{"id":14990386,"url":"https://github.com/sage/carbon","last_synced_at":"2026-03-02T13:21:48.208Z","repository":{"id":37410148,"uuid":"41923638","full_name":"Sage/carbon","owner":"Sage","description":"Carbon by Sage | ReactJS UI Component Library","archived":false,"fork":false,"pushed_at":"2026-02-06T17:00:27.000Z","size":213116,"stargazers_count":297,"open_issues_count":38,"forks_count":86,"subscribers_count":69,"default_branch":"master","last_synced_at":"2026-02-06T18:24:31.097Z","etag":null,"topics":["carbon","component-library","react","reactjs","ui-components","webcomponents"],"latest_commit_sha":null,"homepage":"https://carbon.sage.com","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Sage.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG-OLD.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/roadmap.mdx","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2015-09-04T15:35:11.000Z","updated_at":"2026-02-06T09:40:52.000Z","dependencies_parsed_at":"2026-01-16T11:08:53.323Z","dependency_job_id":null,"html_url":"https://github.com/Sage/carbon","commit_stats":{"total_commits":14637,"total_committers":163,"mean_commits":89.79754601226993,"dds":0.8995012639202022,"last_synced_commit":"46bef81c8daf1e6a1ad7cea270be1237ad35adaa"},"previous_names":[],"tags_count":1861,"template":false,"template_full_name":null,"purl":"pkg:github/Sage/carbon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sage%2Fcarbon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sage%2Fcarbon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sage%2Fcarbon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sage%2Fcarbon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Sage","download_url":"https://codeload.github.com/Sage/carbon/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Sage%2Fcarbon/sbom","scorecard":{"id":124941,"data":{"date":"2025-08-11","repo":{"name":"github.com/Sage/carbon","commit":"9c0a320cd4ccccd7ea882bdfb0a49f20309e31f9"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":7,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":6,"reason":"Found 10/15 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/chromatic-push.yml:1","Warn: no topLevel permission defined: .github/workflows/chromatic.yml:1","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/forked-ci.yml:1","Warn: no topLevel permission defined: .github/workflows/playwright.yml:1","Warn: no topLevel permission defined: .github/workflows/pr.yml:1","Warn: no topLevel permission defined: .github/workflows/semantic-commit-lint.yml:1","Warn: no topLevel permission defined: .github/workflows/semantic-release.yml:1","Warn: no topLevel permission defined: .github/workflows/storybook.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":4,"reason":"dependency not pinned by hash detected -- score normalized to 4","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/chromatic-push.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic-push.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/chromatic-push.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic-push.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/chromatic-push.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic-push.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/chromatic.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/chromatic.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/chromatic.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/chromatic.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/codeql-analysis.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/forked-ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/forked-ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/playwright.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/pr.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-commit-lint.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-commit-lint.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-commit-lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-commit-lint.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-release.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/semantic-release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/storybook.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/storybook.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/storybook.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/storybook.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/storybook.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/Sage/carbon/storybook.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:88","Info:   0 out of  33 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:  10 out of  11 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/semantic-release.yml:14"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (25) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T03:34:03.309Z","repository_id":37410148,"created_at":"2025-08-16T03:34:03.309Z","updated_at":"2025-08-16T03:34:03.309Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29299527,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T12:55:56.056Z","status":"ssl_error","status_checked_at":"2026-02-10T12:55:55.692Z","response_time":65,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["carbon","component-library","react","reactjs","ui-components","webcomponents"],"created_at":"2024-09-24T14:20:01.480Z","updated_at":"2026-02-10T13:00:43.957Z","avatar_url":"https://github.com/Sage.png","language":"TypeScript","readme":"# Carbon [![npm](https://img.shields.io/npm/v/carbon-react.svg)](https://www.npmjs.com/package/carbon-react) [![Playwright](https://github.com/Sage/carbon/actions/workflows/playwright.yml/badge.svg)](https://github.com/Sage/carbon/actions/workflows/playwright.yml)\n\nCarbon is a [React](https://react.dev/) component library developed by Sage.\n\n## Getting started\n\nOur [getting started guide](https://carbon.sage.com/?path=/docs/getting-started-installation--docs) provides instructions on how to install and use the Carbon library.\n\n## Examples\n\nSee our [docs](https://carbon.sage.com/) for live examples.\n\n## Browser Support\n\nWe support and test the Carbon Library against the latest versions of the following browsers:\n\n- [Chrome](https://www.google.com/chrome/)\n- [Firefox](https://www.mozilla.org/firefox/)\n- [Safari](https://www.apple.com/safari/)\n- [Edge](https://www.microsoft.com/windows/microsoft-edge)\n\nWe provide polyfills for the latest two versions of each of these browsers to give a grace period to update.\n\n## Versioning\n\nWe follow [Semantic Versioning](https://semver.org/) and we use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/).\n\nWhile we make every effort to avoid breaking changes, sometimes they are necessary. We choose to take an overly cautious\napproach to breaking changes. That is we will mark something as a breaking change, even if it is extremely unlikely to affect any consumers.\n\nWe choose to make frequent but small breaking changes to give you the choice of making small incremental updates or by jumping multiple versions\nin one upgrade. Ultimately the amount of breaking changes is the same, but version number increases more frequently.\n\nWe will batch breaking changes into a single version if there is a technical reason why we can't make a small breaking change, or if the impact is extraordinarily low.\n\nWe publish release notes that include the necessary upgrade steps. We also publish a codemod when possible, this will update your code to work with the new version.\n\nFor more information please see the [GitHub releases](https://github.com/Sage/carbon).\n\n## Contributing\n\nRead our [contributing guide](CONTRIBUTING.md) to learn about our development process, how to suggest bugfixes and raise issues.\n\n## Thanks\n\n\u003ca href=\"https://www.chromatic.com/\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/321738/84662277-e3db4f80-af1b-11ea-88f5-91d67a5e59f6.png\" width=\"153\" height=\"30\" alt=\"Chromatic\" /\u003e\u003c/a\u003e\n\nThanks to [Chromatic](https://www.chromatic.com/) for providing the visual testing platform that helps us review UI changes and catch visual regressions.\n\n## Licence\n\nCarbon is licensed under the [Apache-2.0 licence](LICENSE).\n\nCopyright (c) 2018-2026 Sage Group Plc. All rights reserved.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsage%2Fcarbon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsage%2Fcarbon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsage%2Fcarbon/lists"}