Warning
This release addresses the security vulnerability GHSA-6vh8-4frx-647f which affects all versions including and prior to v2.8.2.
All users of BentoPDF are advised to upgrade immediately to the latest version, 2.8.3.
A note of thanks
A huge thank you to @Astaruf for discovering this vulnerability and reporting it to us through responsible disclosure. Independent security researchers like Lorenzo are what keep open source software trustworthy, and we are genuinely grateful for the care and professionalism shown throughout the process. This is exactly how coordinated vulnerability disclosure should work, and BentoPDF is safer today because of it. Thank you. ❤️
What's Changed
- Update common.json - Dutch language by @Stephan-P in #641
- build(deps-dev): bump vite from 7.3.1 to 7.3.2 by @dependabot[bot] in #642
- static.yml: fix static workflow regression from commit 1fc9620 by @ntfreak in #648
- build(deps): bump dompurify from 3.3.3 to 3.4.0 by @dependabot[bot] in #660
- Added Ukrainian translation by @SerhiiZahuba in #628
- Add Japanese translation by @tkymmm in #650
- Belarusian translation update by @pavel-miniutka in #666
- build(deps-dev): bump vite from 7.3.2 to 8.0.5 by @dependabot[bot] in #643
New Contributors
- @ntfreak made their first contribution in #648
- @SerhiiZahuba made their first contribution in #628
- @tkymmm made their first contribution in #650
A note from the developer
BentoPDF is maintained by a single developer. While every effort is made to ensure the codebase is reviewed, scanned, and hardened before each release, the reality of a solo-maintained project is that comprehensive security coverage is not achievable without external input. The surface area of a modern document-processing tool is substantial, and no individual reviewer can reasonably cover all of it alone.
This disclosure has been a humbling reminder that no codebase is perfect, and that security is a process and not a milestone. Going forward, BentoPDF will be putting more active investment into security hardening: stricter reviews for anything touching untrusted input, expanded automated scanning in CI, and faster turnaround on reports.
If you find something that looks off, such as a bug, a misconfiguration, or an edge case that feels risky, then please tell us. Report privately through GitHub Security Advisories or email contact@bentopdf.com. You do not need a working exploit, proof of impact, or a perfectly written report. A description and a hint are enough, and we will take it from there. Every report genuinely helps, and every reporter gets credited.
Thank you for using BentoPDF, and thank you for helping us make it safer.
Full Changelog: v2.8.2...v2.8.3