fix(deps): update dependency jspdf to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jspdf	^2.5.1 → ^4.0.0

GitHub Vulnerability Alerts

CVE-2025-29907

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf" 

const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now()

try {
 doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  const endTime = performance.now()
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

CVE-2025-57810

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jspdf" 

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

Patches

The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.

In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

CVE-2025-68428

Impact

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.

Other affected methods are: addImage, html, addFont.

Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

Example attack vector:

import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();

doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file

Patches

The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.

Workarounds

With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.

For older node versions, sanitize user-provided paths before passing them to jsPDF.

Credits

Researcher: kilkat (Kwangwoon Kim)

---

Release Notes

parallax/jsPDF (jspdf)

v4.0.0

Compare Source

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

Compare Source

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.28.3 to 7.28.4 by @​MrRio in #​3895
• fix: cell function now properly accepts align parameter by @​vishal-rathod-07 in #​3896
• Remove duplicated function "ga" from WebPDecoder.js by @​jvdp in #​3902
• Fix font state management issue #​3890 by @​srikanth-s2003 in #​3891
• Fix pages property to always return current array reference ( #​3898 ) by @​Opineppes in #​3899
• Fix jsPDF + Vite compatibility issue #​3851 by @​tishajain25 in #​3903
• Do not add pages dynamically unless autoPaging is enabled by @​anmiles in #​3915
• Fix: Context2d font regex too restrictive ( #​3904 ) by @​Opineppes in #​3906
• Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @​Maito1794 in #​3816

New Contributors

• @​survivant made their first contribution in #​3897
• @​vishal-rathod-07 made their first contribution in #​3896
• @​jvdp made their first contribution in #​3902
• @​srikanth-s2003 made their first contribution in #​3891
• @​Opineppes made their first contribution in #​3899
• @​tishajain25 made their first contribution in #​3903
• @​anmiles made their first contribution in #​3915
• @​josephyi made their first contribution in #​3907
• @​Maito1794 made their first contribution in #​3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

Compare Source

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @​alxndr-pggm in #​3879
• fix scaling of form object bounding boxes by @​HackbrettXXX in #​3888
• fix regressions in PNG encoding that were introduced in 3.0.2 by @​HackbrettXXX in #​3887

New Contributors

• @​alxndr-pggm made their first contribution in #​3879

Full Changelog: parallax/jsPDF@v3.0.2...v3.0.3

v3.0.2

Compare Source

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.26.7 to 7.26.9 by @​MrRio in #​3847
• Fix parsing corrupt PNG images in addImage method by @​HackbrettXXX in #​3880. The atob and btoa dependencies have been removed and the fast-png dependency has been added.

New Contributors

• @​WardenDrew made their first contribution in #​3872

Full Changelog: parallax/jsPDF@v3.0.1...v3.0.2

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @​nlqivision made their first contribution in #​3812
• @​dependabot made their first contribution in #​3826
• @​hainenber made their first contribution in #​3827

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.35%. Comparing base (222042a) to head (e45e627).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1334   +/-   ##
=======================================
  Coverage   18.35%   18.35%           
=======================================
  Files         454      454           
  Lines       74865    74865           
  Branches     1594     1597    +3     
=======================================
+ Hits        13743    13744    +1     
+ Misses      61122    61121    -1     

Flag	Coverage Δ
unitTests	18.35% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Playwright test results

 2 failed
 5 skipped

Details

 7 tests across 4 suites
 18 minutes, 6 seconds
 e45e627

Failed tests

chromium-setup › auth.setup.ts › authenticate as user - ( @primary @slow @read @development @staging @production )
chromium-setup › auth.setup.ts › authenticate as admin - ( @primary @slow @read @development @staging @production )

Skipped tests

chromium › authentication.test.ts › Authentication › should load unauthorized routes as expected with and without authentication - ( @slow @primary @development @staging @production )
chromium › authentication.test.ts › Authentication › should redirect from login related unauthorized pages with existing session - ( @slow @primary @development @staging @production )
chromium › basic.test.ts › should have valid title & url - ( @fast @primary @read @development @staging @production )
chromium › basic.test.ts › should have valid localizations - ( @fast @primary @read @development @staging @production )
chromium › pages/dashboard.test.ts › DashboardPage › should have data-testids - ( @fast @primary @read @development @staging @production )