docx No license 8 versions

docx

npm Repository Homepage

8

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dolanmiu

Keywords

docxofficewordgeneratecreatorcreatedocumentdocofficegenclippy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions publisher is consistent with CI/CD automation; SLSA attestation confirms build integrity.	ai	2026/05/02
publish-pattern	dormant-publish	AI (publish-pattern): SLSA provenance attestation and clean diff rule out account takeover; dormancy is benign for this established package.	ai	2026/05/02
phantom-deps	phantom-dep:nanoid	AI (phantom-deps): nanoid is a declared runtime dep; phantom-dep heuristic misfires on bundled ESM output.	ai	2026/04/28
typosquat	typosquat.levenshtein:mobx	AI (typosquat): docx and mobx are completely unrelated packages; Levenshtein proximity is coincidental.	ai	2026/04/28
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Framework-scoped type package; phantom-dep correctly notes it's loaded by convention.	ai	2026/04/28
phantom-deps	phantom-dep:hash.js	AI (phantom-deps): hash.js is a declared runtime dep; phantom-dep heuristic misfires on bundled ESM output.	ai	2026/04/28
phantom-deps	phantom-dep:xml	AI (phantom-deps): xml is a declared runtime dep; phantom-dep heuristic misfires on bundled ESM output.	ai	2026/04/28

Versions (showing 8 of 8)

Version	Deps	Published
9.7.1	6 / 35	2026-05-27
9.7.0	6 / 34	2026-05-24
9.6.1	6 / 35	2026-03-10
9.6.0	6 / 35	2026-02-24
9.5.3	6 / 37	2026-02-15
9.5.2	6 / 37	2026-02-13
9.5.1	6 / 37	2025-06-16
9.5.0	6 / 37	2025-05-05

v9.7.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.6.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.6.0

2 findings

HIGH Publisher changed: dolanmiu → GitHub Actions (on 2026-02-24) provenance

This version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.5.3

2 findings

HIGH Publisher changed: dolanmiu → GitHub Actions (on 2026-02-15) provenance

This version was published by a different npm account than previous versions on 2026-02-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.