Commit Graph

261 Commits

Author SHA1 Message Date
Sai Asish Y
5a6376a824 fix(common): wrap structuredClone to avoid Illegal invocation under farmfe/Vite (#1120) (#1507)
* fix(common): wrap structuredClone to avoid Illegal invocation under farmfe/Vite (#1120)

Signed-off-by: SAY-5 <say.apm35@gmail.com>

* trim verbose comments

---------

Signed-off-by: SAY-5 <say.apm35@gmail.com>
2026-05-15 10:02:03 +09:00
Kyohei Fukuda
c7576f46ba fix(common): preserve blank dynamic template pages (#1493) 2026-05-09 11:03:43 +09:00
Kyohei Fukuda
48590919fa [codex] Disable text expand for custom basePdf (#1470)
* fix(ui): disable text expand for custom base pdf

* fix(ui): limit custom base pdf expand guard to text
2026-05-06 12:00:26 +09:00
Kyohei Fukuda
616ace4aed [codex] Add generic split range metadata (#1469)
* refactor(schemas): add generic split range metadata

* refactor(schemas): remove legacy split range fields

* refactor(schemas): polish split range helpers
2026-05-06 11:55:10 +09:00
Kyohei Fukuda
1bd2ec9bd8 [codex] Add dynamic height for text schemas (#1467)
* feat(generator): expand text schema height dynamically

* fix(schemas): restore overflow select binding

* feat(schemas): split expanded text by line

* fix(ui): merge edits from split text chunks

* fix(schemas): avoid regex splitting split text edits

* fix(schemas): harden split text dynamic layout
2026-05-06 10:41:45 +09:00
Kyohei Fukuda
03f616f0c5 [codex] Add @pdfme/jsx package (#1466)
* feat(jsx): add pdfme jsx package

* refactor(jsx): derive text props from schema types

* fix(jsx): tighten mvp layout constraints

* feat(jsx): measure text height with schema helpers

* docs: update jsx md2pdf roadmap
2026-05-05 17:48:19 +09:00
Kyohei Fukuda
8ebd068721 feat: add link support groundwork for JSX and md2pdf
Adds inline markdown links, URI scheme allowlisting, basePdf URI link preservation, internal #schemaName PDF links, and planning notes for @pdfme/jsx/md2pdf.
2026-05-05 16:03:26 +09:00
Kyohei Fukuda
bed77e5713 [codex] add list schema implementation plan (#1460)
* docs: add list schema implementation plan

* feat(schemas): add list schema

* fix(schemas): improve list form editing

* fix(schemas): localize list editing labels

* fix(schemas): align table control buttons

* fix(schemas): keep list designer editing during actions

* fix(tsconfig): resolve list schema subpath

* fix(schemas): keep list action clicks isolated

* fix(schemas): support empty list state

* fix(schemas): allow editing list items in designer

* fix(schemas): keep list designer editing on enter

* fix(schemas): ignore IME enter in list editor

* fix(schemas): make enter insert list item line breaks

* test(generator): add list plugin to playground snapshots

* refactor(schemas): render list items with text ui

* fix(schemas): adapt list prop panel fields by style

* fix(schemas): simplify list options and nested numbering

* Reorder import statements in generate-templates-thumbnail

* Reorder List plugin in getPlugins function

* fix(ui): reflow schemas after dynamic list resize

* chore: remove obsolete list plan

* fix(ui): reflow form list height changes

* fix(ui): keep designer height changes local

* fix(schemas): commit list item line breaks immediately

* fix(schemas): restore list focus after line break rerender

* fix(schemas): keep form list focused after enter

* test(generator): update dynamic list snapshots

* fix(schemas): store list content as json arrays

* fix(schemas): address list review cleanup

* test(ui): update designer snapshot

* chore: trim list pr noise

* fix(schemas): align list markers in ui
2026-05-03 13:34:51 +09:00
Kyohei Fukuda
16bec8babb [codex] Add inline markdown text format (#1461)
* feat(schemas): add inline markdown text format

* fix(common): handle missing git tags in version script

* fix(converter): align pdfjs document options with latest types

* test(generator): update pdfjs image snapshots

* test(playground): register inline markdown example

* refactor(schemas): avoid default font i18n key

* refactor(schemas): move markdown controls to prop panel end

* refactor(schemas): use checkbox for inline markdown toggle

* fix(schemas): localize multi variable text prop labels

* refactor(schemas): align inline markdown fallback control

* fix(schemas): address inline markdown review feedback

* refactor(schemas): address inline markdown review refinements

* fix(schemas): correct synthetic italic pdf skew

* test(playground): add bold italic inline markdown sample
2026-05-02 16:34:43 +09:00
Mani
6bef40c67c fix: two unbounded-cache memory leaks in common and schemas (#1426)
* fix: two unbounded-cache memory leaks in common and schemas

Two module-level Map caches that never evict and store multi-MB strings
as keys, silently leaking for the entire lifetime of any consumer.

1. packages/common/src/expression.ts — parseDataCache

   parseData() was memoized via a module-level parseDataCache keyed by
   JSON.stringify(data). replacePlaceholders() calls it with a merged
   { ...schemaNameDefaults, ...variables } object where values may be
   arbitrary strings from the caller. Whenever inputs contain base64
   (image schemas with embedded data URLs, embedded fonts, large text),
   the cache key is a multi-MB JSON string that gets pinned permanently;
   every unique inputs state adds its own key, never collected. Parsing
   is O(fields) and cheap, so removing the cache is strictly a win.

   Regression test: packages/common/__tests__/expression.test.ts
   'replacePlaceholders memory safety > does not retain call inputs in
   a module-level cache' — runs 30 replacePlaceholders() calls with
   unique ~500 KB payloads, captures a V8 heap snapshot via
   v8.writeHeapSnapshot, aggregates string nodes >= 200 KB and asserts
   the total retained size is below 2 MB. Pre-fix: ~30 MB retained
   (FAILS). Post-fix: 0 bytes retained (passes).

2. packages/schemas/src/graphics/image.ts — getCacheKey

   getCacheKey(schema, input) returned `${schema.type}${input}`, using
   the full base64 bytes of the image as part of the cache key. Every
   unique image processed by the PDF render path added a permanent Map
   entry whose key byte length matched the image itself.

   Replaced with a short fingerprint that samples the total length plus
   three 16-char regions (first, middle, last). The middle-region
   sample is essential: base64 PNGs share a common header and IEND
   trailer, so distinct images of the same size would collide if only
   first/last regions were sampled. Middle bytes are pixel data and
   differ between distinct images with overwhelming probability. Keys
   stay under 80 chars regardless of input size.

   Regression tests: packages/schemas/__tests__/image.test.ts
   - 'does not pin the full base64 input as a cache key' — asserts
     key length < 100 chars. Pre-fix: 139 chars for a minimal PNG and
     proportionally more for realistic images (FAILS).
   - 'distinguishes different images via the fingerprint' — guards
     against future over-shortening of the fingerprint that could
     reintroduce collisions between distinct images.

Both leaks were originally identified via a V8 heap-snapshot diff taken
across a UI workload (typing + field tabbing) against a consumer app
with image schemas carrying base64 content. Before the fix, the top two
growing allocations by retained size were multi-MB string entries — one
per module-level cache in this PR — together accounting for hundreds of
MB of retained JS heap in a single 3-iteration run. After the fix, both
string entries disappear from the top 25 growing allocations and
aggregate JS heap is net flat / slightly shrinking across iterations.

No public API change. No behavioral change for consumers. Both caches
were module-local implementation details.

* fix(schemas): harden image cache key with FNV-1a hash; fix stale test comments

Addresses Greptile review on #1426:

- Replace 3-region sampling fingerprint in getCacheKey with an FNV-1a
  32-bit hash over the full input. The old first-16 slice was a
  constant data-URI prefix for any image of the same MIME type,
  contributing no entropy; hashing every byte removes that weakness
  at the same O(n) cost without retaining any slice as a Map key.
  Key format is now `${type}:${len}:${fnv1a-hex}` (~40 chars).
- Rewrite stale comments in image.test.ts that referred to a
  padding/mutation scheme the test never performs, and update the
  fingerprint-format comment to match the new hash-based key.
- Add trailing newline to expression.test.ts.

