chore(deps): update dependency jspdf to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jspdf	^3.0.2 → ^4.0.0

GitHub Vulnerability Alerts

CVE-2025-68428

Impact

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.

Other affected methods are: addImage, html, addFont.

Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

Example attack vector:

import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();

doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file

Patches

The vulnerability has been fixed in [email protected]. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.

Workarounds

With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.

For older node versions, sanitize user-provided paths before passing them to jsPDF.

Credits

Researcher: kilkat (Kwangwoon Kim)

---

Release Notes

parallax/jsPDF (jspdf)

v4.0.0

Compare Source

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

Compare Source

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.28.3 to 7.28.4 by @​MrRio in #​3895
• fix: cell function now properly accepts align parameter by @​vishal-rathod-07 in #​3896
• Remove duplicated function "ga" from WebPDecoder.js by @​jvdp in #​3902
• Fix font state management issue #​3890 by @​srikanth-s2003 in #​3891
• Fix pages property to always return current array reference ( #​3898 ) by @​Opineppes in #​3899
• Fix jsPDF + Vite compatibility issue #​3851 by @​tishajain25 in #​3903
• Do not add pages dynamically unless autoPaging is enabled by @​anmiles in #​3915
• Fix: Context2d font regex too restrictive ( #​3904 ) by @​Opineppes in #​3906
• Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @​Maito1794 in #​3816

New Contributors

• @​survivant made their first contribution in #​3897
• @​vishal-rathod-07 made their first contribution in #​3896
• @​jvdp made their first contribution in #​3902
• @​srikanth-s2003 made their first contribution in #​3891
• @​Opineppes made their first contribution in #​3899
• @​tishajain25 made their first contribution in #​3903
• @​anmiles made their first contribution in #​3915
• @​josephyi made their first contribution in #​3907
• @​Maito1794 made their first contribution in #​3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

Compare Source

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @​alxndr-pggm in #​3879
• fix scaling of form object bounding boxes by @​HackbrettXXX in #​3888
• fix regressions in PNG encoding that were introduced in 3.0.2 by @​HackbrettXXX in #​3887

New Contributors

• @​alxndr-pggm made their first contribution in #​3879

Full Changelog: parallax/jsPDF@v3.0.2...v3.0.3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.