{"id":12748,"library":"pdfmake","title":"pdfmake","description":"pdfmake is a JavaScript library for generating PDF documents on both client and server sides. It is currently at version 0.3.7 and maintains an active release cadence, with multiple minor updates released recently addressing features, fixes, and security patches. Key features include advanced text layout with line-wrapping and alignments, support for bulleted and numbered lists, comprehensive table layouts with features like col-spans, row-spans, and repeating headers, and the new snaking columns for newspaper-style content. It also handles images, vector graphics, and provides a powerful styling system with inheritance. The library supports dynamic page headers/footers, background layers, custom page breaks, and outlines/bookmarks for generated PDFs. Differentiating itself through its pure JavaScript implementation, pdfmake provides a unified, promise-based interface for both Node.js and browser environments, simplifying PDF generation workflows across different platforms.","status":"active","version":"0.3.7","language":"javascript","source_language":"en","source_url":"git://github.com/bpampuch/pdfmake","tags":["javascript","pdf","printing","layout"],"install":[{"cmd":"npm install pdfmake","lang":"bash","label":"npm"},{"cmd":"yarn add pdfmake","lang":"bash","label":"yarn"},{"cmd":"pnpm add pdfmake","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core PDF generation engine that pdfmake builds upon. Reverted to the original pdfkit package in v0.3.0.","package":"pdfkit","optional":false},{"reason":"Used for converting SVG content into PDF-compatible elements.","package":"svg-to-pdfkit","optional":false}],"imports":[{"note":"Since v0.3.0, pdfmake is primarily designed for ES Modules and uses a promise-based API. The recommended import path for both Node.js and browser environments often targets the `build/pdfmake` file explicitly, as shown in official documentation. Attempting to use `require()` will likely fail in modern setups.","wrong":"const pdfMake = require('pdfmake');","symbol":"pdfMake","correct":"import * as pdfMake from 'pdfmake/build/pdfmake';"},{"note":"Font definitions (`vfs_fonts`) are crucial for pdfmake to render text. They are typically imported separately and assigned to `pdfMake.vfs`. Incorrectly importing or omitting font definitions will lead to rendering issues.","wrong":"import { vfs_fonts } from 'pdfmake';","symbol":"pdfFonts","correct":"import * as pdfFonts from 'pdfmake/build/vfs_fonts';"},{"note":"This method is directly available on the `pdfMake` object for configuring URL access for external resources (e.g., images). It should be called before generating PDFs that might fetch external content.","symbol":"setUrlAccessPolicy","correct":"pdfMake.setUrlAccessPolicy((url) => { /* ... */ });"}],"quickstart":{"code":"import * as pdfMake from 'pdfmake/build/pdfmake';\nimport * as pdfFonts from 'pdfmake/build/vfs_fonts';\nimport * as fs from 'fs'; // For Node.js file system operations\n\n// Assign fonts (crucial for pdfmake to work)\npdfMake.vfs = pdfFonts.pdfMake.vfs;\n\n// Define an optional URL access policy for external images/resources\n// This is critical since v0.3.6 (CVE-2026-26801 fix)\npdfMake.setUrlAccessPolicy((url) => {\n // Only allow access to URLs from example.com\n return url.startsWith(\"https://example.com/\");\n});\n\nconst docDefinition = {\n content: [\n { text: 'Hello, pdfmake!', style: 'header' },\n 'This is an example PDF generated using pdfmake version 0.3.7.',\n { text: 'Features showcased:', margin: [0, 15, 0, 5] },\n {\n ul: [\n 'Structured content with text and lists.',\n 'Basic styling with custom font sizes and bold text.',\n 'Uses the modern promise-based API for generation.'