v1.0.0 — Initial Release
v1.0.0 — Initial Release
pdfnative — Pure native PDF generation. Zero vendor dependencies. ISO 32000-1 (PDF 1.7) compliant.
This is the first stable release of pdfnative, extracted from plika.app where it has
been powering production multi-language PDF generation across 16 Unicode scripts.
Install
npm install pdfnativeSigned provenance — this release is published via GitHub Actions OIDC with
npm --provenance.
Build attestation is verifiable at npmjs.com/package/pdfnative.
What's in this release
Zero-dependency PDF engine
Built from scratch in pure TypeScript — no PDFKit, no Puppeteer, no native binaries, no runtime
dependencies. Works in Node.js ≥ 22, browsers, Deno, Bun, and Web Workers out of the box.
Dual ESM + CJS build, tree-shakeable with sideEffects: false.
16 Unicode scripts with OpenType shaping
Full glyph shaping pipelines for Thai (GSUB + GPOS mark-to-base/mark-to-mark), Arabic
(positional GSUB: isol/init/medi/fina + lam-alef), Devanagari, Bengali, Tamil, and Unicode BiDi
(UAX #9) layout including bracket pairing and punctuation affinity.
Supported scripts: Thai, Japanese, Chinese (SC), Korean, Greek, Devanagari, Turkish, Vietnamese,
Polish, Arabic, Hebrew, Cyrillic, Georgian, Armenian, Bengali, Tamil.
Tagged PDF / PDF/A compliance
| Conformance level | Standard |
|---|---|
| Tagged PDF / PDF/UA | ISO 14289-1 |
| PDF/A-1b | ISO 19005-1 |
| PDF/A-2b (default) | ISO 19005-2 |
| PDF/A-2u | ISO 19005-2 |
| PDF/A-3b + embedded files | ISO 19005-3 |
Full structure tree (/Document → /Table → /TR → /TH|/TD, /H1–H3, /P, /L, /Figure,
/Link, /TOC → /TOCI), /ActualText on every marked content sequence, XMP metadata, sRGB ICC
OutputIntent.
Encryption, Signatures & Forms
- AES-128 / AES-256 (V4/R4, V5/R6) with owner + user passwords and granular permission
bitmask - CMS/PKCS#7 digital signatures (ISO 32000-1 §12.8) — RSA PKCS#1 v1.5 and ECDSA P-256 with
X.509 DER parsing; all crypto is zero-dependency pure TypeScript - AcroForm interactive fields — text, multiline, checkbox, radio, dropdown, listbox with full
/APappearance streams (ISO 32000-1 §12.7)
Document builder
12 block types for free-form document composition:
HeadingBlock, ParagraphBlock, ListBlock, TableBlock, ImageBlock, LinkBlock,
SpacerBlock, PageBreakBlock, TocBlock, BarcodeBlock, SvgBlock, FormFieldBlock.
Header/footer templates with {page} / {pages} / {date} / {title} placeholders, text and
image watermarks with transparency, table of contents with dot leaders and internal /GoTo links.
Barcodes, SVG & Streaming
Five barcode formats as pure PDF path operators (zero image dependency): Code 128, EAN-13, QR Code
(ISO 18004), Data Matrix ECC 200, PDF417. SVG element rendering (7 types). AsyncGenerator
streaming output with configurable chunk size.
PDF Parser & Modifier
Read and incrementally modify existing PDFs — tokenizer, xref table/stream parser, FlateDecode
inflate, object parser with discriminated union type guards, PdfReader, and PdfModifier with
non-destructive incremental /Prev chain.
Security
Three CWE mitigations are included and exposed as public API:
| Mitigation | API | Default |
|---|---|---|
| CWE-674 — parser recursion | MAX_PARSE_DEPTH |
1000 levels |
| CWE-400 — zip-bomb / inflate | setMaxInflateOutputSize() / DEFAULT_MAX_INFLATE_OUTPUT |
100 MB |
| CWE-400 — xref chain DoS | MAX_XREF_CHAIN |
100 hops + cycle detection |
URL validation blocks javascript:, file:, and data: schemes as well as control characters
(U+0000–U+001F, U+007F–U+009F) in link annotations. Color values are validated and sanitized
before interpolation into PDF content streams.
Quality metrics
| Metric | Value |
|---|---|
| Tests | 1588+ across 40 files |
| Statement coverage | 95%+ |
| Fuzz / edge-case scenarios | 48 |
| Runtime dependencies | 0 |
| Node.js requirement | ≥ 22 |
| CI matrix | Node 22 + 24 |
| Provenance | Signed via GitHub Actions OIDC |
| Supply-chain | OpenSSF Scorecard monitored |
Breaking changes
None — this is the initial stable release.
Full changelog
See CHANGELOG.md for the
complete list of added features, fixes, and security hardening details.
Links
- Website & live demos — pdfnative.dev
- npm — npmjs.com/package/pdfnative
- API reference — README.md
- Security policy — SECURITY.md
- Changelog — CHANGELOG.md