@tantainnovative/ndpr-toolkit 5.0.1 → 5.1.1

package/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [5.1.1](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.1.0...v5.1.1) (2026-05-28)
+
+Completes the jspdf security fix from 5.1.0.
+
+### Changed
+
+- **`jspdf` peer tightened: `^3.0.3 || ^4.2.1` → `^4.2.1`.** 5.1.0 widened the range but left `^3.0.3` in it — and *every* jspdf 3.x is vulnerable (the advisory is `<=4.2.0`; there is no safe 3.x). Keeping 3.x bought zero compatibility while letting a consumer satisfy the peer with a vulnerable `3.0.4`. Dropping it means the peer range now contains only patched versions, so a vulnerable jspdf can't satisfy it.
+
+  This narrows an **optional** peer range — technically breaking per semver, shipped as a patch because the removed versions are 100% vulnerable with no safe alternative and the toolkit's jspdf API usage (`new jsPDF(...)`, text/vector primitives) is identical across 3↔4. Consumers already on jspdf 4.2.1+ or not using PDF export are unaffected; consumers pinned to jspdf 3.x get a peer-range warning that correctly nudges them to the patched line.
+
+### Verification
+
+- `pnpm jest --no-coverage`, `pnpm verify:tarball`, `npx tsc --noEmit -p tsconfig.json` — all green
+- README + `exportPDF` JSDoc already specified jspdf ≥ 4.2.1 (5.1.0); no doc changes needed
+
+## [5.1.0](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.0.1...v5.1.0) (2026-05-28)
+
+Security hygiene for the optional PDF-export peer. No change to the toolkit's own code — peer range + docs only.
+
+### Changed
+
+- **`jspdf` peer range widened: `^3.0.3` → `^3.0.3 || ^4.2.1`.** jspdf ≤ 4.2.0 carries three advisories — `GHSA-67pg-wm7f-q7fj` (High, CVSS 8.7: `addImage` GIF out-of-memory DoS), `GHSA-cjw8-79x6-5cj4` (Medium: `addJS` shared-state cross-user data leakage in concurrent server-side use), and a Critical path-traversal/LFI item. jspdf **4.2.1** clears all of them (`npm audit`: 0 vulnerabilities). The old `^3.0.3` peer pinned consumers to vulnerable 3.x; the widened range lets them install the patched 4.2.1+.
+
+  The toolkit's `exportPDF` only uses core jsPDF text/vector primitives — it never calls `addImage`, `addJS`, or `.html()` — so the toolkit's own PDF path was never a sink for these CVEs. The bump is for consumers who install jspdf and want a clean audit. jspdf stays an **optional** peer (dynamic `import('jspdf')`); consumers who don't export PDFs never install it.
+
+### Docs
+
+- README + `exportPDF` JSDoc now note that PDF export needs **jspdf ≥ 4.2.1**, and that installing it with `--omit=optional` (npm) / `--no-optional` (pnpm) drops jspdf's optional deps (`canvg`, `core-js`, `dompurify`, `html2canvas`) for a dependency-free PDF surface — the toolkit uses none of them.
+
+### Verification
+
+- `npm audit` against `jspdf@4.2.1` — 0 vulnerabilities
+- `pnpm jest --no-coverage`, `pnpm verify:tarball`, `npx tsc --noEmit -p tsconfig.json` — all green
+
 ## [5.0.1](https://github.com/mr-tanta/ndpr-toolkit/compare/v5.0.0...v5.0.1) (2026-05-28)
 
 Docs-only patch. No runtime code change.

