pdfjs-dist
Generic build of Mozilla's PDF.js library.
- Versions: 26
- License: Apache-2.0
- Install Scripts: No
- Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers
yurydelendik, pdfjsbot, brendandahl, calixteman, pdfjs-release-automation
Keywords
Mozilla, pdf, pdf.js
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:wasm/jbig2_nowasm_fallback.js | AI (source-diff): Emscripten-generated WASM fallback; expected pattern for this package. | ai | |
| source-diff | encoded-string-file:wasm/openjpeg_nowasm_fallback.js | AI (source-diff): Emscripten-generated WASM fallback with base64 binary data; stable pattern. | ai | |
| dependencies | unvetted-dep:canvas | AI (dependencies): Optional dependency for Node.js PDF rendering; legitimate native binding with appropriate version constraint. | ai | |
| dependencies | unvetted-dep:path2d | AI (dependencies): Optional dependency for PDF path rendering; legitimate native binding with appropriate version constraint. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): calixteman and pdfjs-release-automation are legitimate Mozilla PDF.js project maintainers. The transition to GitHub Actions publishing with SLSA attestation confirms legitimacy. | ai | |
| source-diff | encoded-string-file:build/pdf.min.mjs | AI (source-diff): build/pdf.min.mjs is a standard minified bundle for Mozilla's PDF.js library. Long strings are minified JS constants/data, not obfuscated payloads. Stable for this package. | ai | |
| provenance | publisher-changed | AI (provenance): pdfjs-dist transitioned from pdfjsbot to GitHub Actions CI/CD with SLSA provenance attestation — a legitimate and security-improving change for Mozilla's PDF.js project. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Pattern occurs in minified build output from official Mozilla build pipeline; expected for distribution packages and not a security concern. | ai | |
| source-diff | encoded-string-file:legacy/build/pdf.min.mjs | AI (source-diff): legacy/build/pdf.min.mjs is a standard minified legacy bundle for Mozilla's PDF.js library. Long strings are minified JS, not obfuscated payloads. Stable for this package. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 6.0.227 | 0 / 0 | |
| 5.7.284 | 0 / 0 | |
| 5.6.205 | 0 / 0 | |
| 5.5.207 | 0 / 0 | |
| 5.4.624 | 0 / 0 | |
| 5.4.530 | 0 / 0 | |
| 5.4.449 | 0 / 0 | |
| 5.4.394 | 0 / 0 | |
| 5.4.296 | 0 / 0 | |
| 5.4.149 | 0 / 0 | |
| 5.4.54 | 0 / 0 | |
| 5.3.93 | 0 / 0 | |
| 5.3.31 | 0 / 0 | |
| 5.2.133 | 0 / 0 | |
| 5.1.91 | 0 / 0 | |
| 5.0.375 | 0 / 0 | |
| 4.10.38 | 0 / 0 | |
| 4.9.155 | 0 / 0 | |
| 4.9.124 | 0 / 0 | |
| 4.8.69 | 0 / 0 | |
| 4.7.76 | 0 / 0 | |
| 4.6.82 | 0 / 0 | |
| 4.5.136 | 0 / 0 | |
| 4.4.168 | 0 / 0 | |
| 4.3.136 | 2 / 0 | |
| 4.2.67 | 2 / 0 | |
v6.0.227
1 finding
- INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.7.284
3 findings
- HIGH (source-diff): New obfuscated file: wasm/jbig2_nowasm_fallback.js. Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- HIGH (source-diff): Long encoded string in modified file: wasm/openjpeg_nowasm_fallback.js. Modified file contains 4 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
- INFO (provenance): Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.