@carbon/styles Apache-2.0 19 versions

@carbon/styles

npm Repository Homepage

Styles for the Carbon Design System

19

Versions

Apache-2.0

License

Yes

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

carbon-bottay1orjonessstrubberg

Keywords

ibmcarboncarbon-design-systemcomponentsreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@ibm/plex	AI (dependencies): IBM's own font package; expected dependency for a Carbon styles package across all versions.	ai	2026/05/03
phantom-deps	phantom-dep:@carbon/grid	AI (phantom-deps): SCSS dependency, not a JS import; phantom-dep heuristic is a false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/type	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/colors	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/layout	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/motion	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/themes	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@carbon/feature-flags	AI (phantom-deps): SCSS dependency; false positive for this CSS-only package.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-serif	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/telemetry-js	AI (phantom-deps): Used by postinstall script via CLI; not a direct JS import but legitimately used.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans-thai	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans-arabic	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans-hebrew	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans-devanagari	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-sans-thai-looped	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
phantom-deps	phantom-dep:@ibm/plex-mono	AI (phantom-deps): Font package referenced in SCSS config; not a JS import.	ai	2026/04/30
install-scripts	install-script:postinstall	AI (install-scripts): IBM telemetry tool used consistently across all Carbon packages; documented, open-source, non-malicious.	ai	2026/04/29

Versions (showing 19 of 19)

Version	Deps	Published
1.107.0	17 / 9	2026-05-20
1.106.0	17 / 9	2026-05-06
1.105.0	17 / 9	2026-04-22
1.104.0	17 / 9	2026-04-08
1.103.0	17 / 9	2026-03-25
1.101.0	17 / 9	2026-02-25
1.99.0	17 / 9	2026-01-28
1.98.0	17 / 9	2026-01-13
1.94.0	17 / 9	2025-11-06
1.93.1	17 / 9	2025-10-24
1.92.0	17 / 9	2025-10-08
1.90.0	17 / 9	2025-09-10
1.88.0	17 / 9	2025-08-13
1.87.0	17 / 9	2025-07-30
1.86.1	17 / 9	2025-07-24
1.84.0	17 / 9	2025-06-18
1.83.0	17 / 9	2025-06-04
1.82.0	17 / 9	2025-05-21
1.81.0	17 / 9	2025-05-07

v1.107.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.106.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.104.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.103.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.101.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.99.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.98.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.94.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.93.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.92.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.90.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.88.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.87.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.86.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.84.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.83.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.82.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.81.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.