\n ]\n },\n { text: 'A small table:', style: 'subheader', margin: [0, 15, 0, 5] },\n {\n table: {\n headerRows: 1,\n widths: ['*', 'auto', 100],\n body: [\n ['Column 1', 'Column 2', 'Column 3'],\n ['One value', 'Another value', 'Some more text'],\n [{ text: 'Complex cell with span', colSpan: 2 }, {}, 'Last cell']\n ]\n }\n }\n ],\n styles: {\n header: { fontSize: 22, bold: true, alignment: 'center', margin: [0, 0, 0, 20] },\n subheader: { fontSize: 16, bold: true }\n },\n defaultStyle: {\n font: 'Roboto' // Ensure a font is available, Roboto is default via vfs_fonts\n }\n};\n\nasync function generatePdf() {\n try {\n const pdfDoc = pdfMake.createPdf(docDefinition);\n const buffer = await pdfDoc.getBuffer();\n fs.writeFileSync('output.pdf', buffer);\n console.log('PDF generated successfully: output.pdf');\n } catch (error) {\n console.error('Error generating PDF:', error);\n }\n}\n\ngeneratePdf();","lang":"typescript","description":"This quickstart demonstrates how to generate a PDF file using pdfmake in a Node.js environment, showcasing basic text, lists, tables, styles, and the promise-based API. It also includes the crucial step of assigning font definitions and setting a URL access policy."},"warnings":[{"fix":"Update Node.js to >=20. Rewrite code to use ES6+ syntax and `async/await` or `.then()` for all API calls (e.g., `pdfDoc.getBuffer().then(...)` instead of `pdfDoc.getBuffer((buffer) => {...})`). Remove IE11 compatibility code.","message":"Version 0.3.0 introduced significant breaking changes, including dropping support for Internet Explorer 11, requiring Node.js 20 LTS or newer, porting the codebase to ES6+, unifying the interface for Node.js and browser, and changing all methods to return Promises instead of using callbacks.","severity":"breaking","affected_versions":">=0.3.0"},{"fix":"Ensure `pdfMake.vfs = pdfFonts.pdfMake.vfs;` is properly set up after importing `pdfmake` and `vfs_fonts`. Consult the official documentation for specific font embedding strategies for your environment (client-side vs. server-side).","message":"The way virtual font storage is included, especially on the client-side, changed significantly in v0.3.0. This can affect how fonts are loaded and made available to pdfmake.","severity":"breaking","affected_versions":">=0.3.0"},{"fix":"Implement `pdfMake.setUrlAccessPolicy((url) => { /* return true for allowed URLs */ });` to explicitly whitelist domains or protocols from which external resources can be loaded. Failure to do so will result in errors when trying to use external URLs.","message":"A potential server vulnerability (CVE-2026-26801) was addressed in v0.3.6. For security reasons, pdfmake now requires defining a custom URL access policy using `pdfMake.setUrlAccessPolicy()` for any external URLs (e.g., for images) before they can be downloaded and used in PDFs.","severity":"gotcha","affected_versions":">=0.3.6"},{"fix":"Ensure all SVG assets have defined `width` and `height` attributes (e.g., `...`) or provide these properties in the pdfmake document definition for the `svg` node.","message":"SVG validation was enhanced in versions 0.2.23 and 0.3.2. SVG elements used in your document definition must explicitly specify `width` and `height` properties, either within the SVG string/element itself or in the `svg` node properties.","severity":"gotcha","affected_versions":">=0.2.23, >=0.3.2"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Change your import statements to use ES Modules syntax: `import * as pdfMake from 'pdfmake/build/pdfmake';`.","cause":"Attempting to use CommonJS `require()` syntax in an ES Module context after pdfmake v0.3.0 transitioned to ES6+.","error":"ReferenceError: require is not defined"},{"fix":"Update your code to use the promise-based API: `const pdfDoc = pdfMake.createPdf(docDefinition); const buffer = await pdfDoc.getBuffer();` or `pdfDoc.getBuffer().then(buffer => ...);`.","cause":"Using the old callback-based API (`getBuffer((buffer) => {})`) with pdfmake versions 0.3.0 or higher, which now use a promise-based API.","error":"TypeError: pdfMake.createPdf(...).getBuffer is not a function (or similar 'callback is not a function')"},{"fix":"Ensure all SVG strings or `svg` nodes in your document definition include defined `width` and `height` properties.","cause":"An SVG image in the document definition is missing explicit `width` and `height` attributes, which are now strictly validated.","error":"Error: SVG must have width and height specified"},{"fix":"Set a URL access policy using `pdfMake.setUrlAccessPolicy((url) => url.startsWith('https://your-allowed-domain.com/'));` before creating the PDF, allowing only trusted URLs.","cause":"Attempting to use an external URL for an image or resource without configuring a URL access policy after the v0.3.6 update.","error":"Error: Unauthorized URL access: [URL]"}],"ecosystem":"npm"}