
[Snyk] Security upgrade karma from 2.0.3 to 3.0.0 #132

Open
wants to merge 1 commit into
base: master

Conversation

Omrisnyk
Owner

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • large-file/package.json
    • large-file/package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
  Severity:         medium
  Priority Score:   67/1000 (*)
  Issue:            Regular Expression Denial of Service (ReDoS), SNYK-JS-AXIOS-6124857
  Breaking Change:  Yes
  Exploit Maturity: Proof of Concept

  Why 67/1000? Confidentiality impact: None, Integrity impact: None, Availability impact: Low, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: Medium, Package Popularity Score: 99, Impact: 2.35, Likelihood: 2.83, Score Version: V5

(*) Note that the real score may have changed since the PR was raised.

Release notes
Package name: karma
  • 3.0.0 - 2018-08-09

    Bug Fixes

    • config: wait 20s for browser activity. (#3087) (88b977f)
    • config: Wait 30s for browser activity per Travis. (#3091) (f6d2f0e)
    • init: add "ChromeHeadless" to the browsers' options (#3096) (56fda53)
    • server: Exit clean on unhandledRejections. (#3092) (02f54c6), closes #3064
    • travis: Up the socket timeout 2->20s. (#3103) (732396a), closes #3102
    • travis: use the value not the key name. (#3097) (90f5546)
    • travis: validate TRAVIS_COMMIT if TRAVIS_PULL_REQUEST_SHA is not set. (#3094) (fba5d36)
    • travis: Validate TRAVIS_PULL_REQUEST_SHA rather than TRAVIS_COMMIT. (#3093) (a58fa45)

    BREAKING CHANGES

    Drop Support for Nodejs4 (#3082)

  • 2.0.5 - 2018-07-24

    Bug Fixes

    • remove circular reference in Browser (518cb11), closes #3075
    • browser: ensure browser state is EXECUTING when tests start (#3074) (dc7265b), closes #1640
    • doc: Document release steps for admins (#3063) (a701732)
    • middleware: Obey the Promise API. (93ba05a)
    • server: pass bound port to preventEADDRINUSE issue. (#3065) (850a90b)

    Features

    • preprocessor: Allow preprocessor to handle binary files (#3054) (7b66e18)
  • 2.0.4 - 2018-06-21

    Bug Fixes

    • deps: remove babel-core and babel call in wallaby. (#3044) (7da8ca0)
    • events: bind emitters with for..in. (#3059) (b99f03f), closes #3057
    • launcher: Only markCaptured browsers that are launched. (#3047) (f8f3ebc)
    • server: actually call start(). (#3062) (40d836a)
    • server: Resurrect static function Server.start() lost in 2.0.3 (#3055) (c88ebc6)
  • 2.0.3 - 2018-06-15

