
@carbon/icons

Icons for digital and software products using the Carbon Design System

Versions: 4
License: Apache-2.0
Install scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

carbon-design-system, carbon-bot, alisonjoseph, leechase, jeffreychew, sstrubberg, tay1orjones

Keywords

ibm, elements, carbon, carbon-elements, carbon-design-system, components, react

Accepted risks

Findings the reviewer chose to accept rather than block on.

Columns: Source, Rule, Reason, Accepted by, When (no When value is recorded for any row).

Source: source-diff
Rule: large-new-source-files
Reason: AI (source-diff): Icon library regularly adds new SVG/source files with each release; large file additions are expected for this package.
Accepted by: ai

Source: install-scripts
Rule: install-script:postinstall
Reason: AI (install-scripts): IBM telemetry postinstall is standard across Carbon Design System packages; not malicious.
Accepted by: ai

Source: phantom-deps
Rule: phantom-dep:@ibm/telemetry-js
Reason: AI (phantom-deps): @ibm/telemetry-js is consumed by the postinstall script at runtime, not imported in source; stable pattern for this package.
Accepted by: ai

Source: typosquat
Rule: typosquat.levenshtein:cors
Reason: AI (typosquat): @carbon/icons is a well-established IBM scoped package; Levenshtein match to 'cors' is a false positive.
Accepted by: ai

Versions (showing 4 of 4)

Version Deps Published
11.81.0 1 / 3
11.79.0 1 / 3
11.78.0 1 / 3
11.77.1 1 / 3

v11.81.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.79.0

3 findings
HIGH  Package has 'postinstall' script  (source: install-scripts)

Script: ibmtelemetry --config=telemetry.yml

HIGH  Phantom dependency: @ibm/telemetry-js  (source: phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
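The two HIGH findings on this version are mechanical checks over package.json and the published sources. The following added example (not the scanner's code and not @carbon/icons' code) reimplements both over a constructed package: install-hook detection over the scripts field, and phantom-dependency detection by normalising every import or require specifier in the source files to a package name and diffing that set against the declared runtime dependencies. The package.json, the source files, the version ranges and the 'example-svg-utils' dependency are constructed for the example; only the postinstall command and the @ibm/telemetry-js name come from the findings.

```javascript
// Added example (not the scanner's code, not @carbon/icons' code): the two
// HIGH checks reported above, run over a constructed package.
// Everything in samplePackageJson and sampleSources is constructed for this
// example, except the postinstall command and the @ibm/telemetry-js name,
// which are taken from the findings.

// npm runs these lifecycle hooks from a published package during install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

function findInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Import forms we resolve: import ... from 'x', export ... from 'x',
// import 'x', import('x') and require('x').
const IMPORT_PATTERNS = [
  /\bfrom\s*['"]([^'"]+)['"]/g,
  /\bimport\s*['"]([^'"]+)['"]/g,
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
];

function collectSpecifiers(source) {
  const found = new Set();
  for (const pattern of IMPORT_PATTERNS) {
    for (const match of source.matchAll(pattern)) found.add(match[1]);
  }
  return found;
}

// Map a module specifier to the npm package that provides it:
// '@scope/pkg/sub' -> '@scope/pkg', 'pkg/sub' -> 'pkg';
// relative, absolute and node: specifiers are not packages -> null.
function packageNameOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  if (specifier.startsWith('@')) return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : null;
  return parts[0];
}

// Declared runtime dependencies that no source file imports.
// devDependencies are ignored: consumers never install them.
function findPhantomDeps(pkg, sources) {
  const imported = new Set();
  for (const source of Object.values(sources)) {
    for (const spec of collectSpecifiers(source)) {
      const name = packageNameOf(spec);
      if (name) imported.add(name);
    }
  }
  return Object.keys(pkg.dependencies || {}).filter((name) => !imported.has(name));
}

function scanPackage(pkg, sources) {
  return { installScripts: findInstallScripts(pkg), phantomDeps: findPhantomDeps(pkg, sources) };
}

// Constructed inputs.
const samplePackageJson = {
  name: '@carbon/icons',
  version: '11.79.0',
  scripts: {
    build: 'node build.js',                             // constructed
    postinstall: 'ibmtelemetry --config=telemetry.yml', // from the finding
  },
  dependencies: {
    '@ibm/telemetry-js': '^1.0.0', // name from the finding, range constructed
    'example-svg-utils': '^2.0.0', // constructed; imported by src/index.js below
  },
  devDependencies: { 'example-test-runner': '^9.0.0' }, // constructed
};

const sampleSources = {
  'src/index.js': [
    "import { optimize } from 'example-svg-utils/optimize';",
    "import { toSVG } from './tools.js';",
    'export { optimize, toSVG };',
  ].join('\n'),
  'src/tools.js': [
    "const path = require('node:path');",
    "module.exports = { toSVG: (file) => path.basename(file, '.svg') };",
  ].join('\n'),
};

console.log(JSON.stringify(scanPackage(samplePackageJson, sampleSources), null, 2));
```

Only `dependencies` is diffed, because consumers of a published package never install its devDependencies. A dependency used solely by an install hook, which is what the accepted-risk note says @ibm/telemetry-js is, correctly still comes out as phantom: the check cannot distinguish that case from a dependency added purely to carry an install script, which is why the install-script and phantom-dependency findings should be read together rather than dismissed separately.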

v11.78.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.77.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.