Skip to content

v0.1.4

Choose a tag to compare

@CognitiveSand CognitiveSand released this 08 Jul 15:35

Security

  • Runtime dependency tree cut from ~110 packages to 11. Mermaid never executes in Node — md2pdf only inlines its prebuilt browser bundle into the generated HTML. The bundle now ships inside the package as a vendored, checksummed asset (mermaid@11.16.0, declared in artifacts.json), and the mermaid npm subtree (source of Socket.dev supply-chain alerts: obfuscated code, shell access, eval, 27 unmaintained packages) is no longer installed on user machines.
  • Transitive dompurify advisories (GHSA-vxr8-fq34-vvx9, GHSA-gvmj-g25r-r7wr, GHSA-cmwh-pvxp-8882) cleared; npm audit reports zero vulnerabilities.

Changed

  • Package renamed to the @cognitivesand scope: install with npm install --global @cognitivesand/md2pdf or run npx @cognitivesand/md2pdf notes.md. Works with Bun via bunx.
  • README restructured: quickstart first, project motivation and objectives, then usage and contribution details.
  • Real-browser Mermaid smoke test now compares against a text-only baseline instead of a Chromium-calibrated byte bound, so it passes on Firefox/cairo too.
  • Publishing is automated: GitHub releases publish to npm via trusted publishing (OIDC) with provenance.