karma-webpack
Use webpack with karma
Supply chain provenance
Status for the latest visible version (5.0.1): published without Sigstore/SLSA provenance.
Without SLSA provenance there is no cryptographic link between this tarball and a build of the public source: a tarball pushed from a compromised or handed-over maintainer account is indistinguishable from a legitimate release, and the publisher-change findings listed below cannot be tied back to a repository commit. The axios compromise (March 2026) relied on exactly this gap. Provenance is opt-in on npm (the maintainer publishes from a supported CI runner with `npm publish --provenance`); for an installed tree, `npm audit signatures` verifies whatever attestations the registry holds.
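The two registry-side checks this section relies on (no provenance attestation; a different publishing account than the previous release) can be reproduced from the package's registry metadata alone. The script below is an added example, not code from karma-webpack or from the scanner behind this page. It runs over a constructed, trimmed-down npm packument (the JSON that `GET https://registry.npmjs.org/<name>` returns); the package name, account names and dates in it are made up so that every branch is exercised, including a backport that is newest by publish date but not by semver.

```javascript
// Added example, not code from karma-webpack or from this page's scanner.
// Replays two checks against an npm "packument" (the registry JSON for a package):
//   1. which versions carry Sigstore/SLSA provenance (dist.attestations.provenance)
//   2. where the publishing account (_npmUser.name) changed between releases
// SAMPLE_PACKUMENT is a constructed, trimmed sample; real packuments carry many
// more fields. Only `versions`, `time`, `_npmUser` and `dist.attestations` are used.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '5.0.2' },
  time: {
    '4.0.2': '2019-06-08T10:00:00.000Z',
    '5.0.0': '2021-02-02T10:00:00.000Z',
    '5.0.1': '2024-02-01T10:00:00.000Z',
    '5.0.2': '2024-06-01T10:00:00.000Z',
    '4.0.3': '2024-07-01T10:00:00.000Z', // backport: newest by date, not by semver
  },
  versions: {
    '4.0.2': { version: '4.0.2', _npmUser: { name: 'alice' }, dist: {} },
    '5.0.0': { version: '5.0.0', _npmUser: { name: 'bob' }, dist: {} },
    '5.0.1': { version: '5.0.1', _npmUser: { name: 'carol' }, dist: {} },
    '5.0.2': {
      version: '5.0.2',
      _npmUser: { name: 'carol' },
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@5.0.2',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '4.0.3': { version: '4.0.3', _npmUser: { name: 'alice' }, dist: {} },
  },
};

// Release order by publish timestamp from the `time` map, not by semver:
// a backport to an old release line can be the most recent publish event,
// and "previous version" in the publisher check means previous by time.
function versionsInPublishOrder(packument) {
  return Object.keys(packument.versions)
    .filter((v) => typeof packument.time?.[v] === 'string')
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

// Check 1: versions whose dist metadata carries no provenance attestation.
// Presence of dist.attestations only means the registry holds an attestation;
// `npm audit signatures` is what actually verifies it against Sigstore.
function findProvenanceGaps(packument) {
  return versionsInPublishOrder(packument).filter(
    (v) => !packument.versions[v].dist?.attestations?.provenance,
  );
}

// Check 2: publishing account changed relative to the previously published
// version. A change is a prompt to verify out of band (repository history,
// org membership), not proof of compromise; the reviewer's verdict on each
// such change is what the "Accepted risks" table on this page records.
function findPublisherChanges(packument) {
  const order = versionsInPublishOrder(packument);
  const changes = [];
  for (let i = 1; i < order.length; i++) {
    const from = packument.versions[order[i - 1]]._npmUser?.name ?? null;
    const to = packument.versions[order[i]]._npmUser?.name ?? null;
    if (from !== to) {
      changes.push({
        version: order[i],
        from,
        to,
        publishedAt: packument.time[order[i]].slice(0, 10),
      });
    }
  }
  return changes;
}

// Stand-alone run over the sample. To run against the real registry, replace
// SAMPLE_PACKUMENT with the parsed body of `curl -s https://registry.npmjs.org/karma-webpack`.
for (const v of findProvenanceGaps(SAMPLE_PACKUMENT)) {
  console.log(`${v}: published without Sigstore provenance`);
}
for (const c of findPublisherChanges(SAMPLE_PACKUMENT)) {
  console.log(`${c.version}: publisher changed ${c.from} -> ${c.to} on ${c.publishedAt}`);
}
```

Ordering by the `time` map rather than by version string matters for the publisher check: sorted by semver, the sample's `4.0.3` backport would be compared with `4.0.2` and the hand-back from `carol` to `alice` would be attributed to the wrong neighbour.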
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:webpack-dev-middleware | AI (phantom-deps): webpack-dev-middleware is a core dependency for karma-webpack's functionality; phantom detection reflects indirect usage pattern. | ai | |
| phantom-deps | phantom-dep:neo-async | AI (phantom-deps): neo-async is a standard webpack ecosystem dependency used indirectly via webpack internals; phantom detection reflects indirect usage pattern, not a security concern. | ai | |
| phantom-deps | phantom-dep:clone-deep | AI (phantom-deps): clone-deep is a well-known utility; phantom detection reflects indirect usage in webpack-contrib tooling, not a security concern. | ai | |
| phantom-deps | phantom-dep:schema-utils | AI (phantom-deps): schema-utils is a standard webpack-contrib dependency used indirectly; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): source-map is a standard webpack ecosystem dependency; indirect usage is expected in this package. | ai | |
| phantom-deps | phantom-dep:loader-utils | AI (phantom-deps): loader-utils is a standard webpack-contrib dependency; indirect usage is expected in this package. | ai | |
| dependencies | unvetted-dep:webpack-merge | AI (dependencies): webpack-merge is a well-known, widely-used package from the webpack-contrib org; stable false positive for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ryanclark is a webpack-contrib org member with 41 approved packages; transition is consistent with webpack-contrib maintainership patterns. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Cleanup of inactive maintainers during webpack-contrib org consolidation; new publisher is a trusted core maintainer. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package was stable at v5.0.0; dormancy reflects stability, not abandonment. New publisher is a known webpack-contrib maintainer. | ai | |
| provenance | publisher-changed | AI (provenance): evilebottnawi (Alexander Akait) is a core webpack-contrib maintainer; transition from ryanclark is a legitimate org-level handoff. | ai | |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 5.0.1 | 3 / 31 | |
| 5.0.0 | 3 / 35 | |
| 4.0.2 | 6 / 32 | |
| 4.0.1 | 6 / 32 | |
| 4.0.0 | 6 / 32 | |
| 3.0.5 | 6 / 20 | |
| 3.0.4 | 6 / 20 | |
| 3.0.3 | 6 / 20 | |
| 3.0.2 | 6 / 20 | |
| 3.0.1 | 6 / 20 | |
| 3.0.0 | 6 / 20 | |
| 2.0.13 | 6 / 20 | |
| 2.0.12 | 5 / 21 | |
| 2.0.11 | 5 / 20 | |
| 2.0.10 | 5 / 20 | |
| 2.0.9 | 5 / 24 | |
| 2.0.8 | 5 / 24 | |
| 2.0.7 | 5 / 24 | |
| 2.0.6 | 5 / 24 | |
| 2.0.5 | 5 / 24 | |
| 2.0.4 | 5 / 24 | |
| 2.0.3 | 5 / 24 | |
| 2.0.2 | 5 / 24 | |
| 2.0.1 | 5 / 27 | |
| 2.0.0 | 5 / 27 | |
| 1.8.1 | 5 / 27 | |
| 1.8.0 | 5 / 27 | |
| 1.7.0 | 5 / 5 | |
| 1.6.0 | 5 / 5 | |
| 1.5.1 | 5 / 4 | |
| 1.5.0 | 4 / 4 | |
| 1.4.0 | 3 / 4 | |
| 1.3.1 | 1 / 3 | |
| 1.3.0 | 1 / 3 | |
| 1.2.2 | 1 / 3 | |
| 1.2.1 | 1 / 3 | |
| 1.1.0 | 1 / 3 | |
| 1.0.2 | 1 / 2 | |
| 1.0.1 | 1 / 2 | |
| 1.0.0 | 1 / 2 |
v5.0.1
2 findings
This version was published by a different npm account than previous versions on 2024-02-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-02-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.2
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-06-07. This could indicate a legitimate maintainer transition or an account compromise.