Security fixes are applied to the latest commit on main. Older commits and unofficial forks are not maintained by this project.
Please use Report a vulnerability in the repository's GitHub Security tab when private vulnerability reporting is available. Do not publish secrets, private paper contents, or a working exploit in a public issue.
If private reporting is unavailable, open a minimal public issue asking the maintainer for a private contact channel. Include no sensitive reproduction data in that issue.
- Transpaper is not an offline translator. It sends extracted paper text and selected page-render images to OpenAI through either the logged-in Codex CLI or the optional OpenAI API mode.
- Codex calls run with an ephemeral session, a temporary working directory, ignored user rules, and a read-only sandbox. The process receives the translation prompt plus the paper content and review images required by the pipeline.
- Local artifacts can contain the original text, translated text, page images, QA output, and document metadata. They are stored beside the result in a hidden
.<name>.ko.transpaper/directory. - The web UI binds to
127.0.0.1and disables Gradio sharing by default. Do not alter those defaults on a machine or network you do not trust. - PDFs are untrusted input parsed by PyMuPDF. Keep Transpaper and its dependencies updated, and process sensitive files only on a trusted machine.
Review OpenAI's current data controls and your account or workspace policy before translating confidential or regulated documents.