pdf-parse @1.1.2
Pure TypeScript, cross-platform module for extracting text, images, and tabular data from PDFs. Run directly in your browser or in Node!
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| node-ensure | ^0.0.0 | auto_approved |
Dev Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| mocha | ^11.7.4 | auto_approved |
Changes from v2.4.5
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | node-ensure | ^0.0.0 |
| removed | pdfjs-dist | 5.4.296 |
| removed | @napi-rs/canvas | 0.1.80 |
Script Changes
+ pub
- lint
- pack
- bench
- build
- clean
- format
- report
- test:e
- test:i
- test:p
- test:u
- prepare
- test:ui
- build:ts
- coverage
- test:all
- build:cjs
- build:web
- build:node
- clean:test
- format:all
- test:watch
- clean:build
- build:worker
- clean:report
- clean:test:i
- format:check
- report:build
- bench:install
- build:node:ts
- typedoc:build
- build:node:bundle
License Changed
Apache-2.0 → MIT
File Changes
Risk Dispositions (2 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| regressed-provenance | provenance | reject | AI | AI (provenance): Provenance regression is a strong account-compromise signal for this package; should be enforced on all future versions until CI/CD publishing is restored. |
| unvetted-dep:node-ensure | dependencies | reject | AI | AI (dependencies): node-ensure is not a legitimate replacement for pdfjs-dist; its addition as the sole runtime dep in this version is suspicious and unexplained. |
SAST Findings (13)
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Review Summary
Risk score: 100 (capped from 355). Findings: 13 high (+325), 3 medium (+30).
Commit: 0212ed0dd322
Published to npm: