chore(deps): update dependency jspdf to v4.2.0 [security] (#1991)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [jspdf](https://redirect.github.com/parallax/jsPDF) | [`4.1.0` →
`4.2.0`](https://renovatebot.com/diffs/npm/jspdf/4.1.0/4.2.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/jspdf/4.2.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/jspdf/4.1.0/4.2.0?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-25535](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj)

### Impact

User control of the first argument of the `addImage` method results in
denial of service.

If given the possibility to pass unsanitized image data or URLs to the
`addImage` method, a user can provide a harmful GIF file that results in
out of memory errors and denial of service. Harmful GIF files have large
width and/or height entries in their headers, wich lead to excessive
memory allocation.

Other affected methods are: `html`.

Example attack vector:

```js
import { jsPDF } from "jspdf" 

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "GIF", 0, 0, 100, 100);
```

### Patches

The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to
jspdf@>=4.2.0.

### Workarounds

Sanitize image data or URLs before passing it to the addImage method or
one of the other affected methods.

### References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

####
[CVE-2026-25755](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp)

### Impact

User control of the argument of the `addJS` method allows an attacker to
inject arbitrary PDF objects into the generated document. By crafting a
payload that escapes the JavaScript string delimiter, an attacker can
execute malicious actions or alter the document structure, impacting any
user who opens the generated PDF.

```js
import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
```

### Patches
The vulnerability has been fixed in jspdf@4.2.0.

### Workarounds
Escape parentheses in user-provided JavaScript code before passing them
to the `addJS` method.

### References
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

####
[CVE-2026-25940](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m)

### Impact

User control of properties and methods of the Acroform module allows
users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the
following property, a user can inject arbitrary PDF objects, such as
JavaScript actions, which are executed when the victim hovers over the
radio option.

* `AcroformChildClass.appearanceState`

Example attack vector:

```js
import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");
```

### Patches

The vulnerability has been fixed in jsPDF@4.2.0.

### Workarounds
Sanitize user input before passing it to the vulnerable API members.

---

### Release Notes

<details>
<summary>parallax/jsPDF (jspdf)</summary>

###
[`v4.2.0`](https://redirect.github.com/parallax/jsPDF/releases/tag/v4.2.0)

[Compare
Source](https://redirect.github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0)

This release fixes three security issues.

#### What's Changed

- Fix [PDF Injection in AcroForm module allows Arbitrary JavaScript
Execution (RadioButton
children)](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m)
vulnerability.
- Fix [Client-Side/Server-Side Denial of Service via Malicious GIF
Dimensions](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj)
vulnerability.
- Fix [PDF Object Injection via Unsanitized Input in addJS
Method](https://redirect.github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp)
vulnerability.
- Add "default" property to export section in package.json by
[@&#8203;stefan-schweiger](https://redirect.github.com/stefan-schweiger)
in [#&#8203;3953](https://redirect.github.com/parallax/jsPDF/pull/3953)

#### New Contributors

-
[@&#8203;stefan-schweiger](https://redirect.github.com/stefan-schweiger)
made their first contribution in
[#&#8203;3953](https://redirect.github.com/parallax/jsPDF/pull/3953)

**Full Changelog**:
<parallax/jsPDF@v4.1.0...v4.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/splunk/addonfactory-ucc-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNi41IiwidXBkYXRlZEluVmVyIjoiNDMuMjYuNSIsInRhcmdldEJyYW5jaCI6ImRldmVsb3AiLCJsYWJlbHMiOltdfQ==-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: kkedziak-splunk <kkedziak@splunk.com>
Co-authored-by: srv-rr-github-token <94607705+srv-rr-github-token@users.noreply.github.com>

Author: 3 people

poetry.lock

@@ -787,7 +787,6 @@ def remove_hash(filename):
     normalized_files = [remove_hash(f) for f in cleaned_files]
 
     expected_js_files_list = [
-        "ArrowBroadUnderbarDown.js",
         "assets",
         "ConfigurationPage.js",
         "Dashboard.consts.js",
@@ -809,7 +808,7 @@ def remove_hash(filename):
         "purify.es.js",
         "redirect_page.js",
         "Search.js",
-        "Search.js",
+        "toUpper.js",
         "usePlatform.js",
     ]
     assert sorted(normalized_files) == sorted(expected_js_files_list)

tests/smoke/test_ucc_build.py

@@ -30,12 +30,12 @@
     "prepublishOnly": "yarn run build:lib"
   },
   "dependencies": {
-    "@splunk/dashboard-action-buttons": "29.0.0",
-    "@splunk/dashboard-context": "29.0.0",
-    "@splunk/dashboard-core": "29.0.0",
-    "@splunk/dashboard-presets": "29.0.0",
-    "@splunk/dashboard-state": "29.0.0",
-    "@splunk/dashboard-types": "29.0.0",
+    "@splunk/dashboard-action-buttons": "29.4.0",
+    "@splunk/dashboard-context": "29.4.0",
+    "@splunk/dashboard-core": "29.4.0",
+    "@splunk/dashboard-presets": "29.4.0",
+    "@splunk/dashboard-state": "29.4.0",
+    "@splunk/dashboard-types": "29.4.0",
     "@splunk/react-events-viewer": "^28.0.0",
     "@splunk/react-icons": "^5.2.0",
     "@splunk/react-page": "^8.0.0",
@@ -45,7 +45,7 @@
     "@splunk/splunk-utils": "^3.2.0",
     "@splunk/themes": "^1.2.0",
     "@splunk/ui-utils": "^1.10.0",
-    "@splunk/visualization-context": "^28.0.0",
+    "@splunk/visualization-context": "^28.4.0",
     "@storybook/test": "^8.6.14",
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/react": "^15.0.6",
@@ -163,23 +163,23 @@
     "axios": "^1.12.0",
     "jspdf": "^4.0.0",
     "http-proxy-middleware": "^3.0.5",
-    "@splunk/dashboard-event-handlers": "29.0.0",
-    "@splunk/dashboard-inputs": "29.0.0",
-    "@splunk/dashboard-search": "29.0.0",
-    "@splunk/datasources": "29.0.0",
-    "@splunk/visualization-schemas": "28.0.0",
-    "@splunk/dashboard-definition": "29.0.0",
-    "@splunk/dashboard-icons": "29.0.0",
-    "@splunk/dashboard-layouts": "29.0.0",
-    "@splunk/dashboard-state": "29.0.0",
-    "@splunk/dashboard-telemetry": "29.0.0",
-    "@splunk/dashboard-ui": "29.0.0",
-    "@splunk/dashboard-utils": "29.0.0",
-    "@splunk/dashboard-validation": "29.0.0",
-    "@splunk/datasource-utils": "29.0.0"
+    "@splunk/dashboard-event-handlers": "29.4.0",
+    "@splunk/dashboard-inputs": "29.4.0",
+    "@splunk/dashboard-search": "29.4.0",
+    "@splunk/datasources": "29.4.0",
+    "@splunk/visualization-schemas": "28.4.0",
+    "@splunk/dashboard-definition": "29.4.0",
+    "@splunk/dashboard-icons": "29.4.0",
+    "@splunk/dashboard-layouts": "29.4.0",
+    "@splunk/dashboard-state": "29.4.0",
+    "@splunk/dashboard-telemetry": "29.4.0",
+    "@splunk/dashboard-ui": "29.4.0",
+    "@splunk/dashboard-utils": "29.4.0",
+    "@splunk/dashboard-validation": "29.4.0",
+    "@splunk/datasource-utils": "29.4.0"
   },
   "engines": {
-    "node": "22.21.0",
+    "node": "22.22.0",
     "yarn": "^1.22.22"
   },
   "msw": {

ui/package.json

@@ -51,7 +51,7 @@ it('render with all default dashboards', async () => {
     render(<DashboardPage />);
     await waitFor(
         () => expect(screen.queryAllByTestId('wait-spinner').length).toBe(0), // no waiting spinner should be present
-        { timeout: 7000 }
+        { timeout: 15000 }
     );
 
     const timeLabels = await screen.findAllByText('Time');
@@ -86,4 +86,4 @@ it('render with all default dashboards', async () => {
 
         expect(elementWithId).toBeInTheDocument();
     });
-}, 8000);
+}, 20000);

ui/src/pages/Dashboard/stories/__images__/DashboardPage-dashboard-page-view-chromium.png

@@ -94,5 +94,5 @@ describe('render data ingestion modal inputs', () => {
                 expect(screen.getByTestId(id)).toBeInTheDocument();
             });
         });
-    });
+    }, 20000);
 });