
chore(deps): bump jspdf from 3.0.3 to 4.2.1#141

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/jspdf-4.2.1

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 17, 2026

Bumps jspdf from 3.0.3 to 4.2.1.

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Full Changelog: parallax/jsPDF@v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade jspdf from 3.0.3 to 4.2.1 to patch multiple security vulnerabilities in PDF generation. Applies to apps/extensions and apps/portal.

  • Dependencies

    • Bump jspdf to 4.2.1, which fixes HTML injection, PDF object injection, DoS via image dimensions, and unsafe addJS issues.
  • Migration

    • For Node usage only: v4 restricts file system reads by default. If needed, enable Node --permission or set jsPDF.allowFsRead.

Written for commit 579af3f. Summary will update on new commits.

Bumps [jspdf](https://github.com/parallax/jsPDF) from 3.0.3 to 4.2.1.
- [Release notes](https://github.com/parallax/jsPDF/releases)
- [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md)
- [Commits](parallax/jsPDF@v3.0.3...v4.2.1)

---
updated-dependencies:
- dependency-name: jspdf
  dependency-version: 4.2.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Mar 17, 2026
cla-assistant Bot commented Mar 17, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files

greptile-apps Bot commented Mar 17, 2026

Greptile Summary

This PR is a Dependabot security update that bumps jspdf from 3.0.3 to 4.2.1 across both apps/extensions and apps/portal. The update spans multiple releases (v4.0.0 through v4.2.1) and patches seven distinct security vulnerabilities including HTML injection, PDF/JS object injection, arbitrary JavaScript execution via AcroForm, path traversal in Node.js, and DoS via malicious image dimensions.

Key points:

  • Both package.json files and pnpm-lock.yaml are correctly and consistently updated.
  • The v4.0.0 breaking change (Node.js filesystem access now restricted by default via jsPDF.allowFsRead) does not affect this codebase — all four jspdf usages (apps/portal/app/utilities/images.ts, apps/portal/components/pagesComponents/_editorScreen/editorHelpers/pdf.ts, apps/extensions/src/content/panel/screens/editorScreen/editorHelpers/pdf.ts, apps/extensions/src/app/utilities/pdfFromImageUrl.ts) are browser-side only and use only the unchanged new jsPDF(), addImage(), and output() APIs.
  • Lockfile regeneration also pulled in updated metadata that flags next@14.2.33 (already in use) as carrying a security vulnerability — this pre-existing issue should be addressed in a separate PR.
  • Several transitive dependencies were also refreshed: dompurify (3.2.7 to 3.3.3), @babel/runtime (7.29.2), core-js (3.49.0), lodash (4.17.23), minimatch (9.0.9), and semver (7.7.4).

Confidence Score: 4/5

  • Safe to merge — the update is a critical security fix with no breaking API changes for this codebase's browser-side usage, though the surfaced next@14.2.33 vulnerability warrants a follow-up PR.
  • Score of 4 because the jspdf bump is correct, consistent across both package files and the lockfile, and the existing usage is fully compatible with v4.x. The one point deducted reflects the next@14.2.33 security deprecation that was surfaced by this lockfile regeneration and should not be left unaddressed.
  • pnpm-lock.yaml — contains a newly surfaced security deprecation notice for next@14.2.33

Important Files Changed

Filename Overview
apps/extensions/package.json jspdf bumped from ^3.0.2 to ^4.2.1; the major version jump is security-motivated and the existing API surface used in the codebase (constructor, addImage, output) is unchanged in v4.x.
apps/portal/package.json jspdf bumped from ^3.0.2 to ^4.2.1, mirroring the extensions package change; both package.json files are explicitly updated as required.
pnpm-lock.yaml Lockfile correctly resolves jspdf to 4.2.1 in both importers; however, regeneration also surfaced a deprecation notice for next@14.2.33 citing a security vulnerability, and several transitive packages were updated (dompurify, @babel/runtime, core-js, lodash, minimatch, semver).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[jspdf 3.0.3\nVulnerable] -->|v4.0.0| B[Fix: Path Traversal / LFI\nin Node.js build\nGHSA-f8cm-6447-x5h2]
    B -->|v4.1.0| C[Fix: AcroForm PDF Injection\nXMP Metadata Injection\naddJS Race Condition\nDoS via BMP Decoder]
    C -->|v4.2.0| D[Fix: AcroForm RadioButton Injection\nDoS via GIF Dimensions\naddJS Object Injection]
    D -->|v4.2.1| E[Fix: HTML Injection in output\nFree Text Annotation Color Injection]
    E --> F[jspdf 4.2.1\nAll vulnerabilities patched]

    F --> G[apps/extensions\npackage.json updated]
    F --> H[apps/portal\npackage.json updated]
    G --> I[pnpm-lock.yaml\nresolved to 4.2.1]
    H --> I

Last reviewed commit: 579af3f

Comment thread pnpm-lock.yaml
next@14.2.33:
resolution: {integrity: sha512-GiKHLsD00t4ACm1p00VgrI0rUFAC9cRDGReKyERlM57aeEZkOQGcZTpIbsGn0b562FTPJWmYfKwplfO9EaT6ng==}
engines: {node: '>=18.17.0'}
deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details.
P1 Security vulnerability in next@14.2.33

Regenerating the lockfile for this PR surfaced a deprecation/security notice on the next package currently in use:

deprecated: This version has a security vulnerability. Please upgrade to a patched version.
See https://nextjs.org/blog/security-update-2025-12-11 for more details.

While next itself was not touched by this PR, the lockfile regeneration exposed that next@14.2.33 is now flagged as insecure by the npm registry. It is worth opening a separate PR (or a follow-up Dependabot update) to upgrade next to a patched version to address this vulnerability.

