@carbon-labs/wc-empty-state
Carbon Labs - empty-state component
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @ibm/telemetry-js is IBM's own telemetry library, consistent with Carbon Design System telemetry rollout. | ai | |
| source-diff | obfuscated-file:es/components/empty-state/src/empty-state.scss.js | AI (source-diff): Minified CSS-in-JS (lit css template) — standard build output for Carbon web component packages. | ai | |
| source-diff | obfuscated-file:lib/components/empty-state/src/empty-state.scss.js | AI (source-diff): Minified CSS-in-JS (lit css template) — standard build output for Carbon web component packages. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is standard across Carbon Labs packages; not arbitrary code execution. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by convention in Carbon build pipeline. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Component library sub-package; sparse README and no keywords are expected for scoped monorepo packages. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): Used via telemetry.yml config, not direct import; stable false positive for this package. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 0.18.0 | 5 / 0 | |
| 0.15.0 | 5 / 0 | |
| 0.14.0 | 5 / 0 | |
| 0.13.0 | 5 / 0 | |
| 0.12.0 | 5 / 0 | |
| 0.11.0 | 5 / 0 | |
| 0.8.0 | 5 / 0 | |
| 0.7.0 | 4 / 0 | |
| 0.6.0 | 4 / 0 | |
| 0.5.0 | 4 / 0 | |
| 0.4.0 | 4 / 0 | |
| 0.3.0 | 3 / 0 |
v0.18.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.11.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.8.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.7.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.6.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.5.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.4.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.3.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.