Skip to content

Comments

fix(deps): update dependency jspdf to v4 [security] (release-2.13)#1647

Open
oep-renovate[bot] wants to merge 1 commit intorelease-2.13from
renovate/release-2.13-npm-jspdf-vulnerability
Open

fix(deps): update dependency jspdf to v4 [security] (release-2.13)#1647
oep-renovate[bot] wants to merge 1 commit intorelease-2.13from
renovate/release-2.13-npm-jspdf-vulnerability

Conversation

@oep-renovate
Copy link
Contributor

@oep-renovate oep-renovate bot commented Jan 6, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
jspdf ^3.0.2^4.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-68428

Impact

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.

Other affected methods are: addImage, html, addFont.

Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

Example attack vector:

import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();

doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file

Patches

The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.

Workarounds

With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.

For older node versions, sanitize user-provided paths before passing them to jsPDF.

Credits

Researcher: kilkat (Kwangwoon Kim)

CVE-2026-24040

Impact

The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.

If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B.

Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"

Patches

The vulnerability has been fixed in jspdf@4.0.1. The fix moves the shared variable into the function scope, ensuring isolation between instances.

Workarounds

Avoid using the addJS method in concurrent server-side environments. If usage is required, ensure requests are processed sequentially (e.g., using a queue) rather than in parallel.

CVE-2026-24043

Impact

User control of the first argument of the addMetadata function allows users to inject arbitrary XML.

If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")

Patches

The vulnerability has been fixed in jsPDF@4.1.0

Workarounds

Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:

let input = "..."

input = input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")

doc.addMetadata(input)

CVE-2026-24737

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:

  • AcroformChoiceField.addOption
  • AcroformChoiceField.setOptions
  • AcroFormCheckBox.appearanceState
  • AcroFormRadioButton.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.1.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Credits

Research and fix: Ahmet Artuç

CVE-2026-24133

Impact

User control of the first argument of the addImage method results in Denial of Service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "BMP", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

CVE-2026-25535

Impact

User control of the first argument of the addImage method results in denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "GIF", 0, 0, 100, 100);

Patches

The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

CVE-2026-25755

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");

Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

CVE-2026-25940

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

  • AcroformChildClass.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");

Patches

The vulnerability has been fixed in jsPDF@4.2.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

jsPDF has Local File Inclusion/Path Traversal vulnerability

CVE-2025-68428 / GHSA-f8cm-6447-x5h2

More information

Details

Impact

User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.

If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.

Other affected methods are: addImage, html, addFont.

Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.

Example attack vector:

import { jsPDF } from "./dist/jspdf.node.js";

const doc = new jsPDF();

doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file
Patches

The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.

Workarounds

With recent node versions, jsPDF recommends using the --permission flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the node documentation for details.

For older node versions, sanitize user-provided paths before passing them to jsPDF.

Credits

Researcher: kilkat (Kwangwoon Kim)

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder

CVE-2026-24133 / GHSA-95fx-jjr5-f39c

More information

Details

Impact

User control of the first argument of the addImage method results in Denial of Service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious BMP image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "BMP", 0, 0, 100, 100);
Patches

The vulnerability has been fixed in jsPDF 4.1.0. Upgrade to jspdf@>=4.1.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)

CVE-2026-24043 / GHSA-vm32-vv63-w422

More information

Details

Impact

User control of the first argument of the addMetadata function allows users to inject arbitrary XML.

If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed.

Example attack vector:

import { jsPDF } from "jspdf"

const doc = new jsPDF()

// Input a string that closes the current XML tag and opens a new one.
// We are injecting a fake "dc:creator" (Author) to spoof the document source.
const maliciousInput = '</jspdf:metadata></rdf:Description>' +
    '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/">' +
    '<dc:creator>TRUSTED_ADMINISTRATOR</dc:creator>' + // <--- Spoofed Identity
    '</rdf:Description>' +
    '<rdf:Description><jspdf:metadata>'

// The application innocently adds the user's input to the metadata
doc.addMetadata(maliciousInput, "http://valid.namespace")

doc.save("test.pdf")
Patches

The vulnerability has been fixed in jsPDF@4.1.0

Workarounds

Sanitize user input before passing it to the addMetadata method: escape XML entities. For example:

let input = "..."

input = input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")

doc.addMetadata(input)

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution

CVE-2026-24737 / GHSA-pqxr-3g65-p328

More information

Details

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are:

  • AcroformChoiceField.addOption
  • AcroformChoiceField.setOptions
  • AcroFormCheckBox.appearanceState
  • AcroFormRadioButton.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

var choiceField = new doc.AcroFormChoiceField();
choiceField.T = "VulnerableField";
choiceField.x = 20;
choiceField.y = 20;
choiceField.width = 100;
choiceField.height = 20;

