@carbon/utilities
Utilities and helpers to drive consistency across software products using the Carbon Design System
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Carbon monorepo publishes in batches; dormancy is normal for stable utility packages. | ai | |
| source-diff | obfuscated-file:lib/makeDraggable/makeDraggable.test.js | AI (source-diff): esbuild --minify output per package.json build scripts; stable for this package. | ai | |
| source-diff | obfuscated-file:es/makeDraggable/makeDraggable.test.js | AI (source-diff): esbuild --minify output per package.json build scripts; stable for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): New utility modules added in normal feature release; stable growth pattern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New utility modules (carousel, makeDraggable, etc.) added as expected feature growth. | ai | |
| source-diff | obfuscated-file:lib/carousel/carousel.js | AI (source-diff): esbuild --minify output per build scripts; not malicious obfuscation. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): @ibm/telemetry-js is a runtime dep used via CLI in postinstall, not directly imported in source — stable false positive for this package. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry postinstall is standard across all Carbon Design System packages; not malicious. | ai | |
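The rules in the table above (install-script, obfuscated-file, phantom-dep) are simple enough to re-implement, and doing so makes the accepted false positive concrete: a dependency that is only invoked from a lifecycle script never shows up as an import. The following is an added example written for this page, not the scanner's own code and not code from the Carbon project. It runs the three checks over an in-memory package. The sample package, its file contents, and the dependency's `bin` name are constructed for the example; the 3000-character line threshold is taken from the per-version findings further down.

```javascript
// Added example: re-implements three heuristics from the accepted-risks table
// over an in-memory package (path -> contents). Not the scanner's code.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const LONG_LINE = 3000; // threshold used by the "obfuscated-file" finding on this page

// Bare package names imported by one file (relative imports are ignored).
function importedModules(source) {
  const found = new Set();
  const re = /(?:require\(\s*|from\s+|import\s+)['"]([^'"./][^'"]*)['"]/g;
  for (const m of source.matchAll(re)) {
    const parts = m[1].split('/');
    // '@scope/name/sub' -> '@scope/name', 'name/sub' -> 'name'
    found.add(m[1].startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
  }
  return found;
}

// Executable names a dependency installs (from its own package.json "bin").
function binNames(files, dep) {
  const manifest = files[`node_modules/${dep}/package.json`];
  if (!manifest) return [];
  const bin = JSON.parse(manifest).bin;
  if (typeof bin === 'string') return [dep.split('/').pop()];
  return Object.keys(bin || {});
}

function scanPackage(files) {
  const findings = [];
  const pkg = JSON.parse(files['package.json']);
  const scripts = pkg.scripts || {};

  // install-scripts: anything that runs at install time.
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ rule: `install-script:${hook}`, detail: scripts[hook], severity: 'warn' });
  }

  // obfuscated-file: a shipped JS file with a very long line. Minified build
  // output trips this too, which is what the table accepts as esbuild --minify.
  const imported = new Set();
  for (const [path, content] of Object.entries(files)) {
    if (path.startsWith('node_modules/') || !/\.(m?js|cjs)$/.test(path)) continue;
    if (content.split('\n').some((line) => line.length > LONG_LINE)) {
      const isTest = /\.test\.[cm]?js$/.test(path);
      findings.push({
        rule: `obfuscated-file:${path}`,
        detail: `line over ${LONG_LINE} chars` + (isTest ? '; test file shipped in build output' : ''),
        severity: 'warn',
      });
    }
    for (const mod of importedModules(content)) imported.add(mod);
  }

  // phantom-deps: declared runtime dependency that no shipped file imports.
  // A dependency whose binary is called from a script (the @ibm/telemetry-js
  // case in the table) is still used, so it is downgraded to "info".
  const scriptTokens = new Set(Object.values(scripts).join(' ').split(/[\s;&|()]+/));
  for (const dep of Object.keys(pkg.dependencies || {})) {
    if (imported.has(dep)) continue;
    const viaScript = scriptTokens.has(dep) || binNames(files, dep).some((b) => scriptTokens.has(b));
    findings.push({
      rule: `phantom-dep:${dep}`,
      detail: viaScript ? 'not imported; invoked from package.json scripts' : 'not imported anywhere',
      severity: viaScript ? 'info' : 'warn',
    });
  }
  return findings;
}

// Constructed sample package. Names, versions, scripts and the "ibmtelemetry"
// bin name are assumptions made for this example, not registry data.
const SAMPLE = {
  'package.json': JSON.stringify({
    name: '@example/utils',
    version: '0.20.0',
    scripts: {
      build: 'esbuild src/index.js --minify --outdir=lib',
      postinstall: 'ibmtelemetry --config=telemetry.yml',
    },
    dependencies: { '@ibm/telemetry-js': '^1.5.0', 'lodash.debounce': '^4.0.8', 'left-pad': '^1.3.0' },
  }),
  'node_modules/@ibm/telemetry-js/package.json': JSON.stringify({
    name: '@ibm/telemetry-js', bin: { ibmtelemetry: 'dist/main.js' },
  }),
  'lib/index.js': 'const debounce = require("lodash.debounce");\nmodule.exports = { debounce };\n',
  'lib/carousel/carousel.js': 'var a=' + 'x'.repeat(3200) + ';', // stands in for minified output
};

console.log(JSON.stringify(scanPackage(SAMPLE), null, 2));
```

Running it flags the postinstall hook and the long-line file as warnings, reports `left-pad` as a real phantom dependency, and reports `@ibm/telemetry-js` at info level because its binary is called from the postinstall script, which is the distinction the table's "stable false positive" entry is making.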
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 0.20.0 | 2 / 3 | |
| 0.19.0 | 2 / 3 | |
| 0.18.0 | 2 / 3 | |
| 0.15.0 | 2 / 4 | |
| 0.14.0 | 2 / 4 | |
| 0.13.0 | 2 / 4 | |
| 0.12.0 | 2 / 4 | |
| 0.9.0 | 2 / 4 | |
| 0.8.0 | 2 / 4 | |
| 0.5.1 | 1 / 4 | |
v0.20.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.18.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.15.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.14.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.13.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.12.0
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code (reported for three files). New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.9.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.8.0
2 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v0.5.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.