chore(deps): update dependency pypdf to v6.13.3 [security]

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
pypdf (changelog)	patch	==6.13.2 → ==6.13.3

---

pypdf: Missing stream length values ignore defined limits

GHSA-jm82-fx9c-mx94

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.

Patches

This has been fixed in pypdf==6.13.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3871.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/py-pdf/pypdf/security/advisories/GHSA-jm82-fx9c-mx94
• https://github.com/py-pdf/pypdf/pull/3871
• https://github.com/py-pdf/pypdf/releases/tag/6.13.3
• https://github.com/advisories/GHSA-jm82-fx9c-mx94

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

py-pdf/pypdf (pypdf)

v6.13.3

Compare Source

Security (SEC)

• Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#​3871)

Performance Improvements (PI)

• Avoid per-pixel getpixel loop for 1-bit indexed images (#​3854)

Robustness (ROB)

• Several fixes

Maintenance (MAINT)

• Make mypy assert messages consistent (#​3849)

Full Changelog

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.