From 00e06a3b7d58362129031d9a3706dac88fe6edde Mon Sep 17 00:00:00 2001
From: Sal Y
Date: Sun, 14 Dec 2025 08:52:09 -0500
Subject: [PATCH] Fix security vulnerability by migrating to @turbodocx/html-to-docx Resolves #5 Migrated from html-to-docx to @turbodocx/html-to-docx v1.18.1 to address prototype pollution vulnerability (GHSA-rx8g-88g5-qh64) in transitive dependency min-document. Changes: - Updated package dependency from html-to-docx@^1.8.0 to @turbodocx/html-to-docx@^1.18.1 - Updated import statement in exportDocx API route
---
 apps/web/app/api/exportDocx/route.ts | 2 +-
 apps/web/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/web/app/api/exportDocx/route.ts b/apps/web/app/api/exportDocx/route.ts
index c926015..4320046 100644
--- a/apps/web/app/api/exportDocx/route.ts
+++ b/apps/web/app/api/exportDocx/route.ts
@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import HTMLtoDOCX from 'html-to-docx';
+import HTMLtoDOCX from '@turbodocx/html-to-docx';
 import { JSDOM } from 'jsdom'; // 处理图片:将图片转换为base64
diff --git a/apps/web/package.json b/apps/web/package.json
index c13a702..25a9f64 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -70,7 +70,7 @@
 "franc": "^6.2.0",
 "highlight.js": "^11.9.0",
 "html-docx-ts-improve": "^1.1.3",
- "html-to-docx": "^1.8.0",
+ "@turbodocx/html-to-docx": "^1.18.1",
 "html-to-md": "^0.8.6",
 "idb": "^8.0.0",
 "jsdom": "^25.0.1",
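Review bot: The replaced import in route.ts carries no record of why the scoped fork is used, so a later dependency cleanup could switch it back to `html-to-docx` and reintroduce the advisory named in the commit message. I would add `// Keep the @turbodocx fork: html-to-docx pulls in min-document (GHSA-rx8g-88g5-qh64)` directly above the import. The call site of `HTMLtoDOCX` is outside this hunk, so it cannot be confirmed here that the options passed and the return value handled by the route match the fork's default export. A small export test that converts a fixed HTML sample and checks that a non-empty document comes back would cover that.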
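Review bot: The diffstat lists only route.ts and package.json, so if the repository commits a lockfile, the resolved tree may still contain min-document until the lockfile is regenerated and included in this change. Dropping `html-to-docx` from the manifest does not by itself show the advisory is closed, because another dependency could still resolve min-document. It is worth checking the installed tree (for example `npm ls min-document`, or the equivalent for this workspace's package manager) and recording the result in the PR. The new `"@turbodocx/html-to-docx"` key also sits between `html-docx-ts-improve` and `html-to-md`. The dependencies block continues outside the hunk, but if the list is kept sorted, this entry belongs with the other scoped packages.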