Bump itext7 from 9.6.0 to 9.7.0#57
Open
dependabot[bot] wants to merge 1 commit into
Open
Conversation
--- updated-dependencies: - dependency-name: itext7 dependency-version: 9.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated itext7 from 9.6.0 to 9.7.0.
Release notes
Sourced from itext7's releases.
9.7.0
iText Core/Community 9.7.0
Our third iText Core release of 2026 brings some significant new capabilities. We've added support for the WebP image format, introduced dynamic page margins and footnotes to the layout module, and strengthened decompression bomb protection. We've also improved append mode reliability and updated several security-related dependencies.
WebP Image Format Support
iText now natively supports the WebP image format, developed by Google to provide superior lossless and lossy compression for web images. This new capability allows you to integrate high-quality, highly compressed modern web images directly into your PDF workflows, significantly reducing file sizes without sacrificing visual fidelity.
Our implementation uses SkiaSharp for WebP decoding on .NET and is delivered as a separate, optional module:
webp-image-support. When the module is referenced in your .NET project, iText Core automatically detects and processes WebP images without requiring any additional configuration.Capabilities
Notes/Limitations
Dynamic Margins & Footnotes
We have completely overhauled the way iText handles complex document layouts. This not only allows developers to adjust page margins on the fly, but also includes footnote support with automatic numbering, customizable footnote containers, and intelligent layout logic that ensures footnote anchors and text remain perfectly positioned.
To achieve this, we have introduced a powerful new framework for managing complex document layouts. This overhaul allows developers to adjust page margins on the fly using the new SectionBreak element.
Additionally, we’ve launched comprehensive footnote support, enabling automatic numbering, customizable footnote containers, and intelligent layout logic that ensures footnote anchors and text remain perfectly positioned.
Signatures and Validation
We’ve resolved critical issues related to Append Mode, ensuring that incremental updates to PDF documents are more reliable. This includes better tracking of modified objects and fixing stream inconsistencies, allowing for a more robust document history and preservation of digital signatures.
Page rotation handling for signature layers is also improved, and we fixed some edge-case crashes during form flattening.
To ensure uninterrupted support for digital signature validation, we have released a new version of our EU Trusted Lists resources. This update incorporates the recently updated European Journal sources, maintaining compliance with the latest eIDAS standards.
Security and Stability
iText’s protection against "decompression bombs" inside PDF streams has been enhanced, particularly for single /FlateDecode streams and image-based decompression bombs. The change applies a 100× growth factor limit to all streams by default. Note that the existing API to override protection remains in place, in cases where edge cases may trigger false positives. However, this should be extremely unlikely for real-world uses cases.
Additionally, we have implemented a high-level safety mechanism to detect and terminate infinite layout loops.
Pull Requests
For this release we've incorporated two pull requests. The first is from iText alumni Dmitry Radchuk to add support for the :is() and :where() selectors for the styled-xml-parser module utilized by the pdfHTML add-on. Therefore, full details can be found in the pdfHTML 6.3.3 release notes.
The other pull request comes from Netliomax25 who proposed a way to increase security in iText’s PDF/UA accessibility checks, specifically for rich text inside annotations. The fix swaps in a hardened XML parser to block potential XML External Entity injection attacks.
... (truncated)
Commits viewable in compare view.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)