Skip to content

[Snyk] Security upgrade jspdf from 2.5.2 to 4.1.0#18

Open
m1981 wants to merge 1 commit into
mainfrom
snyk-fix-a116ee9052f4e4d47e7b9294ec37fb2d
Open

[Snyk] Security upgrade jspdf from 2.5.2 to 4.1.0#18
m1981 wants to merge 1 commit into
mainfrom
snyk-fix-a116ee9052f4e4d47e7b9294ec37fb2d

Conversation

@m1981
Copy link
Copy Markdown
Owner

@m1981 m1981 commented Feb 9, 2026
edited by ellipsis-dev Bot
Loading

snyk-top-banner

Snyk has created this PR to fix 4 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning 
Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Allocation of Resources Without Limits or Throttling
SNYK-JS-JSPDF-15182654		   828  
high severity Improper Encoding or Escaping of Output
SNYK-JS-JSPDF-15182650		   813  
medium severity XML Injection
SNYK-JS-JSPDF-15182644		   738  
low severity Race Condition
SNYK-JS-JSPDF-15182647		   401  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 XML Injection
🦉 Race Condition
🦉 Improper Encoding or Escaping of Output
🦉 More lessons are available in Snyk Learn

Important

Upgrade jspdf to 4.1.0 in package.json to fix security vulnerabilities, with manual pnpm-lock.yaml update needed.

  • Dependencies:
    • Upgrade jspdf from 2.5.2 to 4.1.0 in package.json to fix security vulnerabilities.
  • Vulnerabilities Fixed:
    • Fixes high severity issues: Allocation of Resources Without Limits, Improper Encoding.
    • Fixes medium severity XML Injection and low severity Race Condition.
  • Warnings:
    • pnpm-lock.yaml update failed; requires manual update before merging.

This description was created by Ellipsis for 1b9a2fe. You can customize this summary. It will automatically update as commits are pushed.

@vercel
Copy link
Copy Markdown

vercel Bot commented Feb 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mychat Error Error Feb 9, 2026 11:40am

ellipsis-dev[bot]
ellipsis-dev Bot reviewed Feb 9, 2026
View reviewed changes
Copy link
Copy Markdown

@ellipsis-dev ellipsis-dev Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

Looks good to me! 👍

Reviewed everything up to 1b9a2fe in 9 seconds. Click for details.
  • Reviewed 13 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 0 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_I8io6Be5xmbWz4iq

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

@augmentcode
Copy link
Copy Markdown

augmentcode Bot commented Feb 9, 2026

🤖 Augment PR Summary

Summary: Upgrades jspdf to v4.1.0 to address Snyk-reported vulnerabilities.

Note: The PR only updates package.json; the pnpm-lock.yaml update is still needed before merge.

🤖 Was this summary useful? React with 👍 or 👎

augmentcode[bot]
augmentcode Bot reviewed Feb 9, 2026
View reviewed changes
Copy link
Copy Markdown

@augmentcode augmentcode Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review completed. 2 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

Comment thread package.json
"i18next-browser-languagedetector": "^7.0.1",
"i18next-http-backend": "^2.1.1",
"jspdf": "^2.5.1",
"jspdf": "^4.1.0",
Copy link
Copy Markdown

@augmentcode augmentcode Bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description notes pnpm-lock.yaml wasn’t updated; if CI uses --frozen-lockfile, installs will fail or won’t pick up the intended jspdf version. Consider regenerating and committing the lockfile so the upgrade is reproducible.

Severity: high

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

Comment thread package.json
"i18next-browser-languagedetector": "^7.0.1",
"i18next-http-backend": "^2.1.1",
"jspdf": "^2.5.1",
"jspdf": "^4.1.0",
Copy link
Copy Markdown

@augmentcode augmentcode Bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a major upgrade (jspdf v2 -> v4) which may include breaking API/module-format changes; it’s worth verifying any jspdf usage still builds and works at runtime after the bump.

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ellipsis-dev ellipsis-dev[bot] ellipsis-dev[bot] left review comments

+1 more reviewer

@augmentcode augmentcode[bot] augmentcode[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@m1981 @snyk-bot