Update dependency karma to v6 [SECURITY]

[balena-renovate]

This PR contains the following updates:

Package	Type	Update	Change
karma (source)	devDependencies	major	^5.2.3 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2022-0437

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

CVE-2021-23495

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

---

Release Notes

karma-runner/karma (karma)

v6.4.4

Compare Source

v6.4.3

Compare Source

Bug Fixes

• add build commits for patch release (d7f2d69)

v6.4.2

Compare Source

Bug Fixes

• few typos (c6a4271)

v6.4.1

Compare Source

Bug Fixes

• pass integrity value (63d86be)

v6.4.0

Compare Source

Features

• support SRI verification of link tags (dc51a2e)
• support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #​3730

6.3.19 (2022-04-19)

Bug Fixes

• client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

• deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

• deps: update colors to maintained version (#​3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

• security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

• helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

• remove string template from client code (91d5acd)
• warn when singleRun and autoWatch are false (69cfc76)
• security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

• deps: bump log4js to resolve security issue (5bf2df3), closes #​3751

6.3.12 (2022-01-24)

Bug Fixes

• remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

• deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

• logger: create parent folders if they are missing (0d24bd9), closes #​3734

6.3.9 (2021-11-16)

Bug Fixes

• restartOnFileChange option not restarting the test run (92ffe60), closes #​27 #​3724

6.3.8 (2021-11-07)

Bug Fixes

• reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

• middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #​3711

6.3.6 (2021-10-25)

Bug Fixes

• bump vulnerable ua-parser-js version (6f2b2ec), closes #​3713

6.3.5 (2021-10-20)

Bug Fixes

• client: prevent socket.io from hanging due to mocked clocks (#​3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

• bump production dependencies within SemVer ranges (#​3682) (36467a8), closes #​3680

6.3.3 (2021-06-01)

Bug Fixes

• server: clean up vestigial code from proxy (#​3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

• fix running tests in IE9 (#​3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #​3665

6.3.1 (2021-03-24)

Bug Fixes

• client: clearContext after complete sent (#​3657) (c0962e3)

v6.3.20

Compare Source

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #​3730

v6.3.19

Compare Source

Bug Fixes

• client: error out when opening a new tab fails (099b85e)

v6.3.18

Compare Source

Bug Fixes

• deps: upgrade socket.io to v4.4.1 (52a30bb)

v6.3.17

Compare Source

Bug Fixes

• deps: update colors to maintained version (#​3763) (fca1884)

v6.3.16

Compare Source

Bug Fixes

• security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

v6.3.15

Compare Source

Bug Fixes

• helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

v6.3.14

Compare Source

Bug Fixes

• remove string template from client code (91d5acd)
• warn when singleRun and autoWatch are false (69cfc76)
• security: remove XSS vulnerability in returnUrl query param (839578c)

v6.3.13

Compare Source

Bug Fixes

• deps: bump log4js to resolve security issue (5bf2df3), closes #​3751

v6.3.12

Compare Source

Bug Fixes

• remove depreciation warning from log4js (41bed33)

v6.3.11

Compare Source

Bug Fixes

• deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

v6.3.10

Compare Source

Bug Fixes

• logger: create parent folders if they are missing (0d24bd9), closes #​3734

v6.3.9

Compare Source

Bug Fixes

• restartOnFileChange option not restarting the test run (92ffe60), closes #​27 #​3724

v6.3.8

Compare Source

Bug Fixes

• reporter: warning if stack trace contains generated code invocation (4f23b14)

v6.3.7

Compare Source

Bug Fixes

• middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #​3711

v6.3.6

Compare Source

Bug Fixes

• bump vulnerable ua-parser-js version (6f2b2ec), closes #​3713

v6.3.5

Compare Source

Bug Fixes

• client: prevent socket.io from hanging due to mocked clocks (#​3695) (105da90)

v6.3.4

Compare Source

Bug Fixes

• bump production dependencies within SemVer ranges (#​3682) (36467a8), closes #​3680

v6.3.3

Compare Source

Bug Fixes

• server: clean up vestigial code from proxy (#​3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

v6.3.2

Compare Source

Bug Fixes

• prefer IPv4 addresses when resolving domains (e17698f), closes #​3730

v6.3.1

Compare Source

Bug Fixes

• client: error out when opening a new tab fails (099b85e)

v6.3.0

Compare Source

Features

• support asynchronous config.set() call in karma.conf.js (#​3660) (4c9097a)

v6.2.0

Compare Source

Features

• plugins: add support wildcard config for scoped package plugin (#​3659) (39831b1)

6.1.2 (2021-03-09)

Bug Fixes

• commitlint: skip task on master (#​3650) (3fc6fda)
• patch karma to allow loading virtual packages (#​3663) (5bfcf5f)

