@embedpdf/engines
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/direct-engine-B1NNoKt0.cjs | AI (source-diff): Minified Vite/Rollup bundle for PDFium engine; long lines are standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-DzwAVTnQ.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; content is readable PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-BaKyNZkO.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; readable logic, no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-DITdlET4.cjs | AI (source-diff): Vite-bundled minified output; code is readable PDF engine logic with no suspicious payloads. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-IJ8DmFTb.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; content is readable PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-CDxs18JK.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable PDF engine logic, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-BNQEVS9L.cjs | AI (source-diff): Vite/Rollup minified bundle with accompanying source map; code is readable PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-BoFryxxe.cjs | AI (source-diff): Same — standard minified build artifact with source map; content is task queue and PDF engine code. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-DDe3a0AP.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; code samples show legitimate PDF engine logic. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-BeHgaBOW.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; code is readable task-queue logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-C29Euebw.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; code is readable PDF engine logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-DeyImjZt.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; readable logic, no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-DQgFpJUz.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; readable logic, no obfuscation indicators. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-CCVjfywm.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable PDF engine logic, not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-DUjCt3HC.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; content is readable task queue and PDF engine logic. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-B4lt8-5f.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; source maps included, code is readable task queue logic. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-DnHo6z8a.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; source maps included, code is readable PDF engine logic. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-BHRO233d.cjs | AI (source-diff): Standard Vite-minified CJS bundle; readable shortened vars, no real obfuscation. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-DeiICuca.cjs | AI (source-diff): Standard Vite-minified CJS bundle; readable shortened vars, no real obfuscation. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-Dwkk7o9U.cjs | AI (source-diff): Standard Vite/Rollup minified bundle with accompanying source map; code content is legitimate PDF engine logic. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-Byh1BweU.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; source maps included, code is readable PDF engine logic. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-BXctylEz.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; source maps included, code is readable task queue logic. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-BmrecQLq.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable task-queue/PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-BtiOvMLP.cjs | AI (source-diff): Standard Vite/Rollup minified bundle output; code is readable PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/pdf-engine-DgNNP62W.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; content is readable task-queue/PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-CGBAQS04.cjs | AI (source-diff): Standard Vite/Rollup minified bundle; content is readable PDF engine logic, not obfuscated malware. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-BeZ18SKz.cjs | AI (source-diff): Minified Vite/Rollup bundle for PDF engine; sample confirms legitimate PDF rendering code, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-B7b7cTsH.cjs | AI (source-diff): Minified Vite/Rollup build output for a PDF engine; content is readable PDF/WASM logic, not obfuscation. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 2.14.3 | 9 / 6 | |
| 2.14.2 | 9 / 6 | |
| 2.14.1 | 9 / 6 | |
| 2.14.0 | 9 / 6 | |
| 2.13.0 | 9 / 6 | |
| 2.12.1 | 9 / 6 | |
| 2.12.0 | 9 / 6 | |
| 2.11.1 | 9 / 6 | |
| 2.11.0 | 9 / 6 | |
| 2.10.1 | 9 / 6 | |
| 2.10.0 | 9 / 6 | |
| 2.9.1 | 9 / 6 | |
| 2.9.0 | 9 / 6 | |
| 2.8.0 | 9 / 6 | |
| 2.7.0 | 9 / 6 | |
| 2.6.2 | 9 / 6 | |
| 2.6.1 | 9 / 6 | |
| 2.6.0 | 9 / 6 | |
| 2.5.0 | 9 / 6 | |
| 2.4.1 | 9 / 6 | |
| 2.4.0 | 9 / 6 | |
| 2.3.0 | 9 / 6 | |
| 2.2.0 | 9 / 6 | |
| 2.1.2 | 9 / 6 | |
| 2.1.1 | 9 / 6 | |
| 2.1.0 | 9 / 6 | |
| 2.0.2 | 2 / 6 | |
| 2.0.1 | 2 / 6 | |
| 2.0.0 | 2 / 6 | |
| 1.5.0 | 2 / 6 | |
v2.14.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.2
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.