Recent Commits to jsPDF:master

  • 17/03/2026 8:28

    Bump serialize-javascript and @rollup/plugin-terser (#3966)
    
    Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.4 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.
    
    
    Updates `serialize-javascript` from 6.0.2 to 7.0.4
    - [Release notes](https://github.com/yahoo/serialize-javascript/releases)
    - [Commits](https://github.com/yahoo/serialize-javascript/compare/v6.0.2...v7.0.4)
    
    Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
    - [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
    - [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)
    
    ---
    updated-dependencies:
    - dependency-name: serialize-javascript
      dependency-version: 7.0.4
      dependency-type: indirect
    - dependency-name: "@rollup/plugin-terser"
      dependency-version: 1.0.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 17/03/2026 8:15

    4.2.1
  • 17/03/2026 8:06

    Merge commit from fork
    
    * Fix FreeText annotation style string escaping
    
    * Remove dist artifacts from FreeText fix PR
    
    * Harden FreeText color: add hex validation, fix double #, expand tests
    
    - Validate color as hex pattern (3-8 hex chars), fallback to 000000
      for non-hex input as defense-in-depth alongside pdfEscape
    - Strip leading # before concatenation to prevent double ## in output
    - Add tests: injection rejection, backslash bypass, valid hex colors,
      double # prevention, non-hex fallback
    
    * Update freetext.pdf reference for double # fix
    
    The reference file had color:##ff0000 (double #) which was
    a pre-existing bug. Now that we strip the leading # before
    concatenation, the output is color:#ff0000 and the reference
    must match.
    
    * Revert "Update freetext.pdf reference for double # fix"
    
    This reverts commit b6139558ededb872a663f62898d68f0f2d35bde5.
    
    * Revert "Harden FreeText color: add hex validation, fix double #, expand tests"
    
    This reverts commit 0b8baf967c5089ec40f0a86c3d59cb47fcc0823e.
    
    ---------
    
    Co-authored-by: Doruk <peak@peaktwilight.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 17/03/2026 8:06

    Merge commit from fork
    
    * Fix popup rendering for new window outputs
    
    * Encode filename in data URI, add edge case tests
    
    - Encode options.filename in datauristring to prevent data URI
      structure corruption via semicolons/commas
    - Add tests: SRI on default pdfobject URL, data URI filename encoding,
      malicious pdfJsUrl attribute injection attempt
    
    * Fix SRI test: split into default and custom URL cases
    
    The previous test claimed to cover both default and custom URL
    paths but only checked the default. Now split into two separate
    tests that each verify what they claim.
    
    ---------
    
    Co-authored-by: Doruk <peak@peaktwilight.com>
  • 03/03/2026 9:48

    Bump minimatch from 3.1.2 to 3.1.5 (#3961)
    
    Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.5.
    - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
    - [Commits](https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5)
    
    ---
    updated-dependencies:
    - dependency-name: minimatch
      dependency-version: 3.1.5
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 02/03/2026 6:25

    Bump rollup from 2.79.2 to 2.80.0 (#3960)
    
    Bumps [rollup](https://github.com/rollup/rollup) from 2.79.2 to 2.80.0.
    - [Release notes](https://github.com/rollup/rollup/releases)
    - [Changelog](https://github.com/rollup/rollup/blob/v2.80.0/CHANGELOG.md)
    - [Commits](https://github.com/rollup/rollup/compare/v2.79.2...v2.80.0)
    
    ---
    updated-dependencies:
    - dependency-name: rollup
      dependency-version: 2.80.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 19/02/2026 7:01

    4.2.0
  • 19/02/2026 6:37

    Merge commit from fork
    
    * Sanitize JavaScript input in addJS function
    
    Sanitize input JavaScript to prevent errors with parentheses.
    
    * don't escape already escaped parentheses, add test cases
    
    ---------
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 19/02/2026 6:37

    Merge commit from fork
  • 19/02/2026 6:37

    Merge commit from fork
    
    * fix
    
    * fix
    
    * add regression tests and revert dist changes
    
    * prettier
    
    ---------
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 09/02/2026 6:59

    fix: upgrade @babel/runtime from 7.28.4 to 7.28.6 (#3954)
    
    Snyk has created this PR to upgrade @babel/runtime from 7.28.4 to 7.28.6.
    
    See this package in npm:
    @babel/runtime
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
  • 04/02/2026 10:56

    Add default export to package.json (#3953)
  • 02/02/2026 7:45

    4.1.0
  • 02/02/2026 7:27

    Merge commit from fork
    
    * limit buffer allocation size when parsing BMP images
    
    * document addImage might throw errors
  • 02/02/2026 7:27

    Merge commit from fork
    
    Move module-level variables (text, jsNamesObj, jsJsObj) inside addJS
    function scope to prevent data leakage when multiple jsPDF instances
    call addJS() before save().
    
    Fixes shared state vulnerability where docA.save() would contain
    docB's script if docB.addJS() was called after docA.addJS().
    
    Co-authored-by: root <root@DESKTOP-PC8VOAS.localdomain>
  • 02/02/2026 7:26

    Merge commit from fork
  • 02/02/2026 7:26

    Merge commit from fork
    
    * Fix PDF Injection vulnerability in AcroForm (ChoiceField, CheckBox, RadioButton)
    
    * Apply review suggestions: Improved hex escaping
    
    * Test: Add PDF injection tests
    
    * fix test cases, formatting
    
    ---------
    
    Co-authored-by: kali <kali@kali.kali>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 29/01/2026 7:35

    Bump @koa/cors and local-web-server (#3951)
    
    Bumps [@koa/cors](https://github.com/koajs/cors) to 5.0.0 and updates ancestor dependency [local-web-server](https://github.com/lwsjs/local-web-server). These dependencies need to be updated together.
    
    
    Updates `@koa/cors` from 3.4.3 to 5.0.0
    - [Changelog](https://github.com/koajs/cors/blob/master/History.md)
    - [Commits](https://github.com/koajs/cors/compare/3.4.3...5.0.0)
    
    Updates `local-web-server` from 4.2.1 to 5.4.0
    - [Release notes](https://github.com/lwsjs/local-web-server/releases)
    - [Commits](https://github.com/lwsjs/local-web-server/compare/v4.2.1...v5.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: "@koa/cors"
      dependency-version: 5.0.0
      dependency-type: indirect
    - dependency-name: local-web-server
      dependency-version: 5.4.0
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 29/01/2026 7:22

    Bump tmp, inquirer and karma (#3945)
    
    Bumps [tmp](https://github.com/raszi/node-tmp) to 0.2.5 and updates ancestor dependencies [tmp](https://github.com/raszi/node-tmp), [inquirer](https://github.com/SBoudrias/Inquirer.js) and [karma](https://github.com/karma-runner/karma). These dependencies need to be updated together.
    
    
    Updates `tmp` from 0.2.1 to 0.2.5
    - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/raszi/node-tmp/compare/v0.2.1...v0.2.5)
    
    Updates `inquirer` from 6.5.2 to 13.2.1
    - [Release notes](https://github.com/SBoudrias/Inquirer.js/releases)
    - [Commits](https://github.com/SBoudrias/Inquirer.js/compare/inquirer@6.5.2...inquirer@13.2.1)
    
    Updates `karma` from 5.1.0 to 6.4.4
    - [Release notes](https://github.com/karma-runner/karma/releases)
    - [Changelog](https://github.com/karma-runner/karma/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/karma-runner/karma/compare/v5.1.0...v6.4.4)
    
    ---
    updated-dependencies:
    - dependency-name: tmp
      dependency-version: 0.2.5
      dependency-type: indirect
    - dependency-name: inquirer
      dependency-version: 13.2.1
      dependency-type: direct:development
    - dependency-name: karma
      dependency-version: 6.4.4
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 29/01/2026 6:57

    Bump sha.js from 2.4.11 to 2.4.12 (#3946)
    
    Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11 to 2.4.12.
    - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/crypto-browserify/sha.js/compare/v2.4.11...v2.4.12)
    
    ---
    updated-dependencies:
    - dependency-name: sha.js
      dependency-version: 2.4.12
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 29/01/2026 6:18

    Bump vite from 5.4.20 to 5.4.21 in /examples/vite (#3949)
    
    Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.20 to 5.4.21.
    - [Release notes](https://github.com/vitejs/vite/releases)
    - [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
    - [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)
    
    ---
    updated-dependencies:
    - dependency-name: vite
      dependency-version: 5.4.21
      dependency-type: direct:development
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 29/01/2026 6:14

    Bump cipher-base from 1.0.4 to 1.0.7 (#3942)
    
    Bumps [cipher-base](https://github.com/crypto-browserify/cipher-base) from 1.0.4 to 1.0.7.
    - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/crypto-browserify/cipher-base/compare/v1.0.4...v1.0.7)
    
    ---
    updated-dependencies:
    - dependency-name: cipher-base
      dependency-version: 1.0.7
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 29/01/2026 6:11

    Bump lodash from 4.17.21 to 4.17.23 (#3943)
    
    Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
    - [Release notes](https://github.com/lodash/lodash/releases)
    - [Commits](https://github.com/lodash/lodash/compare/4.17.21...4.17.23)
    
    ---
    updated-dependencies:
    - dependency-name: lodash
      dependency-version: 4.17.23
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • 29/01/2026 5:58

    fix: upgrade dompurify from 3.3.0 to 3.3.1 (#3948)
    
    Snyk has created this PR to upgrade dompurify from 3.3.0 to 3.3.1.
    
