testacular
This project has been renamed to Karma.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:adapter/lib/require.js | AI (source-diff): File is a vendored copy of RequireJS 2.1.1 (MIT/BSD license, Dojo Foundation). Network loading and eval/exec are core RequireJS functionality, not malware indicators. | ai | |
| source-diff | net-exec-file:adapter/lib/angular-scenario.js | AI (source-diff): Network + code execution pattern in angular-scenario.js is standard jQuery/Angular framework behavior (AJAX + JSON eval fallback), not dropper/loader malware. | ai | |
| source-diff | obfuscated-file:adapter/lib/angular-scenario.js | AI (source-diff): angular-scenario.js is the standard minified AngularJS scenario runner adapter bundled with jQuery. Minification is expected; this is not obfuscation or malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): mime and log4js are well-established, benign packages entirely consistent with a test runner's needs (file serving and logging). No malicious history. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this established package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in adapter/lib/require.js is part of a browser-side CommonJS module loader (req.exec pattern), intentional and documented with jslint comment. Not a supply-chain risk for this test runner. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a legitimate reverse proxy library; its use in a browser test runner that proxies connections is expected and appropriate. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require() in bundled Mocha adapter is standard module resolution code, not arbitrary code loading. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in bundled angular-scenario.js is a well-known JSON parse fallback pattern in older Angular code, not a malware indicator. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Testacular/Karma is a browser test runner; spawning child processes to launch browsers is core functionality, not a security risk. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script runs 'node show-deprecated.js' — a benign deprecation notice telling users to migrate to the 'karma' package. This is the intended behavior of this tombstone package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Signals (no deps, tiny payload, minimal README) are all expected for a legitimate deprecation stub package published by the original trusted maintainer. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop is intentional: testacular was renamed to karma, and this version is a deliberate minimal stub/redirect with no runtime deps by design. | ai | |
Versions (showing 24 of 24)
| Version | Deps | Published |
|---|---|---|
| 0.6.1 | 19 / 13 | |
| 0.6.0 | 19 / 13 | |
| 0.5.10 | 19 / 13 | |
| 0.5.9 | 19 / 13 | |
| 0.5.8 | 19 / 12 | |
| 0.5.7 | 17 / 12 | |
| 0.5.6 | 17 / 5 | |
| 0.5.5 | 15 / 5 | |
| 0.5.4 | 15 / 6 | |
| 0.5.3 | 14 / 6 | |
| 0.3.8 | 8 / 3 | |
| 0.1.1 | 6 / 3 | |
| 0.1.0 | 6 / 3 | |
| 0.0.17 | 5 / 3 | |
| 0.0.16 | 5 / 3 | |
| 0.0.15 | 2 / 3 | |
| 0.0.14 | 2 / 3 | |
| 0.0.13 | 2 / 3 | |
| 0.0.12 | 2 / 3 | |
| 0.0.11 | 2 / 3 | |
| 0.0.10 | 2 / 3 | |
| 0.0.9 | 2 / 3 | |
| 0.0.8 | 2 / 3 | |
| 0.0.7 | 1 / 3 | |
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.