Commit 1b02b4f
authored
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
chore(deps): update dependency jspdf to v4 [security] (#1969)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [jspdf](https://redirect.github.com/parallax/jsPDF) | [`^3.0.2` →
`^4.0.0`](https://renovatebot.com/diffs/npm/jspdf/3.0.2/4.0.0) |
|
|
### GitHub Vulnerability Alerts
####
[CVE-2025-68428](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2)
### Impact
User control of the first argument of the loadFile method in the node.js
build allows local file inclusion/path traversal.
If given the possibility to pass unsanitized paths to the loadFile
method, a user can retrieve file contents of arbitrary files in the
local file system the node process is running in. The file contents are
included verbatim in the generated PDFs.
Other affected methods are: `addImage`, `html`, `addFont`.
Only the node.js builds of the library are affected, namely the
`dist/jspdf.node.js` and `dist/jspdf.node.min.js` files.
Example attack vector:
```js
import { jsPDF } from "./dist/jspdf.node.js";
const doc = new jsPDF();
doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file
```
### Patches
The vulnerability has been fixed in [email protected]. This version restricts
file system access per default. This semver-major update does not
introduce other breaking changes.
### Workarounds
With recent node versions, jsPDF recommends using the `--permission`
flag in production. The feature was introduced experimentally in v20.0.0
and is stable since v22.13.0/v23.5.0/v24.0.0. See the [node
documentation](https://nodejs.org/api/permissions.html) for details.
For older node versions, sanitize user-provided paths before passing
them to jsPDF.
### Credits
Researcher: kilkat (Kwangwoon Kim)
---
### Release Notes
<details>
<summary>parallax/jsPDF (jspdf)</summary>
###
[`v4.0.0`](https://redirect.github.com/parallax/jsPDF/releases/tag/v4.0.0)
[Compare
Source](https://redirect.github.com/parallax/jsPDF/compare/v3.0.4...v4.0.0)
This release fixes a critical path traversal/local file inclusion
[security
vulnerability](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2)
in the jsPDF Node.js build. File system access is now restricted by
default and can be enabled by either using node's
[`--permission`](https://nodejs.org/api/permissions.html) flag or the
new
[`jsPDF.allowFsRead`](https://raw.githack.com/MrRio/jsPDF/master/docs/module-fileloading.html#~allowFsRead)
property.
There are no other breaking changes.
###
[`v3.0.4`](https://redirect.github.com/parallax/jsPDF/releases/tag/v3.0.4)
[Compare
Source](https://redirect.github.com/parallax/jsPDF/compare/v3.0.3...v3.0.4)
This release includes a bunch of bugfixes. Thanks to all contributors!
#### What's Changed
- \[Snyk] Upgrade
[@​babel/runtime](https://redirect.github.com/babel/runtime) from
7.28.3 to 7.28.4 by [@​MrRio](https://redirect.github.com/MrRio)
in [#​3895](https://redirect.github.com/parallax/jsPDF/pull/3895)
- fix: cell function now properly accepts align parameter by
[@​vishal-rathod-07](https://redirect.github.com/vishal-rathod-07)
in [#​3896](https://redirect.github.com/parallax/jsPDF/pull/3896)
- Remove duplicated function "ga" from WebPDecoder.js by
[@​jvdp](https://redirect.github.com/jvdp) in
[#​3902](https://redirect.github.com/parallax/jsPDF/pull/3902)
- Fix font state management issue
[#​3890](https://redirect.github.com/parallax/jsPDF/issues/3890)
by [@​srikanth-s2003](https://redirect.github.com/srikanth-s2003)
in [#​3891](https://redirect.github.com/parallax/jsPDF/pull/3891)
- Fix pages property to always return current array reference (
[#​3898](https://redirect.github.com/parallax/jsPDF/issues/3898) )
by [@​Opineppes](https://redirect.github.com/Opineppes) in
[#​3899](https://redirect.github.com/parallax/jsPDF/pull/3899)
- Fix jsPDF + Vite compatibility issue
[#​3851](https://redirect.github.com/parallax/jsPDF/issues/3851)
by [@​tishajain25](https://redirect.github.com/tishajain25) in
[#​3903](https://redirect.github.com/parallax/jsPDF/pull/3903)
- Do not add pages dynamically unless autoPaging is enabled by
[@​anmiles](https://redirect.github.com/anmiles) in
