@embedpdf/snippet
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/worker-engine-Bavu2VBD.js | AI (source-diff): WebWorker postMessage + WASM init pattern; not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/direct-engine-B8Y1coUd.js | AI (source-diff): Network calls are WASM binary fetches; dynamic execution is WASM instantiation — standard pattern for pdfium WASM engine. | ai | |
| source-diff | obfuscated-file:dist/embedpdf-DM0Wgh5n.js | AI (source-diff): Standard Rollup minified bundle for a PDF viewer library; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/browser-BKLM0ThC-BV1_qgB9.js | AI (source-diff): Standard Rollup minified bundle; content is legitimate task-queue/PDF viewer code. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-B8Y1coUd.js | AI (source-diff): Minified WASM engine bundle with EPDF API symbols; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/worker-engine-Bavu2VBD.js | AI (source-diff): Minified WebWorker bundle for PDF rendering; expected build artifact. | ai | |
| source-diff | net-exec-file:dist/worker-engine-7ImTik9Y.js | AI (source-diff): Worker postMessage + WASM URL fetch is the documented worker-engine pattern for this PDF SDK. | ai | |
| source-diff | obfuscated-file:dist/browser-BKLM0ThC-DR-w7ZZG.js | AI (source-diff): Standard Rollup minified output for a PDF viewer SDK; content is readable PDF/UI logic. | ai | |
| source-diff | obfuscated-file:dist/direct-engine-B_w0Ka7Y.js | AI (source-diff): Minified WASM engine bundle with visible EPDF API symbols; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/embedpdf-Ds41aXHo.js | AI (source-diff): Minified shared library bundle; content shows standard JS utility helpers, not malware. | ai | |
| source-diff | obfuscated-file:dist/worker-engine-7ImTik9Y.js | AI (source-diff): Minified Web Worker engine; content shows RemoteExecutor/WASM init pattern, expected for PDF SDK. | ai | |
| source-diff | net-exec-file:dist/direct-engine-B_w0Ka7Y.js | AI (source-diff): Network calls are WASM binary fetches; dynamic execution is WASM instantiation — standard PDF engine pattern. | ai | |
| phantom-deps | phantom-dep:tailwind-merge | AI (phantom-deps): Bundled snippet package; tailwind-merge is likely inlined at build time rather than directly imported. | ai | |
| phantom-deps | phantom-dep:@embedpdf/pdfium | AI (phantom-deps): Same-org dependency; likely used transitively or referenced indirectly in the bundle. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.14.3 | 34 / 30 | |
| 2.14.2 | 34 / 30 | |
| 2.14.1 | 34 / 30 | |
| 2.14.0 | 34 / 30 | |
| 2.13.0 | 34 / 30 | |
v2.14.3
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.2
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.14.1
7 findings
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.14.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.13.0
1 finding
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.