Details

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf" 

const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now()

try {
 doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  const endTime = performance.now()
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj
• https://github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b06073708338df
• https://nvd.nist.gov/vuln/detail/CVE-2025-29907
• https://github.com/advisories/GHSA-w532-jxjh-hjhj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jspdf" 

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

Patches

The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.

In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-8mvj-3j78-4qmw
• https://github.com/parallax/jsPDF/commit/4cf3ab619e565d9b88b4b130bff901b91d8688e9
• https://nvd.nist.gov/vuln/detail/CVE-2025-57810
• https://github.com/parallax/jsPDF/pull/3880
• https://github.com/parallax/jsPDF/releases/tag/v3.0.2
• https://github.com/advisories/GHSA-8mvj-3j78-4qmw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.

Other affected methods are: addImage, html, addFont.

Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

Example attack vector:

import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();

doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file

Patches

The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.

Workarounds

With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.

For older node versions, sanitize user-provided paths before passing them to jsPDF.

Credits

Researcher: kilkat (Kwangwoon Kim)

Severity

• CVSS Score: 9.2 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2
• https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d
• https://github.com/parallax/jsPDF/releases/tag/v4.0.0
• https://nvd.nist.gov/vuln/detail/CVE-2025-68428
• https://github.com/advisories/GHSA-f8cm-6447-x5h2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.

If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B.

Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"

Patches

The vulnerability has been fixed in jspdf@4.0.1. The fix moves the shared variable into the function scope, ensuring isolation between instances.

Workarounds

Avoid using the addJS method in concurrent server-side environments. If usage is required, ensure requests are processed sequentially (e.g., using a queue) rather than in parallel.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4
• https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e
• https://nvd.nist.gov/vuln/detail/CVE-2026-24040
• https://github.com/parallax/jsPDF/releases/tag/v4.1.0
• https://github.com/advisories/GHSA-cjw8-79x6-5cj4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the first argument of the addMetadata function allows users to inject arbitrary XML.

If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")

Patches

The vulnerability has been fixed in jsPDF@4.1.0

Workarounds

Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:

let input = "..."

input = input
    .replace(/&/g, "&")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")

doc.addMetadata(input)

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422
• https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff
• https://nvd.nist.gov/vuln/detail/CVE-2026-24043
• https://github.com/parallax/jsPDF/releases/tag/v4.1.0
• https://github.com/advisories/GHSA-vm32-vv63-w422

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the first argument of the addImage method results in Denial of Service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "BMP", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c
• https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d
• https://nvd.nist.gov/vuln/detail/CVE-2026-24133
• https://github.com/parallax/jsPDF/releases/tag/v4.1.0
• https://github.com/advisories/GHSA-95fx-jjr5-f39c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:

• AcroformChoiceField.addOption
• AcroformChoiceField.setOptions
• AcroFormCheckBox.appearanceState
• AcroFormRadioButton.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.1.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Credits

Research and fix: Ahmet Artuç

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328
• https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79
• https://nvd.nist.gov/vuln/detail/CVE-2026-24737
• https://github.com/parallax/jsPDF/releases/tag/v4.1.0
• https://github.com/advisories/GHSA-pqxr-3g65-p328

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");

Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
• https://nvd.nist.gov/vuln/detail/CVE-2026-25755
• https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437
• https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
• https://github.com/parallax/jsPDF/releases/tag/v4.2.0
• https://github.com/advisories/GHSA-9vjf-qc39-jprp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the first argument of the addImage method results in denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "GIF", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj
• https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6
• https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md
• https://github.com/parallax/jsPDF/releases/tag/v4.2.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-25535
• https://github.com/advisories/GHSA-67pg-wm7f-q7fj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

• AcroformChildClass.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.2.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m
• https://nvd.nist.gov/vuln/detail/CVE-2026-25940
• https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375
• https://github.com/parallax/jsPDF/releases/tag/v4.2.0
• https://github.com/advisories/GHSA-p5xg-68wr-hm3m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of the options argument of the output function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The affected overloads and options are:

• "pdfobjectnewwindow": the pdfObjectUrl option and the entire options object, which is JSON-serialized and included verbatim in the generated HTML-string.
• "pdfjsnewwindow": the pdfJsUrl and filename options
• "dataurlnewwindow": the filename option

The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context.

Example attack vector:

import { jsPDF } from 'jspdf';
const doc = new jsPDF();

const payload =  'x\"></iframe><script>window.__n=1</script><iframe src="';

doc.output('pdfjsnewwindow', {
  filename: payload,
  pdfJsUrl: 'viewer.html'
});

Patches

The vulnerability has been fixed in jspdf@4.2.1.

Workarounds

Sanitize user input before passing it to the output method.

Severity

• CVSS Score: 9.6 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5
• https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7
• https://github.com/parallax/jsPDF/releases/tag/v4.2.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-31938
• https://github.com/advisories/GHSA-wfv2-pwc8-crg5

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..

• createAnnotation: color parameter

Example attack vector:

import { jsPDF } from 'jspdf'

const doc = new jsPDF();

const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';

doc.createAnnotation({
  type: 'freetext',
  bounds: { x: 10, y: 10, w: 120, h: 20 },
  contents: 'hello',
  color: payload
});

doc.save('test.pdf');

Patches

The vulnerability has been fixed in jsPDF@4.2.1.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

• https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24
• https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
• https://github.com/parallax/jsPDF/releases/tag/v4.2.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-31898
• https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208
• https://github.com/advisories/GHSA-7x6v-j9x4-qf24

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

v4.2.1

Compare Source

This release fixes two security issues.

What's Changed

• Fix HTML Injection in output methods vulnerability.
• Fix PDF Object Injection via free text annotation color vulnerability.

Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1

v4.2.0

Compare Source

This release fixes three security issues.

What's Changed

• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children) vulnerability.
• Fix Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions vulnerability.
• Fix PDF Object Injection via Unsanitized Input in addJS Method vulnerability.
• Add "default" property to export section in package.json by @​stefan-schweiger in #​3953

New Contributors

• @​stefan-schweiger made their first contribution in #​3953

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

Compare Source

This release fixes several security issues.

What's Changed

• Upgrade optional dompurify dependency to 3.3.1 in #​3948
• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability
• Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability
• Fix Shared State Race Condition in addJS Method vulnerability
• Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

Compare Source

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

Compare Source

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.28.3 to 7.28.4 by @​MrRio in #​3895
• fix: cell function now properly accepts align parameter by @​vishal-rathod-07 in #​3896
• Remove duplicated function "ga" from WebPDecoder.js by @​jvdp in #​3902
• Fix font state management issue #​3890 by @​srikanth-s2003 in #​3891
• Fix pages property to always return current array reference ( #​3898 ) by @​Opineppes in #​3899
• Fix jsPDF + Vite compatibility issue #​3851 by @​tishajain25 in #​3903
• Do not add pages dynamically unless autoPaging is enabled by @​anmiles in #​3915
• Fix: Context2d font regex too restrictive ( #​3904 ) by @​Opineppes in #​3906
• Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @​Maito1794 in #​3816

New Contributors

• @​survivant made their first contribution in #​3897
• @​vishal-rathod-07 made their first contribution in #​3896
• @​jvdp made their first contribution in #​3902
• @​srikanth-s2003 made their first contribution in #​3891
• @​Opineppes made their first contribution in #​3899
• @​tishajain25 made their first contribution in #​3903
• @​anmiles made their first contribution in #​3915
• @​josephyi made their first contribution in #​3907
• @​Maito1794 made their first contribution in #​3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

Compare Source

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @​alxndr-pggm in #​3879
• fix scaling of form object bounding boxes by @​HackbrettXXX in #​3888
• fix regressions in PNG encoding that were introduced in 3.0.2 by @​HackbrettXXX in #​3887

New Contributors

• @​alxndr-pggm made their first contribution in #​3879

Full Changelog: parallax/jsPDF@v3.0.2...v3.0.3

v3.0.2

Compare Source

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.26.7 to 7.26.9 by @​MrRio in #​3847
• Fix parsing corrupt PNG images in addImage method by @​HackbrettXXX in #​3880. The atob and btoa dependencies have been removed and the fast-png dependency has been added.

New Contributors

• @​WardenDrew made their first contribution in #​3872

Full Changelog: parallax/jsPDF@v3.0.1...v3.0.2

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @​nlqivision made their first contribution in #​3812
• @​dependabot made their first contribution in #​3826
• @​hainenber made their first contribution in #​3827

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

v2.5.2

Compare Source

This release upgrades the Dompurify dependency to 2.5.4 with fixes a vulnerability with high severity: GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @​babel/runtime to more recent versions.

What's Changed

• Implement justifying for unicode fonts by @​owenl131 in #​3285
• chore: update dompurify version 2.5.4 by @​MarcioMeier in #​3768
• [Snyk] Upgrade fflate from 0.4.8 to 0.8.1 by @​MrRio in #​3666
• [Snyk] Upgrade core-js from 3.6.5 to 3.33.0 by @​MrRio in #​3664
• [Snyk] Upgrade @​babel/runtime from 7.14.6 to 7.23.2 by @​MrRio in #​3665