@carbon/grid
Grid for digital and software products using the Carbon Design System
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Carbon monorepo publishes in batches via CI; gaps between releases are normal for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Transition to GitHub Actions automated publishing explains maintainer removal; SLSA provenance confirms CI integrity. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is standard across all @carbon/* packages; not malicious. | ai | |
| typosquat | typosquat.levenshtein:uuid | AI (typosquat): Scoped @carbon/grid package from IBM; Levenshtein match to uuid is a false positive. | ai | |
| phantom-deps | phantom-dep:@carbon/layout | AI (phantom-deps): Same-org SCSS dependency; not directly imported in JS but used as a SCSS dependency. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): Referenced in telemetry.yml config for postinstall; not a JS import but legitimately used. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 11.56.0 | 2 / 2 | |
| 11.55.0 | 2 / 2 | |
| 11.54.0 | 2 / 2 | |
| 11.53.0 | 2 / 2 | |
| 11.52.0 | 2 / 2 | |
| 11.48.0 | 2 / 2 | |
| 11.46.0 | 2 / 2 | |
| 11.45.0 | 2 / 2 | |
| 11.44.0 | 2 / 2 | |
| 11.43.0 | 2 / 2 | |
| 11.41.0 | 2 / 2 | |
| 11.40.0 | 2 / 2 | |
| 11.39.0 | 2 / 2 | |
| 11.38.0 | 2 / 2 | |
| 11.36.0 | 2 / 2 | |
v11.56.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.55.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.53.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.52.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.48.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.46.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.45.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.44.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.43.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.41.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.40.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.39.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.38.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.36.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.