npm audit fix: bump jspdf to 2.3.1

[ghost]

➜  html2pdf.js git:(security-audit-fix) ✗ npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 462 scanned packages

[ghost]

@eKoopmans could we get this in? thanks!

[ghost]

@eKoopmans @oschwede @drbeat @ovvn Could anyone of you please help prioritize this?

[eKoopmans]

Hi @ptanaji-cb , agreed this should be high priority. This is a change in major version for jsPDF, so I'll need a bit of testing before I'm confident that this doesn't break anything.

[shaliniM12]

Is there any status on this? As still getting the security issue for html2pdf.js

[Hawxy]

@eKoopmans Any chance of getting this merged in and a pre-release published? It'd allow for easier testing and resolve the security problems for those with auditing requirements.

[samputer]

+1 on this please. It's causing npm audit high severity alerts. Happy to help.

[eKoopmans]

Hi, I'm actively working on this. It's unfortunately not an easy fix - changes in jsPDF 2.0.0+ are directly incompatible with the way html2pdf.js is built/bundled. It looks like it will be impossible to continue using Rollup.

My next step is to switch to Webpack, if everything goes smoothly I'm hoping to have a fix merged in the next week, maybe two.

[samputer]

Thanks @eKoopmans, really appreciate you taking the time for this.

[ghost]

Hi @eKoopmans , The severity of jspdf dependency has risen to "High". Any update on this?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service (ReDoS)                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jspdf                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ html2pdf.js                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ html2pdf.js > jspdf                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1709                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[eKoopmans]

Hi everyone, v0.10.0 is now released with all security audits patched. You can access it by updating your dependencies to "html2pdf.js": "^0.10.0" - since the caret locks to a minor version for 0.x releases.

[ghost]

Awesome! thanks a lot @eKoopmans !