{"id":11185,"library":"jspdf","title":"jsPDF","description":"jsPDF is a client-side JavaScript library for generating PDF documents. The current stable version is 4.2.1, with frequent patch and minor releases primarily addressing security vulnerabilities and bug fixes, indicating an active maintenance and development cadence. It enables developers to create PDFs directly in the browser or Node.js environment, supporting various paper sizes, orientations, and units (e.g., millimeters, inches). Key differentiators include its pure JavaScript nature, allowing it to run without server-side dependencies, and its robust API for adding text, images, and other content. It bundles different module formats (ESM, UMD, Node) to support diverse environments, often requiring no explicit path specification in imports as build tools handle it. The project has recently focused heavily on fixing various security-related issues, emphasizing the importance of sanitizing all user input.","status":"active","version":"4.2.1","language":"javascript","source_language":"en","source_url":"https://github.com/parallax/jsPDF","tags":["javascript","pdf","typescript"],"install":[{"cmd":"npm install jspdf","lang":"bash","label":"npm"},{"cmd":"yarn add jspdf","lang":"bash","label":"yarn"},{"cmd":"pnpm add jspdf","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Used internally by the `html` function for sanitizing HTML input to prevent XSS and other injection attacks. It is an optional dependency, but highly recommended for security.","package":"dompurify","optional":true}],"imports":[{"note":"jsPDF is exported as a named export. Default imports are incorrect.","wrong":"import jspdf from 'jspdf';\nimport { default as jsPDF } from 'jspdf';","symbol":"jsPDF","correct":"import { jsPDF } from 'jspdf';"},{"note":"When using CommonJS in Node.js, `jsPDF` is a named property of the module export.","wrong":"const jsPDF = require('jspdf');","symbol":"jsPDF","correct":"const { jsPDF } = require('jspdf');"},{"note":"For browser script-tag usage, the library populates a global `window.jspdf` object, which contains `jsPDF` as a named property.","wrong":"const jsPDF = window.jspdf;","symbol":"jsPDF","correct":"const { jsPDF } = window.jspdf;"}],"quickstart":{"code":"import { jsPDF } from 'jspdf';\n\n// Create a new PDF document with default settings (A4, portrait, millimeters)\nconst doc = new jsPDF();\n\n// Add text to the document\ndoc.text('Hello, jsPDF World!', 10, 10); // 'Hello, jsPDF World!' at x=10mm, y=10mm\n\n// Add another line of text with a different font size\ndoc.setFontSize(16);\ndoc.text('This is a test document generated by jsPDF.', 10, 20);\n\n// Add a rectangle (x, y, width, height, style)\ndoc.rect(10, 30, 50, 20, 'S'); // 'S' for stroke\n\n// Save the document, triggering a download in browsers or writing to file in Node.js\ndoc.save('my-first-document.pdf');\n\nconsole.log('PDF document generated and saved!');","lang":"typescript","description":"This quickstart code demonstrates how to initialize a jsPDF document, add basic text and shapes, and save the resulting PDF file. It uses the default A4 portrait format and millimeters for units, then outputs 'my-first-document.pdf'."},"warnings":[{"fix":"Ensure your target browser environment is modern (not IE) or use appropriate polyfills if compatibility with very old browsers is essential, though not officially supported.","message":"jsPDF v3.0.0 officially dropped support for Internet Explorer. Code relying on IE-specific features or older JavaScript environments may break.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"To enable file system access, use Node.js's `--permission` flag or set `jsPDF.allowFsRead` property to `true`. Exercise caution and validate all file paths if enabling this feature: `const doc = new jsPDF(); doc.allowFsRead = true;`","message":"In Node.js builds, v4.0.0 introduced a critical path traversal/local file inclusion fix. File system access is now restricted by default. Attempts to read local files via paths outside explicit allowances will fail.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Always use the latest stable version of jsPDF. Critically, **sanitize all user-provided input** before passing it to any jsPDF method, especially `text`, `html`, `addImage`, `addSvgAsImage`, and form-related functions. Consider using DOMPurify explicitly if you are handling untrusted HTML input.","message":"jsPDF has had numerous security vulnerabilities related to PDF Object Injection, HTML Injection, JavaScript Execution, and Denial of Service (DoS) in various modules (AcroForm, addImage, addJS, output methods) across versions 3.0.1, 3.0.2, 4.1.0, 4.2.0, and 4.2.1.","severity":"gotcha","affected_versions":">=3.0.1"},{"fix":"Ensure `dompurify` is installed as a dependency and that you are using a recent version of jsPDF (v4.2.1 or newer is recommended) to benefit from the latest security patches for HTML rendering.","message":"Starting with v3.0.0, the `html` function relies on an updated `dompurify` dependency (v3.2.4+). Older versions of `dompurify` (or not having it installed) may leave `html` function susceptible to XSS vulnerabilities. Later versions (v4.1.0 and v4.2.x) also explicitly upgrade `dompurify` due to further vulnerabilities.","severity":"gotcha","affected_versions":">=3.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Use named import: `import { jsPDF } from 'jspdf';` for ESM or `const { jsPDF } = require('jspdf');` for CommonJS.","cause":"Attempting to instantiate `jsPDF` using a default import or incorrect CommonJS `require` statement, when it is exported as a named export.","error":"TypeError: jsPDF is not a constructor"},{"fix":"Ensure your build system is configured to use the browser-compatible UMD or ES builds (e.g., `jspdf.umd.min.js` or `jspdf.es.min.js`). If in Node.js, ensure `jspdf` is resolving to its `jspdf.node.js` variant.","cause":"This error can occur in browser environments if you are trying to use features of the Node.js specific build (e.g., saving to local file paths directly without browser download prompts) or if the build tool incorrectly bundles the Node.js version.","error":"Error: fs.readFileSync is not a function"},{"fix":"Ensure your application is served over HTTPS and not running in a highly restricted sandbox. Test in a standard browser environment. Some browser extensions might also interfere with file downloads.","cause":"When trying to save a PDF in a browser environment, this can happen if the browser's security policies (e.g., related to iframes or sandboxed environments) prevent file downloads or local storage operations.","error":"SecurityError: The operation is insecure."},{"fix":"If you genuinely need file system access, set `jsPDF.allowFsRead = true;` after `const doc = new jsPDF();` or enable Node.js `--permission` flag. **Only do this if you fully trust the file paths being accessed.**","cause":"This warning/error occurs in Node.js environments with jsPDF v4.0.0+ when an operation attempts to access the file system without explicit permission, due to the new security restrictions.","error":"UnhandledPromiseRejectionWarning: Error: Path traversal detected. Access to file system denied."}],"ecosystem":"npm"}