chore(deps): update dependency pypdf to v6 #13

Open
mend-for-github-com[bot] wants to merge 1 commit into main from whitesource-remediate/pypdf-6.x

mend-for-github-com bot commented Oct 26, 2025

This PR contains the following updates:

Package | Update | Change
pypdf (changelog) | major | ==5.5.0 -> ==6.10.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity | CVSS Score | Vulnerability | Reachability
High | 7.5 | CVE-2025-55197 |
High | 7.5 | CVE-2025-62707 |
High | 7.5 | CVE-2025-62708 |
High | 7.5 | CVE-2025-66019 |
High | 7.5 | CVE-2026-27888 |
High | 7.5 | CVE-2026-33699 |
Medium | 6.2 | CVE-2026-27024 |
Medium | 6.2 | CVE-2026-27025 |
Medium | 6.2 | CVE-2026-27026 |
Medium | 5.5 | CVE-2026-31826 |
Medium | 5.3 | CVE-2026-22690 |
Medium | 5.3 | CVE-2026-22691 |
Medium | 5.3 | CVE-2026-28351 |
Medium | 5.3 | CVE-2026-28804 |
Medium | 5.3 | CVE-2026-40260 |
Medium | 4.3 | CVE-2026-27628 |
Medium | 4.0 | CVE-2026-33123 |

Release Notes

py-pdf/pypdf (pypdf)

v6.10.0

Security (SEC)
  • Limit the allowed size of xref and object streams (#​3733)
Robustness (ROB)
  • Consider strict mode setting for decryption errors (#​3731)
Documentation (DOC)
  • Use new parameter names for compress_identical_objects

v6.9.2

Security (SEC)
  • Disallow custom XML entity declarations for XMP metadata (#​3724)
New Features (ENH)
  • Skip MD5 key derivation for AES-256 encrypted PDFs (#​3694)
Bug Fixes (BUG)
  • Use remove_orphans in compress_identical_objects (#​3310)
  • Fix PdfReadError when xref table contains comments before trailer (#​3710)
  • Correctly verify AES padding during decryption (#​3699)
  • Fix stale object cache from non-authoritative object streams (#​3698)
  • Fix extract_links pairing when annotations include non-links (#​3687)
Documentation (DOC)

v6.9.1

Security (SEC)
  • Avoid infinite loop in read_from_stream for broken files (#​3693)
Robustness (ROB)
  • Resolve UnboundLocalError for xobjs in _get_image (#​3684)

v6.9.0

Security (SEC)
  • Improve performance and limit length of array-based content streams (#​3686)

v6.8.0

New Features (ENH)
  • Expose /Perms verification result on Encryption object (#​3672)
Performance Improvements (PI)
  • Fix O(n²) performance in NameObject read/write (#​3679)
  • Batch-parse all objects in ObjStm on first access (#​3677)
Bug Fixes (BUG)
  • Avoid sharing array-based content streams between pages (#​3681)
  • Avoid accessing invalid page when inserting blank page under some conditions (#​3529)

v6.7.5

Security (SEC)
  • Limit allowed /Length value of stream (#​3675)
New Features (ENH)
  • Add /IRT (in-reply-to) support for markup annotations (#​3631)
Documentation (DOC)
  • Avoid using PageObject.replace_contents on PdfReader (#​3669)
  • Document how to disable jbig2dec calls

v6.7.4

Security (SEC)
  • Improve the performance of the ASCIIHexDecode filter (#​3666)

v6.7.3

Security (SEC)
  • Allow limiting output length for RunLengthDecode filter (#​3664)
Robustness (ROB)
  • Deal with invalid annotations in extract_links (#​3659)

v6.7.2

Security (SEC)
  • Use zlib decompression limit when retrieving XFA data (#​3658)

v6.7.1

Security (SEC)
  • Prevent infinite loop from circular xref /Prev references (#​3655)
Bug Fixes (BUG)
  • Fix wrong LUT size error (#​3651)
  • Fix handling of page boxes defined on /Pages (#​3650)

