PkgRadar

Package evidence

@carbon/[email protected]

Install-time lifecycle script: postinstall="ibmtelemetry --config=telemetry.yml"

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads
1,876Niche · −30% score
Versions published
353Mature · −50% score
First published
Jun 2020
Publisher
carbon-bot

Effective trust discount applied: 50% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarballAdd to CI gate
Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@carbon/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@carbon/[email protected]"],"fail_on":"review"}'
Publishercarbon-bot
Artifact bytes4,386,508
Previous version2.51.0
Published2026-05-15T18:22:46.904Z
SHA-256dd9abbf5ecf9a86266fcd4c5426c0b62a0267d64dab376d03c71c9b8cf545979

Why flagged

What the scanner saw

Install-time lifecycle script: postinstall="ibmtelemetry --config=telemetry.yml"

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review
Last checked
reviewRisk
1Score
2.52.0Version
Status history (1 event)
  1. newavailable · risk review · score 1 · status changed

Evidence

Static findings

3 static · 0 from release diff · showing high-signal first.

No high-signal findings — see all findings below.

Show all 3 findings (low-signal and informational)
SeverityKindPathDetailPoints
lowInstall-time lifecycle scriptpackage.jsonpostinstall="ibmtelemetry --config=telemetry.yml"5
lowLarge Javascript Payloadpackage/dist/index-343fcdf0.js5385195 bytes0
lowLarge Javascript Payloadpackage/dist/index-aabdbccf.js6935822 bytes0

Manifest

Package metadata

Scripts44
  • buildgulp build && yarn wca
  • build-storybookbuild-storybook
  • build-storybook:experimentalcross-env C4D_FLAGS_ALL=true build-storybook -o storybook-static-experimental
  • build-storybook:reactgulp build:modules:react && node --max-old-space-size=8192 node_modules/@storybook/react/bin/build.js -c .storybook/react -o storybook-static-react
  • build-storybook:rtlcross-env STORYBOOK_USE_RTL=true build-storybook -o storybook-static-rtl
  • build:componentsgulp build:components
  • build:distgulp build:dist
  • build:sass:cdngulp build:sass:cdn
  • ci-checkyarn wca && yarn typecheck && yarn build && yarn test:unit
  • cleangulp clean
  • clean:distrimraf dist
  • cypress:verifycypress verify
  • doctocdoctoc --title '## Table of contents' docs && doctoc --title '## Table of contents' README.md
  • postinstallibmtelemetry --config=telemetry.yml
  • startyarn storybook
  • start-dev./update-scss-paths.sh & yarn start
  • storybookstart-storybook -p 9000
  • storybook:reactnode node_modules/@storybook/react/bin/index.js -p 9002 -c .storybook/react
  • telemetry:confignpx -y @ibm/telemetry-js-config-generator generate --wc --id 2a67e3ca-af1a-470d-87e5-474e71848221 --endpoint https://www-api.ibm.com/ibm-telemetry/v1/metrics --files ./src/components
  • testyarn test:unit && yarn test:integration
  • test:a11ygulp test:a11y
  • test:cdn-build:runnpx -y http-server -c-1 tests/cdn-build/app --silent
  • test:cdn-build:testnpx -y start-server-and-test 'yarn test:cdn-build:run' 8080 'cypress run --config-file tests/cdn-build/cypress.json'
  • test:e2e-storybook:browserstack:canarybrowserstack-cypress run --cf tests/e2e-storybook/browserstack.json --ccf tests/e2e-storybook/cypress-canary.json --sync --build-name 'Web Components Storybook Canary'
  • test:e2e-storybook:browserstack:nextbrowserstack-cypress run --cf tests/e2e-storybook/browserstack.json --ccf tests/e2e-storybook/cypress-next.json --sync --build-name 'Web Components Storybook Next'
  • test:e2e-storybook:devcypress open --config-file ./tests/e2e-storybook/cypress-local.json
  • test:e2e-storybook:runnpx -y http-server -c-1 storybook-static --silent -p 8081
  • test:e2e-storybook:testnpx -y start-server-and-test 'yarn test:e2e-storybook:run' 8081 'percy exec --config tests/e2e-storybook/.percy.json -- cypress run --config-file tests/e2e-storybook/cypress.json'
  • test:e2e-storybook:test:debugcross-env NODE_OPTIONS=--max-old-space-size=8192 npx -y start-server-and-test 'yarn test:e2e-storybook:run' 8081 'cypress open --config-file tests/e2e-storybook/cypress.json'
  • test:e2e-storybook:test:no-percycross-env NODE_OPTIONS=--max-old-space-size=8192 npx -y start-server-and-test 'yarn test:e2e-storybook:run' http://0.0.0.0:8081 'cypress run --config-file tests/e2e-storybook/cypress.json'
  • …and 14 more.
Dependencies14
  • @carbon/ibmdotcom-services2.49.0
  • @carbon/ibmdotcom-styles2.49.0
  • @carbon/ibmdotcom-utilities2.49.0
  • @carbon/layout11.49.0
  • @carbon/motion11.43.0
  • @carbon/styles1.65.0
  • @carbon/web-components2.13.1
  • @ibm/telemetry-js^1.10.2
  • lit^2.7.6
  • lodash-es^4.17.21
  • redux^4.0.0
  • redux-logger^3.0.0
  • redux-thunk^2.3.0
  • window-or-global^1.0.1
Optional dependencies6
  • @carbon/icons-react^11.33.0
  • lodash.pickby^4.6.0
  • prop-types^15.7.0
  • react^16.10.0 || ^17.0.0
  • react-dom^16.10.0 || ^17.0.0
  • react-redux^7.2.0