Gathering detailed insights and metrics for @contentful/f36-components
Gathering detailed insights and metrics for @contentful/f36-components
Installations
npm install @contentful/f36-componentsDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Node Version
20.19.1
NPM Version
10.8.2
Score
74.3
Supply Chain
23.9
Quality
93.2
Maintenance
100
Vulnerability
99.6
License
Releases
8,132
@contentful/f36-multiselect@4.26.2
@contentful/f36-multiselect@4.26.2
Updated on Jul 02, 2025
@contentful/f36-components@4.80.3
@contentful/f36-components@4.80.3
Updated on May 19, 2025
@contentful/f36-core@4.80.3
@contentful/f36-core@4.80.3
Updated on May 19, 2025
@contentful/f36-typography@4.80.3
@contentful/f36-typography@4.80.3
Updated on May 19, 2025
@contentful/f36-tooltip@4.80.3
@contentful/f36-tooltip@4.80.3
Updated on May 19, 2025
@contentful/f36-text-link@4.80.3
@contentful/f36-text-link@4.80.3
Updated on May 19, 2025
Languages
6
TypeScript
JavaScript
MDX
CSS
Handlebars
HTML
TypeScript (84.36%)
JavaScript (11.23%)
MDX (3.69%)
CSS (0.56%)
Handlebars (0.15%)
Developer
Download Statistics
Total Downloads
5,747,253
Last Day
414
Last Week
30,946
Last Month
136,480
Last Year
1,592,745
GitHub Statistics
MIT License
348 Stars
3,905 Commits
84 Forks
67 Watchers
58 Branches
323 Contributors
Updated on Jul 03, 2025
Bundle Size
520.77 kB
Minified
143.20 kB
Minified + Gzipped
Maintainers
4
Package Meta Information
Latest Version
4.80.4
Package Id
@contentful/f36-components@4.80.4
Unpacked Size
27.17 kB
Size
5.05 kB
File Count
11
NPM Version
10.8.2
Node Version
20.19.1
Published on
May 30, 2025
Total Downloads
Cumulative downloads
Total Downloads
5,747,253
Dependencies
38
@contentful/f36-accordion@contentful/f36-asset@contentful/f36-autocomplete@contentful/f36-avatar@contentful/f36-badge@contentful/f36-button@contentful/f36-card@contentful/f36-collapse@contentful/f36-copybutton@contentful/f36-core@contentful/f36-datepicker@contentful/f36-datetime@contentful/f36-drag-handle@contentful/f36-empty-state@contentful/f36-entity-list@contentful/f36-forms@contentful/f36-icon@contentful/f36-icons@contentful/f36-image@contentful/f36-header@contentful/f36-list@contentful/f36-menu@contentful/f36-modal@contentful/f36-navbar@contentful/f36-note@contentful/f36-notification@contentful/f36-pagination@contentful/f36-pill@contentful/f36-popover@contentful/f36-skeleton@contentful/f36-spinner@contentful/f36-table@contentful/f36-tabs@contentful/f36-text-link@contentful/f36-tokens@contentful/f36-tooltip@contentful/f36-typography@contentful/f36-utils
Peer Dependencies
4
Dev Dependencies
4
Forma 36 React Components
A React component library for the Forma 36 design system created by Contentful.
Table of contents
Installing package
1yarn add @contentful/f36-components
Or
1npm install @contentful/f36-components
Usage
Import desired component into your project
1import { Button } from '@contentful/f36-components';
Development
For local development, in the root of the repo run npm i to install all dependencies and then npm run-script build to build all packages.
This package depends on several other Forma 36 packages so you will need to build all of them.
Storybook
We use Storybook to create a development environment for our component library. To start it locally run:
1npm run-script storybook
When creating new component, before you start, please have a look at our contribution model for Forma 36.
Example component directory structure
A component's directory should resemble the following:
/my-component
/examples
/src
index.ts // A file for exporting your component
MyComponent.tsx // Your React component
MyComponent.test.tsx // Component tests
MyComponent.styles.ts // Component styles
/stories
# stories for storybook of each component inside the package
README.mdx
package.json
For more detailes you can have a look in document that describes folder structure in details.