v6.7.0

Security (SEC)
  • Detect cyclic references when accessing TreeObject.children (#​3645)
  • Limit size of /ToUnicode entries (#​3646)
  • Limit FlateDecode recovery attempts (#​3644)
Bug Fixes (BUG)
  • Avoid own object replacement logic in PageObject.replace_contents (#​3638)
  • Fix UnboundLocalError when update_page_form_field_values with /Sig (#​3634)
Robustness (ROB)
  • Avoid division by zero when decoding FlateDecode PNG prediction (#3641)

v6.6.2

Deprecations (DEP)
  • Deprecate support for abbreviations in decode_stream_data (#​3617)
New Features (ENH)
  • Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#​3624)
Bug Fixes (BUG)
  • Avoid invalid load for ICCBased FlateDecode images in mode 1 (#​3619)
Robustness (ROB)
  • Fix AESV2 decryption when /Length missing in encrypt dict (#​3629)
  • Fix merging when annotations point to NullObject (#​3613)
  • Check for self._info being None in compress_identical_objects (#​3612)

v6.6.1

Security (SEC)
  • Detect cyclic references when retrieving outlines (#​3610)

v6.6.0

Robustness (ROB)
  • /AcroForm might be NullObject (#​3601)
  • Handle missing font bounding boxes gracefully (#​3600)

v6.5.0

Security (SEC)
  • Improve handling of partially broken PDF files (#​3594)
Deprecations (DEP)
  • Block common page content modifications when assigned to reader (#​3582)
New Features (ENH)
  • Embellishments to generated text appearance streams (#​3571)
Bug Fixes (BUG)
  • Do not consider multi-byte BOM-like sequences as BOMs (#​3589)
Robustness (ROB)
  • Avoid empty FlateDecode outputs without warning (#​3579)
Documentation (DOC)
  • Add outlines documentation and link it in User Guide (#​3511)
Developer Experience (DEV)
  • Add PyPy 3.11 to test matrix and benchmarks (#​3574)
Maintenance (MAINT)
  • Fix compatibility with Pillow >= 12.1.0 (#​3590)

v6.4.2

New Features (ENH)
  • Limit jbig2dec memory usage (#​3576)
  • FontDescriptor: Initiate from embedded font resource (#​3551)
Robustness (ROB)
  • Allow fallback to PBM files for jbig2dec without PNG support (#​3567)
  • Use warning instead of error for early EOD for RunLengthDecode (#​3548)
Developer Experience (DEV)

v6.4.1

Bug Fixes (BUG)
  • Fix KeyError when flattening form field without /Font in resources (#​3554)
Robustness (ROB)
  • Allow deleting non-existent annotations (#​3559)
Documentation (DOC)
  • Fix level of attachment heading (#​3560)

v6.4.0

Performance Improvements (PI)
  • Optimize loop for layout mode text extraction (#​3543)
Bug Fixes (BUG)
  • Do not fail on choice field without /Opt key (#​3540)
Documentation (DOC)
  • Document possible issues with merge_page and clipping (#​3546)
  • Add some notes about library security (#​3545)
Maintenance (MAINT)
  • Use CORE_FONT_METRICS for widths where possible (#​3526)

v6.3.0

Security (SEC)
  • Reduce default limit for LZW decoding
New Features (ENH)
  • Parse and format comb fields in text widget annotations (#​3519)
Robustness (ROB)
  • Silently ignore Adobe Ascii85 whitespace for suffix detection (#​3528)

v6.2.0

New Features (ENH)
  • Wrap and align text in flattened PDF forms (#​3465)
Bug Fixes (BUG)
  • Fix missing "PreventGC" when cloning (#​3520)
  • Preserve JPEG image quality by default (#​3516)

v6.1.3

New Features (ENH)
  • Add 'strict' parameter to PDFWriter (#​3503)
Bug Fixes (BUG)
  • PdfWriter.append fails when there are articles being None (#​3509)
Documentation (DOC)
  • Execute docs examples in CI (#​3507)

v6.1.2

Security (SEC)
  • Allow limiting size of LZWDecode streams (#​3502)
  • Avoid infinite loop when reading broken DCT-based inline images (#​3501)
Bug Fixes (BUG)
  • PageObject.scale() scales media box incorrectly (#​3489)
Robustness (ROB)
  • Fail with explicit exception when image mode is an empty array (#​3500)

