
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
@procore/core-react
Advanced tools
A set of React components implementing the design system spec.
Node 16+ YARN 4+
Install @procore/core-react from NPM.
yarn add @procore/core-react
Install the peer dependencies.
yarn add styled-components @procore/globalization-toolkit react-beautiful-dnd react react-dom
Install the optional peer dependencies if necessary.
yarn add formik
Core React's styled components handle all style inclusion except for two cases:
*,
::after,
::before {
box-sizing: border-box;
}
font-family: Inter, 'Noto Sans JP', 'Noto Sans KR', 'Noto Sans SC',
'Noto Sans TC', Arial, sans-serif;
Named imports support tree shaking and types.
import { Button, ButtonProps } from '@procore/core-react'
import { Cog } from '@procore/core-icons'
export function ButtonCustom(props: ButtonProps) {
return <Button {...props} icon={<Cog />} />
}
If your app renders interactive content inside an open shadow root (for example, micro-frontend content in a custom element), enable React Aria shadow-DOM focus traversal for core-react at app bootstrap.
This ensures focus containment and tab order can move through shadow-root content for components that use React Aria focus management, like Tearsheet, Modal, and overlays.
import { enableShadowDOM } from '@procore/core-react'
enableShadowDOM()
Call this once before mounting your app. The call is idempotent, and each application using its own core-react instance should invoke it during bootstrap.
To get started, type the following from the project root directory:
yarn
All commands below will be ran in the package directory:
cd packages/core-react
We use Storybook to develop. Stories are broken into two categories, Demos for interactions and Coverage for displaying variants.
yarn storybook
Testing currently consists of Jest snapshots and React Testing Library tests.
yarn test
Additional testing includes Visual Regression Testing (VRT) that is ran in CI, which compares pixel snapshots of Storybook Coverage stories.
yarn build
Bug reports and pull requests are welcome on GitHub at https://github.com/procore/core. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
In lieu of a formal styleguide, we use husky to create a precommit hook, which executes lint-staged to automatically format any git staged files using prettier.
The package is available under the Procore Developers License

Procore - building the software that builds the world.
Learn more about the #1 most widely used construction management software at procore.com
FAQs
React library of Procore Design Guidelines
The npm package @procore/core-react receives a total of 2,691 weekly downloads. As such, @procore/core-react popularity was classified as popular.
We found that @procore/core-react demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 308 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.