Update dependency karma to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
karma (source)	~0.13.3 -> ~6.3.16

GitHub Vulnerability Alerts

CVE-2022-0437

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

CVE-2021-23495

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

---

Release Notes

karma-runner/karma (karma)

v6.3.16

Compare Source

Bug Fixes

• security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

v6.3.15

Compare Source

Bug Fixes

• helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

v6.3.14

Compare Source

Bug Fixes

• remove string template from client code (91d5acd)
• warn when singleRun and autoWatch are false (69cfc76)
• security: remove XSS vulnerability in returnUrl query param (839578c)

v6.3.13

Compare Source

Bug Fixes

• deps: bump log4js to resolve security issue (5bf2df3), closes #​3751

v6.3.12

Compare Source

Bug Fixes

• remove depreciation warning from log4js (41bed33)

v6.3.11

Compare Source

Bug Fixes

• deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

v6.3.10

Compare Source

Bug Fixes

• logger: create parent folders if they are missing (0d24bd9), closes #​3734

v6.3.9

Compare Source

Bug Fixes

• restartOnFileChange option not restarting the test run (92ffe60), closes #​27 #​3724

v6.3.8

Compare Source

Bug Fixes

• reporter: warning if stack trace contains generated code invocation (4f23b14)

v6.3.7

Compare Source

Bug Fixes

• middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #​3711

v6.3.6

Compare Source

Bug Fixes

• bump vulnerable ua-parser-js version (6f2b2ec), closes #​3713

v6.3.5

Compare Source

Bug Fixes

• client: prevent socket.io from hanging due to mocked clocks (#​3695) (105da90)

v6.3.4

Compare Source

Bug Fixes

• bump production dependencies within SemVer ranges (#​3682) (36467a8), closes #​3680

v6.3.3

Compare Source

Bug Fixes

• server: clean up vestigial code from proxy (#​3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

v6.3.2

Compare Source

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #​3730

v6.3.1

Compare Source

Bug Fixes

• client: error out when opening a new tab fails (099b85e)

v6.3.0

Compare Source

Features

• support asynchronous config.set() call in karma.conf.js (#​3660) (4c9097a)

v6.2.0

Compare Source

Features

• plugins: add support wildcard config for scoped package plugin (#​3659) (39831b1)

6.1.2 (2021-03-09)

Bug Fixes

• commitlint: skip task on master (#​3650) (3fc6fda)
• patch karma to allow loading virtual packages (#​3663) (5bfcf5f)

6.1.1 (2021-02-12)

Bug Fixes

• config: check extension before ts-node register (#​3651) (474f4e1), closes #​3329
• report launcher process error when exit event is not emitted (#​3647) (7ab86be)

v6.1.2

Compare Source

Bug Fixes

• commitlint: skip task on master (#​3650) (3fc6fda)
• patch karma to allow loading virtual packages (#​3663) (5bfcf5f)

v6.1.1

Compare Source

Bug Fixes

• config: check extension before ts-node register (#​3651) (474f4e1), closes #​3329
• report launcher process error when exit event is not emitted (#​3647) (7ab86be)

v6.1.0

Compare Source

Features

• config: improve karma.config.parseConfig error handling (#​3635) (9dba1e2)

6.0.4 (2021-02-01)

Bug Fixes

• cli: temporarily disable strict parameters validation (#​3641) (9c755e0), closes #​3625
• client: fix a false positive page reload error in Safari (#​3643) (2a57b23)
• ensure that Karma supports running tests on IE 11 (#​3642) (dbd1943)

6.0.3 (2021-01-27)

Bug Fixes

• plugins: refactor instantiatePlugin from preproprocessor (#​3628) (e02858a)

6.0.2 (2021-01-25)

Bug Fixes

• avoid ES6+ syntax in client scripts (#​3629) (6629e96), closes #​3630

6.0.1 (2021-01-20)

Bug Fixes

• server: set maxHttpBufferSize to the socket.io v2 default (#​3626) (69baddc), closes #​3621
• restore customFileHandlers provider (#​3624) (25d9abb)

v6.0.4

Compare Source

Bug Fixes

• cli: temporarily disable strict parameters validation (#​3641) (9c755e0), closes #​3625
• client: fix a false positive page reload error in Safari (#​3643) (2a57b23)
• ensure that Karma supports running tests on IE 11 (#​3642) (dbd1943)

v6.0.3

Compare Source

Bug Fixes

• plugins: refactor instantiatePlugin from preproprocessor (#​3628) (e02858a)

v6.0.2

Compare Source

Bug Fixes

• avoid ES6+ syntax in client scripts (#​3629) (6629e96), closes #​3630

v6.0.1

Compare Source

Bug Fixes

• server: set maxHttpBufferSize to the socket.io v2 default (#​3626) (69baddc), closes #​3621
• restore customFileHandlers provider (#​3624) (25d9abb)

