
@Nancy-Chauhan

Summary

Updates the transitive dependency jspdf from ^3.0.2 to ^4.0.0 to fix a critical security vulnerability.

CVE-2025-68428: Local File Inclusion/Path Traversal vulnerability in jsPDF that could allow arbitrary file reads in Node.js environments.

Changes

  • Updated jspdf version constraint in superset-frontend/package.json from ^3.0.2 to ^4.0.0

Impact Assessment

Low risk of breakage:

  • Superset uses jspdf indirectly through dom-to-pdf for browser-based PDF export
  • The jspdf v4.0.0 breaking change only affects Node.js file system access (which is the vulnerability fix)
  • No API changes for browser-based PDF generation
  • The PDF export functionality (downloadAsPdf.ts) should continue working without modification

Security Advisory

Test Plan

  • Run existing frontend tests
  • Verify PDF export functionality works (Dashboard → Export to PDF)
  • Run npm audit to confirm vulnerability is resolved

Updates jspdf from 3.0.4 to 4.0.0 to fix a critical Local File
Inclusion/Path Traversal vulnerability (CVE-2025-68428).

Reference: GHSA-f8cm-6447-x5h2
@bito-code-review
Contributor

bito-code-review bot commented Jan 29, 2026

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@hainenber
Contributor

Hi @Nancy-Chauhan, thanks for opening the PR. Can you post before and after screenshots so we can see whether the PDF export functionality is still intact?
