Bump tecnickcom/tcpdf from 6.6.5 to 6.9.1

[dependabot]

Bumps tecnickcom/tcpdf from 6.6.5 to 6.9.1.

Changelog

Sourced from tecnickcom/tcpdf's changelog.

6.9.0 (2025-04-03)

• Fixed Path Traversal security vulnerability reported by Positive Technologies.

6.9.0 (2025-03-30)

• Added PHP 8.4 testing.
• Removed tcpdf_import.php and tcpdf_parser.php files (for a parser check the tc-lib-pdf-parser project instead).
• Fix composer.json.

6.8.2 (2025-01-26)

• Fix some annotation flags values.
• Remove examples from packaging.

6.8.1 (2025-01-26) - UNTAGGED

• Check relative paths on SVG images.

6.8.0 (2024-12-23)

• Requires PHP 7.1+ and curl extension.
• Escape error message.
• Use strict time-constant function to compare TCPDF-tag hashes.
• Add K_CURLOPTS config array to set custom cURL options (NOTE: some defaults have changed).
• Add some addTTFfont fixes from tc-lib-pdf-font.

6.7.8 (2024-12-13)

• Improve SVG detection by checking for (mandatory) namespace.
• Use late state binding now that minimum PHP version is 5.5.

6.7.7 (2024-10-26)

• Update regular expression to avoid ReDoS (CVE-2024-22641)
• [PHP 8.4] Fix: Curl CURLOPT_BINARYTRANSFER deprecated #675
• SVG detection fix for inline data images #646
• Fix count svg #647
• Since the version 6.7.4, the "0" is considered like empty string and not displayed
• Fixed handling of transparency in PDF/A mode in addExtGState method
• Encrypt /DA string when document is encrypted
• Improve quality of generated seed, avoid potential security pitfall
• Try to use random_bytes() first if it's available
• Do not include the server parameters in the generated seed, as they might contain sensitive data
• Fix bug on _getannotsrefs when there are empty signature appearances but not other annot on a page
• Fix SVG coordinate parser that caused drawing artifacts
• Remove usage of xml_set_object() function

6.7.6 (2024-10-06)

• Forbid access to parent folder in HTML images.

6.7.5 (2024-04-20)

• Update GitHub actions
• fix: CSV-2024-22640 (#712)

6.7.4 (2024-03-24)

• Upgrade tcpdf tag encryption algorithm.

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)