@carbon/react
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry collection via ibmtelemetry; documented, org-owned tool consistent with this package's IBM/Carbon provenance. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): Used via postinstall CLI invocation, not direct import; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@carbon/styles | AI (phantom-deps): Re-exported as sass entry point (index.scss), not a direct JS import; stable false positive. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Babel runtime helpers injected at build time, not directly imported in source; stable false positive. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 1.108.0 | 17 / 43 | |
| 1.107.1 | 17 / 43 | |
| 1.107.0 | 17 / 43 | |
| 1.106.0 | 17 / 43 | |
| 1.105.0 | 17 / 43 | |
| 1.104.1 | 17 / 43 | |
| 1.99.0 | 17 / 49 | |
| 1.98.0 | 18 / 49 | |
| 1.97.0 | 18 / 56 | |
| 1.96.0 | 18 / 56 | |
| 1.95.0 | 18 / 56 | |
| 1.87.0 | 18 / 56 | |
| 1.85.1 | 18 / 56 | |
| 1.84.0 | 18 / 65 | |
| 1.83.0 | 18 / 63 | |
| 1.82.1 | 19 / 63 | |
| 1.82.0 | 19 / 63 | |
v1.108.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.107.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.107.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.105.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.104.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.99.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.98.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.97.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.96.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.95.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.87.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.85.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.84.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.83.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.82.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.82.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.