    Bug Fixes

    • BaseReporter: log message correctly with just one browser (#3045) (c1eb236)
    • browser: don't add already active socket again on reconnect (37a7958)
    • browser: filter browser logging by level (35965d9), closes #2228
    • browser: nicer "disconnect" - no more "Disconnectedundefined" (a987d63)
    • build: pin npm version in appveyor to v3, compat with node 4 (#2983) (bc1453e)
    • ci: Repaired AppVeyor for Node.js@0.12 (cbfd98c)
    • cli: override if an arg is defined multiple times (31eb2c2), closes #1192
    • cli: print UserAgent string verbatim if from an unknown browser (9d97226)
    • cli: restore shell completion in the npm package (f56b5a5), closes #2351
    • cli: Use bin field in package.json (6823926), closes #1351
    • client: add ES5 shim (14c30b7), closes #1529
    • client: add proxy support to stringify (be10116)
    • client: does not throw an error for non DOM object that has tagName property (ba55afb), closes #2139
    • client: don't crash if receive array-like results (e095411), closes #2061
    • client: dynamic protocol for socket.io (c986eef), closes #1400
    • client: Fix stringify serializing objects (0d0972a)
    • client: Revert back to old reloading detection (f1c22d6), closes #1656
    • client: serialise DOM objects (1f73be4), closes #1106
    • client: Update location detection for socket.io (7a23fa5)
    • client: Use supported shim path. (184f12e)
    • client: Wait for childwindow to load (c1bb15a)
    • client: Wait for iframe to be loaded (1631474), closes #1652
    • client.html: always open debug.html in a new browser process (d176bcf)
    • common: fix AppVeyor build (6c5e7d0)
    • common: more detailed info about error (424aacc)
    • common: Proxy function toString does not contain Proxy. (4fb3484)
    • common: stringify error on 'Cannot convert a Symbol value to a string' (#2990) (65b658a), closes #2856
    • config: #1113 Watching is not working properly on linux (c91ffbc)
    • config: add crossOriginAttribute config option (1e465b1)
    • config: Call debug log methods after setting the loglevel based upon config/cli-options. (a340dae)
    • config: Call debug log methods after setting the loglevel based upon config/cli-options. (99fd3f0)
    • config: corrects spelling in example config template (9fafc60)
    • config: Default remaining client options if any are set (632dd5e), closes #961
    • config: Error when browsers option isn't array (b695460)
    • config: Log the final config just before use. (#3041) (05dd09a)
    • config: Retry install with appveyor-retry. (17d5791)
    • config: Workaround npm 5.4 windows bug (ec47d81)
    • context: Updated postMessage listener to stop validating non-Karma messages (306e565)
    • debug-runner: support asynchronous tests in the debug runner (a36f3eb), closes #2811
    • deps: freeze socket.io version (73e300d)
    • deps: Update dependencies (b9a4ce9), closes #1410
    • deps: Update log4js in package.json (#2996) (667b47e)
    • deps: update socket.io to version 2.0.3. (3b7b019), closes #2821 #2777
    • deps: Upgrade connect 3. (b490985), closes #1410
    • docs: fix stopper.stop wrong variable name. closes #2244 (0745a00)
    • docs: Remove mention of pre 1.0.0 version (#3010) (6847ca0)
    • eslint: Fix formatting for the new ESLint 1.8.0 (dc1bbab)
    • executor: ensure run_complete is emitted last (9c894f9), closes #2210
    • file_list: follow symlinks (ee26748)
    • file_list: Incorrect response after remove and add file (0dbc020)
    • file-list: always use file from first matcher (74bfdf3)
    • file-list: Ensure autowatchDelay is working (0f33268), closes #1520
    • file-list: Ensure autowatchDelay is working. (655599a), closes #1520
    • file-list: Ensure files are sorted and unique (9dc5f8b), closes #1498 #1499
    • file-list: ensure patterns are comparable (4d1bf3e), closes #2194
    • file-list: Normalize glob patterns (fb841a7), closes #1494
    • file-list: refresh resolves before 'file_list_modified' event (65f1eca), closes #1550
    • file-list: Stop polluting global environment with core-js (0988022)