v6.0.0

Compare Source

Bug Fixes

• ci: abandon browserstack tests for Safari and IE (#​3615) (04a811d)
• client: do not reset karmaNavigating in unload handler (#​3591) (4a8178f), closes #​3482
• context: do not error when karma is navigating (#​3565) (05dc288), closes #​3560
• cve: update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#​3584) (f819fa8)
• cve: update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#​3578) (3fed0bc), closes #​3577
• deps: bump socket-io to v3 (#​3586) (1b9e1de), closes #​3569
• middleware: catch errors when loading a module (#​3605) (fec972f), closes #​3572
• server: clean up close-server logic (#​3607) (3fca456)
• test: clear up clearContext (#​3597) (8997b74)
• test: mark all second connections reconnects (#​3598) (1c9c2de)

Features

• cli: error out on unexpected options or parameters (#​3589) (603bbc0)
• client: update banner with connection, test status, ping times (#​3611) (4bf90f7)
• server: print stack of unhandledrejections (#​3593) (35a5842)
• server: remove deprecated static methods (#​3595) (1a65bf1)
• remove support for running dart code in the browser (#​3592) (7a3bd55)

BREAKING CHANGES

• server: Deprecated require('karma').server.start() and require('karma').Server.start() variants were removed from the public API. Instead use canonical form:

const { Server } = require('karma');
const server = new Server();
server.start();

• cli: Karma is more strict and will error out if unknown option or argument is passed to CLI.
• Using Karma to run Dart code in the browser is no longer supported. Use your favorite Dart-to-JS compiler instead.

dart file type has been removed without a replacement.

customFileHandlers DI token has been removed. Use middleware to achieve similar functionality.

customScriptTypes DI token has been removed. It had no effect, so no replacement is provided.

• deps: Some projects have socket.io tests that are version sensitive.

5.2.3 (2020-09-25)

Bug Fixes

• update us-parser-js dependency (#​3564) (500ed25)

5.2.2 (2020-09-08)

Bug Fixes

• revert source-map update (#​3559) (d9ba284), closes #​3557

5.2.1 (2020-09-02)

Bug Fixes

• remove broken link from docs - 06-angularjs.md (#​3555) (da2f307)
• remove unused JSON utilities and flatted dependency (#​3550) (beed255)

v5.2.3

Compare Source

Bug Fixes

• update us-parser-js dependency (#​3564) (500ed25)

v5.2.2

Compare Source

Bug Fixes

• revert source-map update (#​3559) (d9ba284), closes #​3557

v5.2.1

Compare Source

Bug Fixes

• remove broken link from docs - 06-angularjs.md (#​3555) (da2f307)
• remove unused JSON utilities and flatted dependency (#​3550) (beed255)

v5.2.0

Compare Source

Bug Fixes

• client: avoid race between execute and clearContext (#​3452) (8bc5b46), closes #​3424
• client: check in bundled client code into version control (#​3524) (6cd5a3b), closes /github.com/karma-runner/karma/commit/f5521df7df5cd1201b5dce28dc4e326b1ffc41fd#commitcomment-38967493
• dependencies: update dependencies (#​3543) (5db46b7)
• docs: Update 03-how-it-works.md (#​3539) (e7cf7b1)
• server: log error when file loading or preprocessing fails (#​3540) (fc2fd61)

Features

• server: allow 'exit' listeners to set exit code (#​3541) (7a94d33)

5.1.1 (2020-07-28)

Bug Fixes

• server: echo the hostname rather than listenAddress (#​3532) (ebe7ce4)

v5.1.1

Compare Source

Bug Fixes

• server: echo the hostname rather than listenAddress (#​3532) (ebe7ce4)

v5.1.0

Compare Source

Features

• proxy: use keepAlive agent (#​3527) (b77f94c)

5.0.9 (2020-05-19)

Bug Fixes

• dependencies: update to safe version of http-proxy (#​3519) (00347bb), closes #​3510

5.0.8 (2020-05-18)

Bug Fixes

• dependencies: update and unlock socket.io dependency (#​3513) (b60391f)
• dependencies: update to latest log4js major (#​3514) (47f1cb2)

5.0.7 (2020-05-16)

Bug Fixes

• detect type for URLs with query parameter or fragment identifier (#​3509) (f399063), closes #​3497

5.0.6 (2020-05-16)

Bug Fixes

• dependencies: update production dependencies (#​3512) (0cd696f)

5.0.5 (2020-05-07)

Bug Fixes

• cli: restore command line help contents (#​3502) (e99da31), closes #​3474

5.0.4 (2020-04-30)

Bug Fixes

• browser: make sure that empty results array is still recognized (#​3486) (fa95fa3)

