Skip to content

fix(deps): bump karma from ^4.4 to ^6.4#776

Merged
DeepDiver1975 merged 2 commits into
masterfrom
fix/bump-karma-security
Jul 10, 2026
Merged

fix(deps): bump karma from ^4.4 to ^6.4#776
DeepDiver1975 merged 2 commits into
masterfrom
fix/bump-karma-security

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

What

Bump the karma test runner from ^4.4 to ^6.4.

Why

Clears the two remaining open Dependabot advisories on this repo, both in
karma:

  • Open redirect — fixed in 6.3.16
  • Cross-site scripting — fixed in 6.3.14

karma is a devDependency (test-only) and is never shipped in the app
tarball, so there is no runtime impact for users.

Compatibility

  • The existing karma.conf.js loads unchanged under karma 6, verified via
    karma.config.parseConfig(...) (frameworks/reporters/browsers resolve, plugin
    autoload intact).
  • All karma-* plugins install cleanly alongside karma 6.4.4; no config
    migration required.

Verification

JS-unit CI (make test-jsnpm run test → gulp karma, Firefox) exercises the
full run.

Clears two medium Dependabot advisories in the karma test runner:
open redirect (fixed in 6.3.16) and cross-site scripting (fixed in
6.3.14). karma is a devDependency (test-only) and is never shipped in
the app.

The existing karma.conf.js loads unchanged under karma 6 (verified via
karma.config.parseConfig) and all karma-* plugins install cleanly, so no
config migration is required.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Signed-off-by: Thomas Müller <[email protected]>
@DeepDiver1975 DeepDiver1975 requested a review from a team as a code owner July 7, 2026 07:39
karma 6 removed the static `Server.start()` used by the gulp `karma`
task (`TypeError: KarmaServer.start is not a function`). Instantiate
`new karma.Server(config, doneCallback)` with config built via
`karma.config.parseConfig(...)` and call `.start()` on the instance.
Also propagate a non-zero karma exit code as a task error so failing
tests fail the build.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Signed-off-by: Thomas Müller <[email protected]>

@dj4oC dj4oC left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR bumps the karma devDependency from ^4.4 to ^6.4 in package.json and updates gulpfile.js's karma task to use the new programmatic Server-startup API required by Karma 6.

Findings

Nothing blocking. The gulpfile.js change correctly migrates from the deprecated KarmaServer.start(config, callback) call to the Karma 6.x pattern (karma.config.parseConfig(...) with promiseConfig/throwErrors, followed by new karma.Server(config, exitCallback).start()), matching the officially documented migration path — this is not a partial/trivially-passing shim. It also improves on the original by checking the exit code and catching config-parse rejections, whereas the old code silently called done() regardless of failure. The bumped package (karma, MIT-licensed) is already covered by the repo's .github/dependabot.yml npm entry (root directory), so no dependabot config gap. No PHP, composer, or new files touched.

Verdict

Approved

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

dj4oC commented Jul 8, 2026

Copy link
Copy Markdown
Contributor
  • Security: no findings
  • Stability: no findings
  • Performance: no findings
  • Test coverage: n/a (test-tooling bump)
  • TODOs found: none
  • Dependency touched: yes — confirmed in dependabot.yml
  • CI status: all green
  • Stale review: no

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

@DeepDiver1975 DeepDiver1975 merged commit f1e2ede into master Jul 10, 2026
10 checks passed
@DeepDiver1975 DeepDiver1975 deleted the fix/bump-karma-security branch July 10, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants