@carbon/web-components
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:es/components/fluid-form/fluid-form.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template) from SCSS build pipeline; standard for @carbon/web-components. | ai | |
| source-diff | obfuscated-file:es-custom/components/fluid-combo-box/fluid-combo-box.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template) from SCSS build pipeline; standard for @carbon/web-components. | ai | |
| source-diff | obfuscated-file:es/components/fluid-combo-box/fluid-combo-box.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template) from SCSS build pipeline; standard for @carbon/web-components. | ai | |
| source-diff | obfuscated-file:es-custom/components/fluid-form/fluid-form.scss.js | AI (source-diff): Minified CSS-in-JS (Lit css template) from SCSS build pipeline; standard for @carbon/web-components. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): IBM telemetry collection standard across Carbon packages; not malicious. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dependency; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@carbon/styles | AI (phantom-deps): Same-org Carbon package used as a peer/style dep; not a direct import pattern. | ai | |
| phantom-deps | phantom-dep:@ibm/telemetry-js | AI (phantom-deps): Referenced in telemetry.yml config, not imported directly; stable false positive. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 2.55.0 | 11 / 29 | |
| 2.54.0 | 11 / 29 | |
| 2.53.0 | 11 / 28 | |
| 2.52.0 | 10 / 28 | |
| 2.51.1 | 10 / 28 | |
v2.55.0
5 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.54.0
5 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.52.0
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.51.1
1 finding:
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.