Bump jspdf and react-to-pdf

[dependabot]

Bumps jspdf to 4.1.0 and updates ancestor dependency react-to-pdf. These dependencies need to be updated together.

Updates jspdf from 1.5.3 to 4.1.0

Release notes

Sourced from jspdf's releases.

v4.1.0

This release fixes several security issues.

What's Changed

• Upgrade optional dompurify dependency to 3.3.1 in parallax/jsPDF#3948
• Fix PDF Injection in AcroForm module allows Arbitrary JavaScript Execution vulnerability
• Fix Stored XMP Metadata Injection (Spoofing & Integrity Violation) vulnerability
• Fix Shared State Race Condition in addJS Method vulnerability
• Fix Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder vulnerability

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

• [Snyk] Upgrade @​babel/runtime from 7.28.3 to 7.28.4 by @​MrRio in parallax/jsPDF#3895
• fix: cell function now properly accepts align parameter by @​vishal-rathod-07 in parallax/jsPDF#3896
• Remove duplicated function "ga" from WebPDecoder.js by @​jvdp in parallax/jsPDF#3902
• Fix font state management issue #3890 by @​srikanth-s2003 in parallax/jsPDF#3891
• Fix pages property to always return current array reference ( #3898 ) by @​Opineppes in parallax/jsPDF#3899
• Fix jsPDF + Vite compatibility issue #3851 by @​tishajain25 in parallax/jsPDF#3903
• Do not add pages dynamically unless autoPaging is enabled by @​anmiles in parallax/jsPDF#3915
• Fix: Context2d font regex too restrictive ( #3904 ) by @​Opineppes in parallax/jsPDF#3906
• Fix Incorrect Typing for Margins in the TableConfig Interface Definition by @​Maito1794 in parallax/jsPDF#3816

New Contributors

• @​survivant made their first contribution in parallax/jsPDF#3897
• @​vishal-rathod-07 made their first contribution in parallax/jsPDF#3896
• @​jvdp made their first contribution in parallax/jsPDF#3902
• @​srikanth-s2003 made their first contribution in parallax/jsPDF#3891
• @​Opineppes made their first contribution in parallax/jsPDF#3899
• @​tishajain25 made their first contribution in parallax/jsPDF#3903
• @​anmiles made their first contribution in parallax/jsPDF#3915
• @​josephyi made their first contribution in parallax/jsPDF#3907
• @​Maito1794 made their first contribution in parallax/jsPDF#3816

Full Changelog: parallax/jsPDF@v3.0.3...v3.1.0

v3.0.3

This release fixes regressions with PNG encoding that were introduced in v3.0.2.

What's Changed

• Fix division by zero when calculating word spacing by @​alxndr-pggm in parallax/jsPDF#3879
• fix scaling of form object bounding boxes by @​HackbrettXXX in parallax/jsPDF#3888

... (truncated)

Commits

• 0227381 4.1.0
• ae4b93f Merge commit from fork
• 2863e5c Merge commit from fork
• efe54bf Merge commit from fork
• da291a5 Merge commit from fork
• 685e41e Bump @​koa/cors and local-web-server (#3951)
• 8cc22a5 Bump tmp, inquirer and karma (#3945)
• 008b276 Bump sha.js from 2.4.11 to 2.4.12 (#3946)
• ff66d52 Bump vite from 5.4.20 to 5.4.21 in /examples/vite (#3949)
• bcf79f2 Bump cipher-base from 1.0.4 to 1.0.7 (#3942)
• Additional commits viewable in compare view

Updates react-to-pdf from 0.0.8 to 3.0.0

Release notes

Sourced from react-to-pdf's releases.

v3.0.0

3.0.0 (January 5, 2026)

This is a major release following the JsPDF v4 release that updates the dependencies and fixes some security vulnerabilities among other sec fixes related to the dev dependencies that was being by this package.

See https://github.com/parallax/jsPDF/security/advisories/GHSA-9964-cph5-966m for more details about the JsPDF sec fix.

• update jspdf to 4, cypress to 15 and use alternative image comparison for e2e (#175) (24fe10e)
• Bump js-yaml from 4.1.0 to 4.1.1 (#171) (ba1326c)
• update release notes script and changelog (c80acd2)

Full Changelog: ivmarcos/react-to-pdf@2.0.3...3.0.0

v2.0.3

2.0.3 (November 25, 2025)

Updates npm ignore file and some scripts for dev.