5.0.3 (2020-04-29)

Bug Fixes

• client: flush resultsBuffer on engine upgrade (#​3212) (e44ca94), closes #​3211

5.0.2 (2020-04-16)

Bug Fixes

• ci: stop the proxy before killing the child, handle errors (#​3472) (abe9af6), closes #​3464

5.0.1 (2020-04-10)

Bug Fixes

• file-list: do not define fs.statAsync (#​3467) (55a59e7)

v5.0.9

Compare Source

Bug Fixes

• dependencies: update to safe version of http-proxy (#​3519) (00347bb), closes #​3510

v5.0.8

Compare Source

Bug Fixes

• dependencies: update and unlock socket.io dependency (#​3513) (b60391f)
• dependencies: update to latest log4js major (#​3514) (47f1cb2)

v5.0.7

Compare Source

Bug Fixes

• detect type for URLs with query parameter or fragment identifier (#​3509) (f399063), closes #​3497

v5.0.6

Compare Source

Bug Fixes

• dependencies: update production dependencies (#​3512) (0cd696f)

v5.0.5

Compare Source

Bug Fixes

• cli: restore command line help contents (#​3502) (e99da31), closes #​3474

v5.0.4

Compare Source

Bug Fixes

• browser: make sure that empty results array is still recognized (#​3486) (fa95fa3)

v5.0.3

Compare Source

Bug Fixes

• client: flush resultsBuffer on engine upgrade (#​3212) (e44ca94), closes #​3211

v5.0.2

Compare Source

Bug Fixes

• ci: stop the proxy before killing the child, handle errors (#​3472) (abe9af6), closes #​3464

v5.0.1

Compare Source

Bug Fixes

• file-list: do not define fs.statAsync (#​3467) (55a59e7)

v5.0.0

Compare Source

Bug Fixes

• install semantic-release as a regular dev dependency (#​3455) (1eaf35e)
• ci: echo travis env that gates release after_success (#​3446) (b8b2ed8)
• ci: poll every 10s to avoid rate limit. (#​3388) (91e7e00)
• middleware/runner: handle file list rejections (#​3400) (80febfb), closes #​3396 #​3396
• server: cleanup import of the removed method (#​3439) (cb1bcbf)
• server: createPreprocessor was removed (#​3435) (5c334f5)
• server: detection new MS Edge Chromium (#​3440) (7166ce2)
• server: replace optimist on yargs lib (#​3451) (ec1e69a), closes #​2473
• server: Report original error message (#​3415) (79ee331), closes #​3414

Code Refactoring

• use native Promise instead of Bluebird (#​3436) (33a069f), closes /github.com/karma-runner/karma/pull/3060#discussion_r284797390

Continuous Integration

• drop node 8, adopt node 12 (#​3430) (a673aa8)

Features

• docs: document DEFAULT_LISTEN_ADDR constant (#​3443) (057d527), closes #​2479
• karma-server: added log to the server.js for uncaught exception (#​3399) (adc6a66)
• preprocessor: obey Pattern.isBinary when set (#​3422) (708ae13), closes #​3405

BREAKING CHANGES

• Karma plugins which rely on the fact that Karma uses Bluebird promises may break as Bluebird-specific API is no longer available on Promises returned by the Karma core
• server: Deprecated createPreprocessor removed, karma-browserify < 7 version doesn't work
• no more testing on node 8.

4.4.1 (2019-10-18)

Bug Fixes

• deps: back to karma-browserstack-launcher 1.4 (#​3361) (1cd87ad)
• server: Add test coverage for config.singleRun true branch. (#​3384) (259be0d)
• if preprocessor is async function and doesn't return a content then await donePromise (#​3387) (f91be24)

v4.4.1

Compare Source

Bug Fixes

• deps: back to karma-browserstack-launcher 1.4 (#​3361) (1cd87ad)
• server: Add test coverage for config.singleRun true branch. (#​3384) (259be0d)
• if preprocessor is async function and doesn't return a content then await donePromise (#​3387) (f91be24)

v4.4.0

Compare Source

Bug Fixes

• runner: remove explicit error on all tests failed (#​3369) (f8005c6), closes #​3367

Features

• client: Add trusted types support (#​3360) (019bfd4)
• Preprocessor can return Promise (#​3376) (3ffcd83)
• config: add failOnSkippedTests option. (#​3374) (4ed3af0)
• config: clientDisplayNone sets client elements display none. (#​3348) (6235e68)
• deps: Remove core-js dependency. (#​3379) (0d70809)

v4.3.0

Compare Source

Bug Fixes

• build: switch from yarn to package-lock.json (#​3351) (6c5add2)
• config: Simpilfy error proceesing. (#​3345) (582a406), closes #​3339
• deps: lodash update. (#​3341) (5614c04)
• server: Simplify 'dom' inclusion. (#​3356) (5f13e11)
• test: test:client silently failing on Travis (#​3343) (1489e9a), closes /travis-ci.org/karma-runner/karma/jobs/537027667#L1046
• travis: Pin to trusty (#​3347) (1c6c690)

