# Description of Changes
This PR mitigates **CVE-2025-8869** (GHSA-4xh5-x5gv-qwph), a
high-severity vulnerability in `pip` ≤ 25.2 that allows arbitrary file
overwrite via unsafe tar extraction in sdist fallback handling.
**What was changed:**
- Added environment variables to all GitHub Actions (`pre_commit.yml`,
`sync_files.yml`) to **enforce binary-only installs**:
- `PIP_ONLY_BINARY=":all:"`
- `PIP_DISABLE_PIP_VERSION_CHECK="1"`
- Updated multiple `.github/scripts/*.txt` requirements to use Python
3.12 as the generation base.
- Upgraded pinned dependencies to latest secure versions:
- `filelock 3.19.1`, `identify 2.6.15`, `platformdirs 4.4.0`, `pyyaml
6.0.3`, `behave 1.3.3`, `pypdf 6.1.1`, `reportlab 4.4.4`, `requests
2.32.5`
- Adjusted file path formatting (`\` → `/`) for consistent
cross-platform compatibility.
**Why the change was made:**
To prevent exploitation of the tar extraction vulnerability in
vulnerable pip versions when installing from source distributions during
CI runs.
---
## Checklist
### General
- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings
### Documentation
- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)
### UI Changes (if applicable)
- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)
### Testing (if applicable)
- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
# Description of Changes
This pull request adds support for converting CBR (Comic Book RAR) files
to PDF, optimizes CBZ/CBR-to-PDF conversion for e-readers using
Ghostscript, and improves file type detection and image file handling.
It introduces the `CbrUtils` and `PdfToCbrUtils` utility classes,
refactors CBZ conversion logic, and integrates these features into the
API controller. The most important changes are grouped below.
### CBR Support and Conversion:
- Added the `com.github.junrar:junrar` dependency to support RAR/CBR
archive extraction in `build.gradle`. (https://github.com/junrar/junrar
and https://github.com/junrar/junrar?tab=License-1-ov-file#readme for
repo and license)
- Introduced the new utility class `CbrUtils` for converting CBR files
to PDF, including image extraction, sorting, and error handling.
- Added the `PdfToCbrUtils` utility class to convert PDF files into CBR
archives by rendering each page as an image and packaging them.
### CBZ/CBR Conversion Optimization:
- Refactored `CbzUtils.convertCbzToPdf` to support optional Ghostscript
optimization for e-reader compatibility and added a new method for this.
- Added `GeneralUtils.optimizePdfWithGhostscript`, which uses
Ghostscript to optimize PDFs for e-readers, and integrated error
handling.
### API Controller Integration:
- Updated `ConvertImgPDFController` to support CBR conversion, CBZ/CBR
optimization toggling, and Ghostscript availability checks.
### Endpoints
<img width="1298" height="522" alt="image"
src="https://github.com/user-attachments/assets/144d3e03-a637-451a-9c35-f784b2a66dc1"
/>
<img width="1279" height="472" alt="image"
src="https://github.com/user-attachments/assets/879f221d-b775-4224-8edb-a23dbea6a0ca"
/>
### UI
<img width="384" height="105" alt="image"
src="https://github.com/user-attachments/assets/5f861943-0706-4fad-8775-c40a9c1f3170"
/>
### File Type and Image Detection Improvements:
- Improved file extension detection for comic book files and image files
in `CbzUtils` and added a shared regex pattern utility for image files.
### Additional notes:
- Please keep in mind new the dependency, this is not dependency-free
implementation (as opposed to CBZ converter)
- RAR 5 currently not supported. (because JUNRAR does not support it)
- Added the new ebook optimization func to GeneralUtils since we'll soon
(hopefully) at least 3 book/ebook formats (EPUB, CBZ, CBR) all of which
can use it.
- Once again this has been thoroughly tested but can't share actual
"real life" file due to copyright.
Closes: #775
<!--
Please provide a summary of the changes, including:
- What was changed
- Why the change was made
- Any challenges encountered
Closes #(issue_number)
-->
---
## Checklist
### General
- [x] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [x] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [x] I have performed a self-review of my own code
- [x] My changes generate no new warnings
### Documentation
- [x] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)
### UI Changes (if applicable)
- [x] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)
### Testing (if applicable)
- [x] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
---------
Signed-off-by: Balázs Szücs <bszucs1209@gmail.com>
# Description of Changes
Explanation on try-with-resource:
> Many resources in Java need be closed after they have been used. If
they are not, the garbage collector cannot reclaim the resources'
memory, and they are still considered to be in use by the operating
system. Such resources are considered to be leaked, which can lead to
performance issues.
>
> Java 7 introduced the try-with-resources statement, which guarantees
that the resource in question will be closed.