[#​3915](https://redirect.github.com/parallax/jsPDF/pull/3915)
- Fix: Context2d font regex too restrictive (
[#​3904](https://redirect.github.com/parallax/jsPDF/issues/3904) )
by [@​Opineppes](https://redirect.github.com/Opineppes) in
[#​3906](https://redirect.github.com/parallax/jsPDF/pull/3906)
- Fix Incorrect Typing for Margins in the TableConfig Interface
Definition by [@​Maito1794](https://redirect.github.com/Maito1794)
in [#​3816](https://redirect.github.com/parallax/jsPDF/pull/3816)
#### New Contributors
- [@​survivant](https://redirect.github.com/survivant) made their
first contribution in
[#​3897](https://redirect.github.com/parallax/jsPDF/pull/3897)
-
[@​vishal-rathod-07](https://redirect.github.com/vishal-rathod-07)
made their first contribution in
[#​3896](https://redirect.github.com/parallax/jsPDF/pull/3896)
- [@​jvdp](https://redirect.github.com/jvdp) made their first
contribution in
[#​3902](https://redirect.github.com/parallax/jsPDF/pull/3902)
- [@​srikanth-s2003](https://redirect.github.com/srikanth-s2003)
made their first contribution in
[#​3891](https://redirect.github.com/parallax/jsPDF/pull/3891)
- [@​Opineppes](https://redirect.github.com/Opineppes) made their
first contribution in
[#​3899](https://redirect.github.com/parallax/jsPDF/pull/3899)
- [@​tishajain25](https://redirect.github.com/tishajain25) made
their first contribution in
[#​3903](https://redirect.github.com/parallax/jsPDF/pull/3903)
- [@​anmiles](https://redirect.github.com/anmiles) made their
first contribution in
[#​3915](https://redirect.github.com/parallax/jsPDF/pull/3915)
- [@​josephyi](https://redirect.github.com/josephyi) made their
first contribution in
[#​3907](https://redirect.github.com/parallax/jsPDF/pull/3907)
- [@​Maito1794](https://redirect.github.com/Maito1794) made their
first contribution in
[#​3816](https://redirect.github.com/parallax/jsPDF/pull/3816)
**Full Changelog**:
<parallax/jsPDF@v3.0.3...v3.1.0>
###
[`v3.0.3`](https://redirect.github.com/parallax/jsPDF/releases/tag/v3.0.3)
[Compare
Source](https://redirect.github.com/parallax/jsPDF/compare/v3.0.2...v3.0.3)
This release fixes regressions with PNG encoding that were introduced in
v3.0.2.
##### What's Changed
- Fix division by zero when calculating word spacing by
[@​alxndr-pggm](https://redirect.github.com/alxndr-pggm) in
[#​3879](https://redirect.github.com/parallax/jsPDF/pull/3879)
- fix scaling of form object bounding boxes by
[@​HackbrettXXX](https://redirect.github.com/HackbrettXXX) in
[#​3888](https://redirect.github.com/parallax/jsPDF/pull/3888)
- fix regressions in PNG encoding that were introduced in 3.0.2 by
[@​HackbrettXXX](https://redirect.github.com/HackbrettXXX) in
[#​3887](https://redirect.github.com/parallax/jsPDF/pull/3887)
##### New Contributors
- [@​alxndr-pggm](https://redirect.github.com/alxndr-pggm) made
their first contribution in
[#​3879](https://redirect.github.com/parallax/jsPDF/pull/3879)
**Full Changelog**:
<parallax/jsPDF@v3.0.2...v3.0.3>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/splunk/addonfactory-ucc-generator).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi42OS4xIiwidXBkYXRlZEluVmVyIjoiNDIuNjkuMSIsInRhcmdldEJyYW5jaCI6ImRldmVsb3AiLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 3ffca42 commit 1b02b4f
2 files changed
+12
-7
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
161 | 161 | | |
162 | 162 | | |
163 | 163 | | |
164 | | - | |
| 164 | + | |
165 | 165 | | |
166 | 166 | | |
167 | 167 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1012 | 1012 | | |
1013 | 1013 | | |
1014 | 1014 | | |
1015 | | - | |
| 1015 | + | |
1016 | 1016 | | |
1017 | 1017 | | |
1018 | 1018 | | |
1019 | 1019 | | |
| 1020 | + | |
| 1021 | + | |
| 1022 | + | |
| 1023 | + | |
| 1024 | + | |
1020 | 1025 | | |
1021 | 1026 | | |
1022 | 1027 | | |
| |||
9270 | 9275 | | |
9271 | 9276 | | |
9272 | 9277 | | |
9273 | | - | |
9274 | | - | |
9275 | | - | |
9276 | | - | |
| 9278 | + | |
| 9279 | + | |
| 9280 | + | |
| 9281 | + | |
9277 | 9282 | | |
9278 | | - | |
| 9283 | + | |
9279 | 9284 | | |
9280 | 9285 | | |
9281 | 9286 | | |
| |||
0 commit comments