fix(deps): update dependency pdfkit to ^0.17.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pdfkit (source)	^0.13.0 → ^0.17.0

---

Release Notes

foliojs/pdfkit (pdfkit)

v0.17.2

Compare Source

• Fix rendering lists that spans across pages

v0.17.1

Compare Source

• Fix null values in table cells rendering as [object Object]
• Fix further LineWrapper precision issues
• Optmize standard font handling. Less code, less memory usage

v0.17.0

Compare Source

• Fix precision rounding issues in LineWrapper
• Fix fonts without a postscriptName
• Add support for dynamic sizing
• Add support for rotatable text
• Fix page cascade options when text overflows
• Add table generation
• Fix y position when using image() without x and y coordinates
• Improve Prettier configuration

v0.16.0

Compare Source

• Update fontkit to 2.0
• Update linebreak to 1.1
• Add support for spot colors
• Add support to scale text horizontally
• Add an option to keep the indentation after a new line starts and allow to indent a whole paragraph/text element
• Add Name property for set custom icon for note()
• Fix sets tab order to "Structure" when a document is tagged
• Fix font cache collision for fonts with missing postscript name or bad TTF metadata or identical metadata for different fonts
• Fix for embedding fonts into PDF (font name must not contain spaces)
• Fix measuring text when OpenType features are passed in to .text()

v0.15.2

Compare Source

• Fix index not counting when rendering ordered lists (#​1517)
• Fix PDF/A3 compliance of attachments
• Fix CIDSet generation only for PDF/A1 subset
• Fix missing acroform font dictionary
• Fix modify time comparison check equality embedded files

v0.15.1

Compare Source

• Fix browserify transform sRGB_IEC61966_2_1.icc file
• Fix time comparison check equality embedded files

v0.15.0

Compare Source

• Add subset for PDF/UA
• Fix for line breaks in list items (#​1486)
• Fix for soft hyphen not being replaced by visible hyphen if necessary (#​457)
• Optimize output files by ignoring identity transforms
• Fix for Acroforms - setting an option to false will still apply the flag (#​1495)
• Fix for text extraction in PDFium-based viewers due to invalid ToUnicodeMap (#​1498)
• Remove deprecated write method
• Drop support for Node.js < 18 and for browsers released before 2020

v0.14.0

Compare Source

• Add support for PDF/A-1b, PDF/A-1a, PDF/A-2b, PDF/A-2a, PDF/A-3b, PDF/A-3a

• Update crypto-js to v4.2.0 (properly fix security issue)

• Add support for EXIF orientation on JPEG images (#​626 and #​1353)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

• Chores
  • Upgraded the PDF library to a newer release.
  • Improves PDF generation stability and compatibility, reducing rendering issues and ensuring more reliable document output across environments.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@renovate[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a2b3cb and 2d03972.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

📝 Walkthrough

Walkthrough

The pdfkit dependency in package.json is updated from ^0.13.0 to ^0.17.0. No other files or changes are present in the diff, and there are no modifications to exported or public API signatures.

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title accurately describes the main change: a pdfkit dependency upgrade from ^0.13.0 to ^0.17.0, which is the sole modification in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (b3a35d2) to head (2d03972).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@    Coverage Diff     @@
##   main   #93   +/-   ##
==========================
==========================

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[saltenasl]

package-lock.json wasn't updated

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a322609 and 3fe1e4b.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build & Test

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3fe1e4b and 5577463.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build & Test

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

package.json (1)

2610-2610: Update @types/pdfkit to ^0.17.0 to match runtime version.

pdfkit is now at ^0.17.0, but @types/pdfkit remains at ^0.11.0—a 6-minor-version gap. Compatible type definitions (@types/pdfkit@^0.17.x) exist and should be used to catch breaking changes (like removed PDFDocument#write()) at compile time. Update this dependency and run TypeScript type-check to surface any compatibility issues.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a7fe1da and 4915ded.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4915ded and 4a2b3cb.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: codecov/project
• GitHub Check: Build & Test

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Get the actual lines from package.json to verify the versions
sed -n '2541p;2610p' package.json

Repository: deepnote/vscode-deepnote

Length of output: 132

---

🏁 Script executed:

# Also verify what's around these lines for context
sed -n '2539,2543p;2608,2612p' package.json

Repository: deepnote/vscode-deepnote

Length of output: 421

---

🌐 Web query:

@types/pdfkit version 0.17.0 available npm

💡 Result:

Yes — @types/pdfkit v0.17.0 exists on npm. Install with:

npm install --save @types/[email protected]

Sources: npm package page and Snyk package info. [1][2]

References
[1] https://www.npmjs.com/package/%40types/pdfkit
[2] https://security.snyk.io/package/npm/%40types%2Fpdfkit

