pdfnative-cli - npm Package Compare versions

Comparing version 0.3.0 to 1.0.0
+12
-6
package.json
{
"name": "pdfnative-cli",
"version": "0.3.0",
"description": "Official CLI for pdfnative — render JSON to PDF, sign (RSA + ECDSA), inspect, and verify CMS signatures. Zero extra runtime dependencies.",
"version": "1.0.0",
"description": "Official CLI for pdfnative — render JSON to PDF, sign (RSA + ECDSA), inspect, and verify CMS signatures with LTV (RFC 3161 timestamps, OCSP, CRL). Zero extra runtime dependencies.",
"type": "module",

@@ -47,3 +47,9 @@ "bin": {

"rfc3161",
"ltv",
"ocsp",
"crl",
"pades",
"pdf-watch",
"batch",
"shell-completions",
"command-line"

@@ -73,13 +79,13 @@ ],

"dependencies": {
"pdfnative": "^1.1.0"
"pdfnative": "^1.2.0"
},
"devDependencies": {
"@types/node": "^22.0.0",
"@vitest/coverage-v8": "^2.1.9",
"@vitest/coverage-v8": "^4.1.7",
"eslint": "^9.0.0",
"tsup": "^8.0.0",
"typescript": "^5.4.0",
"typescript-eslint": "^8.57.2",
"vitest": "^2.1.9"
"typescript-eslint": "^8.59.2",
"vitest": "^4.1.7"
}
}
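Review bot: `"pdfnative": "^1.2.0"` in `dependencies` is a caret range on the only runtime dependency, so an install resolves to the newest matching 1.x release unless a lockfile or shrinkwrap fixes it, and every command including `verify` runs on top of that library. Consider pinning an exact version, or documenting how published installs are locked, so the code that ships is the code that was tested. In `devDependencies`, `vitest` and `@vitest/coverage-v8` both move from `^2.1.9` to `^4.1.7`, two major versions in one step; worth confirming in the PR that the test and coverage configuration still behaves as before.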
+77
-12

@@ -16,3 +16,12 @@ # pdfnative-cli

> **What's new in v0.3.0** — full digital-signature stack: ECDSA-SHA256 signing, end-to-end CMS/PKCS#7 cryptographic verification (RSA + ECDSA), RFC 3161 timestamp recognition, and an automatic AcroForm signature-placeholder injector that lets you sign any `pdfnative render` output in one command. `render` gains `--watch`, `--template`, and `--font latin|emoji` shortcuts. **100 % backward-compatible** with v0.2.0 — see [release notes](release-notes/v0.3.0.md).
> **What's new in v1.0.0** — **Long-Term Validation (LTV) on the verify side**: full
> RFC 3161 timestamp-token validation (PAdES-T), plus OCSP (RFC 6960) and CRL (RFC 5280)
> revocation checking — offline from the embedded `/DSS` by default, with opt-in,
> SSRF-guarded online fetching (`verify --revocation online`). `render` exposes
> pdfnative 1.2.0 **smart tables** (`--table-wrap`, `--repeat-header`, `--zebra`,
> `--cell-padding`, `--min-row-height`) and **page-by-page streaming**
> (`--stream-page-by-page`, TOC-compatible). New **`batch`** and **`completion`** commands,
> a **`.pdfnativerc.json`** config file, and global `--quiet` / `--no-color` /
> `--version --json` flags. Built on **pdfnative 1.2.0**, dropping the last two upstream
> workarounds. See [release notes](release-notes/v1.0.0.md).
>

@@ -31,5 +40,14 @@ > ⭐ Star [`pdfnative`](https://github.com/Nizoka/pdfnative) — the zero-dependency PDF engine that powers this CLI.

metadata. `--verbose`, `--pages`, and `--check pdfa|signed|encrypted` for CI assertions.
- **`verify`** _(new in v0.2.0)_ — verify integrity, certificate chains, and trust roots
of every CMS/PKCS#7 signature embedded in a PDF. JSON & text output, `--strict` mode.
- **`verify`** — verify every CMS/PKCS#7 signature: byte-range integrity, RSA/ECDSA
signature value, certificate chain, trust roots, **RFC 3161 timestamp (PAdES-T)**, and
**OCSP + CRL revocation** (embedded `/DSS` offline by default, opt-in SSRF-guarded online).
JSON & text output, `--strict`, `--revocation`, `--revocation-policy`.
- **`batch`** — render every JSON file in a directory to PDF in parallel, reusing the full
`render` pipeline, with a per-file summary and bounded `--concurrency`.
- **`completion`** — emit `bash`, `zsh`, or `fish` shell-completion scripts.
- **`.pdfnativerc.json`** — optional config file for default flags (global + per-command);
precedence is CLI flags > env > config.
- **Zero extra dependencies** — `pdfnative` is the sole runtime dependency.
- **Offline by default** — no network access unless you explicitly opt in with
`verify --revocation online`, and even then every request passes an SSRF guard.
- **Stdin / stdout by default** — every command is shell-pipeline friendly.
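Review bot: the "Offline by default" bullet says there is no network access unless you explicitly opt in with `verify --revocation online`, but the `.pdfnativerc.json` bullet just above it allows per-command default flags, and the Global options table says the file is discovered as the nearest one upward from cwd. The README should state whether a config file can set `--revocation online` or `--revocation disabled`; if it can, a config file found in a parent directory changes network and verification behaviour without anything on the command line, and the bullet should mention `--no-config` as the way to rule that out.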

@@ -49,3 +67,6 @@ - **Secret-safe** — signing keys, certs, encryption passwords never appear in error

| `inspect` PDF metadata | ✅ | `--verbose`, `--pages`, `--check pdfa\|signed\|encrypted` |
| `verify` signature verification (v0.2.0) | ✅ | Integrity + chain + trust; `--strict`, `--trust` |
| `verify` signature verification | ✅ | Integrity + chain + trust + timestamp + revocation; `--strict` |
| `batch` parallel rendering | ✅ | Directory → PDFs, `--concurrency`, `--fail-fast` |
| `completion` shell scripts | ✅ | `bash` / `zsh` / `fish` |
| `.pdfnativerc.json` config file | ✅ | Global + per-command defaults; flags > env > config |
| **Document Blocks** | | |
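Review bot: the replacement `verify` row keeps only `--strict` in the Notes column, dropping the `--trust` that the old row listed, and does not mention the new `--revocation` and `--revocation-policy` flags even though the row now advertises revocation. `--trust` is still documented elsewhere in this diff, so this looks like an omission; suggest listing `--strict`, `--trust`, `--revocation`, `--revocation-policy` here to match the `verify` feature bullet.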

@@ -83,6 +104,11 @@ | Headings, paragraphs, lists | ✅ | Full text styling support |

| Trust roots | ✅ | `--trust <root.pem>` (repeatable) + self-signed acceptance |
| RFC 3161 timestamp recognition | ✅ | Reported as `timestampPresent` (v0.3.0); full TSA validation pending |
| OCSP / CRL revocation | ⚠️ | Deferred to v0.4.0+ |
| Full RFC 3161 token validation | ⚠️ | Deferred to v0.4.0+ |
| **Render iteration (v0.3.0)** | | |
| RFC 3161 timestamp recognition | ✅ | Reported as `timestampPresent` |
| RFC 3161 timestamp validation (PAdES-T) | ✅ | TSA signature, messageImprint binding, chain, `genTime` |
| OCSP revocation (RFC 6960) | ✅ | Embedded `/DSS` + opt-in online via AIA (SSRF-guarded) |
| CRL revocation (RFC 5280) | ✅ | Embedded `/DSS` + opt-in online via CDP (SSRF-guarded) |
| Revocation policy | ✅ | `--revocation offline\|online\|disabled`, `--revocation-policy soft-fail\|strict` |
| Sign-side LTV (timestamp embedding / DSS) | ⚠️ | Upstream-blocked in pdfnative; `sign --timestamp` reserved |
| **Render iteration** | | |
| Smart tables | ✅ | `--table-wrap`, `--repeat-header`, `--zebra`, `--cell-padding`, `--min-row-height` |
| Page-by-page streaming | ✅ | `--stream-page-by-page` (TOC- and `{pages}`-compatible) |
| `--watch` re-render on file change | ✅ | 200 ms debounce, requires file `--output` |
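Review bot: the "Sign-side LTV" row says `sign --timestamp` is reserved but not what the CLI does when the flag is passed. Please document that, and make it a hard error rather than a no-op: a silently accepted flag would let a user believe the output carries a timestamp when it does not. Separately, the OCSP and CRL rows name the data sources (`/DSS`, AIA, CDP) but not the time at which revocation status is evaluated (the validated `genTime` or the current time); one sentence on that would help readers interpret a result on an older document.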

@@ -279,3 +305,3 @@ | `--template <file.json>` | ✅ | Deep-merge base under input (caller wins) |

### `pdfnative verify` _(new in v0.2.0)_
### `pdfnative verify`

@@ -288,9 +314,48 @@ | Flag | Default | Description |

| `--trust <root.pem>` _(repeatable)_ | _self-signed only_ | Trusted root certificates (PEM) |
| `--revocation offline\|online\|disabled` | `offline` | Revocation source: embedded `/DSS` only, also fetch online (SSRF-guarded), or skip |
| `--revocation-policy soft-fail\|strict` | `soft-fail` | `strict` fails the signature on any non-`good` status; `soft-fail` only fails on explicit `revoked` |
**Scope (v0.2.0):** integrity (byte-range SHA-256) + certificate chain signatures + trust
evaluation. Full CMS-signature-value verification, OCSP/CRL revocation, and RFC 3161
timestamp validation are deferred — see [ROADMAP.md](ROADMAP.md).
**Scope (v1.0.0):** byte-range integrity (SHA-256), full CMS signature value
(RSA-PKCS#1 v1.5 SHA-256 + ECDSA-SHA256 over P-256), certificate chain + trust,
**RFC 3161 timestamp validation (PAdES-T)**, and **OCSP (RFC 6960) + CRL (RFC 5280)
revocation** — embedded from the PDF `/DSS` offline by default, with opt-in online
fetching through an SSRF-guarded HTTP client. Sign-side LTV (embedding timestamps /
DSS at signing time) is upstream-blocked in pdfnative — see [ROADMAP.md](ROADMAP.md)
and [SECURITY.md](SECURITY.md#network-access-revocation-checking).
### `pdfnative batch`
| Flag | Default | Description |
|------|---------|-------------|
| `--input-dir <dir>` | _required_ | Directory of `*.json` document definitions |
| `--output-dir <dir>` | _required_ | Output directory for the rendered `*.pdf` (created if absent) |
| `--concurrency <n>` | `4` | Maximum parallel renders |
| `--fail-fast` | false | Stop at the first failure (default: render all, then report) |
| `--format json\|text` | `text` | Summary format |
All other flags are forwarded to each `render`. Exit code 1 if any file fails.
### `pdfnative completion`
```bash
pdfnative completion bash > /etc/bash_completion.d/pdfnative
pdfnative completion zsh > "${fpath[1]}/_pdfnative"
pdfnative completion fish > ~/.config/fish/completions/pdfnative.fish
```
### Global options
| Flag | Description |
|------|-------------|
| `--config <file>` | Use a specific `.pdfnativerc.json` (default: nearest upward from cwd) |
| `--no-config` | Ignore any `.pdfnativerc.json` |
| `--quiet`, `-q` | Suppress progress output on stderr |
| `--no-color` | Disable ANSI colour (also respects the `NO_COLOR` env var) |
| `--version --json` | Machine-readable version output |
## Security
- **Offline by default** — no network access unless you pass `verify --revocation online`.
Online revocation requests pass an **SSRF guard** (scheme allow-list, private/loopback/
link-local/CGNAT address blocking, no redirects, timeout + size caps).
- **Signing keys are never logged** — not in error messages, not in debug output.
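Review bot: with the defaults in the flag table (`--revocation offline`, `--revocation-policy soft-fail`), the table's own wording means a signature fails revocation only on an explicit `revoked` status, so a PDF with no usable revocation data in `/DSS` still passes. The Scope paragraph should say this plainly and state whether `--strict` implies `--revocation-policy strict` or whether CI users must pass both. In the Security bullet, the SSRF guard lists scheme allow-listing, address blocking, no redirects and caps, but not whether the address check applies to the address actually connected to after DNS resolution; a sentence on that would make the guarantee checkable.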

@@ -297,0 +362,0 @@ - **Path traversal protection** — all file path arguments are validated against `../` sequences.

Sorry, the diff of this file is too big to display