>
> try (InputStream input = Files.newInputStream(path)) {
> // "input" will be closed after the execution of this block
> }
>
> This syntax is safer than the traditional method using try, catch, and
finally and hence should be preferred.
https://rules.sonarsource.com/java/tag/java8/RSPEC-2093/
<!--
Please provide a summary of the changes, including:
- What was changed
- Why the change was made
- Any challenges encountered
Closes #(issue_number)
-->
---
## Checklist
### General
- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings
### Documentation
- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)
### UI Changes (if applicable)
- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)
### Testing (if applicable)
- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
---------
Signed-off-by: Balázs Szücs <bszucs1209@gmail.com>
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps
[org.eclipse.angus:angus-mail](https://github.com/eclipse-ee4j/angus-mail)
from 2.0.4 to 2.0.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a7a4a37844"><code>a7a4a37</code></a>
Prepare release org.eclipse.angus:all:2.0.5</li>
<li><a
href="a7d6745aaa"><code>a7d6745</code></a>
activation api 2.1.4, mail api 2.1.5, angus activation 2.0.3</li>
<li><a
href="c93dde0d24"><code>c93dde0</code></a>
Merge pull request <a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/182">#182</a>
from eclipse-ee4j/2.0.4-RELEASE</li>
<li><a
href="ddcc8e3519"><code>ddcc8e3</code></a>
From-Address not parsed correctly <a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/161">#161</a>
(<a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/174">#174</a>)</li>
<li><a
href="c4e72d2a91"><code>c4e72d2</code></a>
Update github action versions</li>
<li><a
href="f1606338a4"><code>f160633</code></a>
OAuth2.md: POP3 works with O365 with towlines</li>
<li><a
href="acbb015dfb"><code>acbb015</code></a>
Update changes files, it was wrong (<a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/177">#177</a>)</li>
<li><a
href="b96c2c32a4"><code>b96c2c3</code></a>
Rename resource files so JakartaMail and JavaMail can co-exist (<a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/171">#171</a>)</li>
<li><a
href="8d4a8ce3d5"><code>8d4a8ce</code></a>
Update CHANGES.txt</li>
<li><a
href="dbd22ec2c2"><code>dbd22ec</code></a>
Remove this-escape compiler warnings <a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/141">#141</a>
(<a
href="https://redirect.github.com/eclipse-ee4j/angus-mail/issues/142">#142</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/eclipse-ee4j/angus-mail/compare/2.0.4...2.0.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps io.swagger.core.v3:swagger-core-jakarta from 2.2.36 to 2.2.38.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[jakarta.mail:jakarta.mail-api](https://github.com/jakartaee/mail-api)
from 2.1.4 to 2.1.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e1873219fe"><code>e187321</code></a>
Prepare release jakarta.mail:jakarta.mail-api:2.1.5</li>
<li><a
href="ef7483e4b3"><code>ef7483e</code></a>
Revert "Multipart performs blocking call in every instantiation <a
href="https://redirect.github.com/jakartaee/mail-api/issues/699">#699</a>
(<a
href="https://redirect.github.com/jakartaee/mail-api/issues/716">#716</a>)"</li>
<li><a
href="abe990f2d4"><code>abe990f</code></a>
Reviews changes</li>
<li><a
href="a10a1733c9"><code>a10a173</code></a>
Improve MimeMessage UTF8 handling</li>
<li><a
href="7a53112b91"><code>7a53112</code></a>
Improve MimeMessage UTF8 handling</li>
<li><a
href="17365200c0"><code>1736520</code></a>
Drop references to the Reference implementation</li>
<li><a
href="f2e6da34c3"><code>f2e6da3</code></a>
Bump nokogiri from 1.16.5 to 1.18.9 in /www</li>
<li><a
href="5488a7ce64"><code>5488a7c</code></a>
<a
href="https://redirect.github.com/jakartaee/mail-api/issues/708">#708</a>
Add missing javadoc for supporting ServiceLoader mechanism (<a
href="https://redirect.github.com/jakartaee/mail-api/issues/726">#726</a>)</li>
<li><a
href="ccbe84bdb5"><code>ccbe84b</code></a>
Bump webrick from 1.8.1 to 1.8.2 in /www</li>
<li><a
href="34f8e9b161"><code>34f8e9b</code></a>
ISSUE-721 - add full Markdown for URLs since Jekyll action doesn't
autolink t...</li>
<li>Additional commits viewable in <a
href="https://github.com/jakartaee/mail-api/compare/2.1.4...2.1.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
### Description of Changes
This Pull Request was automatically generated to synchronize updates to
translation files and documentation. Below are the details of the
changes made:
#### **1. Synchronization of Translation Files**
- Updated translation files (`messages_*.properties`) to reflect changes
in the reference file `messages_en_GB.properties`.
- Ensured consistency and synchronization across all supported language
files.
- Highlighted any missing or incomplete translations.
#### **2. Update README.md**
- Generated the translation progress table in `README.md`.
- Added a summary of the current translation status for all supported
languages.
- Included up-to-date statistics on translation coverage.
#### **Why these changes are necessary**
- Keeps translation files aligned with the latest reference updates.
- Ensures the documentation reflects the current translation progress.
---
Auto-generated by [create-pull-request][1].
[1]: https://github.com/peter-evans/create-pull-request
---------
Co-authored-by: stirlingbot[bot] <195170888+stirlingbot[bot]@users.noreply.github.com>