All pre-existing and new tests still pass.
2026-04-27 16:30:32 +09:00
hand-dot
758983d564 fix fmt 2026-04-20 17:01:39 +09:00
Kyohei Fukuda
1422f930fb fix(cli): stop pulling ui peers through common (#1420) 2026-04-03 20:35:34 +09:00
hand-dot
1e38ff416d fix(release): unblock 6.0.4 publish 2026-04-03 18:10:18 +09:00
Kyohei Fukuda
51f63b747f fix(deps): unblock dependabot updates (#1419)
* fix(deps): unblock dependabot updates

* test(ui): refresh antd 6 snapshots
2026-04-03 15:25:43 +09:00
hand-dot
d23fc9e815 fix(types): omit 'plugins' from GenerateProps, UIProps, PreviewProps, and DesignerProps types 2026-04-02 12:44:10 +09:00
hand-dot
524fc14c36 fix(ci): remove lifecycle script dependencies 2026-04-02 11:50:12 +09:00
Kyohei Fukuda
559618a3e4 Merge branch 'main' into cli 2026-04-02 09:10:36 +09:00
hand-dot
cc27790770 Convert CJS helpers to JS 2026-03-24 16:00:44 +09:00
Mowmowj
5ec6fa1ddf fix: guard against negative Y position in dynamic template processing
- Add Math.max(0, ...) guard when calculating localY in normalizePageSchemas
- Prevents TypeError when schema.position.y < paddingTop
- Fixes issue #1346 where PDF generation crashes with 'Cannot read properties of undefined (reading 'push')'
- Includes explanatory comment for future maintainers
2026-03-21 18:02:40 +08:00
hand-dot
cd3db68070 improve scripts 2026-03-21 10:20:23 +09:00
hand-dot
3d87f977d6 use vp 2026-03-21 09:24:02 +09:00
hand-dot
fc7567b879 Finish Phase 1 cleanup and verification 2026-03-20 22:58:47 +09:00
hand-dot
6c4900f00e Complete pdf-lib and ui Vite build migration 2026-03-20 19:04:44 +09:00
hand-dot
2dec270bc4 Migrate common and manipulator builds to Vite 2026-03-20 18:29:50 +09:00
hand-dot
982a3a0fcb Separate build tsconfig from typecheck aliases 2026-03-20 17:20:37 +09:00
hand-dot
45082df08b Add Vitest foundation for common and manipulator 2026-03-20 15:31:31 +09:00
hand-dot
58a8c712cb Add TypeScript project references 2026-03-20 15:10:39 +09:00
hand-dot
0d0f89f12b Prepare ESM migration groundwork 2026-03-20 14:49:50 +09:00
hand-dot
41dffae848 fix(security): address PR review - IPv6 SSRF bypass and ensureBuffer defensive assertion
- Add IPv4-mapped IPv6 (::ffff:x.x.x.x), link-local (fe80::/10), and
  unique-local (fc00::/7) blocking to isUrlSafeToFetch
- Add defensive assertion in ensureBuffer cap to throw if size < requested

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 12:08:21 +09:00
hand-dot
8c3b6a713b fix(security): address decompression bomb, XSS, and SSRF vulnerabilities
- GHSA-vrqm-gvq7-rrwh: Add 100MB MAX_DECODED_SIZE limit to DecodeStream.ensureBuffer() to prevent decompression bomb attacks
- GHSA-xgx4-2wgv-4jhm: Replace innerHTML with safe DOM APIs in multiVariableText propPanel to prevent XSS via i18n labels
- GHSA-pgx6-7jcq-2qff: Add URL validation (isUrlSafeToFetch) before fetch() in getB64BasePdf and font loading to prevent SSRF

