← Home

@carbon/ibm-products

npm Repository Homepage

Carbon for IBM Products

7
Versions
Apache-2.0
License
Yes
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

leechasecarbon-botelycheeatay1orjones

Keywords

carboncarbon design systemcarbon communitycarbon for cloud & cognitivecarbon for ibm products

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): New dep is same-org @carbon scoped package; low risk for this established IBM design system library. ai
dependencies unvetted-dep:@carbon/ibm-products-utilities AI (dependencies): Same org scope (@carbon); consistent with this package's established pattern of intra-monorepo deps. ai
publish-pattern dormant-publish AI (publish-pattern): Established IBM/Carbon org package with SLSA provenance; CI/CD publisher via GitHub Actions is consistent with org release cadence. ai
dependencies unvetted-dep:@carbon/utilities-react AI (dependencies): Same Carbon/IBM org scope; consistent with this package's dependency pattern. ai
dependencies unvetted-dep:@carbon-labs/react-resizer AI (dependencies): Carbon Labs org; expected dependency for IBM Products component library. ai
install-scripts install-script:postinstall AI (install-scripts): IBM telemetry collection via ibmtelemetry CLI; documented pattern for all @carbon packages, stable across versions. ai
phantom-deps phantom-dep:@carbon/telemetry AI (phantom-deps): Used via telemetry.yml config and postinstall CLI, not direct import; stable false positive for this package. ai
phantom-deps phantom-dep:@carbon/ibm-products-styles AI (phantom-deps): Companion styles package loaded by consumers via CSS/SCSS, not direct JS import; stable false positive. ai
phantom-deps phantom-dep:@ibm/telemetry-js AI (phantom-deps): Referenced in config files as documented; not a direct import by design. ai
phantom-deps phantom-dep:@babel/runtime AI (phantom-deps): Framework-scoped Babel runtime; loaded by convention in transpiled output, not direct import. ai

Versions (showing 7 of 7)

Version Deps Published
2.92.0 16 / 44
2.91.0 15 / 44
2.90.0 15 / 44
2.89.0 15 / 44
2.88.0 15 / 44
2.87.1 15 / 44
2.87.0 15 / 44

v2.92.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.91.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.90.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.88.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.87.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.87.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.