// PAYLOAD:
// 1. Starts with "/" to bypass escaping.
// 2. "dummy]" closes the array.
// 3. "/AA" injects an Additional Action (Focus event).
// 4. "/JS" executes arbitrary JavaScript.
const payload = "/dummy] /AA << /Fo << /S /JavaScript /JS (app.alert('XSS')) >> >> /Garbage [";

choiceField.addOption(payload);
doc.addField(choiceField);

doc.save("test.pdf");
Patches

The vulnerability has been fixed in jsPDF@4.1.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Credits

Research and fix: Ahmet Artuç

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF has Shared State Race Condition in addJS Plugin

CVE-2026-24040 / GHSA-cjw8-79x6-5cj4

More information

Details

Impact

The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests.

If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B.

Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"
Patches

The vulnerability has been fixed in jspdf@4.0.1. The fix moves the shared variable into the function scope, ensuring isolation between instances.

Workarounds

Avoid using the addJS method in concurrent server-side environments. If usage is required, ensure requests are processed sequentially (e.g., using a queue) rather than in parallel.

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

CVE-2026-25940 / GHSA-p5xg-68wr-hm3m

More information

Details

Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

  • AcroformChildClass.appearanceState

Example attack vector:

import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");
Patches

The vulnerability has been fixed in jsPDF@4.2.0.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions

CVE-2026-25535 / GHSA-67pg-wm7f-q7fj

More information

Details

Impact

User control of the first argument of the addImage method results in denial of service.

If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, wich lead to excessive memory allocation.

Other affected methods are: html.

Example attack vector:

import { jsPDF } from "jspdf" 

// malicious GIF image data with large width/height headers
const payload = ...

const doc = new jsPDF();

doc.addImage(payload, "GIF", 0, 0, 100, 100);
Patches

The vulnerability has been fixed in jsPDF 4.1.1. Upgrade to jspdf@>=4.2.0.

Workarounds

Sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

CVE-2026-25755 / GHSA-9vjf-qc39-jprp

More information

Details

Impact

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

import { jsPDF } from "jspdf";
const doc = new jsPDF();
// Payload:
// 1. ) closes the JS string.
// 2. > closes the current dictionary.
// 3. /AA ... injects an "Additional Action" that executes on focus/open.
const maliciousPayload = "console.log('test');) >> /AA << /O << /S /JavaScript /JS (app.alert('Hacked!')) >> >>";

doc.addJS(maliciousPayload);
doc.save("vulnerable.pdf");
Patches

The vulnerability has been fixed in jspdf@4.2.0.

Workarounds

Escape parentheses in user-provided JavaScript code before passing them to the addJS method.

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

parallax/jsPDF (jspdf)

v4.2.0

Compare Source

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

Compare Source

This release fixes several security issues.

What's Changed

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

Compare Source

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

Compare Source

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

Compare Source

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v3.0.2...v3.0.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@oep-renovate
fix(deps): update dependency jspdf to v4 [security]
62dc879 
Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
@oep-renovate
Copy link
Contributor Author

oep-renovate bot commented Jan 6, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: web_ui/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: svg2pdf.js@2.5.0
npm error Found: jspdf@4.0.0
npm error node_modules/jspdf
npm error   jspdf@"^4.0.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer jspdf@"^3.0.0 || ^2.0.0" from svg2pdf.js@2.5.0
npm error node_modules/svg2pdf.js
npm error   svg2pdf.js@"^2.5.0" from the root project
npm error
npm error Conflicting peer dependency: jspdf@3.0.4
npm error node_modules/jspdf
npm error   peer jspdf@"^3.0.0 || ^2.0.0" from svg2pdf.js@2.5.0
npm error   node_modules/svg2pdf.js
npm error     svg2pdf.js@"^2.5.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2026-01-06T02_54_12_595Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2026-01-06T02_54_12_595Z-debug-0.log

@github-actions github-actions bot added the UI label Jan 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpggvilaca jpggvilaca Awaiting requested review from jpggvilaca jpggvilaca is a code owner

@MarkRedeman MarkRedeman Awaiting requested review from MarkRedeman MarkRedeman is a code owner

@camiloHimura camiloHimura Awaiting requested review from camiloHimura camiloHimura is a code owner

@pplaskie pplaskie Awaiting requested review from pplaskie pplaskie is a code owner

@ActiveChooN ActiveChooN Awaiting requested review from ActiveChooN ActiveChooN is a code owner

@romanowska romanowska Awaiting requested review from romanowska romanowska is a code owner

@dwesolow dwesolow Awaiting requested review from dwesolow dwesolow is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

UI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants