This repository was archived by the owner on Aug 13, 2025. It is now read-only.

Conversation


@anthonyshchang anthonyshchang commented Jun 6, 2025

Purpose

  • Resolve security issue related to socket-io.
  • Resolve lint errors
  • Simplify test workflow

Vulnerability

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.

https://github.com/phrase/angular-phrase/security/dependabot/33
https://github.com/phrase/angular-phrase/security/dependabot/22

Ticket

https://phrase.atlassian.net/browse/STRINGS-2449
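The placeholder step the description refers to, as an added example that is not socket.io-parser's own code: a simplified reconstruction of binary attachments that validates `_placeholder` and `num` before indexing into the received buffers, so a malformed index is rejected instead of resolving to something that is not an attachment. The function names `reconstructData`, `decodeSample` and `rejectsPlaceholder` and the sample packet are assumptions constructed for this illustration.

```javascript
// Added example, not socket.io-parser's own code: a simplified version of the
// step that swaps attachment placeholders { _placeholder: true, num: i } for
// the i-th received binary buffer, with the type checks a hardened decoder
// needs so that "num" can only ever select a real attachment.
function reconstructData(data, buffers) {
  if (data === null || typeof data !== "object") return data;
  if (data._placeholder === true) {
    const idx = data.num;
    // Only a non-negative integer below the attachment count is accepted;
    // a string, float or out-of-range value would select something else.
    const valid = typeof idx === "number" && Number.isInteger(idx) &&
      idx >= 0 && idx < buffers.length;
    if (!valid) throw new Error("illegal attachments");
    return buffers[idx];
  }
  if (Array.isArray(data)) {
    return data.map((item) => reconstructData(item, buffers));
  }
  // Rebuild own enumerable keys only, so nothing inherited is copied over.
  const out = {};
  for (const key of Object.keys(data)) {
    out[key] = reconstructData(data[key], buffers);
  }
  return out;
}

// Constructed sample packet: one text field plus two references to the
// single attachment that arrived with it ("hello" as bytes).
const SAMPLE_PACKET = {
  type: "file",
  payload: { _placeholder: true, num: 0 },
  tags: ["a", { _placeholder: true, num: 0 }],
};
const SAMPLE_BUFFERS = [Uint8Array.from([104, 101, 108, 108, 111])];

function decodeSample() {
  return reconstructData(SAMPLE_PACKET, SAMPLE_BUFFERS);
}

// True when the decoder refuses a placeholder carrying the given "num".
function rejectsPlaceholder(num) {
  try {
    reconstructData({ _placeholder: true, num }, SAMPLE_BUFFERS);
    return false;
  } catch (err) {
    return err.message === "illegal attachments";
  }
}
```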

range-parser "^1.2.1"
rimraf "^3.0.2"
socket.io "^2.3.0"
socket.io "^4.7.2"
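Review bot: the lockfile fragment shows the `socket.io` range moving from `"^2.3.0"` to `"^4.7.2"`, but the two advisories linked in the description are against `socket.io-parser`, a transitive dependency of it; check that the resolved `socket.io-parser` entry in the lockfile is itself outside the affected range rather than relying on the `socket.io` bump alone, since a stale lock entry could keep the old parser in place.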
@anthonyshchang anthonyshchang marked this pull request as ready for review June 6, 2025 11:09
@anthonyshchang anthonyshchang force-pushed the STRINGS-2449-address-critical-dependabot-alerts-socket-io-parser-angular-phrase branch from beac380 to b9f6ef3 Compare June 6, 2025 14:41
@anthonyshchang anthonyshchang requested a review from Copilot June 6, 2025 15:06
Copilot AI left a comment

Pull Request Overview

Upgrades Karma to 6.4.4 to resolve a Socket.IO parser security issue, adds a dedicated CI test script, and refactors the Karma configuration for headless and CI environments.

  • Bump Karma to version 6.4.4 and add @types/node
  • Introduce test:ci script and update GitHub Actions to use it
  • Refactor karma.conf.js for headless browsers, middleware stats, and CI flag handling

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

File                        Description
package.json                Updated test scripts, bumped karma, and added @types/node
karma.conf.js               Switched to headless browsers, added webpackMiddleware, and CI flag logic
.github/workflows/main.yml  Switched CI job to npm run test:ci
Comments suppressed due to low confidence (1)

package.json:10

  • The default npm test script now omits --single-run, causing Karma to stay in watch mode and never exit. Consider restoring --single-run here or documenting its behavior change to avoid hanging processes.
"test": "npm run lint && karma start",

package.json Outdated
"@types/angular-mocks": "^1.7.0",
"@types/angular-translate": "^2.16.2",
"@types/jasmine": "^3.5.11",
"@types/node": "14.14.10",
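Review bot: `"@types/node": "14.14.10"` is pinned to an exact version while the neighbouring `@types/*` entries all use caret ranges; if the exact pin is deliberate (for example to match the Node version the build runs on), state that in the PR description, otherwise `"^14.14.10"` keeps it consistent with its siblings and lets patch updates flow.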
Copilot AI Jun 6, 2025

[nitpick] Dev dependencies are no longer sorted alphabetically; sorting them helps maintain readability and makes diffs clearer when new entries are added.

Comment on lines 18 to 19
export DISPLAY=:99.0
xvfb-run --auto-servernum npm test -- --configuration=ci
xvfb-run --auto-servernum npm run test:ci
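Review bot: the step switches from `npm test -- --configuration=ci` to `npm run test:ci` but keeps `export DISPLAY=:99.0` and `xvfb-run`; confirm that the `test:ci` script starts Karma with `--single-run`, since the suppressed comment above notes that the plain `npm test` script no longer passes it, otherwise this job will never exit and will hang until the workflow timeout.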
Copilot AI Jun 6, 2025

[nitpick] Since ChromeHeadless and FirefoxHeadless do not require an X server, you may be able to remove xvfb-run and the DISPLAY export to simplify the CI job and speed up test startup.

anthonyshchang and others added 3 commits June 6, 2025 17:09
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@anthonyshchang anthonyshchang requested review from a team and forelabs June 6, 2025 15:23
@anthonyshchang anthonyshchang merged commit 2c91c2b into master Jun 12, 2025
1 check passed
@anthonyshchang anthonyshchang deleted the STRINGS-2449-address-critical-dependabot-alerts-socket-io-parser-angular-phrase branch June 12, 2025 18:36