diff --git a/composer.json b/composer.json
index 4cffeae911e..2aecc528cde 100644
--- a/composer.json
+++ b/composer.json
@@ -38,13 +38,15 @@
       "bash tools/scripts/composer/dompdf-cleanup.sh",
       "bash tools/scripts/composer/tcpdf-cleanup.sh",
       "bash tools/scripts/composer/pear-exception-fix.sh",
-      "bash tools/scripts/composer/net-smtp-fix.sh"
+      "bash tools/scripts/composer/net-smtp-fix.sh",
+      "bash tools/scripts/composer/phpword-jquery.sh"
     ],
     "post-update-cmd": [
       "bash tools/scripts/composer/dompdf-cleanup.sh",
       "bash tools/scripts/composer/tcpdf-cleanup.sh",
       "bash tools/scripts/composer/pear-exception-fix.sh",
-      "bash tools/scripts/composer/net-smtp-fix.sh"
+      "bash tools/scripts/composer/net-smtp-fix.sh",
+      "bash tools/scripts/composer/phpword-jquery.sh"
     ]
   }
 }
diff --git a/tools/scripts/composer/phpword-jquery.sh b/tools/scripts/composer/phpword-jquery.sh
new file mode 100755
index 00000000000..5511f50e07e
--- /dev/null
+++ b/tools/scripts/composer/phpword-jquery.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+## Cleanup the vendor tree. The main issue here is that civi Civi is
+## deployed as a module inside a CMS, so all its source-code gets published.
+## Some libraries distribute admin tools and sample files which should not
+## be published.
+##
+## This script should be idempotent -- if you rerun it several times, it
+## should always produce the same post-condition.
+
+##############################################################################
+## usage: safe_delete <relpath...>
+function safe_delete() {
+  for file in "$@" ; do
+    if [ -z "$file" ]; then
+      echo "Skip: empty file name"
+    elif [ -e "$file" ]; then
+      rm -rf "$file"
+    fi
+  done
+}
+
+##############################################################################
+## Remove example/CLI scripts. They're not needed and increase the attack-surface.
+safe_delete vendor/phpoffice/phpword/samples