---

🌐 Web query:

pdfkit breaking changes Node.js 18 v0.15 v0.17

💡 Result:

Short summary of breaking/important changes between pdfkit v0.15 → v0.17 (Node.js 18 context):

• v0.15 (Mar 2024): dropped support for Node.js < 18 (so Node 18+ required) and removed the deprecated PDFDocument.write() method — code calling write() will break. (app.unpkg.com)
• v0.16 (Dec 2024): upgraded fontkit to 2.0 (may affect font loading/metadata behavior and font-related APIs); other internal updates (linebreak, spot colors). If you relied on fontkit internals or older font behavior, test fonts. (github.com)
• v0.17 (Apr–May 2025): added higher-level features (tables, dynamic sizing, rotatable text), fixed layout/precision and font edge-cases — these are mostly additive/bugfixes, but changes to text/layout/line-wrapping and font handling can change rendering output; test documents after upgrade. (github.com)

Recommended upgrade steps:

• Ensure runtime is Node.js 18+.
• Replace any usage of PDFDocument.write() (removed in 0.15) with the current streaming/pipe APIs (doc.pipe / doc.end / stream handling). (app.unpkg.com)
• Run full rendering tests (fonts, lists, tables, images) because fontkit 2.0 and line-wrapping/layout fixes can change output. (github.com)

If you want, I can scan your code for usages of the removed write() method and flag other likely compatibility issues — upload code or paste snippets.

Citations:

• 1: https://app.unpkg.com/pdfkit%400.15.0/files/CHANGELOG.md?utm_source=openai
• 2: https://github.com/foliojs/pdfkit/releases?utm_source=openai
• 3: https://github.com/foliojs/pdfkit/releases?utm_source=openai
• 4: https://app.unpkg.com/pdfkit%400.15.0/files/CHANGELOG.md?utm_source=openai
• 5: https://github.com/foliojs/pdfkit/releases?utm_source=openai

---

🏁 Script executed:

# Check if engines section has explicit Node.js version
grep -A 5 '"engines"' package.json | head -10

Repository: deepnote/vscode-deepnote

Length of output: 196

---

🏁 Script executed:

# Verify there are actual usages of pdfkit in the codebase
fd -e ts -e js -e tsx -e jsx | xargs grep -l "pdfkit\|PDFDocument" | head -20

Repository: deepnote/vscode-deepnote

Length of output: 194

---

🏁 Script executed:

# Check actual pdfkit usage in the code
cat src/webviews/extension-side/plotting/plotViewer.node.ts

Repository: deepnote/vscode-deepnote

Length of output: 3983

---

🏁 Script executed:

# Check the webpack pdfkit config
cat build/webpack/pdfkit.js

Repository: deepnote/vscode-deepnote

Length of output: 566

---

🏁 Script executed:

# Check if there are any write() method calls that were removed in v0.15
rg "\.write\(" --type ts --type js | head -20

Repository: deepnote/vscode-deepnote

Length of output: 50382

---

🏁 Script executed:

# Check actual pdfkit imports and usage more carefully
rg "from\s+['\"]pdfkit" --type ts --type js
rg "require\(['\"]pdfkit" --type ts --type js
rg "import.*pdfkit" --type ts --type js

Repository: deepnote/vscode-deepnote

Length of output: 342

---

🏁 Script executed:

# Check if there's any TypeScript compilation that would fail with mismatched types
fd package.json | xargs grep -l "typescript"

Repository: deepnote/vscode-deepnote

Length of output: 123

---

🏁 Script executed:

# Check the actual Node.js version requirement in engines
cat package.json | grep -A 3 '"engines"'

Repository: deepnote/vscode-deepnote

Length of output: 150

---

🏁 Script executed:

# Search for actual pdfkit method calls to see if any removed APIs are used
rg "PDFDocument|pdfkit\." --type ts -A 2 -B 2 | head -50

Repository: deepnote/vscode-deepnote

Length of output: 1099

---

Update @types/pdfkit to match runtime version.

The runtime update to pdfkit ^0.17.0 creates a 6-minor-version gap with @types/pdfkit@^0.11.0 (line 2610). Update types to ^0.17.0 to maintain type coverage for new features. Also add "node": ">=18.0.0" to engines since pdfkit v0.15 dropped Node.js < 18 support.

🤖 Prompt for AI Agents

In package.json around lines 2541 (pdfkit) and 2610 (@types/pdfkit), the runtime
was updated to pdfkit ^0.17.0 but @types/pdfkit remains ^0.11.0; update the
@types/pdfkit entry to ^0.17.0 to match the runtime and restore accurate typing,
and add an "engines" entry requiring "node": ">=18.0.0" (or update the existing
engines field) to reflect pdfkit v0.15+ Node.js requirements; after editing,
regenerate the lockfile (yarn/npm) if applicable.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (^0.17.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.