• Release 2.0.3 (d623651)
• update CHANGELOG (a9e339d)
• update script to release notes (a91e4cb)
• add script for release notes (ec578c6)
• ignore test tarball folder and update npm ignore (0a23d1a)
• update .npmignore (d3551bb)

Full Changelog: ivmarcos/react-to-pdf@2.0.2...2.0.3

v2.0.2

2.0.2 (November 25, 2025)

This release includes a security fix for JsPDF, see https://github.com/parallax/jsPDF/releases/tag/v3.0.2 among some minor dep updates for dev.

• Release 2.0.2 (683d699)
• upgrade jspdf (#172) (61be78f)
• Bump jspdf from 3.0.1 to 3.0.2 (#170) (5e3843b)
• Bump vite from 6.2.7 to 6.4.1 (#168) (84d4119)
• Bump tar-fs from 2.1.3 to 2.1.4 (#167) (8aed727)
• update changelog (961318d)
• upgrade release-it (e48cb12)

Full Changelog: ivmarcos/react-to-pdf@2.0.1...2.0.2

v2.0.1

2.0.1 (June, 3, 2025)

Fixes security vulnerabilities from tar-fs and some other minor changes related to Vite bumps.

• add nvmrc file (8abe51d)

... (truncated)

Changelog

Sourced from react-to-pdf's changelog.

3.0.0 (January 5, 2026)

This is a major release following the JsPDF v4 release that updates the dependencies and fixes some security vulnerabilities among other sec fixes related to the dev dependencies that was being by this package.

See https://github.com/parallax/jsPDF/security/advisories/GHSA-9964-cph5-966m for more details about the JsPDF sec fix.

• update jspdf to 4, cypress to 15 and use alternative image comparison for e2e (#175) (24fe10e)
• Bump js-yaml from 4.1.0 to 4.1.1 (#171) (ba1326c)
• update release notes script and changelog (c80acd2)

2.0.3 (November 25, 2025)

Updates npm ignore file and some scripts for dev.

• Release 2.0.3 (d623651)
• update CHANGELOG (a9e339d)
• update script to release notes (a91e4cb)
• add script for release notes (ec578c6)
• ignore test tarball folder and update npm ignore (0a23d1a)
• update .npmignore (d3551bb)

2.0.2 (November 25, 2025)

This release includes a security fix for JsPDF, see https://github.com/parallax/jsPDF/releases/tag/v3.0.2 among some minor dep updates for dev.

• Release 2.0.2 (683d699)
• upgrade jspdf (#172) (61be78f)
• Bump jspdf from 3.0.1 to 3.0.2 (#170) (5e3843b)
• Bump vite from 6.2.7 to 6.4.1 (#168) (84d4119)
• Bump tar-fs from 2.1.3 to 2.1.4 (#167) (8aed727)
• update changelog (961318d)
• upgrade release-it (e48cb12)

2.0.1 (June, 3, 2025)

Fixes security vulnerabilities from tar-fs and some other minor changes related to Vite bumps.

• add nvmrc file (8abe51d)
• add nvmrc file (2260c0c)
• Bump tar-fs from 2.1.2 to 2.1.3 (#159) (c1cc4e7)
• Bump vite from 6.2.6 to 6.2.7 (#158) (eee4dc1)
• Bump vite from 6.2.5 to 6.2.6 (#157) (e6a1555)
• Bump vite from 6.2.4 to 6.2.5 (#155) (6fefc56)
• Bump vite from 6.2.3 to 6.2.4 (#154) (0c09957)
• update changelog (f56dd81)

2.0.0 (March, 28, 2025)

This release fix some security vulnerabilities related to jspdf. https://github.com/parallax/jsPDF/releases/tag/v3.0.1. This major release follows jspdf major release v3 which dropped support for Internet Explorer and fixed a security vulnerability in the html function by updating the optional dependency dompurify to v3.2.4.

... (truncated)

Commits

• 3579107 Release 3.0.0
• 24fe10e update jspdf to 4, cypress to 15 and use alternative image comparison for e2e...
• ba1326c Bump js-yaml from 4.1.0 to 4.1.1 (#171)
• c80acd2 update release notes script and changelog
• d623651 Release 2.0.3
• a9e339d update CHANGELOG
• a91e4cb update script to release notes
• ec578c6 add script for release notes
• 0a23d1a ignore test tarball folder and update npm ignore
• d3551bb update .npmignore
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.