6.1.1 (2021-02-12)

Bug Fixes

• config: check extension before ts-node register (#​3651) (474f4e1), closes #​3329
• report launcher process error when exit event is not emitted (#​3647) (7ab86be)

v6.1.2

Compare Source

Bug Fixes

• commitlint: skip task on master (#​3650) (3fc6fda)
• patch karma to allow loading virtual packages (#​3663) (5bfcf5f)

v6.1.1

Compare Source

Bug Fixes

• config: check extension before ts-node register (#​3651) (474f4e1), closes #​3329
• report launcher process error when exit event is not emitted (#​3647) (7ab86be)

v6.1.0

Compare Source

Features

• config: improve karma.config.parseConfig error handling (#​3635) (9dba1e2)

6.0.4 (2021-02-01)

Bug Fixes

• cli: temporarily disable strict parameters validation (#​3641) (9c755e0), closes #​3625
• client: fix a false positive page reload error in Safari (#​3643) (2a57b23)
• ensure that Karma supports running tests on IE 11 (#​3642) (dbd1943)

6.0.3 (2021-01-27)

Bug Fixes

• plugins: refactor instantiatePlugin from preproprocessor (#​3628) (e02858a)

6.0.2 (2021-01-25)

Bug Fixes

• avoid ES6+ syntax in client scripts (#​3629) (6629e96), closes #​3630

6.0.1 (2021-01-20)

Bug Fixes

• server: set maxHttpBufferSize to the socket.io v2 default (#​3626) (69baddc), closes #​3621
• restore customFileHandlers provider (#​3624) (25d9abb)

v6.0.4

Compare Source

Bug Fixes

• cli: temporarily disable strict parameters validation (#​3641) (9c755e0), closes #​3625
• client: fix a false positive page reload error in Safari (#​3643) (2a57b23)
• ensure that Karma supports running tests on IE 11 (#​3642) (dbd1943)

v6.0.3

Compare Source

Bug Fixes

• plugins: refactor instantiatePlugin from preproprocessor (#​3628) (e02858a)

v6.0.2

Compare Source

Bug Fixes

• avoid ES6+ syntax in client scripts (#​3629) (6629e96), closes #​3630

v6.0.1

Compare Source

Bug Fixes

• server: set maxHttpBufferSize to the socket.io v2 default (#​3626) (69baddc), closes #​3621
• restore customFileHandlers provider (#​3624) (25d9abb)

v6.0.0

Compare Source

Bug Fixes

• ci: abandon browserstack tests for Safari and IE (#​3615) (04a811d)
• client: do not reset karmaNavigating in unload handler (#​3591) (4a8178f), closes #​3482
• context: do not error when karma is navigating (#​3565) (05dc288), closes #​3560
• cve: update ua-parser-js to 0.7.23 to fix CVE-2020-7793 (#​3584) (f819fa8)
• cve: update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#​3578) (3fed0bc), closes #​3577
• deps: bump socket-io to v3 (#​3586) (1b9e1de), closes #​3569
• middleware: catch errors when loading a module (#​3605) (fec972f), closes #​3572
• server: clean up close-server logic (#​3607) (3fca456)
• test: clear up clearContext (#​3597) (8997b74)
• test: mark all second connections reconnects (#​3598) (1c9c2de)

Features

• cli: error out on unexpected options or parameters (#​3589) (603bbc0)
• client: update banner with connection, test status, ping times (#​3611) (4bf90f7)
• server: print stack of unhandledrejections (#​3593) (35a5842)
• server: remove deprecated static methods (#​3595) (1a65bf1)
• remove support for running dart code in the browser (#​3592) (7a3bd55)

BREAKING CHANGES

• server: Deprecated require('karma').server.start() and require('karma').Server.start() variants were removed from the public API. Instead use canonical form:

const { Server } = require('karma');
const server = new Server();
server.start();

• cli: Karma is more strict and will error out if unknown option or argument is passed to CLI.
• Using Karma to run Dart code in the browser is no longer supported. Use your favorite Dart-to-JS compiler instead.

dart file type has been removed without a replacement.

customFileHandlers DI token has been removed. Use middleware to achieve similar functionality.

customScriptTypes DI token has been removed. It had no effect, so no replacement is provided.

• deps: Some projects have socket.io tests that are version sensitive.

5.2.3 (2020-09-25)

Bug Fixes

• update us-parser-js dependency (#​3564) (500ed25)

5.2.2 (2020-09-08)

Bug Fixes

• revert source-map update (#​3559) (d9ba284), closes #​3557

5.2.1 (2020-09-02)

Bug Fixes

• remove broken link from docs - 06-angularjs.md (#​3555) (da2f307)
• remove unused JSON utilities and flatted dependency (#​3550) (beed255)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.