
chore(deps): update dependency pypdf to v6.13.3 [security]#420

Merged: a-klos merged 1 commit into main from renovate/pypi-pypdf-vulnerability on Jul 5, 2026
Conversation

@a-klos (Member) commented Jun 21, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
pypdf (changelog) | 6.13.0 -> 6.13.3 | age | confidence

GitHub Vulnerability Alerts

GHSA-jm82-fx9c-mx94

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.

Patches

This has been fixed in pypdf==6.13.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3871.


Release Notes

py-pdf/pypdf (pypdf)

v6.13.3

Security (SEC)
  • Apply general limit for requested image size (#3888)
  • Speed up recovery when reading broken cross-reference table (#3887)
New Features (ENH)
  • Check whether image is displayed on a given page (#3738)
Robustness (ROB)
  • Several fixes

v6.13.2

Security (SEC)
  • Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
Performance Improvements (PI)
  • Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
Robustness (ROB)
  • Several fixes
Maintenance (MAINT)
  • Make mypy assert messages consistent (#3849)

v6.13.1

Security (SEC)
  • Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)
Robustness (ROB)
  • Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
  • Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)


Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
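Two defender-side checks follow from the advisory quoted in this PR: confirm that the installed pypdf is at or past the fixed 6.13.3, and, while the upgrade cannot land yet, parse untrusted PDFs under a hard memory cap so a crafted stream without a /Length cannot exhaust the host process. The block below is an added example, not code from the Renovate PR, this repository, or the pypdf project. It assumes a Unix host and the Python standard library only; the parser callable is injected by the caller (pypdf's reader would be the real one), and the 1 GiB cap is a placeholder to tune per deployment.

```python
"""Defensive checks for the pypdf advisory GHSA-jm82-fx9c-mx94.

Added example; not code from the Renovate PR, this repository, or pypdf.
Assumptions: Unix host, standard library only, parser callable supplied by
the caller, memory cap value is a placeholder.
"""
import os
import resource
import signal
from typing import Callable, Tuple

# Fixed version named in the advisory's "Patches" section.
FIXED_VERSION: Tuple[int, ...] = (6, 13, 3)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.13.3' (or '6.13.3rc1') into (6, 13, 3) for tuple comparison.

    Non-numeric suffixes on a component are dropped; a component with no
    leading digits counts as 0.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str) -> bool:
    """True if the installed pypdf already carries the fix (>= 6.13.3)."""
    return version_tuple(installed) >= FIXED_VERSION


def installed_pypdf_version() -> str:
    """Report the installed pypdf version, or '' if pypdf is not installed."""
    try:
        from importlib.metadata import version
        return version("pypdf")
    except Exception:  # PackageNotFoundError, or no importlib.metadata
        return ""


def run_with_memory_cap(work: Callable[[], object], max_bytes: int,
                        timeout_seconds: int = 30) -> bool:
    """Run work() in a forked child whose address space is capped.

    Returns True if the child finished normally, False if it ran out of
    memory, hit the alarm, or raised. The parent process is never at risk,
    which is the point when the input is an untrusted PDF.
    """
    pid = os.fork()
    if pid == 0:  # child
        try:
            _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
            cap = max_bytes if hard == resource.RLIM_INFINITY else min(max_bytes, hard)
            resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
            signal.alarm(timeout_seconds)  # default SIGALRM action kills the child
            work()
        except BaseException:
            os._exit(1)
        os._exit(0)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def parse_untrusted_pdf(path: str, parser: Callable[[str], object],
                        max_bytes: int = 1024 * 1024 * 1024) -> bool:
    """Parse `path` with `parser` inside the memory cap; True on success."""
    return run_with_memory_cap(lambda: parser(path), max_bytes)


if __name__ == "__main__":
    current = installed_pypdf_version()
    print("pypdf installed:", current or "(not installed)")
    if current:
        print("patched for GHSA-jm82-fx9c-mx94:", is_patched(current))
    # Constructed stand-in for a parser that balloons on a crafted input.
    greedy = lambda _path: bytearray(8 * 1024 ** 3)  # noqa: E731
    print("capped run of a greedy parser completed:",
          parse_untrusted_pdf("untrusted.pdf", greedy, max_bytes=1024 ** 3))
```

The fork-plus-RLIMIT_AS pattern keeps the cap in the kernel rather than in the parser's own bookkeeping, so it holds even when a library limit such as MAX_DECLARED_STREAM_LENGTH is bypassed; the alarm adds a time bound for the same reason. A failed run is a signal to quarantine the input and alert, not to retry with a larger cap.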

@a-klos a-klos added python Pull requests that update python code renovate labels Jun 21, 2026
@a-klos a-klos force-pushed the renovate/pypi-pypdf-vulnerability branch from e45ef38 to 5bb537f on June 28, 2026 03:42
@a-klos a-klos merged commit 0ef3206 into main Jul 5, 2026
10 checks passed
@a-klos a-klos deleted the renovate/pypi-pypdf-vulnerability branch July 5, 2026 00:44