| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |
If you discover a security vulnerability, please report it privately:
- Do not open a public GitHub issue
- Email the maintainer or use GitHub's private vulnerability reporting
- Include steps to reproduce the issue
You can expect a response within 7 days. If confirmed, a fix will be released as soon as possible.
Picoloom processes Markdown files and generates PDFs using headless Chrome.
- File path handling: Asset names are validated to prevent path traversal attacks.
- HTML/CSS injection: User-provided content is escaped in generated output.
- Dependencies: go-rod (browser automation), Goldmark (markdown parsing).
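The path-handling bullet above is the control most worth seeing in full, because a traversal check that only looks for a literal `../` is easy to get wrong. The following is an added example written for this page, not Picoloom's own code: `ResolveAsset`, its error value and the exact rejection rules are this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadAssetName is returned for any name that could escape the asset directory.
var ErrBadAssetName = errors.New("invalid asset name")

// ResolveAsset maps an asset name taken from a document onto a path inside
// assetDir, or returns ErrBadAssetName. The rules (this example's policy, not
// Picoloom's) are: no empty names or NUL bytes, no absolute paths or volume
// names, no ".." component on either separator, and a final lexical containment
// check with filepath.Rel after cleaning.
func ResolveAsset(assetDir, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrBadAssetName
	}
	// Treat backslash as a separator too, so `..\x` is caught on every OS.
	norm := strings.ReplaceAll(name, `\`, "/")
	if strings.HasPrefix(norm, "/") || filepath.IsAbs(norm) || filepath.VolumeName(norm) != "" {
		return "", ErrBadAssetName
	}
	for _, part := range strings.Split(norm, "/") {
		if part == ".." {
			return "", ErrBadAssetName
		}
	}
	base, err := filepath.Abs(assetDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, filepath.FromSlash(norm)) // Join also cleans the result
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadAssetName
	}
	return full, nil
}

func main() {
	// Constructed inputs: one legitimate name and a few traversal attempts.
	for _, name := range []string{"covers/logo.png", "../etc/passwd", `covers\..\..\x.png`, "/etc/passwd"} {
		p, err := ResolveAsset("assets", name)
		fmt.Printf("%-24q -> %q %v\n", name, p, err)
	}
}
```

The containment check is lexical: it says nothing about symlinks inside the asset directory. If that directory can contain links you do not control, run `filepath.EvalSymlinks` on the returned path and repeat the `filepath.Rel` check on the result before opening the file.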
The tool may make network requests in these cases:
- Cover logo: when `cover.logo` is a URL (e.g., `https://example.com/logo.png`)
- Markdown images: when image sources are URLs
- Chromium download: on first run, go-rod may download Chromium from Google's mirrors if a browser is not already present
The logo and image requests are issued by the headless Chrome browser, not by the Go code directly; the Chromium download is performed by go-rod's launcher. Because the browser fetches whatever the document references, converting Markdown you did not author means those URLs are requested from the converting machine with its network access.
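If you convert untrusted Markdown, a policy check on each URL before the renderer is allowed to load it is the practical safeguard. Below is an added example of such a check, not Picoloom code: the function name, the blocked ranges and the `localhost` rule are this example's choices, and it inspects literal addresses only, since resolving hostnames would need network access.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// AllowRemoteFetch decides whether the renderer may load a resource referenced
// from the document, returning the decision and a reason when denied. Policy
// (this example's, not Picoloom's): http/https only, no credentials in the URL,
// no "localhost", and no literal address in the loopback, link-local, private,
// multicast or unspecified ranges. Hostnames are not resolved, so this runs
// offline; a name that resolves to a blocked address must be re-checked after
// resolution by the caller.
func AllowRemoteFetch(raw string) (bool, string) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, "unparseable URL"
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return false, "scheme not allowed: " + u.Scheme
	}
	if u.User != nil {
		return false, "credentials in URL"
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return false, "empty host"
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return false, "local hostname"
	}
	if ip := net.ParseIP(host); ip != nil {
		switch {
		case ip.IsLoopback(), ip.IsLinkLocalUnicast(), ip.IsLinkLocalMulticast(),
			ip.IsPrivate(), ip.IsMulticast(), ip.IsUnspecified():
			return false, "address in blocked range: " + ip.String()
		}
	}
	return true, ""
}

func main() {
	// Constructed URLs: what a cover logo or Markdown image source might point at.
	for _, raw := range []string{
		"https://example.com/logo.png",
		"file:///etc/passwd",
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:9222/json",
		"http://[::1]/",
		"http://10.0.0.5/internal.png",
	} {
		ok, why := AllowRemoteFetch(raw)
		fmt.Printf("%-44s allow=%-5t %s\n", raw, ok, why)
	}
}
```

go-rod's request interception on a page (`HijackRequests`) is where a decision like this would be applied; check the handler signature against the go-rod version you use. Two caveats: a hostname that resolves to a blocked address passes a literal-only check, so resolve and re-check before fetching where that matters, and Chrome follows WHATWG URL parsing, which accepts IPv4 spellings (such as a single decimal number) that `net.ParseIP` does not, so canonicalize the host with the browser's rules rather than trusting the literal form alone.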
- Generates a local YAML config file only (default: `./picoloom.yaml`).
- Does not perform network requests.
- Uses destination lock files to avoid concurrent write corruption.
- Requires an explicit `--force` to overwrite and applies backup/rollback safeguards to recover interrupted writes.
- Respects normal OS file permissions and does not elevate privileges.
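The lock, `--force` and backup/rollback safeguards fit together as one write sequence. Below is an added example of that sequence in Go, written for this page rather than taken from Picoloom; the `.lock` and `.bak` suffixes, the temp-file pattern and the error text are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrExists is returned when the destination already exists and force is false.
var ErrExists = errors.New("destination exists; use --force to overwrite")

// WriteConfig writes data to dest with the safeguards listed above. The file
// names (.lock, .bak, temp pattern) and messages are this example's, not Picoloom's.
//  1. dest+".lock" is created with O_EXCL so a concurrent writer fails instead of racing;
//  2. an existing dest is refused unless force is true;
//  3. before overwriting, the old content is saved to dest+".bak";
//  4. the new content is written to a temp file beside dest and renamed over it;
//  5. on failure the old content is restored; the backup is removed either way.
func WriteConfig(dest string, data []byte, force bool) (err error) {
	lockPath := dest + ".lock"
	lock, err := os.OpenFile(lockPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600)
	if err != nil {
		return fmt.Errorf("another writer holds %s: %w", lockPath, err)
	}
	lock.Close()
	defer os.Remove(lockPath) // only registered once we own the lock

	old, readErr := os.ReadFile(dest)
	exists := readErr == nil
	if readErr != nil && !errors.Is(readErr, os.ErrNotExist) {
		return readErr
	}
	if exists && !force {
		return ErrExists
	}
	if exists {
		bakPath := dest + ".bak"
		if err = os.WriteFile(bakPath, old, 0o600); err != nil {
			return err
		}
		defer func() {
			if err != nil { // rollback: put the previous content back
				_ = os.WriteFile(dest, old, 0o600)
			}
			_ = os.Remove(bakPath)
		}()
	}

	tmp, err := os.CreateTemp(filepath.Dir(dest), ".config-*.tmp")
	if err != nil {
		return err
	}
	tmpPath := tmp.Name()
	defer os.Remove(tmpPath) // no-op after a successful rename
	if _, err = tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpPath, dest)
}

func main() {
	dir, _ := os.MkdirTemp("", "cfgdemo")
	defer os.RemoveAll(dir)
	dest := filepath.Join(dir, "picoloom.yaml")
	fmt.Println("first write:", WriteConfig(dest, []byte("title: demo\n"), false))
	fmt.Println("second write without force:", WriteConfig(dest, []byte("title: new\n"), false))
	fmt.Println("second write with force:", WriteConfig(dest, []byte("title: new\n"), true))
}
```

The lock is an `O_EXCL` create, so a second writer fails immediately rather than waiting, and a crash between steps leaves `.lock` and `.bak` behind for inspection. The rename is atomic only on the same filesystem, which is why the temp file is created beside the destination rather than in the system temp directory.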
- The tool does not handle authentication
- The tool does not store or transmit user data
- Temporary files (HTML, screenshots) are created in the system temp directory and cleaned up after conversion