@carbon-labs/react-style-picker

Carbon Labs - Style Picker

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

carbon-design-systemtay1orjonescarbon-botibmdesignjeffreychew

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:es/node_modules/@carbon/web-components/es/components/accordion/accordion.scss.js	AI (source-diff): Minified CSS-in-JS from @carbon/web-components; contains only CSS custom properties, no executable payload.	ai	2026/05/18
source-diff	obfuscated-file:lib/node_modules/@carbon/web-components/es/components/layer/layer.scss.js	AI (source-diff): Minified CSS-in-JS from @carbon/web-components; contains only CSS custom properties, no executable payload.	ai	2026/05/18
source-diff	obfuscated-file:es/node_modules/@carbon/web-components/es/components/layer/layer.scss.js	AI (source-diff): Minified CSS-in-JS from @carbon/web-components; contains only CSS custom properties, no executable payload.	ai	2026/05/18
source-diff	obfuscated-file:lib/node_modules/@carbon/web-components/es/components/accordion/accordion.scss.js	AI (source-diff): Minified CSS-in-JS from @carbon/web-components; contains only CSS custom properties, no executable payload.	ai	2026/05/18
publish-pattern	new-deps-added	AI (publish-pattern): @ibm/telemetry-js is IBM's own telemetry library, consistent with Carbon ecosystem practices.	ai	2026/05/03
provenance	publisher-changed	AI (provenance): Transition from carbon-bot to GitHub Actions is consistent with SLSA-attested CI/CD publishing for this org.	ai	2026/05/03
install-scripts	install-script:postinstall	AI (install-scripts): IBM Telemetry postinstall is standard across Carbon Labs packages; not malicious.	ai	2026/04/29
phantom-deps	phantom-dep:@ibm/telemetry-js	AI (phantom-deps): @ibm/telemetry-js is invoked via CLI in postinstall, not imported directly; phantom-dep is a stable false positive here.	ai	2026/04/29
bogus-package	bogus-package	AI (bogus-package): Carbon Labs auto-generated component packages commonly lack keywords and have sparse READMEs.	ai	2026/04/29

Versions (showing 19 of 19)

Version	Deps	Published
0.23.0	2 / 2	2026-05-15
0.22.0	2 / 2	2026-05-14
0.20.0	2 / 2	2026-05-11
0.19.0	2 / 2	2026-05-08
0.16.0	2 / 2	2026-04-27
0.15.0	2 / 2	2026-04-14
0.14.0	2 / 2	2026-03-25
0.13.0	2 / 2	2026-03-24
0.12.0	2 / 2	2026-03-09
0.11.0	1 / 2	2026-01-14
0.10.0	1 / 2	2026-01-06
0.9.0	1 / 2	2025-12-19
0.8.0	1 / 2	2025-12-17
0.7.0	1 / 2	2025-10-31
0.6.0	1 / 2	2025-10-22
0.4.0	1 / 2	2025-09-22
0.3.0	1 / 2	2025-09-22
0.2.0	1 / 2	2025-09-16
0.1.0	1 / 2	2025-09-12

v0.23.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.22.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.20.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.0

2 findings

HIGH Publisher changed: carbon-bot → GitHub Actions (on 2026-03-09) provenance

This version was published by a different npm account than previous versions on 2026-03-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

2 findings

HIGH Publisher changed: carbon-bot → GitHub Actions (on 2026-01-14) provenance

This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.8.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

5 findings

HIGH New obfuscated file: es/node_modules/@carbon/web-components/es/components/accordion/accordion.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/node_modules/@carbon/web-components/es/components/accordion/accordion.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: es/node_modules/@carbon/web-components/es/components/layer/layer.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/node_modules/@carbon/web-components/es/components/layer/layer.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.