jsPDF

Security Fixes

Breaking Changes:

• dompurify optional dependency upgraded to 3.3.1

Fixes:

• PDF Injection in AcroForm module — arbitrary JavaScript execution via form fields
• XMP Metadata Injection — stored metadata spoofing and integrity violations
• Race condition in addJS() method with shared state
• DoS via unvalidated BMP image dimensions in BMPDecoder

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new [jsPDF.allowFsRead](https://raw.githack....

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @babel/runtime from 7.28.3 to 7.28.4 by @MrRio in https://github.com/parallax/jsPDF/pull/3895
• fix: cell function now properly accepts align parameter by @vishal-rathod-07 in https://github.com/parallax/jsPDF/pull/3896
• Remove duplicated function "ga" from WebPDecoder.js by @jvdp in ht...

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @alxndr-pggm in https://github.com/parallax/jsPDF/pull/3879
• fix scaling of form object bounding boxes by @HackbrettXXX in https://github.com/parallax/jsPDF/pull/3888
• fix regressions in PNG encoding that were introduced in 3.0.2 by @Hac...

This release fixes a security issue where parsing of corrupt PNG images could lead to long running loops and denial of service.

What's Changed

• [Snyk] Upgrade @babel/runtime from 7.26.7 to 7.26.9 by @MrRio in https://github.com/parallax/jsPDF/pull/3847
• Fix parsing corrupt PNG images in addImage method by @Hackb...

This release fixes two security vulnerabilities:

• Upgrade optional dependency canvg to 3.0.11
• Fix a ReDoS vulnerability in the addImage method and the methods html and addSvgAsImage, which depend on addImage

This major release officially drops support for Internet Explorer and fixes a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4. There are no other breaking changes.

New Contributors

• @nlqivision made their first contribution in https://github.com/parallax/jsPDF/pull/3812
• @dependab...

This release upgrades the Dompurify dependency to 2.5.4 with fixes a vulnerability with high severity: https://github.com/advisories/GHSA-mmhx-hmjr-r674.

It also upgrades fflate, core-js, and @babel/runtime to more recent versions.

What's Changed

• Implement justifying for unicode fonts by @owenl131 in https://github.com/parallax/jsPDF/pull/3285
• chore: update dompurify version 2.5.4 b...

This release fixes two security related issues.

• #3348: Check integrity when loading the pdfobject lib from CDN in calls to output('pdfobjectnewwindow')
• #3368: Fix inefficient regular expression in setDisplayMode (CWE-1333)

This release adds some minor new features and fixes some bugs, e.g. related to multiline text. Thanks to all contributors!

New Features

• #3324 add getLineWidth function
• #3294: add horizontalScale option to text function

Bugfixes

• #3271: fix html function only rendering on the first invocation per document
• #3304, #3295: fix context2D.closePath (now properly closes...