
chore(deps): update dependency pypdf to v6.13.3 [security]#420

Open

a-klos wants to merge 1 commit into main from renovate/pypi-pypdf-vulnerability

Conversation

@a-klos

@a-klos a-klos commented Jun 21, 2026

Member

This PR contains the following updates:

Package              Change              Age   Confidence
pypdf (changelog)    6.13.0 -> 6.13.3    age   confidence

GitHub Vulnerability Alerts

GHSA-jm82-fx9c-mx94

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.

Patches

This has been fixed in pypdf==6.13.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3871.


Release Notes

py-pdf/pypdf (pypdf)

v6.13.3

Compare Source

Security (SEC)
  • Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
Performance Improvements (PI)
  • Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
Robustness (ROB)
  • Several fixes
Maintenance (MAINT)
  • Make mypy assert messages consistent (#3849)

Full Changelog

v6.13.2

Compare Source

Security (SEC)
  • Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
Performance Improvements (PI)
  • Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
Robustness (ROB)
  • Several fixes
Maintenance (MAINT)
  • Make mypy assert messages consistent (#3849)

Full Changelog

v6.13.1

Compare Source

Security (SEC)
  • Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)
Robustness (ROB)
  • Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
  • Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)

Full Changelog


Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
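The advisory above describes a memory-exhaustion bug triggered by parsing a content stream that carries no /Length value. The following is an added example, not code from this PR, from Renovate or from pypdf. It shows the two checks a service that parses untrusted PDFs would want around this update: a version gate that confirms the installed pypdf is at or past the fixed release (6.13.3, from the advisory), and a runner that executes the parser in a child process whose address space is capped, so a runaway allocation in the parser ends that one job instead of the whole host. Assumptions: Linux (the cap uses RLIMIT_AS via the resource module), the pypdf distribution name as on PyPI, and a placeholder PDF path in the hypothetical worker; the "runaway" script used to exercise the cap is a constructed stand-in for the bug class, not a reproduction of the vulnerability.

```python
"""Defensive checks around a pypdf security update (added example).

1. is_fixed(): is a given pypdf version >= the fixed release?
2. run_memory_bounded(): run a parsing job in a child interpreter whose
   address space is capped (Linux RLIMIT_AS), so a parser that allocates
   without bound fails on its own instead of exhausting the host.
"""
import re
import resource
import subprocess
import sys
from importlib import metadata
from typing import Optional

FIXED_VERSION = "6.13.3"  # from the advisory: "fixed in pypdf==6.13.3"


def parse_version(text: str) -> tuple:
    """Convert '6.13.3', '6.14' or '6.13.3rc1' into a comparable tuple.

    Numeric parts are padded to three components; a trailing element marks
    pre-releases (a, b, rc, dev) as lower than the final release, while
    post-releases and local labels count as the final release or later.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    is_prerelease = re.match(r"\.?(a|b|rc|dev)", m.group(2)) is not None
    return nums + ((-1,) if is_prerelease else (0,))


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` carries the fix, i.e. is at or past `fixed`."""
    return parse_version(version) >= parse_version(fixed)


def installed_pypdf_is_fixed() -> Optional[bool]:
    """True/False for the pypdf in this environment, None if not installed."""
    try:
        return is_fixed(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None


def run_memory_bounded(code: str, max_bytes: int, timeout: float = 60.0) -> int:
    """Run `code` in a fresh interpreter with its address space capped.

    Returns the child's exit status: 0 when it completed, non-zero when it
    failed (a MemoryError once the cap is hit, for instance). A job that
    exceeds `timeout` raises subprocess.TimeoutExpired to the caller.
    """
    def _cap() -> None:
        # Runs in the child after fork, before exec: lower both limits.
        resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))

    proc = subprocess.run(
        [sys.executable, "-c", code],
        preexec_fn=_cap,
        timeout=timeout,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return proc.returncode


# Hypothetical worker you would actually run under the cap when pypdf is
# installed; the path is a placeholder, not a real file.
PARSE_PDF_WORKER = """
from pypdf import PdfReader
reader = PdfReader("/path/to/untrusted.pdf")
print(len(reader.pages))
"""

# Constructed stand-in for the bug class in the advisory: a job that tries to
# allocate far more memory than any sane PDF needs. It exercises the cap
# without pypdf or a crafted file.
RUNAWAY_ALLOC = "buf = bytearray(4 * 1024 ** 3)"


def demo() -> dict:
    """Exercise both checks; 512 MiB is ample for a PDF parser, fatal to a runaway."""
    cap = 512 * 1024 ** 2
    return {
        "installed_pypdf_fixed": installed_pypdf_is_fixed(),
        "6.13.0_fixed": is_fixed("6.13.0"),
        "6.13.3_fixed": is_fixed("6.13.3"),
        "benign_exit": run_memory_bounded("print('ok')", cap),
        "runaway_exit": run_memory_bounded(RUNAWAY_ALLOC, cap),
    }


if __name__ == "__main__":
    print(demo())
```

The version gate belongs in deployment checks or a startup assertion, so an environment that was pinned to 6.13.0 fails loudly rather than silently parsing untrusted input with the vulnerable stream reader; the memory cap is the workaround-style layer for the window before the upgrade lands, and it stays useful afterwards against the next bug of this class.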

@a-klos a-klos added python Pull requests that update python code renovate labels Jun 21, 2026