package/README.md

@@ -394,7 +394,7 @@ const stale = errors.find((e) => e.code === 'consent_stale');
 if (stale) showRefreshBanner();
 ```
 
-The full code catalogue lives in the [validator API docs](https://ndprtoolkit.com.ng/docs/server). The legacy string-returning shapes (`validateConsent`, `validateDsrSubmission`, `formatDSRRequest`, `validateConsentOptions`) were removed in 5.0 — see the [4.1 → 5.0 migration guide](https://ndprtoolkit.com.ng/docs/guides/migrating-4-1-to-5-0) if you're upgrading.
+Each validator's emitted `code` values are documented in its JSDoc (and listed in the [CHANGELOG 5.0 entry](https://github.com/mr-tanta/ndpr-toolkit/blob/main/CHANGELOG.md#500-2026-05-27)). The legacy string-returning shapes (`validateConsent`, `validateDsrSubmission`, `formatDSRRequest`, `validateConsentOptions`) were removed in 5.0 — see the [4.1 → 5.0 migration guide](https://ndprtoolkit.com.ng/docs/guides/migrating-4-1-to-5-0) if you're upgrading.
 
 ---
 
@@ -654,7 +654,7 @@ Each component exports its `ClassNames` TypeScript interface for autocomplete. F
 | `/dsr` | DSR components + hook | `react` | No |
 | `/dpia` | DPIA components + hook | `react` | No |
 | `/breach` | Breach components + hook | `react` | No |
-| `/policy` | Policy components + hook | `react`, `jspdf`, `docx` (optional) | No |
+| `/policy` | Policy components + hook | `react`, `jspdf` ≥ 4.2.1, `docx` (both optional) | No |
 | `/lawful-basis` | Lawful basis component + hook | `react` | No |
 | `/lawful-basis/lite` | Read-only `LawfulBasisTrackerLite` — ~65% smaller than `/lawful-basis` | `react` | No |
 | `/cross-border` | Cross-border component + hook | `react` | No |
@@ -666,6 +666,17 @@ Each component exports its `ClassNames` TypeScript interface for autocomplete. F
 
 [^core]: `/core` re-exports the React `NDPRProvider` for backward compatibility. For strictly server-side imports use `/server` — it carries the same pure validators with no React surface.
 
+### PDF / DOCX export peers
+
+`PolicyExporter` (and `exportPDF` / `exportDOCX` from `/policy`) load `jspdf` / `docx` via dynamic `import()` only when you actually export — they're optional peers, so consumers who don't export documents never install them. If you do export to PDF:
+
+```bash
+npm install jspdf@^4.2.1 --omit=optional      # npm
+pnpm add jspdf@^4.2.1 --no-optional           # pnpm
+```
+
+Use **jspdf ≥ 4.2.1** — earlier versions (≤ 4.2.0) carry advisories `GHSA-67pg-wm7f-q7fj` and `GHSA-cjw8-79x6-5cj4`, fixed in 4.2.1. The `--omit=optional` / `--no-optional` flag drops jspdf's own optional deps (`canvg`, `core-js`, `dompurify`, `html2canvas`); the toolkit's PDF export uses only core jsPDF text/vector APIs, so it works without them and you get a leaner, dependency-flag-free install.
+
 ### Bundle size guidance
 
 The toolkit is published with `sideEffects: ["*.css"]`, so a modern bundler (Vite, Next.js / Webpack, esbuild, Bun) will tree-shake unused exports. A few practical rules to keep your bundle small:

package/dist/policy.d.mts

@@ -236,6 +236,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
 /**
  * Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
  *
+ * Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
+ * GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
+ * never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
+ * (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
+ *
  * Features:
  * - Optional cover page with title, organisation, date, version and compliance badge
  * - Optional table of contents page

package/dist/policy.d.ts

@@ -236,6 +236,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
 /**
  * Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
  *
+ * Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
+ * GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
+ * never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
+ * (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
+ *
  * Features:
  * - Optional cover page with title, organisation, date, version and compliance badge
  * - Optional table of contents page

package/dist/server.d.mts

@@ -1134,6 +1134,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
 /**
  * Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
  *
+ * Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
+ * GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
+ * never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
+ * (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
+ *
  * Features:
  * - Optional cover page with title, organisation, date, version and compliance badge
  * - Optional table of contents page

package/dist/server.d.ts

@@ -1134,6 +1134,11 @@ export declare function exportMarkdown(policy: PrivacyPolicy): string;
 /**
  * Export a PrivacyPolicy to a PDF Blob using jspdf (optional peer dependency).
  *
+ * Requires jspdf >= 4.2.1 (earlier versions carry GHSA-67pg-wm7f-q7fj and
+ * GHSA-cjw8-79x6-5cj4). This function uses only core jsPDF text/vector APIs —
+ * never `addImage`, `addJS`, or `.html()` — so jspdf's optional deps
+ * (canvg, core-js, dompurify, html2canvas) can be omitted (`--omit=optional`).
+ *
  * Features:
  * - Optional cover page with title, organisation, date, version and compliance badge
  * - Optional table of contents page

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tantainnovative/ndpr-toolkit",
-  "version": "5.0.1",
+  "version": "5.1.1",
   "private": false,
   "description": "Nigeria Data Protection Toolkit — enterprise-grade compliance components for the Nigeria Data Protection Act (NDPA) 2023",
   "pnpm": {
@@ -303,7 +303,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "docx": ">=8.0.0",
-    "jspdf": "^3.0.3",
+    "jspdf": "^4.2.1",
     "react": "^18.0.0 || ^19.0.0",
     "react-dom": "^18.0.0 || ^19.0.0",
     "tailwind-merge": "^2.6.0"