Skip to content

Update lopdf dependency to fix RUSTSEC-2026-0187#275

Open
Zynora-fr wants to merge 1 commit into
fschutt:masterfrom
Zynora-fr:fix-lopdf-rustsec-2026-0187
Open

Update lopdf dependency to fix RUSTSEC-2026-0187#275
Zynora-fr wants to merge 1 commit into
fschutt:masterfrom
Zynora-fr:fix-lopdf-rustsec-2026-0187

Conversation

@Zynora-fr

Copy link
Copy Markdown

Summary

Updates the lopdf dependency to resolve RustSec advisory RUSTSEC-2026-0187.

Changes

  • Updated lopdf dependency from 0.39.x to 0.42+
  • Updated Cargo.lock

Security

This fixes a stack overflow vulnerability caused by deeply nested PDF objects during parsing.

Fixes #272

Copilot AI review requested due to automatic review settings July 10, 2026 16:52

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates printpdf’s lopdf dependency to a version that includes the upstream fix for RustSec advisory RUSTSEC-2026-0187 (unbounded recursion / stack overflow DoS in PDF parsing), aligning with the remediation requested in issue #272.

Changes:

  • Bump lopdf dependency from 0.39.0 to 0.42.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Cargo.toml

[dependencies]
lopdf = { version = "0.39.0", default-features = false, features = ["time"]}
lopdf = { version = "0.42.0", default-features = false, features = ["time"]}
Comment thread Cargo.toml

[dependencies]
lopdf = { version = "0.39.0", default-features = false, features = ["time"]}
lopdf = { version = "0.42.0", default-features = false, features = ["time"]}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bump lopdf to >=0.42.0 to resolve RUSTSEC-2026-0187 (unbounded-recursion DoS)

2 participants