Update dependency html2pdf.js to ^0.14.0 [SECURITY] by renovate[bot] · Pull Request #44 · dobrac/portfolio

renovate · 2026-01-14T18:46:58Z

This PR contains the following updates:

Package	Change	Age	Confidence
html2pdf.js (source)	`^0.9.3` → `^0.14.0`

GitHub Vulnerability Alerts

CVE-2026-22787

Impact

html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data.

Example attack vector:

import html2pdf from 'html2pdf.js/src/index.js';

const maliciousHTML = '<img src=x onerror="alert(document.cookie)">';
html2pdf(maliciousHTML);
// or html2pdf().from(maliciousHTML);

Patches

This vulnerability has been fixed in html2pdf.js@0.14.0 to sanitize text sources using DOMPurify. There are no other breaking changes in this version.

Workarounds

Users of earlier versions of html2pdf.js must safely sanitize any text before using it as a source in html2pdf.js.

References

Release Notes

eKoopmans/html2pdf.js (html2pdf.js)

`v0.14.0`

Compare Source

Features

Sanitize text sources (#877) (988826e)

`v0.13.0`

Compare Source

Features

build(deps): bump jspdf from 3.0.3 to 4.0.0 (#868) (a4c4916)

`v0.12.1`

Compare Source

Bug Fixes

Include type file in npm package (#814) (3e4bba9)

`v0.12.0`

Compare Source

Features

Improve node cloning using @zumer/snapdom deepClone (#792) (54c50fb)

`v0.11.3`

Compare Source

Bug Fixes

Add typescript support (#795) (110897b)

`v0.11.2`

Compare Source

Bug Fixes

Upgrade dependencies (#784) (c9f6095)

`v0.11.1`

Compare Source

Bug Fixes

Add delay to ensure content is rendered before capturing (#770) (32d006f)

`v0.11.0`

Compare Source

Features

Use native Promises and improve automated tests (#758) (e8c0837)

`v0.10.3`

Compare Source

Bug Fixes

Empty commit to trigger CI (#737) (a4e61ce)

`v0.10.2`

Compare Source

Bug Fixes

Using canvas as a direct source (#701) (5734d5e)

`v0.10.1`

Compare Source

`v0.10.0`

Compare Source

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel · 2026-01-14T18:47:01Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
portfolio	Ready	Preview, Comment	Mar 30, 2026 6:06pm

vercel bot deployed to Preview January 14, 2026 18:48 View deployment

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch from 97b9297 to 006d9f1 Compare January 23, 2026 19:41

vercel bot deployed to Preview January 23, 2026 19:43 View deployment

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch from 006d9f1 to 5a33380 Compare February 2, 2026 18:49

vercel bot deployed to Preview February 2, 2026 18:51 View deployment

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch from 5a33380 to e750a34 Compare February 12, 2026 16:42

vercel bot deployed to Preview February 12, 2026 16:43 View deployment

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch from e750a34 to 72b1bf0 Compare March 5, 2026 17:01

vercel bot deployed to Preview March 5, 2026 17:03 View deployment

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch from 72b1bf0 to 4ad51c0 Compare March 13, 2026 11:35

vercel bot deployed to Preview March 13, 2026 11:36 View deployment

renovate bot changed the title ~~Update dependency html2pdf.js to ^0.14.0 [SECURITY]~~ Update dependency html2pdf.js to ^0.14.0 [SECURITY] - autoclosed Mar 27, 2026

renovate bot closed this Mar 27, 2026

renovate bot deleted the renovate/npm-html2pdf.js-vulnerability branch March 27, 2026 01:56

Update dependency html2pdf.js to ^0.14.0 [SECURITY]

d1e3942

renovate bot changed the title ~~Update dependency html2pdf.js to ^0.14.0 [SECURITY] - autoclosed~~ Update dependency html2pdf.js to ^0.14.0 [SECURITY] Mar 30, 2026

renovate bot reopened this Mar 30, 2026

renovate bot force-pushed the renovate/npm-html2pdf.js-vulnerability branch 2 times, most recently from 4ad51c0 to d1e3942 Compare March 30, 2026 18:04

vercel bot deployed to Preview March 30, 2026 18:06 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency html2pdf.js to ^0.14.0 [SECURITY]#44

Update dependency html2pdf.js to ^0.14.0 [SECURITY]#44
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-html2pdf.js-vulnerability

renovate bot commented Jan 14, 2026 •

edited

Loading

Uh oh!

vercel bot commented Jan 14, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

Features

Features

Bug Fixes

Features

Bug Fixes

Bug Fixes

Bug Fixes

Features

Bug Fixes

Bug Fixes

Configuration

Uh oh!

vercel bot commented Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Jan 14, 2026 •

edited

Loading

vercel bot commented Jan 14, 2026 •

edited

Loading