Update dependency pypdf to v6.4.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
pypdf (changelog)	minor	==6.1.3 -> ==6.4.0

GitHub Vulnerability Alerts

GHSA-m449-cwjh-6pw7

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

---

pypdf's LZWDecode streams be manipulated to exhaust RAM

GHSA-m449-cwjh-6pw7

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

• https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j
• https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7
• https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2
• https://github.com/py-pdf/pypdf
• https://github.com/py-pdf/pypdf/releases/tag/6.4.0

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

py-pdf/pypdf (pypdf)

v6.4.0

Compare Source

Security (SEC)

• Reduce default limit for LZW decoding

New Features (ENH)

• Parse and format comb fields in text widget annotations (#​3519)

Robustness (ROB)

• Silently ignore Adobe Ascii85 whitespace for suffix detection (#​3528)

Full Changelog

v6.3.0

Compare Source

New Features (ENH)

• Wrap and align text in flattened PDF forms (#​3465)

Bug Fixes (BUG)

• Fix missing "PreventGC" when cloning (#​3520)
• Preserve JPEG image quality by default (#​3516)

Full Changelog

v6.2.0

Compare Source

New Features (ENH)

• Add 'strict' parameter to PDFWriter (#​3503)

Bug Fixes (BUG)

• PdfWriter.append fails when there are articles being None (#​3509)

Documentation (DOC)

• Execute docs examples in CI (#​3507)

Full Changelog

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[thomasht86]

can't merge this as it breaks the colpali-demo unfortunately

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==6.4.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.