    • file-list: Use correct find function (4cfaae9)
    • file-list: use lodash find() (3bd15a7), closes #1533
    • file-list: Use modified throttle instead of debounce (cb2aafb), closes #1545
    • files: Ignore included:false pattern (db42a7f), closes #1530
    • flaky-test: Add time to beforeEach() to allow plugins to load on first pass. (#3025) (31d9a08)
    • helper: Ensure browser detection is handled in the unknown case (9328f67)
    • helper: Patched replaceWinPath from choking on null values (caa4d21)
    • init: fix test-main.(js/coffee) generation (d8521ef), closes #1120 #896
    • init: Make the requirejs config template normalize paths (54dcce3), closes /github.com/karma-runner/karma/issues/513#issuecomment-48616784
    • karma: Escape quotes for file names. This fixes issue #1876. (9dff3f3)
    • launcher: Allow dynamic browser launches (2b7d703)
    • launcher: Continue with exit when SIGKILL fails (1eaccb4)
    • launcher: exclude concurrent browser on launcher restart (96f8f14), closes #2280
    • launcher: send sigkill on timeout when force killing (c615c1f)
    • launchers: Listen to the correct error event. (45a6922)
    • lint: exempt built files (#3024) (bc9acd3)
    • logging: Summarize SKIPPED tests in debug.html. (a01100f), closes #1111
    • logging: Upgrade to log4js 2.x API. (#2868) (f6f8707), closes #2858
    • middleware: Actually serve the favicon. (f12db63)
    • middleware: add file type to absolute urls (bd1f799)
    • middleware: avoid using deprecated Buffer API (018e6be), closes /nodejs.org/api/deprecations.html#deprecations_dep0005
    • middleware: change to use vanilla for loop (ac62cc0), closes #2671
    • middleware: Correct spelling of middleware logger name (9e9e7e6)
    • middleware: does not work with mootools (#2591) (2685e13)
    • middleware: ensure Range headers adhere more closely to RFC 2616 (8b1b4b1), closes #2310
    • middleware: fix WARN log when passing undefined error handler to promise.then (20b87de), closes #2227
    • middleware: Inject config.urlRoot. (569ca0e), closes #1516
    • middleware: update Buffer usage (3d94b8c)
    • package.json: sinon-chai 2.13 is not compatible with sinon 4.x (#2977) (e095b05)
    • preprocessor: Better handling of failing preprocessors (a2376b8), closes #1521
    • preprocessor: calculate sha1 on content returned from a preprocessor (6cf7955), closes #1204
    • preprocessor: Directory names with dots (4b5e094)
    • preprocessor: Improve handling of failed preprocessors (e726d1c), closes #1521
    • preprocessor: Lookup patterns once invoked (00a2781), closes #1340
    • preprocessor: renamed handeFile to readFileCallback (92a8c81)
    • preprocessor: retry if fs.readFile fails (4b60513)
    • preprocessor: Throw error if can't open file (bb4edde)
    • preprocessor: throw if retry fails (2789bf5)
    • preprocessor: treat *.gz files as binary (1b56932)
    • preprocessor: treat *.swf files as binary (62d7d38)
    • preprocessor: treat *.tgz, *.tbz2, *.txz & *.xz as binary (7b64244)
    • proxy: More useful proxyError log message (96640a7)
    • proxy: Pass protocol in target object to enable https requests (142db90)
    • proxy: Port mixup and infinite loop (05616a2), closes #1987
    • proxy: proxy to correct port (a483636)
    • reporter: Better handling of non string error (82f1c12), closes #1969 #1988
    • reporter: Disable source maps for URLs without line number (2080221), closes #1274
    • reporter: do not allow URL domains to span new lines (2c13404)
    • reporter: Enable sourcemaps for errors that without column # (086a542)
    • reporter: Ensure errors use the source map. (0407a22), closes #1495
    • reporter: Fix issue causing error stack not to be parsed correctly (ac4e1a9), closes #2930
    • reporter: inject correct config option (80bd726)
    • reporter: keep users exact formatError result (17c2c43)
    • reporter: preserve base/absolute word in error (b3798df)
    • reporter: remove console.log (b4e3694)
    • reporter: show file path correctly when urlRoot specified (34dc7d3), closes #2897
    • reporter: sourcemap not working in windows (a9516af), closes #1200
