@carbon/icons-react
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Icon library routinely adds many new icon component files per release; not injected code. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is a documented, standard pattern across all Carbon Design System packages. Not malicious. | ai | |
| dependencies | unvetted-dep:@ibm/telemetry-js | AI (dependencies): IBM's own telemetry library, used consistently across Carbon packages. Expected dependency for the postinstall telemetry script. | ai | |
| dependencies | unvetted-dep:@carbon/icon-helpers | AI (dependencies): First-party Carbon Design System dependency, entirely expected for @carbon/icons-react. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): @ibm/telemetry-js is invoked via postinstall script, not imported in code — phantom-dep finding is a false positive for this usage pattern. | ai | |

Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 11.81.0 | 3 / 3 | |
| 11.80.0 | 3 / 3 | |
| 11.79.0 | 3 / 3 | |
| 11.77.0 | 3 / 3 | |
| 11.76.0 | 3 / 3 | |
| 11.75.0 | 3 / 3 | |
| 11.74.0 | 3 / 3 | |
| 11.73.0 | 3 / 3 | |
| 11.72.0 | 3 / 3 | |
| 11.71.0 | 3 / 3 | |
| 11.70.0 | 3 / 3 | |
| 11.68.0 | 3 / 3 | |
| 11.67.0 | 3 / 3 | |
| 11.66.0 | 3 / 3 | |
| 11.65.0 | 3 / 3 | |
| 11.64.0 | 3 / 3 | |
| 11.62.0 | 3 / 3 | |
| 11.61.0 | 3 / 3 | |
| 11.60.0 | 3 / 3 | |

v11.81.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.80.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.79.0
2 findings
Script: ibmtelemetry --config=telemetry.yml
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.77.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.76.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.75.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.74.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.73.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.72.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.71.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.70.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v11.62.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.