@carbon-labs/react-resizer

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

carbon-design-systemtay1orjonescarbon-botibmdesignjeffreychew

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @ibm/telemetry-js is IBM's own telemetry library, consistent with org-wide instrumentation pattern.	ai	2026/05/14
install-scripts	install-script:postinstall	AI (install-scripts): IBM telemetry postinstall is standard across all @carbon-labs packages; not malicious.	ai	2026/05/10
phantom-deps	phantom-dep:@ibm/telemetry-js	AI (phantom-deps): @ibm/telemetry-js is invoked via postinstall CLI, not imported directly; phantom-dep is a stable false positive here.	ai	2026/05/10
bogus-package	bogus-package	AI (bogus-package): Component library sub-package; README link dump and missing keywords are typical for monorepo sub-packages, not spam.	ai	2026/05/10

Versions (showing 16 of 16)

Version	Deps	Published
0.23.0	2 / 0	2026-05-14
0.20.0	2 / 0	2026-05-08
0.19.0	2 / 0	2026-05-08
0.15.0	1 / 1	2026-04-14
0.14.0	1 / 1	2026-03-25
0.11.0	1 / 1	2025-12-17
0.10.0	1 / 1	2025-09-11
0.9.0	1 / 1	2025-09-10
0.8.0	0 / 1	2025-09-09
0.7.0	0 / 1	2025-08-25
0.6.0	0 / 1	2025-08-05
0.5.0	0 / 1	2025-07-28
0.4.0	0 / 1	2025-07-09
0.3.0	0 / 1	2025-07-02
0.2.0	0 / 1	2025-06-24
0.1.0	0 / 1	2025-06-12

v0.23.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.20.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: ibmtelemetry --config=telemetry.yml

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: ibmtelemetry --config=telemetry.yml

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: ibmtelemetry --config=telemetry.yml

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: ibmtelemetry --config=telemetry.yml

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: ibmtelemetry --config=telemetry.yml

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.10.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.9.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.8.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.