@tantainnovative/ndpr-toolkit 5.0.1 → 5.1.0
- package/CHANGELOG.md +19 -0
- package/README.md +13 -2
- package/dist/policy.d.mts +5 -0
- package/dist/policy.d.ts +5 -0
- package/dist/server.d.mts +5 -0
- package/dist/server.d.ts +5 -0
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,25 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
|
|
4
4
|
|
|
5
|
+
## [5.1.0](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.0.1...v5.1.0) (2026-05-28)
|
|
6
|
+
|
|
7
|
+
Security hygiene for the optional PDF-export peer. No change to the toolkit's own code — peer range + docs only.
|
|
8
|
+
|
|
9
|
+
### Changed
|
|
10
|
+
|
|
11
|
+
- **`jspdf` peer range widened: `^3.0.3` → `^3.0.3 || ^4.2.1`.** jspdf ≤ 4.2.0 carries three advisories — `GHSA-67pg-wm7f-q7fj` (High, CVSS 8.7: `addImage` GIF out-of-memory DoS), `GHSA-cjw8-79x6-5cj4` (Medium: `addJS` shared-state cross-user data leakage in concurrent server-side use), and a Critical path-traversal/LFI item. jspdf **4.2.1** clears all of them (`npm audit`: 0 vulnerabilities). The old `^3.0.3` peer pinned consumers to vulnerable 3.x; the widened range lets them install the patched 4.2.1+.
|
|
12
|
+
|
|
13
|
+
The toolkit's `exportPDF` only uses core jsPDF text/vector primitives — it never calls `addImage`, `addJS`, or `.html()` — so the toolkit's own PDF path was never a sink for these CVEs. The bump is for consumers who install jspdf and want a clean audit. jspdf stays an **optional** peer (dynamic `import('jspdf')`); consumers who don't export PDFs never install it.
|
|
14
|
+
|
|
15
|
+
### Docs
|
|
16
|
+
|
|
17
|
+
- README + `exportPDF` JSDoc now note that PDF export needs **jspdf ≥ 4.2.1**, and that installing it with `--omit=optional` (npm) / `--no-optional` (pnpm) drops jspdf's optional deps (`canvg`, `core-js`, `dompurify`, `html2canvas`) for a dependency-free PDF surface — the toolkit uses none of them.
|
|
18
|
+
|
|
19
|
+
### Verification
|
|
20
|
+
|
|
21
|
+
- `npm audit` against `jspdf@4.2.1` — 0 vulnerabilities
|
|
22
|
+
- `pnpm jest --no-coverage`, `pnpm verify:tarball`, `npx tsc --noEmit -p tsconfig.json` — all green
|
|
23
|
+
|
|
5
24
|
## [5.0.1](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.0.0...v5.0.1) (2026-05-28)
|
|
6
25
|
|
|
7
26
|
Docs-only patch. No runtime code change.
|
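Review bot: the third advisory in the `jspdf` bullet ("a Critical path-traversal/LFI item") has no identifier, while the other two are cited by GHSA ID, so a reader cannot match it against `npm audit` output or confirm that 4.2.1 covers it. Add its advisory ID, or drop the severity claim if none is available. The same bullet says the old `^3.0.3` peer "pinned consumers to vulnerable 3.x", yet the new range `^3.0.3 || ^4.2.1` still accepts those 3.x versions; state explicitly that 3.x stays allowed only for compatibility and is not the recommended install. In the paragraph after the bullet, "these CVEs" should read "these advisories", since only GHSA IDs are given.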
package/README.md
CHANGED
|
@@ -394,7 +394,7 @@ const stale = errors.find((e) => e.code === 'consent_stale');
|
|
|
394
394
|
if (stale) showRefreshBanner();
|
|
395
395
|
```
|
|
396
396
|
|
|
397
|
-
|
|
397
|
+
Each validator's emitted `code` values are documented in its JSDoc (and listed in the [CHANGELOG 5.0 entry](https://github.com/mr-tanta/ndpr-toolkit/blob/main/CHANGELOG.md#500-2026-05-27)). The legacy string-returning shapes (`validateConsent`, `validateDsrSubmission`, `formatDSRRequest`, `validateConsentOptions`) were removed in 5.0 — see the [4.1 → 5.0 migration guide](https://ndprtoolkit.com.ng/docs/guides/migrating-4-1-to-5-0) if you're upgrading.
|
|
398
398
|
|
|
399
399
|
---
|
|
400
400
|
|
|
@@ -654,7 +654,7 @@ Each component exports its `ClassNames` TypeScript interface for autocomplete. F
|
|
|
654
654
|
| `/dsr` | DSR components + hook | `react` | No |
|
|
655
655
|
| `/dpia` | DPIA components + hook | `react` | No |
|
|
656
656
|
| `/breach` | Breach components + hook | `react` | No |
|
|
657
|
-
| `/policy` | Policy components + hook | `react`, `jspdf
|
|
657
|
+
| `/policy` | Policy components + hook | `react`, `jspdf` ≥ 4.2.1, `docx` (both optional) | No |
|
|
658
658
|
| `/lawful-basis` | Lawful basis component + hook | `react` | No |
|
|
659
659
|
| `/lawful-basis/lite` | Read-only `LawfulBasisTrackerLite` — ~65% smaller than `/lawful-basis` | `react` | No |
|
|
660
660
|
| `/cross-border` | Cross-border component + hook | `react` | No |
|
|
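Review bot: in the `/policy` row, "(both optional)" follows three listed peers (`react`, `jspdf`, `docx`), so it is not clear which two are meant. Separate the required peer from the optional ones, for example by writing `react` first and then "optional: `jspdf` ≥ 4.2.1, `docx`".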
@@ -666,6 +666,17 @@ Each component exports its `ClassNames` TypeScript interface for autocomplete. F
|
|
|
666
666
|
|
|
667
667
|
[^core]: `/core` re-exports the React `NDPRProvider` for backward compatibility. For strictly server-side imports use `/server` — it carries the same pure validators with no React surface.
|
|
668
668
|
|
|
669
|
+
### PDF / DOCX export peers
|
|
670
|
+
|
|
671
|
+
`PolicyExporter` (and `exportPDF` / `exportDOCX` from `/policy`) load `jspdf` / `docx` via dynamic `import()` only when you actually export — they're optional peers, so consumers who don't export documents never install them. If you do export to PDF:
|
|
672
|
+
|
|
673
|
+
```bash
|
|
674
|
+
npm install jspdf@^4.2.1 --omit=optional # npm
|
|
675
|
+
pnpm add jspdf@^4.2.1 --no-optional # pnpm
|
|
676
|
+
```
|
|
677
|
+
|
|
678
|
+
Use **jspdf ≥ 4.2.1** — earlier versions (≤ 4.2.0) carry advisories `GHSA-67pg-wm7f-q7fj` and `GHSA-cjw8-79x6-5cj4`, fixed in 4.2.1. The `--omit=optional` / `--no-optional` flag drops jspdf's own optional deps (`canvg`, `core-js`, `dompurify`, `html2canvas`); the toolkit's PDF export uses only core jsPDF text/vector APIs, so it works without them and you get a leaner, dependency-flag-free install.
|
|
679
|
+
|
|
669
680
|
### Bundle size guidance
|
|
670
681
|
|
|
671
682
|
The toolkit is published with `sideEffects: ["*.css"]`, so a modern bundler (Vite, Next.js / Webpack, esbuild, Bun) will tree-shake unused exports. A few practical rules to keep your bundle small:
|
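Review bot: the new "PDF / DOCX export peers" section cites only `GHSA-67pg-wm7f-q7fj` and `GHSA-cjw8-79x6-5cj4`, while the 5.1.0 CHANGELOG entry lists three advisories including a Critical path-traversal/LFI item; keep the two lists consistent. In the install commands, `--omit=optional` and `--no-optional` are options on the install command, not something scoped to jspdf, so the text should say what happens to other packages' optional dependencies in the project and whether the flag must be repeated on later installs. The closing phrase "dependency-flag-free install" is unclear; say what is actually avoided.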
package/dist/policy.d.mts
CHANGED
|
@@ -236,6 +236,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
|
|
|
236
236
|
/**
|
|
237
237
|
* Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
|
|
238
238
|
*
|
|
239
|
+
* Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
|
|
240
|
+
* GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
|
|
241
|
+
* never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
|
|
242
|
+
* (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
|
|
243
|
+
*
|
|
239
244
|
* Features:
|
|
240
245
|
* - Optional cover page with title, organisation, date, version and compliance badge
|
|
241
246
|
* - Optional table of contents page
|
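Review bot: "Requires jspdf >= 4.2.1" in the added JSDoc is stronger than anything the package enforces, because the peer range in package.json still accepts `^3.0.3` and nothing visible here checks the version that the dynamic import loads. Either word it as a recommended minimum, or have `exportPDF` warn when an older jspdf is loaded. The comment also names two advisories where the CHANGELOG lists three. The same block is repeated in policy.d.ts, server.d.mts and server.d.ts, so fix it once in the source these declaration files are built from.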
package/dist/policy.d.ts
CHANGED
|
@@ -236,6 +236,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
|
|
|
236
236
|
/**
|
|
237
237
|
* Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
|
|
238
238
|
*
|
|
239
|
+
* Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
|
|
240
|
+
* GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
|
|
241
|
+
* never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
|
|
242
|
+
* (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
|
|
243
|
+
*
|
|
239
244
|
* Features:
|
|
240
245
|
* - Optional cover page with title, organisation, date, version and compliance badge
|
|
241
246
|
* - Optional table of contents page
|
package/dist/server.d.mts
CHANGED
|
@@ -1134,6 +1134,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
|
|
|
1134
1134
|
/**
|
|
1135
1135
|
* Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
|
|
1136
1136
|
*
|
|
1137
|
+
* Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
|
|
1138
|
+
* GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
|
|
1139
|
+
* never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
|
|
1140
|
+
* (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
|
|
1141
|
+
*
|
|
1137
1142
|
* Features:
|
|
1138
1143
|
* - Optional cover page with title, organisation, date, version and compliance badge
|
|
1139
1144
|
* - Optional table of contents page
|
package/dist/server.d.ts
CHANGED
|
@@ -1134,6 +1134,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
|
|
|
1134
1134
|
/**
|
|
1135
1135
|
* Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
|
|
1136
1136
|
*
|
|
1137
|
+
* Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
|
|
1138
|
+
* GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
|
|
1139
|
+
* never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
|
|
1140
|
+
* (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
|
|
1141
|
+
*
|
|
1137
1142
|
* Features:
|
|
1138
1143
|
* - Optional cover page with title, organisation, date, version and compliance badge
|
|
1139
1144
|
* - Optional table of contents page
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@tantainnovative/ndpr-toolkit",
|
|
3
|
-
"version": "5.0
|
|
3
|
+
"version": "5.1.0",
|
|
4
4
|
"private": false,
|
|
5
5
|
"description": "Nigeria Data Protection Toolkit — enterprise-grade compliance components for the Nigeria Data Protection Act (NDPA) 2023",
|
|
6
6
|
"pnpm": {
|
|
@@ -303,7 +303,7 @@
|
|
|
303
303
|
"class-variance-authority": "^0.7.1",
|
|
304
304
|
"clsx": "^2.1.1",
|
|
305
305
|
"docx": ">=8.0.0",
|
|
306
|
-
"jspdf": "^3.0.3",
|
|
306
|
+
"jspdf": "^3.0.3 || ^4.2.1",
|
|
307
307
|
"react": "^18.0.0 || ^19.0.0",
|
|
308
308
|
"react-dom": "^18.0.0 || ^19.0.0",
|
|
309
309
|
"tailwind-merge": "^2.6.0"
|
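Review bot: the new range `^3.0.3 || ^4.2.1` keeps every 3.x release from 3.0.3 up installable without a peer warning, although this release's CHANGELOG describes jspdf ≤ 4.2.0 as affected and the README and JSDoc say 4.2.1 is the minimum. It does correctly skip 4.0.0 through 4.2.0. If 3.x stays only to avoid a breaking peer change in a minor release, say so in the CHANGELOG and plan to narrow the range to `^4.2.1` in the next major.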