Karma 6.4.4 Depends on "Vulnerable" inflight Library
[email protected] depends on a deprecated version of the 'glob' package. Need to update the version of glob to 9 or higher to fix the following vulnerabilities
https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
[email protected] C:\Myfolders\Myfiles\2_proj\demo\06-ng\ng-demo
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]
I can propose using https://www.npmjs.com/package/karma-up, my fork, which updated all deps.
package.json:
"overrides": { "karma": "npm:[email protected]" },
body-parser 1.20.3 should be included in the package.json updates as well. Fixes a High vulnerability reported by Mend.
"body-parser": "^1.20.2" does not have the fixed version in use, so that means you can use body-parser 1.20.3 as well.
Hi all,
Any updates on when the deprecated packages are due to be updated in Karma?
It would be nice to see these dependencies updated.
+1
+2
Would very much appreciate new apps not spitting out errors based on this issue in a new Angular 19 app.
For anyone ending up here due to npm audit complaining:
# npm audit report
body-parser <2.2.1
Severity: moderate
body-parser is vulnerable to denial of service when url encoding is used - https://github.com/advisories/GHSA-wqch-xfxh-vrr4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/body-parser
node_modules/karma/node_modules/body-parser
karma >=0.13.0-rc.0
Depends on vulnerable versions of body-parser
node_modules/karma
@angular/build >=19.2.0-next.0
Depends on vulnerable versions of karma
node_modules/@angular/build
karma-jasmine >=5.0.0
Depends on vulnerable versions of karma
node_modules/karma-jasmine
karma-jasmine-html-reporter >=2.0.0
Depends on vulnerable versions of karma
Depends on vulnerable versions of karma-jasmine
node_modules/karma-jasmine-html-reporter
5 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
The suggested downgrade of karma to version 0.12.37 is not a viable solution. Instead, add an override as a workaround:
diff --git a/package.json b/package.json
index 54a3f03..c56e4fb 100644
--- a/package.json
+++ b/package.json
@@ -9,10 +9,15 @@
"watch": "ng build --watch --configuration development",
"test": "ng test --watch=false --code-coverage",
"zzzz-last-script": ""
},
"private": true,
+ "overrides": {
+ "karma": {
+ "body-parser": "2.2.1"
+ }
+ },
"dependencies": {
"@angular/common": "^20.3.12",
"@angular/compiler": "^20.3.12",
"@angular/core": "^20.3.12",
"@angular/forms": "^20.3.12",
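Review bot: The nested override `"karma": { "body-parser": "2.2.1" }` pushes a major version bump into karma's own server (the thread shows karma declaring `"body-parser": "^1.20.2"`), and an override bypasses that declared range, so any incompatibility surfaces at test-run time rather than at install; run the `"test": "ng test --watch=false --code-coverage"` script visible in this same hunk before committing. Because package.json cannot carry comments, record the reason for the override (GHSA-wqch-xfxh-vrr4 from the audit output) in the commit message and track it for removal once karma ships its own fix.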
@@ -29,10 +34,11 @@
"devDependencies": {
"@angular/build": "^20.3.10",
"@angular/cli": "^20.3.10",
"@angular/compiler-cli": "^20.3.12",
"@types/jasmine": "~5.1.13",
+ "body-parser": "^2.2.1",
"jasmine-auto-spies": "^8.0.1",
"jasmine-core": "~5.12.1",
"karma": "~6.4.4",
"karma-chrome-launcher": "~3.2.0",
"karma-coverage": "~2.2.1",
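Review bot: The added `"body-parser": "^2.2.1"` in devDependencies is redundant with the override in the first hunk, and nothing in the visible lines imports body-parser directly (an Angular app reaches karma only through `ng test`), so it adds a top-level package with no consumer to maintain; drop it, or if it is kept, pin the same exact `2.2.1` used in the override so the two declarations cannot drift apart under `^`.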