If you use
npm run-script generatein the root of the repo, this structure will be created automatically for you
Code Style Guide
Component principles
We follow a number of principles when creating our components:
- A component is responsible for only its internal spacing
Component should only be responsible for its own internal spacing - never external spacing. This means that we're flexible in where our components can be used without having to override margins. The only outlier from this rule are typography components - they can manage their own margins. To handle margins and layout you can use our core components, like:
Adding documentation for component
We would like to make sure that every component contains a README file with recommendations and guidelines. Make sure that your documentation for the component contains following parts:
- A short summary of the component.
- Import - provide example how to import component.
- Examples - try to add couple of examples, both basic and more advanced, where component is used in the context with other components.
- Props (API reference) - Overview of properties
- Content guideliness - try to describe in best practices around content for your component
- Accessibility - If possible, we strongly recommend providing accessibility guidelines.
Testing
We are using Jest and Testing Library to test our components.
Tests are kept next to their components and use the .test.js file extension.
Run tests
1npm run-script test
It is recommended to run tests in development with the optional --watch flag.
1npm run-script test --watch
Building
We are using tsup and esbuild together with Microbundle to build our component library.
Each component builds to its own dist directory with:
index.d.ts– TypeScript type declaration fileindex.js– CJS (CommonJS)index.modern.mjs– Modern output (work in all modern browsers)index.module.js– legacy ESM (ES Modules) output (for bundlers)index.umd.js– legacy UMD (Universal Module Definition) output (for Node & CDN use)
Create a build of the library
1npm run-script build
Commits
This project uses the Angular JS Commit Message Conventions, via semantic-release. See the semantic-release Default Commit Message Format section for more details.
You can commit the changes by running
1npm run-script commit
No vulnerabilities found.
Reason
30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/contentful/.github/SECURITY.md:1
- Info: Found linked content: github.com/contentful/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/contentful/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/contentful/.github/SECURITY.md:1
Reason
Found 10/13 approved changesets -- score normalized to 7
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
- Warn: 'stale review dismissal' is disabled on branch 'main'
- Warn: required approving review count is 1 on branch 'main'
- Info: codeowner review is required on branch 'main'
- Warn: 'last push approval' is disabled on branch 'main'
- Info: status check found to merge onto on branch 'main'
- Info: PRs are required in order to make changes on branch 'main'
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-approve.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/auto-approve.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-cdn.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/deploy-cdn.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-cdn.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/deploy-cdn.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/remove-stale.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/remove-stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sast.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/sast.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sast.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/sast.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/size-limit.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/size-limit.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/size-limit.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/size-limit.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/contentful/forma-36/stale.yml/main?enable=pin
- Info: 0 out of 5 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 4 third-party GitHubAction dependencies pinned
- Info: 1 out of 1 npmCommand dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/auto-approve.yml:1
- Warn: no topLevel permission defined: .github/workflows/deploy-cdn.yml:1
- Warn: no topLevel permission defined: .github/workflows/remove-stale.yml:1
- Warn: no topLevel permission defined: .github/workflows/sast.yaml:1
- Warn: no topLevel permission defined: .github/workflows/size-limit.yml:1
- Warn: no topLevel permission defined: .github/workflows/stale.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Reason
34 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-pwfr-8pq7-x9qv
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-c59h-r6p8-q9wc
- Warn: Project is vulnerable to: GHSA-g77x-44xx-532m
- Warn: Project is vulnerable to: GHSA-7gfc-8cq8-jh5f
- Warn: Project is vulnerable to: GHSA-qpjv-v59x-3qc4
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
- Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
- Warn: Project is vulnerable to: GHSA-6g33-8w2q-4hxv
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-3mv9-4h5g-vhg3
- Warn: Project is vulnerable to: GHSA-mgfv-m47x-4wqp
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
5.2
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More