v6.1.1

Bug Fixes (BUG)
  • Fix handling of zero-length StreamObject (#​3485)
Robustness (ROB)
  • Deal with wrong size for incremental PDF files (#​3495)
  • Improve handling for malformed cross-reference tables (#​3483)
Developer Experience (DEV)
  • Use released Python 3.14
  • Use Mapping instead of dict in type hint of update_page_form_field_values (#​3490)

v6.1.0

Bug Fixes (BUG)
  • Insert new embedded files in a sorted manner (#​3477)
  • Fix name tree handling for embedded files with Kids-based inputs (#​3475)
  • Make embedding files not break PDF/A-3 compliance (#​3472)
Documentation (DOC)
  • Document AFRelationship handling for PDF/A and provide constants (#​3478)

v6.0.0

New Features (ENH)
  • Enhance XMP metadata handling with creation and setter methods (#​3410)
  • Add all font metrics for base 14 Type 1 PDF fonts (#​3363)
  • Allow deleting embedded files (#​3461)
  • Add support for Python in FIPS mode for document identifier (#​3438)
Bug Fixes (BUG)
  • Fix handling of UTF-16 encoded destination titles (#​3463)
  • Guard empty input to prevent IndexError (#​3448)
Developer Experience (DEV)
  • Fix type hint for XMP metadata setter to add bytes type (#​3464)

v5.9.0

Security (SEC)
  • Limit decompressed size for FlateDecode filter (#​3430)
Deprecations (DEP)
New Features (ENH)
  • Move BlackIs1 functionality to tiff_header (#​3421)
Robustness (ROB)
  • Skip Go-To actions without a destination (#​3420)
Developer Experience (DEV)
  • Update code style related libraries (#​3414)
  • Update mypy to 1.17.0 (#​3413)
  • Stop testing on Python 3.8 and start testing on Python 3.14 (#​3411)
Maintenance (MAINT)

v5.8.0

New Features (ENH)
  • Automatically preserve links in added pages (#​3298)
  • Allow writing/updating all properties of an embedded file (#​3374)
Bug Fixes (BUG)
  • Fix XMP handling dropping indirect references (#​3392)
Robustness (ROB)
  • Deal with DecodeParms being empty list (#​3388)
Documentation (DOC)
  • Document how to read and modify XMP metadata (#​3383)

v5.7.0

New Features (ENH)
  • Implement flattening for writer (#​3312)
Bug Fixes (BUG)
  • Unterminated object when using PdfWriter with incremental=True (#​3345)
Robustness (ROB)
  • Resolve some image extraction edge cases (#​3371)
  • Ignore faulty trailing newline during RLE decoding (#​3355)
  • Gracefully handle odd-length strings in parse_bfchar (#​3348)
Developer Experience (DEV)
  • Modernize license specifiers (#​3338)
Maintenance (MAINT)
  • Reduce max-complexity of tool.ruff.lint.mccabe (#​3365)
  • Refactor text extraction code

v5.6.1

Performance Improvements (PI)
  • Performance optimization for LZW decoding (#​3329)
Robustness (ROB)
  • Flate decoding for streams with faulty tail bytes (#​3332)
  • dc_creator could be a Bag as well (#​3333)
  • Handle tree being NullObject when retrieving named destinations (#​3331)
Maintenance (MAINT)
  • Move inline-image mappings to constants (#​3328)

v5.6.0

New Features (ENH)
  • Add PDF/A XMP metadata support (#​3314)
Robustness (ROB)
  • Deal with annotations not being lists on merge (#​3321)
  • Handle NullObject for cmap encoding Differences entry (#​3317)
Developer Experience (DEV)


  • If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) Oct 26, 2025
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch from 04f7b50 to b7018c6 November 12, 2025 18:14
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch from b7018c6 to 2107a95 November 26, 2025 21:40
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch from 2107a95 to 66d74ea January 11, 2026 12:52
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch from 66d74ea to ff63ea4 February 19, 2026 08:24
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch 2 times, most recently from cb9a2e1 to a3c764c March 6, 2026 01:54
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch 2 times, most recently from a7e602c to 6f79ac1 March 27, 2026 06:42
mend-for-github-com bot force-pushed the whitesource-remediate/pypdf-6.x branch from 6f79ac1 to 9bbf321 April 14, 2026 00:16