@carbon/ibm-products-web-components
Carbon for IBM Products Web Components
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Package uses GitHub Actions CI with SLSA provenance attestation; automated publisher is expected and documented in publishConfig. | ai | |
| source-diff | obfuscated-file:es-custom/components/checklist/checklist.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es/components/checklist/checklist.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es-custom/components/coachmark/coachmark-beacon/coachmark-beacon.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es/components/coachmark/coachmark-beacon/coachmark-beacon.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es-custom/components/action-set/action-set.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es/components/action-set/action-set.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es-custom/components/big-number/big-number-skeleton.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es/components/big-number/big-number-skeleton.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es-custom/components/big-number/big-number.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| source-diff | obfuscated-file:es/components/big-number/big-number.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template literal) — standard build output for this web component library. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): Used via CLI (ibmtelemetry) in postinstall script and config files, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@carbon/styles | AI (phantom-deps): Same-org peer/style dependency; not directly imported but used transitively — stable false positive for Carbon packages. | ai | |
| phantom-deps | phantom-dep:@carbon/ibm-products-styles | AI (phantom-deps): Same-org style package; consumed as CSS/SCSS, not JS import — stable false positive for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is standard for Carbon packages; matches declared @ibm/telemetry-js dep and telemetry.yml config. | ai |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.39.0 | 10 / 38 | |
| 0.38.0 | 10 / 38 | |
| 0.37.0 | 10 / 38 | |
| 0.36.0 | 10 / 38 | |
| 0.20.0 | 6 / 38 | |
| 0.19.0 | 6 / 44 | |
| 0.18.0 | 5 / 44 | |
| 0.17.0 | 5 / 44 | |
| 0.16.0 | 5 / 44 | |
| 0.15.0 | 5 / 44 |
v0.39.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.37.0
12 findingsThis version was published by a different npm account than previous versions on 2026-04-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.36.0
10 findingsThis version was published by a different npm account than previous versions on 2026-04-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.20.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.19.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.18.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.17.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.16.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.