From e322401b2cb6fc1ee6fd47f176c32370e522b5de Mon Sep 17 00:00:00 2001 From: Charles Lyding <19598772+clydin@users.noreply.github.com> Date: Thu, 4 Jun 2026 11:19:59 -0400 Subject: [PATCH] fix(@schematics/angular): use null objects and callbacks in karma-to-vitest migration The karma-to-vitest migration schematic previously used plain JavaScript objects as dictionaries when processing custom build options and analyzing Karma AST configurations. In environments where the input workspace files contain custom keys such as "__proto__", these assignments would leak properties onto the global Object prototype. --- .../migrate-karma-to-vitest/karma-config-analyzer.ts | 2 +- .../migrate-karma-to-vitest/karma-config-comparer.ts | 5 ++--- .../migrations/migrate-karma-to-vitest/migration.ts | 11 ++++++++++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts index d39e1a16bab6..8a1c49c58f61 100644 --- a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts +++ b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts @@ -142,7 +142,7 @@ export function analyzeKarmaConfig(content: string): KarmaConfigAnalysis { case ts.SyntaxKind.ArrayLiteralExpression: return (node as ts.ArrayLiteralExpression).elements.map(extractValue); case ts.SyntaxKind.ObjectLiteralExpression: { - const obj: { [key: string]: KarmaConfigValue } = {}; + const obj: { [key: string]: KarmaConfigValue } = Object.create(null); for (const prop of (node as ts.ObjectLiteralExpression).properties) { if (isSupportedPropertyAssignment(prop)) { // Recursively extract values for nested objects. diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts index 0c11a7196f1c..f7bef0213b1f 100644 --- a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts +++ b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts @@ -46,11 +46,10 @@ export async function generateDefaultKarmaConfig( // TODO: Replace this with the actual schematic templating logic. template = template - .replace( - /<%= relativePathToWorkspaceRoot %>/g, + .replace(/<%= relativePathToWorkspaceRoot %>/g, () => path.normalize(relativePathToWorkspaceRoot).replace(/\\/g, '/'), ) - .replace(/<%= folderName %>/g, projectName); + .replace(/<%= folderName %>/g, () => projectName); const devkitPluginRegex = /<% if \(needDevkitPlugin\) { %>(.*?)<% } %>/gs; const replacement = needDevkitPlugin ? '$1' : ''; diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts index 7d2306428b32..a57f7373bbac 100644 --- a/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts +++ b/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts @@ -32,6 +32,9 @@ async function processTestTargetOptions( let needsIstanbul = false; for (const [configName, options] of allTargetOptions(testTarget, false)) { const configKey = configName || ''; + if (configKey === '__proto__' || configKey === 'constructor') { + continue; + } if (!customBuildOptions[configKey]) { // Match Karma behavior where AOT was disabled by default customBuildOptions[configKey] = { @@ -276,7 +279,10 @@ function updateProjects(tree: Tree, context: SchematicContext): Rule { tsConfigsToUpdate.add(join(project.root, 'tsconfig.spec.json')); // Store custom build options to move to a new build configuration if needed - const customBuildOptions: Record> = {}; + const customBuildOptions: Record< + string, + Record + > = Object.create(null); const projectCoverageInfo = await processTestTargetOptions( testTarget, @@ -300,6 +306,9 @@ function updateProjects(tree: Tree, context: SchematicContext): Rule { const baseOptions = buildTarget.options || {}; for (const [configKey, configOptions] of Object.entries(customBuildOptions)) { + if (configKey === '__proto__' || configKey === 'constructor') { + continue; + } const finalConfig: Record = {}; // Omit options that already have the same value in the base build options.