    See this package in npm:
    dompurify
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
  • 22/01/2026 9:51

    fix: upgrade dompurify from 3.2.4 to 3.3.0 (#3928)
    
    Snyk has created this PR to upgrade dompurify from 3.2.4 to 3.3.0.
    
    See this package in npm:
    dompurify
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 18/12/2025 7:31

    4.0.0
  • 18/12/2025 7:06

    restrict file system access in node build (#3931)
    
     - add jsPDF.allowFsRead property as fs read whitelist
     - read files only if node --permission flag or allowFsRead are enabled
  • 19/11/2025 10:32

    3.0.4
  • 19/11/2025 8:19

    Fix Incorrect Typing for Margins in the TableConfig Interface Definition (#3816)
    
    ---------
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 12/11/2025 11:02

    chore: bump checkout, setup-node, and stale actions (#3907)
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 12/11/2025 11:00

    Fix: Context2d font regex too restrictive ( #3904 ) (#3906)
    
    ---------
    
    Co-authored-by: quentin.legrand <quentin.legrand@peoplbrain.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 28/10/2025 7:14

    Do not add pages dynamically unless autoPaging is enabled (#3915)
  • 16/10/2025 8:59

    add package.json exports field (#3903)
  • 07/10/2025 7:25

    Fix API.internal.pages not being updated when restoring a RenderTarget ( #3898 ) (#3899)
    
    Co-authored-by: quentin.legrand <quentin.legrand@peoplbrain.com>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 07/10/2025 4:59

    fix font list cache invalidation issue in context2d module (#3891)
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 07/10/2025 4:49

    remove duplicate function "ga" in webp decoder (#3902)
  • 06/10/2025 8:32

    fix: cell function now properly accepts align parameter (#3896)
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 06/10/2025 7:25

    Fix typos and linguistic errors in documentation (#3897)
  • 02/10/2025 8:47

    fix: upgrade @babel/runtime from 7.28.3 to 7.28.4 (#3895)
    
    Snyk has created this PR to upgrade @babel/runtime from 7.28.3 to 7.28.4.
    
    See this package in npm:
    @babel/runtime
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
  • 18/09/2025 5:08

    3.0.3
  • 18/09/2025 4:58

    fix regressions in PNG encoding that were introduced in 3.0.2 (#3887)
    
    - fix compression of other than 8-bit images
    - fix soft mask for other than 8-bit images
    - fix potential byte order issue for 16-bit images
    - fix writing an empty mask (error) for indexed images without transparency
  • 16/09/2025 8:59

    fix scaling of form object bounding boxes (#3888)
  • 01/09/2025 8:56

    Fix division by zero when calculating word spacing (#3879)
    
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 26/08/2025 8:57

    3.0.2
  • 26/08/2025 8:40

    Fix parsing corrupt PNG images in the addImage method (#3880)
    
    - remove atob and btoa dependencies and use native implementations for node build, as well
    - replace built-in PNG parser with the fast-png 3rd party dependency
    - consistently support 16bit color spaces
    - fix compression being applied with compression="NONE" in some cases
  • 25/08/2025 6:33

    Correct the millimeter unit conversion constant in docs (#3872)
  • 21/08/2025 8:45

    fix: upgrade @babel/runtime from 7.26.7 to 7.26.9 (#3847)
    
    Snyk has created this PR to upgrade @babel/runtime from 7.26.7 to 7.26.9.
    
    See this package in npm:
    @babel/runtime
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
  • 17/03/2025 11:25

    3.0.1
  • 17/03/2025 11:08

    fix: upgrade @babel/runtime from 7.26.0 to 7.26.7 (#3832)
    
    Snyk has created this PR to upgrade @babel/runtime from 7.26.0 to 7.26.7.
    
    See this package in npm:
    @babel/runtime
    
    See this project in Snyk:
    https://app.snyk.io/org/mrrio/project/50515eb1-b03b-4f42-9f17-cce1a33d5d1a?utm_source=github&utm_medium=referral&page=upgrade-pr
    
    Co-authored-by: snyk-bot <snyk-bot@snyk.io>
    Co-authored-by: Lukas Holländer <lukas.hollaender@yworks.com>
  • 17/03/2025 11:06

    improve performance of data url parsing in addimage (#3843)
    
    - fix a ReDoS vulnerability
  • 17/03/2025 10:12

    don't use saucelabs in CI to be able to correctly run CI for PRs
  • 17/03/2025 5:43

    Upgrade canvg from 3.0.6 to 3.0.11 (#3836)