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 11:54:28 +09:00
dependabot[bot]
3943e17574 build(deps): bump acorn from 8.15.0 to 8.16.0 (#1362)
Bumps [acorn](https://github.com/acornjs/acorn) from 8.15.0 to 8.16.0.
- [Commits](https://github.com/acornjs/acorn/compare/8.15.0...8.16.0)

---
updated-dependencies:
- dependency-name: acorn
  dependency-version: 8.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-01 15:10:47 +00:00
dependabot[bot]
77c38ad54a build(deps): bump zod from 4.1.13 to 4.3.6 (#1332)
Bumps [zod](https://github.com/colinhacks/zod) from 4.1.13 to 4.3.6.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v4.1.13...v4.3.6)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.3.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-01 15:09:49 +00:00
dependabot[bot]
4b4109f03a build(deps): bump zod from 4.1.12 to 4.1.13 (#1274)
Bumps [zod](https://github.com/colinhacks/zod) from 4.1.12 to 4.1.13.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v4.1.12...v4.1.13)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.1.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-02 09:24:28 +09:00
TNBO/Eedge
69f6be160b fix(dynamicTemplate): rewrite layout engine for accurate multi-page table rendering (#1294)
* fix(dynamicTemplate): rewrite layout engine for accurate multi-page table rendering

- Implement sequential offset-based layout algorithm for correct element positioning
- Add floating point tolerance (EPSILON) to prevent precision errors in page break calculations
- Fix __bodyRange indexing to correctly map dynamicHeights to table body data
- Prevent orphaned table headers by moving header with first data row when page breaks
- Fix UI recalculation timing to use immediate input values for dynamic templates
- Update tests to match new layout behavior

* refactor(common): process dynamic template per page and remove duplicate cloneDeep

* refactor(common): process each template page independently regardless of dynamic content
2025-12-16 15:17:29 +09:00
ryoppippi
38eeecb3ed chore: replace npm-run-all with npm-run-all2 (#1288)
* chore: replace npm-run-all with npm-run-all2

* chore: replace npm-run-all with npm-run-all2 and use run-p shorthand
2025-12-05 09:42:53 +09:00
hand-dot
c97fa9b73d fix(table): rename headerRepeat to repeatHead for consistency 2025-11-21 15:50:32 +09:00
TNBO/Eedge
f791e0b5a2 feat(table): add headerRepeat option and fix dynamic layout (#1238) 2025-11-21 15:32:38 +09:00
hand-dot
22f199e76d feat(ui): add out-of-bounds validation for schema positioning and update related types 2025-11-09 09:46:05 +09:00
dependabot[bot]
968dddea63 build(deps-dev): bump typescript from 5.8.3 to 5.9.3 (#1211)
* build(deps-dev): bump typescript from 5.8.3 to 5.9.3

Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.8.3 to 5.9.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 5.9.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Apply TypeScript 5.9 compatibility changes

- Update Uint8Array types to Uint8Array<ArrayBuffer> for TypeScript 5.9 compatibility
- Changes based on PR #1145 comment by bnarnold

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Kyohei Fukuda <kyoheif@wix.com>
2025-11-09 08:32:15 +09:00
dependabot[bot]
b471b47f1d build(deps): Bump zod from 3.25.76 to 4.1.12 in /packages/common (#1226)
* build(deps): Bump zod from 3.25.76 to 4.1.12 in /packages/common

Bumps [zod](https://github.com/colinhacks/zod) from 3.25.76 to 4.1.12.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.25.76...v4.1.12)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.1.12
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix zod v4 API compatibility issues

- Update z.function() usage to z.any() for Plugin schema (zod v4 changed z.function() to a function factory)
- Update z.record() calls to use two arguments (key schema, value schema) as required by zod v4
- Add type assertions for Object.entries() to fix type inference issues
- Update test error message to match zod v4 format

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Update test expectations for zod v4 error message format

- Update error messages in common package tests to match zod v4 format
- 'Expected array, received string' → 'Invalid input: expected array, received string'
- 'Array must contain at least 1 element(s)' → 'Too small: expected array to have >=1 items'
- 'Required' → 'Invalid input: expected {type}, received undefined'

