karma
Spectacular Test Runner for JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): The colors→@colors/colors swap is a well-known security-motivated migration to the community fork after the colors sabotage incident. This is a security improvement, not a risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is an intentional plugin-loading feature (formatError, config files) in karma's CLI. Stable pattern across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process.exec is used in the karma init wizard for browser detection — expected behavior for a test runner CLI tool. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a well-known package used for karma's proxy server feature; long-standing dependency appropriate for this use case. | ai | |
Versions (showing 51 of 145)
| Version | Deps | Published |
|---|---|---|
| 6.4.4 | 24 / 39 | |
| 6.4.3 | 24 / 39 | |
| 6.4.2 | 24 / 39 | |
| 6.4.1 | 24 / 39 | |
| 6.4.0 | 24 / 39 | |
| 6.3.20 | 24 / 39 | |
| 6.3.19 | 24 / 39 | |
| 6.3.18 | 24 / 39 | |
| 6.3.17 | 24 / 39 | |
| 6.3.16 | 24 / 39 | |
| 4.4.1 | 26 / 49 | |
| 4.4.0 | 26 / 49 | |
| 4.3.0 | 27 / 49 | |
| 4.2.0 | 27 / 49 | |
| 4.1.0 | 27 / 64 | |
| 4.0.1 | 27 / 64 | |
| 4.0.0 | 28 / 64 | |
| 3.1.4 | 28 / 64 | |
| 3.1.3 | 28 / 64 | |
| 3.1.2 | 27 / 65 | |
| 3.1.1 | 27 / 65 | |
| 3.1.0 | 28 / 64 | |
| 3.0.0 | 27 / 66 | |
| 2.0.5 | 27 / 66 | |
| 2.0.4 | 27 / 66 | |
| 2.0.3 | 27 / 67 | |
| 2.0.2 | 27 / 66 | |
| 2.0.0 | 28 / 64 | |
| 1.7.1 | 27 / 65 | |
| 1.7.0 | 27 / 65 | |
| 1.6.0 | 27 / 64 | |
| 1.5.0 | 27 / 64 | |
| 1.4.1 | 27 / 66 | |
| 1.4.0 | 27 / 66 | |
| 1.3.0 | 26 / 65 | |
| 1.2.0 | 25 / 65 | |
| 1.1.2 | 25 / 65 | |
| 1.1.1 | 25 / 65 | |
| 1.1.0 | 25 / 65 | |
| 1.0.0 | 25 / 63 | |
| 0.13.22 | 23 / 61 | |
| 0.13.21 | 23 / 61 | |
| 0.13.20 | 23 / 61 | |
| 0.13.19 | 22 / 57 | |
| 0.13.18 | 22 / 57 | |
| 0.13.17 | 22 / 57 | |
| 0.13.16 | 22 / 57 | |
| 0.13.15 | 22 / 57 | |
| 0.13.14 | 22 / 57 | |
| 0.13.13 | 22 / 57 | |
| 0.13.12 | 22 / 57 | |
v6.4.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.