiles now; previously silently skipped files starting with -, _, or
  whitespace.
• 7 internal bug fixes — Eliminated Promise constructor anti-pattern, replaced callback-style fs.writeFile/fs.readdir with fs.promises, fixed addResultCount type mismatch, removed dead warningCount,
  and resolved a TOCTOU race condition in validateParams.

---

Build & Configuration

• tsconfig.json: Removed dead decorator options; updated moduleResolution/module to node16.
• package.json: Fixed exports map with proper types entries for ESM and CJS TypeScript consumers; removed unused tslib dependency; added test:coverage script.
• rollup.config.js: Enabled tree-shaking for CLI bundle; documented build order dependency.
• CI: Upgraded to actions/checkout@v4; added tsc --noEmit type-check step; bumped Node.js to 22.x.

---

Tests

• 3 new test suites, 22 new tests — CLI integration (_test_cli.cjs), Stream API (_test_stream.cjs), and error paths (_test_errors.cjs); all previously had zero coverage.
• Total: 74 tests / 7 suites (up from 52 / 4).
• Fixed listener leak in multi-parse test; standardized on Jest expect() over Node assert.
• Renamed _test_getRawTextContent.cjs → _test_sortBidiTexts.cjs to reflect actual coverage.
• Regenerated 37 baseline JSON files to reflect current parser output (baselines were stale since v0.6.8).

---

Full Changelog

modesty/pdf2json@b0067d7...eed63fb

... (truncated)

Commits

• 8554a3a chore: update publishConfig with registry url
• eed63fb refactor: update for build, config, CLI and tests: (#423)
• b0067d7 fix: add spatial sort in getRawTextContent to ensure reading order (#422)
• 48b50bf feat: add support for transparent groups, ensure endGroup would merge sub-can...
• de176e5 fix: issue #418: resolve obj ref before invoking getAll (#418)
• 399f9cb fix: correct circular dependency without dup (#415)
• 96493fc doc: update readme with v4.0.0 breaking changes
• c8b372b fix: unify error and exception handling for cli start with invalid in… (#414)
• b9d5cb9 maint: prep major release with version bumps for both self and dev dependenci...
• b193d9f fix: #355, #361, #319: calculate text block gap and spacewidth from fontMatri...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.