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Kyohei Fukuda <kyoheif@wix.com>
Co-authored-by: Kyohei Fukuda <kyouhei.fukuda0729@gmail.com>
2025-11-08 14:52:35 +09:00
dependabot[bot]
d493f0bd8f build(deps): bump zod from 3.25.67 to 4.1.11 (#1210)
* build(deps): bump zod from 3.25.67 to 4.1.11

Bumps [zod](https://github.com/colinhacks/zod) from 3.25.67 to 4.1.11.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.25.67...v4.1.11)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.1.11
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix zod v4 API compatibility issues

- Update z.function() usage to z.any() for Plugin schema (zod v4 changed z.function() to a function factory)
- Update z.record() calls to use two arguments (key schema, value schema) as required by zod v4
- Add type assertions for Object.entries() to fix type inference issues
- Update test error message to match zod v4 format

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Update test expectations for zod v4 error message format

- Update error messages in common package tests to match zod v4 format
- 'Expected array, received string' → 'Invalid input: expected array, received string'
- 'Array must contain at least 1 element(s)' → 'Too small: expected array to have >=1 items'
- 'Required' → 'Invalid input: expected {type}, received undefined'

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Kyohei Fukuda <kyoheif@wix.com>
Co-authored-by: Kyohei Fukuda <kyouhei.fukuda0729@gmail.com>
2025-11-08 14:44:27 +09:00
Kiewn
6d16b14fb8 fix: Fix calculation of target page index in page breaking function. (#1188)
* fix: Fix calculation of target page index in page breaking function.

* fix: fix unit test.
2025-10-03 10:11:19 +09:00
tetty
9e5a08988c fix: Align the mouse cursor with the X coordinate of the table column (#1118) 2025-07-16 09:05:05 +09:00
Kyohei Fukuda
0dd54739ac XSS vulnerability prevention for replacePlaceholders function (#1117)
* test(expression): add XSS vulnerability prevention tests for replacePlaceholders function

* Update packages/common/src/expression.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* test: group safe Object method tests into single test case

- Refactored individual tests for Object.keys, Object.values, Object.entries, and Object.assign
- Combined them into a single test case with multiple assertions for better organization
- Addresses code review feedback about test organization

Co-authored-by: Kyohei Fukuda <hand-dot@users.noreply.github.com>

* feat(security): implement safeAssign to prevent prototype pollution and enhance XSS protection

* fix(safeAssign): use object spread for safer target assignment

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Kyohei Fukuda <hand-dot@users.noreply.github.com>
2025-07-10 08:21:48 +09:00
Kyohei Fukuda
093f183d74 npm run prettier 2025-07-02 15:21:54 +09:00
Kyohei Fukuda
41b8dd970c Organize generator test (#1098)
* remove old japanese template

* Add new image snapshots and update font references in tests

* Refactor code structure for improved readability and maintainability
2025-06-27 16:59:02 +09:00
dependabot[bot]
ad24513d4f Bump zod from 3.25.46 to 3.25.67 (#1091)
---
updated-dependencies:
- dependency-name: zod
  dependency-version: 3.25.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-26 19:20:22 +09:00
dependabot[bot]
2d1d61309b Bump acorn from 8.14.1 to 8.15.0 (#1093)
---
updated-dependencies:
- dependency-name: acorn
  dependency-version: 8.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-26 19:20:02 +09:00
devin-ai-integration[bot]
e4a4c300cd Migrate pdf-lib into pdfme monorepo (#1059)
* Migrate pdf-lib into pdfme monorepo

- Add @pdfme/pdf-lib package to packages/ directory
- Update root package.json to include pdf-lib in workspaces
- Update all package dependencies to use workspace:* for @pdfme/pdf-lib
- Configure TypeScript build targets (cjs, esm, node) for pdf-lib
- Add ESLint configuration with relaxed rules for pdf-lib migration
- Integrate pdf-lib into monorepo build and clean scripts
- Add basic test suite for pdf-lib package
- All lint, build, and test suites pass successfully

This migration improves maintainability by consolidating all PDF operations
into a single repository and unified build/test/release process.

