
@carbon-labs/wc-date-picker

Carbon Labs - date-picker component

Versions: 12
License: Apache-2.0
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

carbon-design-system, tay1orjones, carbon-bot, ibmdesign, jeffreychew

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:es/components/date-picker/date-picker.scss.js | AI (source-diff): Minified CSS-in-JS build artifact (lit css template); standard output for Carbon web components packages. | ai | |
| source-diff | obfuscated-file:lib/components/date-picker/date-picker.scss.js | AI (source-diff): CJS equivalent of the same minified CSS-in-JS artifact; expected build output. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped transitive dep; stable false positive for Carbon component packages. | ai | |
| phantom-deps | phantom-dep:@carbon-labs/utilities | AI (phantom-deps): Same-org utility package; phantom-dep heuristic unreliable for monorepo siblings. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): Declared runtime dep; config-file reference pattern is a known false positive. | ai | |
| phantom-deps | phantom-dep:@js-temporal/polyfill | AI (phantom-deps): Declared runtime dep for Temporal API polyfill; config-file reference is a known false positive. | ai | |

Versions (showing 12 of 12)

Version Deps Published
0.13.0 6 / 0
0.12.0 6 / 0
0.11.0 6 / 0
0.10.0 6 / 0
0.9.0 6 / 0
0.8.0 6 / 0
0.7.0 6 / 0
0.6.0 6 / 0
0.5.0 6 / 0
0.4.0 6 / 0
0.3.0 5 / 0
0.2.0 5 / 0

v0.13.0

3 findings
HIGH New obfuscated file: es/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.12.0

3 findings
HIGH New obfuscated file: es/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.11.0

3 findings
HIGH New obfuscated file: es/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: lib/components/date-picker/date-picker.scss.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.