fix(deps): update dependency jspdf to v3 [security] (23_2) - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jspdf (source)	2.5.1 -> 3.0.1

GitHub Vulnerability Alerts

CVE-2025-29907

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf" 

const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now()

try {
 doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  const endTime = performance.now()
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

---

Release Notes

MrRio/jsPDF (jspdf)

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @​nlqivision made their first contribution in https://github.com/parallax/jsPDF/pull/3812
• @​dependabot made their first contribution in https://github.com/parallax/jsPDF/pull/3826
• @​hainenber made their first contribution in https://github.com/parallax/jsPDF/pull/3827

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

v2.5.2

Compare Source

This release upgrades the Dompurify dependency to 2.5.4 with fixes a vulnerability with high severity: GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @​babel/runtime to more recent versions.

What's Changed

• Implement justifying for unicode fonts by @​owenl131 in https://github.com/parallax/jsPDF/pull/3285
• chore: update dompurify version 2.5.4 by @​MarcioMeier in https://github.com/parallax/jsPDF/pull/3768
• [Snyk] Upgrade fflate from 0.4.8 to 0.8.1 by @​MrRio in https://github.com/parallax/jsPDF/pull/3666
• [Snyk] Upgrade core-js from 3.6.5 to 3.33.0 by @​MrRio in https://github.com/parallax/jsPDF/pull/3664
• [Snyk] Upgrade @​babel/runtime from 7.14.6 to 7.23.2 by @​MrRio in https://github.com/parallax/jsPDF/pull/3665

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.