pdfmake
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:svg-to-pdfkit | AI (npm-metadata): Long-standing SHA-pinned devDependency for vendored fork; not a runtime risk. | ai | |
| source-diff | encoded-string-file:build/pdfmake.js | AI (source-diff): Webpack bundle embeds base64 font/Unicode data; expected for a PDF library. | ai | |
| source-diff | encoded-string-file:build/pdfmake.min.js | AI (source-diff): Minified build bundle with same embedded font data; stable false positive. | ai | |
| dependencies | unvetted-dep:@foliojs-fork/linebreak | AI (dependencies): @foliojs-fork/linebreak is a known Folio.js fork used by pdfmake for line-breaking logic; stable, legitimate dependency. | ai | |
| dependencies | unvetted-dep:@foliojs-fork/pdfkit | AI (dependencies): @foliojs-fork/pdfkit is pdfmake's long-standing PDF rendering engine dependency; a known, legitimate fork used across versions. | ai | |
| email-domain | unclaimed-email:yandex.ua | AI (email-domain): Historical maintainer email on defunct yandex.ua domain; package published via GitHub Actions with SLSA provenance, not via this maintainer's npm credentials. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of data-URI embedded images is core PDF generation functionality for pdfmake; not a malicious payload. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 0.3.9 | 3 / 31 | |
| 0.3.8 | 3 / 31 | |
| 0.3.7 | 3 / 31 | |
| 0.3.6 | 3 / 31 | |
| 0.2.23 | 4 / 31 | |
| 0.2.22 | 4 / 31 | |
| 0.2.21 | 4 / 31 | |
| 0.2.20 | 4 / 31 | |
| 0.2.19 | 4 / 31 | |
v0.3.9
2 findings
Dependency 'svg-to-pdfkit' in `devDependencies` points to 'github:alafr/SVG-to-PDFKit#b091ebd4e7b7d2310eb1003511cd5de480f7e0e1' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.8
3 findings
Modified file contains 8 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 8 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.7
2 findings
Maintainer email '[email protected]' uses domain 'yandex.ua' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.3.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.2.23
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.22
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.21
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.20
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.19
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.