@ckeditor/ckeditor5-import-word
Import from Word feature for CKEditor 5.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Large file count is expected for a full CKEditor5 plugin package with many source modules. | ai | |
| source-diff | obfuscated-file:src/importwordediting.js | AI (source-diff): CKEditor5 premium plugin ships intentionally obfuscated source; declared in package.json with obfuscated:true. | ai | |
| source-diff | obfuscated-file:src/importwordcommand.js | AI (source-diff): CKSource intentionally obfuscates commercial plugin source; package.json declares 'obfuscated: true'. Copyright header explicitly states proprietary obfuscated code. | ai | |
| source-diff | obfuscated-file:build/import-word.js | AI (source-diff): CKSource intentionally ships obfuscated build artifacts for commercial plugins; package.json declares 'obfuscated: true'. Build directory output is expected. | ai | |
| source-diff | obfuscated-file:src/importwordui.js | AI (source-diff): CKSource intentionally obfuscates commercial plugin source; package.json declares 'obfuscated: true'. Copyright header explicitly states proprietary obfuscated code. | ai | |
| semgrep | semgrep:obfuscation-while-true | AI (semgrep): CKSource commercial plugin with explicit 'obfuscated: true' in package.json. Intentional IP protection, not malware. Stable across all versions of this package. | ai | |
| semgrep | semgrep:obfuscation-hex-functions | AI (semgrep): CKSource commercial plugin with explicit 'obfuscated: true' in package.json. Intentional IP protection, not malware. Stable across all versions of this package. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-ui | AI (phantom-deps): Same-org @ckeditor scoped dep declared for version-pinning in CKEditor's modular architecture. Not a security concern. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-core | AI (phantom-deps): Same-org @ckeditor scoped dep declared for version-pinning in CKEditor's modular architecture. Not a security concern. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-engine | AI (phantom-deps): Same-org @ckeditor scoped dep declared for version-pinning in CKEditor's modular architecture. Not a security concern. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-clipboard | AI (phantom-deps): Same-org @ckeditor scoped dep declared for version-pinning in CKEditor's modular architecture. Not a security concern. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-clipboard | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-engine | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-utils | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-core | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-cloud-services | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-icons | AI (phantom-deps): Same-org phantom dep; common in CKEditor 5 monorepo for transitive/peer resolution. Not a security concern. | ai | |
| phantom-deps | phantom-dep:@ckeditor/ckeditor5-merge-fields | AI (phantom-deps): Same-org phantom dep; common in CKEditor 5 monorepo for transitive/peer resolution. Not a security concern. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-merge-fields | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
| dependencies | unvetted-dep:@ckeditor/ckeditor5-ui | AI (dependencies): First-party @ckeditor org dependency at matching version; part of coordinated CKEditor 5 monorepo release. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 48.2.0 | 8 / 0 | |
| 48.1.1 | 8 / 0 | |
| 48.1.0 | 8 / 0 | |
| 48.0.1 | 8 / 0 | |
| 48.0.0 | 8 / 0 | |
| 47.7.2 | 9 / 0 | |
| 47.7.1 | 9 / 0 | |
| 47.7.0 | 9 / 0 | |
| 47.6.2 | 9 / 0 | |
| 47.6.1 | 9 / 0 | |
| 47.6.0 | 9 / 0 | |
| 47.5.0 | 9 / 0 | |
| 47.4.0 | 9 / 0 | |
| 47.3.0 | 9 / 0 | |
| 47.2.0 | 9 / 0 | |
v48.2.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v48.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v48.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v48.0.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v48.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.7.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.7.1
19 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.7.0
16 findings
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.6.2
16 findings
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
while(!![]) loop is a signature of javascript-obfuscator output (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Hex-prefixed function names (_0x...) are generated by javascript-obfuscator (match at line 23)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v47.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.3.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v47.2.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.