
[Snyk] Fix for 4 vulnerabilities#33

Open
bozza-man wants to merge 1 commit into main from snyk-fix-1afa65838523e3acd6746920a1af9902

Conversation


@bozza-man bozza-man commented Jan 21, 2026


Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

  • critical severity: External Control of File Name or Path (SNYK-JS-JSPDF-14873131), score 250
  • high severity: Cross-site Scripting (XSS) (SNYK-JS-REMIXRUNROUTER-14908530), score 134
  • high severity: Open Redirect (SNYK-JS-REACTROUTER-14908286), score 114
  • high severity: Open Redirect (SNYK-JS-REMIXRUNROUTER-14908287), score 114

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Snyk has automatically assigned this pull request, set who gets assigned.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
👩‍💻 Set who automatically gets assigned
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Cross-site Scripting (XSS)


Note

Updates dependencies to remediate vulnerabilities, with no application code changes.

  • Upgrade jspdf to ^4.0.0 and react-router-dom to ^6.30.3 (with react-router and @remix-run/router aligned to latest)
  • Lockfile refresh introduces/removes transitive deps per upstream: adds fast-png, pako, iobuffer; updates fflate, canvg, and dompurify; removes legacy atob/btoa
  • Minor version adjustments to other transitive packages (e.g., @babel/runtime, regenerator-runtime) reflected in package-lock.json

Written by Cursor Bugbot for commit 6eef333. This will update automatically on new commits. Configure here.

@coderabbitai

coderabbitai bot commented Jan 21, 2026

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@phylum-io

phylum-io bot commented Jan 21, 2026

Phylum OSS Supply Chain Risk Analysis - FAILED

This repository analyzes the risk of new dependencies. An administrator of this repository has set requirements via Phylum policy.

If you see this comment, one or more dependencies have failed Phylum's risk analysis.

Package: canvg@3.0.11 failed.

canvg@3.0.11 is decoding Base64 strings

Risk Domain: Malicious Code
Risk Level: low

Reason: Obfuscated code

Package: jspdf@4.0.0 failed.

jspdf@4.0.0 is decoding Base64 strings

Risk Domain: Malicious Code
Risk Level: low

Reason: Obfuscated code

View this project in the Phylum UI


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

"fuzzysort": "^1.1.4",
"javascript-time-ago": "^2.5.9",
"jspdf": "^2.4.0",
"jspdf": "^4.0.0",
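Review bot: the range bump from `"jspdf": "^2.4.0"` to `"jspdf": "^4.0.0"` crosses two major versions, but this hunk leaves `jspdf-autotable` untouched, and the Cursor comment on this PR reports that jspdf-autotable@3.8.2 declares a peer requirement of jspdf `^2.5.1` and is used through `doc.autoTable()`. Suggest bumping jspdf-autotable in the same commit rather than merging the jspdf upgrade alone, then confirming with `npm ls jspdf` that the lockfile resolves a single jspdf version without peer warnings and exercising the PDF table generation paths before merge. Phylum also flags jspdf@4.0.0 (low risk, Base64 decoding) in this PR, so the new major version should be reviewed like any other new dependency, not waved through as a routine patch.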

Incompatible jspdf-autotable peer dependency with jspdf upgrade

High Severity

The upgrade of jspdf from v2.5.1 to v4.0.0 creates a peer dependency conflict with jspdf-autotable@3.8.2, which requires jspdf: "^2.5.1". The codebase uses both libraries together for PDF table generation via doc.autoTable(). This version mismatch will likely cause runtime failures when generating PDFs, as jspdf-autotable v3.x was not designed to work with jspdf v4.x. The jspdf-autotable package needs to be upgraded to v5.x for compatibility.

