fix(deps): update dependency jspdf to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jspdf	^2.5.1 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2025-29907

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.

Other affected methods are: html, addSvgAsImage.

Example payload:

import { jsPDF } from "jpsdf" 

const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';

const startTime = performance.now()

try {
 doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
  const endTime = performance.now()
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}

doc.save("a4.pdf");

Patches

The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1

Workarounds

Sanitize image urls before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

CVE-2025-57810

Impact

User control of the first argument of the addImage method results in CPU utilization and denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.

Other affected methods are: html.

Example payload:

import { jsPDF } from "jspdf" 

const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])

const doc = new jsPDF();
const startTime = performance.now();
try {
  doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
  const endTime = performance.now();
  console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}

Patches

The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.

In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Credits

Researcher: Aleksey Solovev (Positive Technologies)

---

Release Notes

parallax/jsPDF (jspdf)

v3.0.2

Compare Source

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.26.7 to 7.26.9 by @​MrRio in #​3847
• Fix parsing corrupt PNG images in addImage method by @​HackbrettXXX in #​3880. The atob and btoa dependencies have been removed and the fast-png dependency has been added.

New Contributors

• @​WardenDrew made their first contribution in #​3872

Full Changelog: parallax/jsPDF@v3.0.1...v3.0.2

v3.0.1

Compare Source

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

v3.0.0

Compare Source

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @​nlqivision made their first contribution in #​3812
• @​dependabot made their first contribution in #​3826
• @​hainenber made their first contribution in #​3827

Full Changelog: parallax/jsPDF@v2.5.2...v3.0.0

v2.5.2

Compare Source

This release upgrades the Dompurify dependency to 2.5.4 with fixes a vulnerability with high severity: GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @​babel/runtime to more recent versions.

What's Changed

• Implement justifying for unicode fonts by @​owenl131 in #​3285
• chore: update dompurify version 2.5.4 by @​MarcioMeier in #​3768
• [Snyk] Upgrade fflate from 0.4.8 to 0.8.1 by @​MrRio in #​3666
• [Snyk] Upgrade core-js from 3.6.5 to 3.33.0 by @​MrRio in #​3664
• [Snyk] Upgrade @​babel/runtime from 7.14.6 to 7.23.2 by @​MrRio in #​3665

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jspdf@​2.5.1 ⏵ 3.0.3	+1	+40	+1	-1

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud