graphic-ebook
Audited by Socket on May 8, 2026
1 alert found:
Anomaly: This code is a utility for deterministic PDF export using a local server and Playwright. There is no direct evidence of intentional malware in the fragment (no exfiltration, credential theft, or backdoor logic). The main security concerns are (1) supply-chain exposure from runtime npm installation and Chromium downloads without pinned/integrity-verified versions, and (2) the local static server's file path resolution that lacks strong confinement to SERVE_DIR, which could allow path traversal-like reads if the browser requests crafted URLs (or if untrusted HTML manipulates requests). Rendering untrusted HTML also increases risk because any embedded JS will execute in the browser context during export.