Webhook URLs were being fetched without validating whether they
resolved to private/loopback addresses, exposing the server to SSRF.

Current SSRF is best effort and fail open; you should never host
services that you can't risk exposure of.

This extracts webhook execution into a shared module that validates
URLs against private IP ranges (including DNS resolution), enforces
timeouts, and disables redirect following. The resend route now
queues through the job system instead of calling fetch inline.
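
The kind of check the message above describes, as an added Node.js example that is not the project's own code: resolve the webhook host, reject private, loopback and link-local addresses, then deliver with a timeout and redirects disabled. All function names, the range list and the 5-second timeout are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not the project's own.
// Private, loopback, link-local and CGNAT IPv4 ranges as [network, prefix bits].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Strict dotted-quad to unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedAddress(ip) {
  const addr = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr); // IPv4-mapped IPv6
  const v4 = ipv4ToInt(mapped ? mapped[1] : addr);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ipv4ToInt(net);
    });
  }
  // Not an IP at all, or a mapped form we cannot parse: fail closed.
  if (!addr.includes(':') || addr.startsWith('::ffff:')) return true;
  // IPv6 unspecified, loopback, unique-local fc00::/7, link-local fe80::/10.
  return addr === '::' || addr === '::1' || /^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr);
}

// Resolve the host and reject if ANY returned address is blocked.
// `lookup` defaults to Node's dns.promises.lookup; a stub can be injected.
async function assertSafeWebhookUrl(rawUrl, lookup) {
  const url = new URL(rawUrl);
  if (!['http:', 'https:'].includes(url.protocol)) throw new Error('scheme not allowed');
  lookup ??= (await import('node:dns/promises')).lookup;
  const records = await lookup(url.hostname.replace(/^\[|\]$/g, ''), { all: true });
  const bad = records.find((r) => isBlockedAddress(r.address));
  if (bad) throw new Error(`blocked address ${bad.address}`);
  return url;
}

// Deliver with a hard timeout and without following redirects, so a 3xx
// response cannot steer the request to an address that was never checked.
async function sendWebhook(rawUrl, body) {
  const url = await assertSafeWebhookUrl(rawUrl);
  return fetch(url, { method: 'POST', body, redirect: 'manual', signal: AbortSignal.timeout(5000) });
}
```

`fetch` resolves the hostname again after the check, so a check like this stays best effort unless the connection is pinned to the validated address.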

Upgrade @libpdf/core from 0.2.12 to 0.3.3, which includes:
- WebCrypto SHA-256 replacing pure-JS @noble/hashes (10x signing speedup)
- Iterative collectReachableRefs (fixes stack overflow on large PDFs)
- Iterative Math.max helpers in xref writer (fixes remaining stack overflow)

Extract duplicated FontLibrary.use() calls from render-certificate,
render-audit-logs, and insert-field-in-pdf-v2 into a shared
ensureFontLibrary() helper with has() guards so fonts are only
registered once per process.

## Description
Replace the PDF renderer with a custom image renderer.
This allows us to remove the "react-pdf" dependency and allows us to use
a virtual list to improve performance.

Migrate from @documenso/pdf-sign and @cantoo/pdf-lib to @libpdf/core
for all PDF manipulation and signing operations. This includes:
- New signing transports for Google Cloud KMS and local certificates
- Consolidated PDF operations using libpdf API
- Added TSA (timestamp authority) helper for digital signatures
- Removed deprecated flatten and insert utilities
- Updated tests to use new PDF library

The v9 packages are deprecated. This updates to v13 which includes
breaking API changes: optionsJSON wrapper for auth functions,
renamed properties (authenticator→credential), and base64 encoding
for credential IDs via isoBase64URL helper.

When using an API key created in a team context, the
documents/templates’ owner always defaults to the team API token
creator, rather than the actual uploader.
For example, John creates the API key for the team "Lawyers". Tom and
Maria use the API key to upload documents. All the uploaded documents
are attributed to John.
This makes it impossible to see who actually uploaded a document.
The new feature allows users to enable document ownership delegation
from the organization/team settings.

Upgrade the `@react-email/render` package to handle
suspense during renders.
We could have just swapped to `renderAsync` for the 0.0.x
version of the package but it's better to upgrade as part
of this change.
CI has been run locally and emails have been verified to
work and render as expected in our local mail trap.