We actively maintain and provide security updates for the following versions:

| Version | Supported |
|---|---|
| 25.x.x | ✅ |
| 20.x.x | ❌ |
| < 20.x | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in ng2-pdfjs-viewer, please follow these guidelines:
Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report security vulnerabilities privately by:
- Email: Send details to codehippie1@gmail.com
- GitHub Security Advisories: Use the "Report a vulnerability" button on the Security tab
- Responsible Disclosure: Follow responsible disclosure practices
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact Assessment: Potential impact and affected components
- Environment: Browser, Angular version, ng2-pdfjs-viewer version
- Proof of Concept: If applicable, include a minimal reproduction case
- Suggested Fix: If you have ideas for a fix, please share them
We recognize security researchers who help improve ng2-pdfjs-viewer security:
- [Your Name] - CVE-XXXX-XXXX - Description of contribution
- [Another Researcher] - CVE-XXXX-XXXX - Description of contribution
ng2-pdfjs-viewer is designed to work with strict Content Security Policies:

```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self';
               style-src 'self';
               script-src 'self';">
```

Note: v25.0.11+ includes fixes for CSP compliance issues with inline styles.
The component uses iframe sandboxing for security:

```html
<iframe sandbox="allow-forms allow-scripts allow-same-origin allow-modals">
```

ng2-pdfjs-viewer is built on PDF.js, which includes:
- XSS Protection: Built-in protection against malicious PDF content
- Sandboxing: Isolated execution environment
- Regular Updates: Following PDF.js security updates
We take supply-chain integrity seriously, and the published package is intentionally lean:
- Zero runtime dependencies. The published ng2-pdfjs-viewer package ships with no runtime dependencies. The Mozilla PDF.js viewer is bundled as a static asset, not pulled as an npm dependency, so installing this library does not add transitive runtime packages (or their CVEs) to your application.
- Provenance / build attestation. Releases are built and published from GitHub Actions using npm trusted publishing (OIDC), and each release carries a verifiable npm provenance attestation. You can confirm on the npm package page that a given version was built from this repository's CI.
- About repository Dependabot alerts. This repository also contains non-shipped projects: the demo app (playground/) and the documentation site (docs-website/). Any Dependabot alerts you see on the repository pertain to that tooling, not the published library, and their dependencies never reach consumers of the npm package. Alerts scoped to those paths are auto-triaged so they do not misrepresent the security of the shipped component.
- Health metrics. Supply-chain health is tracked publicly via OpenSSF Scorecard.
- Keep Dependencies Updated: Regularly update Angular and PDF.js dependencies
- Use HTTPS: Always serve PDFs over HTTPS in production
- Validate Input: Validate PDF sources and user inputs
- CSP Headers: Implement proper Content Security Policy headers
- Error Handling: Don't expose sensitive information in error messages
- Update Regularly: Keep ng2-pdfjs-viewer updated to the latest version
- Secure Sources: Only load PDFs from trusted sources
- HTTPS: Use HTTPS when serving PDFs
- Review Permissions: Be cautious with PDFs that request special permissions
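One way to apply the "Use HTTPS", "Validate Input" and "Secure Sources" guidance above is to allow-list PDF sources in the host application before a URL ever reaches the viewer. The following is an added example and is not code from ng2-pdfjs-viewer; the origins, the function name and the return shape are assumptions made for illustration.

```typescript
// Added example (not part of ng2-pdfjs-viewer): validate a PDF source URL against
// a fixed allow-list of HTTPS origins before handing it to the viewer component.

// Constructed sample allow-list; replace with the origins your application trusts.
export const TRUSTED_PDF_ORIGINS: readonly string[] = [
  "https://docs.example.com",
  "https://cdn.example.org",
];

export interface PdfSourceCheck {
  ok: boolean;
  // Human-readable reason on rejection; safe to log, not meant for end-user error text.
  reason?: string;
  // Fully resolved URL to pass on when the check succeeds.
  normalized?: string;
}

/**
 * Returns ok=true only when `candidate` parses as an absolute HTTPS URL (or resolves
 * to one against `pageOrigin`), carries no embedded credentials, and its origin is
 * on the allow-list. Everything else (http:, javascript:, data:, blob:, unknown
 * hosts, unparseable input) is rejected with a reason.
 */
export function checkPdfSource(
  candidate: string,
  trustedOrigins: readonly string[] = TRUSTED_PDF_ORIGINS,
  pageOrigin?: string,
): PdfSourceCheck {
  let url: URL;
  try {
    // Relative paths resolve against pageOrigin when one is supplied.
    url = new URL(candidate, pageOrigin);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }

  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed (HTTPS only)` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // url.origin is scheme + host + port, so a lookalike host or odd port fails here.
  if (!trustedOrigins.includes(url.origin)) {
    return { ok: false, reason: `origin ${url.origin} is not on the allow-list` };
  }
  return { ok: true, normalized: url.href };
}
```

Run the check in the component or service that sets the viewer's PDF source, and bind the returned `normalized` value rather than the raw user-supplied string; rejected inputs should be logged with the `reason` and shown to the user as a generic "document unavailable" message so error text does not leak internal details.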
- CSP Inline Style Violations (v25.0.11): Fixed inline style CSP violations in component template
- XSS Prevention: iframe sandboxing prevents PDF-based XSS attacks
- URL Validation: Built-in URL validation prevents unauthorized file access
- PDF.js Vulnerabilities: Inherits any security issues from PDF.js core
- Browser Security: Relies on browser security for iframe isolation
- Network Security: PDF loading depends on network security
Security updates are typically released as:
- Patch Releases: For critical security fixes (e.g., 25.0.12)
- Minor Releases: For important security improvements (e.g., 25.1.0)
- Major Releases: For significant security architecture changes (e.g., 26.0.0)
- Security Issues: security@example.com
- General Support: GitHub Issues
- Documentation: Documentation Site
We thank the security community for their contributions to making ng2-pdfjs-viewer more secure. Special thanks to:
- The PDF.js team at Mozilla for their security-focused approach
- Angular team for security best practices
- All security researchers who have reported vulnerabilities
Last Updated: October 2025
Version: 25.x