    • reporter: strip only hostname/port (fbbeccf), closes #2209
    • reporters: cannot read property map of undefined (305df2c), closes #1662
    • reporters: Fix results not being reported (6303566)
    • reporters: Revert the backwards-incompatible log priority order changes (316b944), closes #2582
    • reporters: Throwing error without losing stack trace (8a515ae)
    • runner: Fix typo in CSS class name for .idle (fc5a7ce)
    • runner: Make process kill timeout configurable (ffaa054), closes #2447
    • runner: Make process kill timeout configurable - Fix Build (a128e5c), closes #2447
    • runner: Merge config.client.args with client.args provided by run (91de383), closes #1746
    • runner: Remove null characters from terminal output (3481500), closes #1343
    • runner: Test process kill timeout config (99a1d48), closes #2447
    • runner: Wait for file list refresh to finish before running (94cddc0)
    • server: check available port before start server (fix #1476, fix #3011) (a19b8d4)
    • server: complete acknowledgment (f4144b0)
    • server: exit with code 1 when failing due to missing browser (86e2ef2), closes #2403
    • server: Force clients disconnect on Windows (28239f4), closes #1109
    • server: Handle new socket.io internal format. (3ab78d6), closes #1782
    • server: log browser messages to the terminal (d1f924c), closes #2187
    • server: Remove Socket.IO listeners (c3f05ef), closes #2980
    • server: Start webserver and browsers after preprocessing completed (e0d2d23)
    • server: switch to sync write (6ec74ee)
    • server: Update timers for limited execution environments (9cfc1cd), closes #1519
    • socket.io: Force 0.9.16 which works with Chrome (840ee5f)
    • stringify: guard Symbol from IE (#3023) (538081c)
    • invalid characters in the headers on Node 5.6.0 (152337d)
    • test: locale in Expire header (db04cf0), closes #1741
    • test: update bundleResource test timeout (#3038) (d6060d4)
    • travis_ci: converted node versions as string (25ee6fc)
    • filter browser logging by level of LOG (89a7a1c), closes #2228
    • updater: Fix time unit on screen display from 'ms' to 'seconds'. (f39dd04)
    • a missed argument in a debug message (#3009) (af8c6e4)
    • Add crossorigin attribute to script HTML tags (5690ffe)
    • add emscripten memory image as binary suffix (f6b2b56)
    • call .resume to prevent browser output streams filling up (107cd02)
    • catch exceptions from SourceMapConsumer (5d42e64)
    • Change timing on test (0cb6204)
    • ignore jsVersion configuration property in Firefox 59+ (2694d54), closes #2957
    • make window.parent.karma available in debugged context (3e7eaeb)
    • Merge config child nodes on config.set() (65b688a), closes karma-runner/grunt-karma#165 karma-runner/grunt-karma#166
    • Remove inadvertently added dependency to mock-fs (ad5f6b5)
    • remove support of jsVersion configuration property (#3002) (2bb4e36), closes #2911
    • restore backward compatibility for karma@0.13 (648b357)
    • Safeguard IE against console.log (0b5ff8f), closes #1209
    • Setting default value for config in runner and stopper (414db89)
    • Switch all requires from fs to graceful-fs (1e21aaa)
    • upgrade http-proxy module for bug fixes (09c75fe)
    • Upgrade socket.io to 1.4.5 (2f51a9f)
    • UTs: Correct proxy listeners expectation (af9c84a)
    • watcher: Close file watchers on exit event (7181025)
    • watcher: handle paths on Windows (6164d86)
    • web-server: Allow karma to run in project which path contains HTML URL encoded characters. Karma fails on Jenkins when it checks out branches containing '/' as it converts it to '%2F'. Fixes errors seen on #1751, #61. (da1930f)
    • Wrap url.parse to always return an object for query property (72452e9), closes #1182
    • web-server: cache static files (eb5bd53)
    • web-server: Correctly update filesPromise on files updated (32eec8d)
    • web-server: Ensure filesPromise is always resolvable (892fa89), closes #1544
    • web-server: Restart disconnected browser in non-singleRun mode. (f6587dc)
    • web-server: Update config on every request (8ef475f), closes #1972