Features

• async: frameworks can be loaded asynchronously (#​3297) (177e2ef), closes #​851
• config: socket.io server pingTimeout config option. (#​3355) (817fbbd)
• preprocessor: preprocessor_priority execution order. (#​3303) (c5f3560)
• runner: feat(runner): (62d4c5a), closes #​2121 #​2799 #​2121 #​2799

v4.2.0

Compare Source

Bug Fixes

• logging: Util inspect for logging the config. (#​3332) (70b72a9)
• reporter: format stack with 1-based column (#​3325) (182c04d), closes #​3324
• server: Add error handler for webserver socket. (#​3300) (fe9a1dd)

v4.1.0

Compare Source

Bug Fixes

• client: Enable loading different file types when running in parent mode without iframe (#​3289) (7968db6)
• client: Only create the funky object if message is not a string (#​3298) (ce6825f), closes #​3296
• launcher: Log state transitions in debug (#​3294) (6556ab4), closes #​3290
• middleware: log invalid filetype (#​3292) (7eb48c5), closes #​3291

4.0.1 (2019-02-28)

Bug Fixes

• browser: allow updating total specs count (#​3264) (d5df723)
• remove vulnerable dependency combine-lists (#​3273) (c43f584), closes #​3265
• remove vulnerable dependency expand-braces (#​3270) (4ec4f6f), closes #​3268 #​3269
• filelist: correct logger name. (#​3262) (375bb5e)
• launcher: Debug Child Processes exit signal (#​3259) (c277a6b)

v4.0.1

Compare Source

Bug Fixes

• browser: allow updating total specs count (#​3264) (d5df723)
• remove vulnerable dependency combine-lists (#​3273) (c43f584), closes #​3265
• remove vulnerable dependency expand-braces (#​3270) (4ec4f6f), closes #​3268 #​3269
• filelist: correct logger name. (#​3262) (375bb5e)
• launcher: Debug Child Processes exit signal (#​3259) (c277a6b)

v4.0.0

Compare Source

Bug Fixes

• client: fix issue with loaded on safari 10 (#​3252) (571191c), closes #​3198
• config: add test:unit npm script (#​3242) (02f071d)

Chores

• remove support for node 6 (#​3246) (8a83990), closes #​3151

BREAKING CHANGES

• Drop Support for Node 6, to make it possible to use async/await in karma codebase.

3.1.4 (2018-12-17)

Bug Fixes

• file-list: revert "do not preprocess up-to-date files" (#​3226) (#​3230) (bb022a7)
• improve error msg when bin is a directory (#​3231) (584dddc)
• restarted browsers not running tests (#​3233) (cc2eff2)

3.1.3 (2018-12-01)

Bug Fixes

• add missing dep flatted (#​3223) (655d4d2)

3.1.2 (2018-12-01)

Bug Fixes

• browser: report errors to console during singleRun=false (#​3209) (30ff73b), closes #​3131
• changelog: remove release which does not exist (#​3214) (4e87902)
• dep: Bump useragent to fix HeadlessChrome version (#​3201) (240209f), closes #​2762
• deps: upgrade sinon-chai 2.x -> 3.x (#​3207) (dc5f5de)
• file-list: do not preprocess up-to-date files (#​3196) (5334d1a), closes #​2829
• package: bump lodash version (#​3203) (d38f344), closes #​3177
• server: use flatted for json.stringify (#​3220) (fb05fb1), closes #​3215

Features

• docs: callout the key debug strategies. (#​3219) (2682bff)

3.1.1 (2018-10-23)

Bug Fixes

• config: move puppeteer from dependency to dev-dependency (#​3193) (f0d52ad), closes #​3191

v3.1.4

Compare Source

Bug Fixes

• file-list: revert "do not preprocess up-to-date files" (#​3226) (#​3230) (bb022a7)
• improve error msg when bin is a directory (#​3231) ([584dddc](https://redirect.github.com/karma-runner/karma/com

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[secure-code-warrior-for-github]

Micro-Learning Topic: Open redirect (Detected by phrase)

Matched on "Open Redirect"

What is this? (2min video)

This vulnerability refers to the ability of an attacker to arbitrarily perform a redirection (external) or forward (internal) against the system. It arises due to insufficient validation or sanitisation of inputs used to perform a redirect or forward and may result in privilege escalation (in the case of a forward) or may be used to launch phishing attacks against users (in the case of redirects).

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "cross-site scripting"

What is this? (2min video)

Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try this challenge in Secure Code Warrior