@jsreport/jsreport-docx

jsreport recipe rendering docx files

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pofiderbjrmatos

Keywords

jsreportdocx

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): exifreader is a legitimate EXIF parsing library; addition is consistent with image handling in a docx renderer.	ai	2026/05/21
dependencies	unvetted-dep:exifreader	AI (dependencies): Used for reading image metadata in docx image handling; purpose-appropriate for this package.	ai	2026/05/17
dependencies	unvetted-dep:style-attr	AI (dependencies): CSS style attribute parsing utility; fits docx rendering use case.	ai	2026/05/17
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used for image data URI parsing in docx rendering — benign and stable for this package.	ai	2026/05/17
dependencies	unvetted-dep:string-replace-async	AI (dependencies): Async string replacement utility; fits template rendering use case.	ai	2026/05/17
dependencies	unvetted-dep:js-excel-date-convert	AI (dependencies): Excel date conversion utility; fits docx/Office document rendering use case.	ai	2026/05/17
dependencies	unvetted-dep:parse-css-sides	AI (dependencies): CSS sides parsing utility; fits docx layout/styling use case.	ai	2026/05/17