Nancy-Chauhan opened a new pull request, #37553: URL: https://github.com/apache/superset/pull/37553
## Summary

Updates the transitive dependency `jspdf` from `^3.0.2` to `^4.0.0` to fix a critical security vulnerability.

**CVE-2025-68428**: Local File Inclusion/Path Traversal vulnerability in jsPDF that could allow arbitrary file reads in Node.js environments.

## Changes

- Updated `jspdf` version constraint in `superset-frontend/package.json` from `^3.0.2` to `^4.0.0`

## Impact Assessment

**Low risk of breakage:**

- Superset uses jspdf indirectly through `dom-to-pdf` for browser-based PDF export
- The jspdf v4.0.0 breaking change only affects Node.js file system access (which is the vulnerability fix)
- No API changes for browser-based PDF generation
- The PDF export functionality (`downloadAsPdf.ts`) should continue working without modification

## Security Advisory

- [GHSA-f8cm-6447-x5h2](https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2)
- [CVE-2025-68428](https://github.com/advisories/GHSA-f8cm-6447-x5h2)

## Test Plan

- [x] Run existing frontend tests
- [x] Verify PDF export functionality works (Dashboard → Export to PDF)
- [x] Run `npm audit` to confirm vulnerability is resolved
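The test plan above relies on `npm audit` to confirm the bump took effect. Because `jspdf` reaches Superset transitively through `dom-to-pdf`, raising the constraint in `package.json` only helps if every installed copy in the lockfile actually resolves to 4.x; a nested copy under `node_modules/dom-to-pdf/node_modules/jspdf` could keep the old version. The script below is an added example, not part of this pull request or the Superset code base: it reads the lockfile-v2/v3 `packages` map that npm writes to `package-lock.json`, lists every installed copy of a package and which packages declare a dependency on it, and checks each copy against a minimum version. The two lockfile fragments embedded in it are constructed samples (package versions and the `dom-to-pdf` dependency ranges are made up for illustration), not Superset's real lockfile.

```python
"""Check how a transitive npm dependency actually resolves in package-lock.json.

Added example (not part of the pull request). Works on lockfile v2/v3,
where the "packages" map is keyed by install path, e.g.
"node_modules/dom-to-pdf/node_modules/jspdf" for a nested copy.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: the top-level constraint was bumped, but dom-to-pdf
# still pins an older range, so npm kept a nested 3.x copy alongside 4.0.0.
SAMPLE_LOCK = json.dumps({
    "name": "superset-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"dom-to-pdf": "^0.0.0", "jspdf": "^4.0.0"}},
        "node_modules/dom-to-pdf": {
            "version": "0.0.0",
            "dependencies": {"jspdf": "^3.0.2"},
        },
        "node_modules/dom-to-pdf/node_modules/jspdf": {"version": "3.0.2"},
        "node_modules/jspdf": {"version": "4.0.0"},
    },
})

# Constructed sample after remediation: only the hoisted 4.0.0 copy remains.
SAMPLE_LOCK_FIXED = json.dumps({
    "name": "superset-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"dom-to-pdf": "^0.0.0", "jspdf": "^4.0.0"}},
        "node_modules/dom-to-pdf": {
            "version": "0.0.0",
            "dependencies": {"jspdf": "^4.0.0"},
        },
        "node_modules/jspdf": {"version": "4.0.0"},
    },
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optionally 'v'-prefixed) into a comparable tuple."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def _package_name(path: str) -> str:
    """Last 'node_modules/' segment of a lockfile path; '' for the project root."""
    return path.split("node_modules/")[-1] if path else ""


def installed_copies(lock_text: str, name: str) -> Dict[str, str]:
    """Map install path -> resolved version for every installed copy of `name`."""
    lock = json.loads(lock_text)
    return {
        path: entry.get("version", "")
        for path, entry in lock.get("packages", {}).items()
        if path and _package_name(path) == name
    }


def dependents(lock_text: str, name: str) -> List[str]:
    """Packages that declare a dependency on `name`; the project root is '<root>'."""
    lock = json.loads(lock_text)
    found = set()
    for path, entry in lock.get("packages", {}).items():
        for field in ("dependencies", "optionalDependencies", "peerDependencies"):
            if name in entry.get(field, {}):
                found.add(_package_name(path) or "<root>")
                break
    return sorted(found)


def check_min_version(lock_text: str, name: str, minimum: str) -> Tuple[bool, List[str]]:
    """True only if `name` is installed and every copy is >= `minimum`.

    Returns (ok, problems); each problem names the install path still below the floor.
    """
    floor = parse_version(minimum)
    copies = installed_copies(lock_text, name)
    problems = [
        f"{path} resolves to {version}"
        for path, version in copies.items()
        if parse_version(version) < floor
    ]
    return (bool(copies) and not problems), problems


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_LOCK), ("after", SAMPLE_LOCK_FIXED)):
        ok, problems = check_min_version(text, "jspdf", "4.0.0")
        print(label, "dependents:", dependents(text, "jspdf"), "ok:", ok, problems)
```

Run against a real `superset-frontend/package-lock.json` by swapping `SAMPLE_LOCK` for `open("package-lock.json").read()`. A non-empty `problems` list means the advisory still applies to a nested copy even though the top-level constraint was raised, which is the case `npm audit` would also report.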
