Update dependency karma to v6 [SECURITY] by renovate[bot] · Pull Request #24 · BreizhBytes/devops

renovate · 2026-04-30T16:37:09Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
karma (source)	`~5.0.0` → `~6.3.0`

Cross-site Scripting in karma

CVE-2022-0437 / GHSA-7x7c-qm48-pq9c

More information

Details

karma prior to version 6.3.14 contains a cross-site scripting vulnerability.

Severity

CVSS Score: 6.1 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Open redirect in karma

CVE-2021-23495 / GHSA-rc3x-jf5g-xvc5

More information

Details

Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.

Severity

CVSS Score: 5.4 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

karma-runner/karma (karma)

`v6.3.16`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.15`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.14`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.13`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.12`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.11`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run (92ffe60), closes #27 #3724

6.3.8 (2021-11-07)

Bug Fixes

reporter: warning if stack trace contains generated code invocation (4f23b14)

6.3.7 (2021-11-01)

Bug Fixes

middleware: replace %X_UA_COMPATIBLE% marker anywhere in the file (f1aeaec), closes #3711

6.3.6 (2021-10-25)

Bug Fixes

bump vulnerable ua-parser-js version (6f2b2ec), closes #3713

6.3.5 (2021-10-20)

Bug Fixes

client: prevent socket.io from hanging due to mocked clocks (#3695) (105da90)

6.3.4 (2021-06-14)

Bug Fixes

bump production dependencies within SemVer ranges (#3682) (36467a8), closes #3680

6.3.3 (2021-06-01)

Bug Fixes

server: clean up vestigial code from proxy (#3640) (f4aeac3), closes /tools.ietf.org/html/std66#section-3

6.3.2 (2021-03-29)

Bug Fixes

fix running tests in IE9 (#3668) (0055bc5), closes /github.com/karma-runner/karma/blob/026fff870913fb6cd2858dd962935dc74c92b725/client/main.js#L14 #3665

6.3.1 (2021-03-24)

Bug Fixes

client: clearContext after complete sent (#3657) (c0962e3)

`v6.3.10`

Compare Source

Features

support SRI verification of link tags (dc51a2e)
support SRI verification of script tags (6a54b1c)

6.3.20 (2022-05-13)

Bug Fixes

prefer IPv4 addresses when resolving domains (e17698f), closes #3730

6.3.19 (2022-04-19)

Bug Fixes

client: error out when opening a new tab fails (099b85e)

6.3.18 (2022-04-13)

Bug Fixes

deps: upgrade socket.io to v4.4.1 (52a30bb)

6.3.17 (2022-02-28)

Bug Fixes

deps: update colors to maintained version (#3763) (fca1884)

6.3.16 (2022-02-10)

Bug Fixes

security: mitigate the "Open Redirect Vulnerability" (ff7edbb)

6.3.15 (2022-02-05)

Bug Fixes

helper: make mkdirIfNotExists helper resilient to concurrent calls (d9dade2), closes /github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333

6.3.14 (2022-02-05)

Bug Fixes

remove string template from client code (91d5acd)
warn when singleRun and autoWatch are false (69cfc76)
security: remove XSS vulnerability in returnUrl query param (839578c)

6.3.13 (2022-01-31)

Bug Fixes

deps: bump log4js to resolve security issue (5bf2df3), closes #3751

6.3.12 (2022-01-24)

Bug Fixes

remove depreciation warning from log4js (41bed33)

6.3.11 (2022-01-13)

Bug Fixes

deps: pin colors package to 1.4.0 due to security vulnerability (a5219c5)

6.3.10 (2022-01-08)

Bug Fixes

logger: create parent folders if they are missing (0d24bd9), closes #3734

6.3.9 (2021-11-16)

Bug Fixes

restartOnFileChange option not restarting the test run ([92ffe60](https://redirect.github.com/karma-run

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone Europe/Paris)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-karma-vulnerability branch from af2a8f7 to edafade Compare May 13, 2026 07:42

Update dependency karma to v6 [SECURITY]

d7c0d67

renovate Bot force-pushed the renovate/npm-karma-vulnerability branch from edafade to d7c0d67 Compare May 23, 2026 15:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency karma to v6 [SECURITY]#24

Update dependency karma to v6 [SECURITY]#24
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-karma-vulnerability

renovate Bot commented Apr 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Apr 30, 2026

Cross-site Scripting in karma

Details

Severity

References

Open redirect in karma

Details

Severity

References

Release Notes

v6.3.16

Features

6.3.20 (2022-05-13)

Bug Fixes

6.3.19 (2022-04-19)

Bug Fixes

6.3.18 (2022-04-13)

Bug Fixes

6.3.17 (2022-02-28)

Bug Fixes

6.3.16 (2022-02-10)

Bug Fixes

6.3.15 (2022-02-05)

Bug Fixes

6.3.14 (2022-02-05)

Bug Fixes

6.3.13 (2022-01-31)

Bug Fixes

6.3.12 (2022-01-24)

Bug Fixes

6.3.11 (2022-01-13)

Bug Fixes

6.3.10 (2022-01-08)

Bug Fixes

6.3.9 (2021-11-16)

Bug Fixes

6.3.8 (2021-11-07)

Bug Fixes

6.3.7 (2021-11-01)

Bug Fixes

6.3.6 (2021-10-25)

Bug Fixes

6.3.5 (2021-10-20)

Bug Fixes

6.3.4 (2021-06-14)

Bug Fixes

6.3.3 (2021-06-01)

Bug Fixes

6.3.2 (2021-03-29)

Bug Fixes

6.3.1 (2021-03-24)

Bug Fixes

v6.3.15

Features

6.3.20 (2022-05-13)

Bug Fixes

6.3.19 (2022-04-19)

Bug Fixes

6.3.18 (2022-04-13)

Bug Fixes

6.3.17 (2022-02-28)

Bug Fixes

6.3.16 (2022-02-10)

Bug Fixes

6.3.15 (2022-02-05)

Bug Fixes

6.3.14 (2022-02-05)

Bug Fixes

6.3.13 (2022-01-31)

Bug Fixes

6.3.12 (2022-01-24)

Bug Fixes

6.3.11 (2022-01-13)

Bug Fixes

6.3.10 (2022-01-08)

Bug Fixes

6.3.9 (2021-11-16)

Bug Fixes

6.3.8 (2021-11-07)

`v6.3.16`

`v6.3.15`

`v6.3.14`

`v6.3.13`