karma
Spectacular Test Runner for JavaScript.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): The colors→@colors/colors swap is a well-known security-motivated migration to the community fork after the colors sabotage incident. This is a security improvement, not a risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is an intentional plugin-loading feature (formatError, config files) in karma's CLI. Stable pattern across all versions. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process.exec is used in the karma init wizard for browser detection — expected behavior for a test runner CLI tool. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a well-known package used for karma's proxy server feature; long-standing dependency appropriate for this use case. | ai | |
Versions (showing 100 of 145)
| Version | Deps | Published |
|---|---|---|
| 6.4.4 | 24 / 39 | |
| 6.4.3 | 24 / 39 | |
| 6.4.2 | 24 / 39 | |
| 6.4.1 | 24 / 39 | |
| 6.4.0 | 24 / 39 | |
| 6.3.20 | 24 / 39 | |
| 6.3.19 | 24 / 39 | |
| 6.3.18 | 24 / 39 | |
| 6.3.17 | 24 / 39 | |
| 6.3.16 | 24 / 39 | |
| 4.4.1 | 26 / 49 | |
| 4.4.0 | 26 / 49 | |
| 4.3.0 | 27 / 49 | |
| 4.2.0 | 27 / 49 | |
| 4.1.0 | 27 / 64 | |
| 4.0.1 | 27 / 64 | |
| 4.0.0 | 28 / 64 | |
| 3.1.4 | 28 / 64 | |
| 3.1.3 | 28 / 64 | |
| 3.1.2 | 27 / 65 | |
| 3.1.1 | 27 / 65 | |
| 3.1.0 | 28 / 64 | |
| 3.0.0 | 27 / 66 | |
| 2.0.5 | 27 / 66 | |
| 2.0.4 | 27 / 66 | |
| 2.0.3 | 27 / 67 | |
| 2.0.2 | 27 / 66 | |
| 2.0.0 | 28 / 64 | |
| 1.7.1 | 27 / 65 | |
| 1.7.0 | 27 / 65 | |
| 1.6.0 | 27 / 64 | |
| 1.5.0 | 27 / 64 | |
| 1.4.1 | 27 / 66 | |
| 1.4.0 | 27 / 66 | |
| 1.3.0 | 26 / 65 | |
| 1.2.0 | 25 / 65 | |
| 1.1.2 | 25 / 65 | |
| 1.1.1 | 25 / 65 | |
| 1.1.0 | 25 / 65 | |
| 1.0.0 | 25 / 63 | |
| 0.13.22 | 23 / 61 | |
| 0.13.21 | 23 / 61 | |
| 0.13.20 | 23 / 61 | |
| 0.13.19 | 22 / 57 | |
| 0.13.18 | 22 / 57 | |
| 0.13.17 | 22 / 57 | |
| 0.13.16 | 22 / 57 | |
| 0.13.15 | 22 / 57 | |
| 0.13.14 | 22 / 57 | |
| 0.13.13 | 22 / 57 | |
| 0.13.12 | 22 / 57 | |
| 0.13.11 | 21 / 57 | |
| 0.13.10 | 22 / 57 | |
| 0.13.9 | 22 / 52 | |
| 0.13.8 | 22 / 52 | |
| 0.13.7 | 22 / 52 | |
| 0.13.6 | 22 / 52 | |
| 0.13.5 | 22 / 52 | |
| 0.13.4 | 22 / 52 | |
| 0.13.3 | 22 / 51 | |
| 0.13.2 | 22 / 51 | |
| 0.13.1 | 22 / 51 | |
| 0.13.0 | 22 / 51 | |
| 0.12.37 | 17 / 46 | |
| 0.12.36 | 17 / 44 | |
| 0.12.35 | 17 / 44 | |
| 0.12.34 | 17 / 44 | |
| 0.12.33 | 17 / 44 | |
| 0.12.32 | 19 / 44 | |
| 0.12.31 | 17 / 40 | |
| 0.12.30 | 17 / 40 | |
| 0.12.29 | 17 / 40 | |
| 0.12.28 | 17 / 40 | |
| 0.12.27 | 17 / 40 | |
| 0.12.26 | 17 / 40 | |
| 0.12.25 | 17 / 40 | |
| 0.12.24 | 17 / 40 | |
| 0.12.23 | 17 / 40 | |
| 0.12.22 | 17 / 40 | |
| 0.12.21 | 17 / 40 | |
| 0.12.20 | 17 / 40 | |
| 0.12.19 | 17 / 40 | |
| 0.12.18 | 17 / 40 | |
| 0.12.17 | 17 / 40 | |
| 0.12.16 | 17 / 40 | |
| 0.12.15 | 17 / 40 | |
| 0.12.14 | 17 / 40 | |
| 0.12.13 | 17 / 40 | |
| 0.12.12 | 17 / 40 | |
| 0.12.11 | 17 / 40 | |
| 0.12.10 | 17 / 40 | |
| 0.12.9 | 17 / 40 | |
| 0.12.8 | 17 / 40 | |
| 0.12.7 | 17 / 40 | |
| 0.12.6 | 17 / 40 | |
| 0.12.5 | 17 / 40 | |
| 0.12.4 | 17 / 40 | |
| 0.12.3 | 17 / 40 | |
| 0.12.2 | 17 / 40 | |
| 0.12.1 | 17 / 40 | |
v6.4.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.