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Fix TypeScript module resolution for workspace dependencies

- Changed moduleResolution from 'bundler' to 'node' in common package
- This should resolve '@pdfme/pdf-lib' module resolution issues
- Reverted workspace dependency format back to '*' for npm compatibility

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Fix pdf-lib package.json exports paths

- Updated main, module, and exports paths to point to correct locations
- Changed from dist/*/index.js to dist/*/src/index.js to match build output
- Fixed TypeScript types path from dist/types/index.d.ts to dist/types/src/index.d.ts
- Resolves Vite package entry resolution errors and TypeScript module resolution issues

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Fix CodeQL security alerts in svg.ts

- Add input validation and sanitization for HTML/SVG parsing
- Prevent ReDoS attacks with regex limits and input size checks
- Sanitize font family names to prevent prototype pollution
- Add URL validation for image sources to prevent path traversal
- Limit transformation parsing to prevent infinite loops
- Maintain backward compatibility while improving security

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Implement comprehensive security fixes for CodeQL alerts in svg.ts

- Add input validation and sanitization for SVG content
- Implement safe HTML parsing with null checks and size limits
- Add controlled dynamic property access with allowlisted tag names
- Prevent style injection with filtered and limited style entries
- Add regex match limits to prevent ReDoS attacks
- Enhance font selection with input validation and type safety
- Sanitize image sources to prevent path traversal and injection
- Limit CSS style parsing to prevent potential vulnerabilities

These changes address the 2 high-severity CodeQL security alerts while
maintaining backward compatibility and functionality.

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Add additional security fixes for CodeQL alerts in svg.ts

- Implement safer property access for polygon node transformation
- Add input validation for points attribute with regex pattern matching
- Replace Object.assign with safer property assignment to prevent prototype pollution
- Add null checks and type validation for node attributes and childNodes
- Implement safer SVG node parsing with comprehensive validation
- Add array type checks for childNodes processing

These changes target the remaining 2 high-severity CodeQL security alerts
by addressing potential prototype pollution and unsafe property access.

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Implement comprehensive security hardening for CodeQL alerts in svg.ts

- Add comprehensive SVG content sanitization with allowlist-based tag filtering
- Implement strict input validation with bounds checking for all numeric inputs
- Replace unsafe dynamic property assignment with Object.defineProperty
- Add try-catch error handling for HTML parsing operations
- Restrict allowed style properties and validate string lengths
- Use setAttribute/removeAttribute instead of direct attribute manipulation
- Add type safety checks for all node operations
- Implement safer polygon-to-path conversion with validation

These changes address the 10 high-severity CodeQL security alerts by:
1. Preventing XSS through comprehensive input sanitization
2. Avoiding prototype pollution with safer property assignment
3. Adding bounds checking to prevent DoS attacks
4. Using allowlist-based validation for all user inputs
5. Implementing proper error handling to prevent crashes

Co-Authored-By: Kyohei Fukuda <kyoheif@wix.com>

* Potential fix for code scanning alert no. 32: Incomplete multi-character sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 39: Incomplete multi-character sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Fix inefficient regular expression in svg.ts to pass CodeQL

- Changed /([^:\s]+)*\s*:\s*([^;]+)/g to /([^:\s]+)\s*:\s*([^;]+)/g
- Removed the problematic * quantifier that could cause exponential backtracking
- This fixes the "Inefficient regular expression" security alert from GitHub Advanced Security

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* remove sanitize-html

* move tests

* fix for security

* update dependabot.yml

* organize

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Kyohei Fukuda <kyouhei.fukuda0729@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-06-26 18:30:05 +09:00
dependabot[bot]
bee725c549 Bump zod from 3.24.4 to 3.25.46 (#1047)
Bumps [zod](https://github.com/colinhacks/zod) from 3.24.4 to 3.25.46.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](https://github.com/colinhacks/zod/compare/v3.24.4...v3.25.46)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 3.25.46
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-02 09:08:53 +09:00