    Code Refactoring

    • context: Future-proofed context.html and debug.html for modularity (43f6a1a), closes #1984

    Features

    • Add stopper to the public API (3d4fa00)
    • add an option to run the tests by dynamically loading test scripts without iframe (aa42c41)
    • Add engine support for iojs@3. (eb1c8d2)
    • Add possibility to stop a karma server (66ae80b)
    • add support for node 6 (0b8dc2c)
    • add support for node@7 (eb407ab), closes #2559
    • adding support for before middleware (51b4206)
    • Allow custom browser names (60ba85f)
    • allow frameworks to add preprocessors (f6f5eec)
    • Allow frameworks to inject middleware (d972f3d)
    • better string representation of errors (c9e1ca9)
    • deprecate helper._ (5c6b151), closes #1812
    • Do not fail on empty test suite (8004763), closes #926
    • drop core-js and babel where possible (60dfc5c)
    • Fail on launcher-, reporter-, plugin-, or preprocessor-load errors. (fca930e), closes #855
    • serve ePub as binary files (82ed0c6)
    • api: add constants to the public api (ee10977), closes #2361
    • api: expose config.parseConfig on the public api (7d2c1ae)
    • browser: add browser_info event (09ac7d7), closes #2192
    • browser: Emit a browser error when a disconnect occurs. (e36ba6c)
    • ci: disable testing of node versions below 4 (ec92ea9)
    • cli: Add .config/karma.conf.js to the default lookup path (49bf1aa), closes #1387
    • cli: Better CLI args validation (73d31c2), closes #603
    • cli: Warn on commands with underscores. (0801a7f)
    • client: capture confirm & prompt (3a618b3), closes #694
    • client: log global error stack trace (523d608), closes #2812
    • config: Add forceJSONP option (8627d67)
    • config: Add a clearContext config to prevent clearing of context. (5fc8ee7)
    • config: Add configuration for adding javascript version. (0239c75), closes #1719
    • config: add nocache option for file patterns (6ef7e7b)
    • config: add restartOnFileChange option (1082f35)
    • config: add support for TypeScript (6445310)
    • config: allow config to be a default export (9976dce)
    • config: Allow custom context and debug files, with feature test and some specs. (225c0e5)
    • config: allow to use newer versions of CoffeeScript (c1fcf42)
    • config: mime config option support (d562383), closes #1735
    • config: Pass CLI arguments to karma.config.js. (70cf903), closes #1561
    • config: remove polling usage (b0f41c7), closes #2669
    • deps: add support for node@8 (ea32194), closes #2754
    • deps: add support for node@8 (7feaee3), closes #2754
    • deps: update socket.io to 1.7.4 to avoid issue with ws@1.1.2 (264442b), closes #2593
    • file-list: Upgrade bluebird to v.3 (f5c252f)
    • file-list: Use glob.sync for better speed (1b65cde)
    • grunt: run check_clean before starting release. (#2978) (a3ff6c8)
    • init: install coffee-script automatically (e876db6), closes #1152
    • launcher: Add concurrency limit (1741deb), closes #1465
    • launcher: Enable specification of retry-limit (cc5547c), closes #1126
    • launcher: output stderr for failing launchers (7d33398)
    • launcher: trim whitespace in browser name (334f9fb)
    • launcher: trim whitespace in browser name (871d46f)
    • logger: Add date/time stamp to log output (4a59443)
    • logger: Add date/time stamp to log output (a4b5cdd)
    • logging: Add colors and log-level options to run-command (9d4e234), closes #1067
    • logging: Add colors and log-level options to run-command (2d29165), closes #1067
    • logging: Add logging-setup function (d14bd62)
    • logging: Send color option to server (486c4f3), closes #1067
    • logging: Send color option to server (287d0db), closes #1067
    • middleware: added manual file type option (0330cd1), closes #2824
    • preprocessor: add 'mp3' and 'ogg' as binary formats to avoid media corruption in the browser. (65a0767)
    • preprocessor: Capital letters in binary files extensions (1688689), closes #1508
    • preprocessor: Instantiate preprocessors early to avoid race conditions (8a9c8c7)
    • preprocessors: if a file matches multiple preprocessor patterns, intelligently merge the list of...

… vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-6124857