devrafalko / webpack-karma-jasmine Goto Github PK

This package requires an old version of 'karma' (3.1.4) that requires 'set-value' with old version (2.0.0) which has vulnerability issue.
Updating the package to require the latest version of karma (4.2.0) will resolve the issue.

Thanks,
Michal.

There are a slew of problems that would punish an unwitting user simply for trying to follow the instructions in the readme.

To start, /sample/package.json has an outdated version pin:

    "webpack-karma-jasmine": "^2.0.1"

Whereas the latest version on npm is 3.0.0.

Next, when you run npm install in webpack-karma-jasmine/sample, you get;

npm WARN [email protected] requires a peer of webpack@^2.0.0 || ^3.0.0 but none is installed. You must install peer dependencies yourself.

and

found 6 vulnerabilities (1 low, 5 moderate)
run `npm audit fix` to fix them, or `npm audit` for details

Finally, npm test doesn't work at all:

> npm test

> [email protected] test /home/me/javascript/webpack-karma-jasmine/sample
> karma start

(node:9315) DeprecationWarning: Tapable.plugin is deprecated. Use new API on `.hooks` instead
ℹ ｢wdm｣: wait until bundle finished: noop
14 09 2018 21:26:28.072:ERROR [karma]: TypeError: Path must be a string. Received undefined
    at assertPath (path.js:28:11)
    at Object.join (path.js:1236:7)
    at Plugin.<anonymous> (/home/me/javascript/webpack-karma-jasmine/sample/node_modules/karma-webpack/lib/karma-webpack.js:274:66)
    at Plugin.readFile (/home/me/javascript/webpack-karma-jasmine/sample/node_modules/karma-webpack/lib/karma-webpack.js:294:5)
    at _combinedTickCallback (internal/process/next_tick.js:131:7)
    at process._tickCallback (internal/process/next_tick.js:180:9)
✖ ｢wdm｣: 
ERROR in chunk tests/spec_a [entry]
bundled.js
Conflict: Multiple chunks emit assets to the same filename bundled.js (chunks 0 and 1)
ℹ ｢wdm｣: Failed to compile.
npm ERR! Test failed.  See above for more details.

Sadly, updating the version pin in /sample/package.json to 3.0.0 does not really improve things, except that at least then the vulnerabilities are gone.

Currently in a package.json is post-install script:

"postinstall": "npm install karma-cli -g"

I presume that the local package should not try to install some other package globally. This is currently cause me some issues when I try to have this package in my build as it fails the npm install. I do not have permission to install something globally for all the users nor it is the best option. Is it possible to remove a global -g modifier?

Thank you.

Hi,

webpack-karma-jasmine depends on karma 4.2.0, which causes minimist 0.0.10 to be loaded. The chain is:
karma 4.2.0 -> optimist 0.6.1 -> minimist 0.0.10
This reports a security violation https://npmjs.com/advisories/1179 .
This is fixed in karma >= 5.0.0, which no longer depends on optimist. Is it possible to upgrade to karma 5.0.0?

Thanks