@carbon/charts
Versions: 3
License: —
Install Scripts: Yes
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
carbon-bot
Keywords
charts, graphs, radar, gauge, donut, pie, sparkline, tree, treemap, heatmap, wordcloud, histogram, alluvial, geo, bar, bullet, scatter, meter, line, javascript, component, carbon, ibm, svg, data, typescript
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/choropleth-TkZkP8Rn.mjs | AI (source-diff): Vite-bundled minified chart component; long lines are normal for bundled D3 output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/choropleth-Bn8eKXA6.mjs | AI (source-diff): Standard Vite-minified ESM bundle for choropleth chart; long lines are bundler output, not obfuscation. | ai | |
| phantom-deps | phantom-dep:d3-cloud | AI (phantom-deps): d3-cloud is a legitimate charting dependency referenced in config files. | ai | |
| phantom-deps | phantom-dep:@types/d3 | AI (phantom-deps): Type-only package; framework-scoped, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:d3-sankey | AI (phantom-deps): Legitimate charting dependency for sankey diagrams; referenced in config files. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): Legitimate sanitization dependency; referenced in config files. | ai | |
| phantom-deps | phantom-dep:lodash-es | AI (phantom-deps): Utility library; referenced in config files, stable false positive. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is standard across Carbon packages; not malicious. | ai | |
| phantom-deps | phantom-dep:@carbon/colors | AI (phantom-deps): Same-org Carbon dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/topojson | AI (phantom-deps): Type-only package for geo charts; stable false positive. | ai | |
| phantom-deps | phantom-dep:topojson-client | AI (phantom-deps): Geo chart dependency; referenced in config files. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): IBM telemetry package used by postinstall script; stable false positive. | ai | |
| phantom-deps | phantom-dep:html-to-image | AI (phantom-deps): Export feature dependency; referenced in config files. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript-compiled packages. | ai | |
v1.27.11 (2 findings)
- HIGH, rule source-diff: New obfuscated file: dist/choropleth-Bn8eKXA6.mjs. Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- INFO, rule provenance: Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.10 (2 findings)
- HIGH, rule source-diff: New obfuscated file: dist/choropleth-TkZkP8Rn.mjs. Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- INFO, rule provenance: Has SLSA provenance attestation. Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.