Bump jspdf from 1.3.5 to 4.1.0 by dependabot[bot] · Pull Request #138 · dbca-wa/gokart

dependabot · 2026-02-02T19:01:42Z

Bumps jspdf from 1.3.5 to 4.1.0.

Release notes

v4.1.0

This release fixes several security issues.

What's Changed

Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948

Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability

Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability

Fix Shared State Race Condition in addJS Method vulnerability

Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

[Snyk] Upgrade @babel/runtime from 7.28.3 to 7.28.4 by @MrRio in parallax/jsPDF#3895

fix: cell function now properly accepts align parameter by @vishal-rathod-07 in parallax/jsPDF#3896

Remove duplicated function "ga" from WebPDecoder.js by @jvdp in parallax/jsPDF#3902

Fix font state management issue #3890 by @srikanth-s2003 in parallax/jsPDF#3891

Fix pages property to always return current array reference ( #3898 ) by @Opineppes in parallax/jsPDF#3899

Fix jsPDF + Vite compatibility issue #3851 by @tishajain25 in parallax/jsPDF#3903

Do not add pages dynamically unless autoPaging is enabled by @anmiles in parallax/jsPDF#3915

Fix: Context2d font regex too restrictive ( #3904 ) by @Opineppes in parallax/jsPDF#3906

Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @Maito1794 in parallax/jsPDF#3816

New Contributors

@survivant made their first contribution in parallax/jsPDF#3897

@vishal-rathod-07 made their first contribution in parallax/jsPDF#3896

@jvdp made their first contribution in parallax/jsPDF#3902

@srikanth-s2003 made their first contribution in parallax/jsPDF#3891

@Opineppes made their first contribution in parallax/jsPDF#3899

@tishajain25 made their first contribution in parallax/jsPDF#3903

@anmiles made their first contribution in parallax/jsPDF#3915

@josephyi made their first contribution in parallax/jsPDF#3907

@Maito1794 made their first contribution in parallax/jsPDF#3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

Fix division by zero when calculating word spacing by @alxndr-pggm in parallax/jsPDF#3879

fix scaling of form object bounding boxes by @HackbrettXXX in parallax/jsPDF#3888

... (truncated)

Commits

0227381 4.1.0
ae4b93f Merge commit from fork
2863e5c Merge commit from fork
efe54bf Merge commit from fork
da291a5 Merge commit from fork
685e41e Bump @koa/cors and local-web-server (#3951)
8cc22a5 Bump tmp, inquirer and karma (#3945)
008b276 Bump sha.js from 2.4.11 to 2.4.12 (#3946)
ff66d52 Bump vite from 5.4.20 to 5.4.21 in /examples/vite (#3949)
bcf79f2 Bump cipher-base from 1.0.4 to 1.0.7 (#3942)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [jspdf](https://github.com/parallax/jsPDF) from 1.3.5 to 4.1.0. - [Release notes](https://github.com/parallax/jsPDF/releases) - [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md) - [Commits](parallax/jsPDF@v1.3.5...v4.1.0) --- updated-dependencies: - dependency-name: jspdf dependency-version: 4.1.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-02-02T19:02:41Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jspdf@1.3.5 ⏵ 4.1.0	⁺¹	⁺⁷⁵	⁺²	^-3

View full report

socket-security · 2026-02-02T19:02:43Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: Prototype Pollution in npm `lodash` CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: package-lock.json → `npm/karma-browserify@4.4.2` → `npm/lodash@3.10.1` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lodash@3.10.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm `lodash` CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: package-lock.json → `npm/browserify-css@0.9.2` → `npm/lodash@3.6.0` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lodash@3.6.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm `lodash` CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: package-lock.json → `npm/lodash@4.15.0` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lodash@4.15.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm `minimist` CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 0.2.4 From: package-lock.json → `npm/exorcist@0.4.0` → `npm/minimist@0.0.5` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/minimist@0.0.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm `minimist` CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 0.2.4 From: package-lock.json → `npm/eslint@3.19.0` → `npm/babel-core@6.26.3` → `npm/minimist@0.0.8` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/minimist@0.0.8`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Potential Command Injection in npm `shell-quote` CVE: GHSA-qg8p-v9q4-gh34 Potential Command Injection in shell-quote (CRITICAL) Affected versions: < 1.6.1 Patched version: 1.6.1 From: package-lock.json → `npm/karma-browserify@4.4.2` → `npm/shell-quote@0.0.1` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/shell-quote@0.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Arbitrary Code Execution in npm `underscore` CVE: GHSA-cf4h-3jhx-xvhq Arbitrary Code Execution in underscore (CRITICAL) Affected versions: >= 1.3.2 < 1.12.1 Patched version: 1.12.1 From: package-lock.json → `npm/underscore@1.8.3` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/underscore@1.8.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `buffer` is 97.0% likely obfuscated Confidence: 0.97 Location: Package overview From: package-lock.json → `npm/browserify@12.0.2` → `npm/buffer@3.6.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/buffer@3.6.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

sentry · 2026-02-02T19:05:05Z

package.json

    "interact.js": "~1.2.6",
    "jcanvas": "~16.7.3",
-    "jspdf": "~1.3.2",
+    "jspdf": "~4.1.0",


Bug: The jsPDF upgrade to v4.1.0 introduces a breaking change. The code still calls the removed setFontType() method, which will cause a crash when printing legends.
_{Severity: CRITICAL}

Suggested Fix

The separate calls to doc.setFont(style.font) and doc.setFontType(style.fontType) should be combined into a single call that is compatible with the new jsPDF API: doc.setFont(style.font, style.fontType).

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid. Location: package.json#L74 Potential issue: The pull request upgrades `jsPDF` from version 1.3.x to 4.1.0. This upgrade introduces a breaking change, as the `setFontType()` method was removed in version 2.0.0. The code in `src/components/layers/layerlegends.vue` at line 269 still calls `doc.setFontType(style.fontType)` when generating a PDF for printing legends. This will result in a `TypeError: doc.setFontType is not a function` and crash the application whenever a user attempts to use the print functionality in the legends panel.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 2, 2026

dependabot bot mentioned this pull request Feb 2, 2026

Bump jspdf from 1.3.5 to 4.0.0 #137

Closed

sentry bot reviewed Feb 2, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump jspdf from 1.3.5 to 4.1.0#138

Bump jspdf from 1.3.5 to 4.1.0#138
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/jspdf-4.1.0

dependabot bot commented on behalf of github Feb 2, 2026

Uh oh!

socket-security bot commented Feb 2, 2026

Uh oh!

socket-security bot commented Feb 2, 2026

Uh oh!

sentry bot Feb 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Feb 2, 2026

v4.1.0

What's Changed

v4.0.0

v3.0.4

What's Changed

New Contributors

v3.0.3

What's Changed

Uh oh!

socket-security bot commented Feb 2, 2026

Uh oh!

socket-security bot commented Feb 2, 2026

Uh oh!

sentry bot Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants