
remove unused pypdf2 for CVE-2023-36464#163

Merged
neubig merged 1 commit intomainfrom
av/remove-unused-pypdf2-for-CVE-2023-36464
Feb 27, 2026

Conversation

@aivong-openhands
Collaborator

@aivong-openhands aivong-openhands commented Feb 27, 2026

Description

pypdf2 has no usage here despite being listed as a dependency. It has a security vulnerability:

NIST https://nvd.nist.gov/vuln/detail/CVE-2023-36464
Security advisory GHSA-4vvm-4w3v-6mr8

Related Issue

Closes OpenHands/OpenHands#13080

Motivation and Context

pypdf2 has a security vulnerability with no planned fix since the project has been deprecated. We are already using its replacement pypdf.

How Has This Been Tested?

Does this PR introduce a breaking change?

Minimal impact expected due to no usage

@aivong-openhands
Collaborator Author

@OpenHands verify that there is no usage of PyPDF2 in this repo

@openhands-ai

openhands-ai bot commented Feb 27, 2026

I'm on it! aivong-openhands can track my progress at all-hands.dev

@openhands-ai

openhands-ai bot commented Feb 27, 2026

Summary: PyPDF2 Usage Verification Complete ✅

I verified that there is no usage of PyPDF2 in this repository.

Verification Details:

  1. Import searches: Searched for `from pypdf2`, `import pypdf2`, `PyPDF2` across all Python files — 0 matches found

  2. General string search: Searched for `pypdf2` (case-insensitive) across all code files (.py, .toml, .txt, .yaml, .yml) — 0 matches found

  3. PDF handling in the codebase: The only PDF-related library actually imported and used is:

     `import pdfminer.high_level as high_level`  # in openhands_aci/editor/md_converter.py

  4. Active PDF dependencies (correctly retained):

     • pdfminer-six — used for PDF text extraction
     • pypdf — the modern successor to PyPDF2 (a different, maintained package)

Conclusion:

PyPDF2 was a dead dependency — listed in pyproject.toml but never imported or used anywhere in the codebase. This PR safely removes it, addressing the security vulnerability (CVE-2023-36464) with zero impact on functionality.

No code changes were made by me — this was a verification task only, and the PR's changes are confirmed to be safe.
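The verification the bot describes (an import search over Python files, a case-insensitive string search over code and config files, and a check of what pyproject.toml declares) can be scripted so it is repeatable for any dependency. The script below is an added example for this page, not code from this PR or from the openhands-aci repository; the sample project tree, its pyproject.toml contents, the module names and the `check_dependency` helper are all constructed for the demo.

```python
"""Dependency-hygiene check: is a declared package actually imported anywhere?

Added example (not the repository's own tooling). The project layout,
pyproject contents and module names are constructed for the demo.
"""
import ast
import re
import tempfile
from pathlib import Path


def normalize(name):
    """PEP 503 normalisation: PyPDF2, pypdf2 and pdfminer.six / pdfminer-six compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(pyproject_text):
    """Names from a PEP 621 `dependencies = [...]` list or a Poetry `[tool.poetry.dependencies]` table.

    A small line-based parser is used so the example runs without tomllib (Python 3.11+);
    optional/extra dependency groups are deliberately not covered here.
    """
    names, section, in_list = set(), None, False
    for raw in pyproject_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section, in_list = header.group(1).strip(), False
            continue
        if section == "project" and line.startswith("dependencies"):
            in_list, line = True, line.split("=", 1)[1]
        if in_list:  # quoted requirement strings: take the name before any version operator
            names.update(normalize(n) for n in re.findall(r'"([A-Za-z0-9_.\-]+)', line))
            in_list = "]" not in line
        elif section == "tool.poetry.dependencies":
            key = re.match(r'"?([A-Za-z0-9_.\-]+)"?\s*=', line)
            if key and key.group(1) != "python":
                names.add(normalize(key.group(1)))
    return names


def find_imports(root, import_names):
    """Parse every .py file with ast and return (path, line, module) for imports of import_names.

    Matching on the parsed top-level module avoids the false positives of a plain text
    search, e.g. the substring 'pypdf' also matching 'pypdf2'.
    """
    targets = {n.lower() for n in import_names}
    hits = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
        except SyntaxError:
            continue  # an unparsable file is not evidence either way; skip it
        rel = path.relative_to(root).as_posix()
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                mods = [a.name for a in node.names]
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                mods = [node.module]
            else:
                continue
            for mod in mods:
                if mod.split(".")[0].lower() in targets:
                    hits.append((rel, node.lineno, mod))
    return hits


def text_mentions(root, needle, suffixes=(".py", ".toml", ".txt", ".yaml", ".yml")):
    """Case-insensitive string search: catches non-import references (requirements files, extras)."""
    needle, hits = needle.lower(), []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in suffixes or not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
            if needle in line.lower():
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def check_dependency(root, dist_name, import_names):
    """Combine the three checks into one verdict for a distribution and its import name(s)."""
    pyproject = (Path(root) / "pyproject.toml").read_text(encoding="utf-8")
    imports = find_imports(root, import_names)
    return {
        "declared": normalize(dist_name) in declared_dependencies(pyproject),
        "imports": imports,
        "mentions": text_mentions(root, dist_name),
        "unused": not imports,  # declared but never imported: removing it is safe
    }


# Constructed pyproject.toml: PyPDF2 declared alongside its successor pypdf and pdfminer-six.
PYPROJECT = """\
[tool.poetry]
name = "sample-project"

[tool.poetry.dependencies]
python = "^3.10"
pdfminer-six = "^20231228"
pypdf2 = "^3.0.0"
pypdf = "^4.0.0"
"""


def build_sample_tree():
    """Constructed project tree (not the real repository): a converter using pdfminer and pypdf."""
    root = Path(tempfile.mkdtemp(prefix="depcheck-"))
    (root / "pyproject.toml").write_text(PYPROJECT, encoding="utf-8")
    (root / "pkg").mkdir()
    (root / "pkg" / "__init__.py").write_text("", encoding="utf-8")
    (root / "pkg" / "md_converter.py").write_text(
        "import pdfminer.high_level as high_level\n"
        "from pypdf import PdfReader\n\n"
        "def pdf_text(path):\n"
        "    return high_level.extract_text(path)\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for dist, mods in (("pypdf2", ["PyPDF2"]), ("pypdf", ["pypdf"]), ("pdfminer.six", ["pdfminer"])):
        v = check_dependency(sample, dist, mods)
        print(dist, "declared" if v["declared"] else "undeclared",
              "UNUSED (safe to remove)" if v["unused"] else f"imported at {v['imports']}")
```

Two details matter for this kind of check. The distribution name and the import name differ (`pypdf2` on PyPI is imported as `PyPDF2`), which is why the import names are passed explicitly rather than derived from the dependency entry. And the string search is kept as a cross-check only: on the sample tree a search for `pypdf` would also hit the `pypdf2` line in pyproject.toml, whereas the AST search correctly reports `pypdf` as imported and `PyPDF2` as never imported.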

@aivong-openhands aivong-openhands marked this pull request as ready for review February 27, 2026 17:13
@neubig neubig merged commit 4788d2d into main Feb 27, 2026
3 checks passed
@aivong-openhands aivong-openhands deleted the av/remove-unused-pypdf2-for-CVE-2023-36464 branch February 27, 2026 17:16
aivong-openhands added a commit that referenced this pull request Feb 27, 2026
would like to release a new version with #163


Development

Successfully merging this pull request may close these issues.

Remove unused pypdf2 dependency from openhands-aci

2 participants