fix(@schematics/angular): use null objects and callbacks in karma-to-vitest migration

clydin · clydin · commit e322401b2cb6 · 2026-06-04T13:32:33.000-04:00
The karma-to-vitest migration schematic previously used plain JavaScript objects as dictionaries when processing custom build options and analyzing Karma AST configurations. In environments where the input workspace files contain custom keys such as "__proto__", these assignments would leak properties onto the global Object prototype.
diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-analyzer.ts
@@ -142,7 +142,7 @@ export function analyzeKarmaConfig(content: string): KarmaConfigAnalysis {
       case ts.SyntaxKind.ArrayLiteralExpression:
         return (node as ts.ArrayLiteralExpression).elements.map(extractValue);
       case ts.SyntaxKind.ObjectLiteralExpression: {
-        const obj: { [key: string]: KarmaConfigValue } = {};
+        const obj: { [key: string]: KarmaConfigValue } = Object.create(null);
         for (const prop of (node as ts.ObjectLiteralExpression).properties) {
           if (isSupportedPropertyAssignment(prop)) {
             // Recursively extract values for nested objects.
diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/karma-config-comparer.ts
@@ -46,11 +46,10 @@ export async function generateDefaultKarmaConfig(
 
   // TODO: Replace this with the actual schematic templating logic.
   template = template
-    .replace(
-      /<%= relativePathToWorkspaceRoot %>/g,
+    .replace(/<%= relativePathToWorkspaceRoot %>/g, () =>
       path.normalize(relativePathToWorkspaceRoot).replace(/\\/g, '/'),
     )
-    .replace(/<%= folderName %>/g, projectName);
+    .replace(/<%= folderName %>/g, () => projectName);
 
   const devkitPluginRegex = /<% if \(needDevkitPlugin\) { %>(.*?)<% } %>/gs;
   const replacement = needDevkitPlugin ? '$1' : '';
diff --git a/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts b/packages/schematics/angular/migrations/migrate-karma-to-vitest/migration.ts
@@ -32,6 +32,9 @@ async function processTestTargetOptions(
   let needsIstanbul = false;
   for (const [configName, options] of allTargetOptions(testTarget, false)) {
     const configKey = configName || '';
+    if (configKey === '__proto__' || configKey === 'constructor') {
+      continue;
+    }
     if (!customBuildOptions[configKey]) {
       // Match Karma behavior where AOT was disabled by default
       customBuildOptions[configKey] = {
@@ -276,7 +279,10 @@ function updateProjects(tree: Tree, context: SchematicContext): Rule {
       tsConfigsToUpdate.add(join(project.root, 'tsconfig.spec.json'));
 
       // Store custom build options to move to a new build configuration if needed
-      const customBuildOptions: Record<string, Record<string, json.JsonValue | undefined>> = {};
+      const customBuildOptions: Record<
+        string,
+        Record<string, json.JsonValue | undefined>
+      > = Object.create(null);
 
       const projectCoverageInfo = await processTestTargetOptions(
         testTarget,
@@ -300,6 +306,9 @@ function updateProjects(tree: Tree, context: SchematicContext): Rule {
       const baseOptions = buildTarget.options || {};
 
       for (const [configKey, configOptions] of Object.entries(customBuildOptions)) {
+        if (configKey === '__proto__' || configKey === 'constructor') {
+          continue;
+        }
         const finalConfig: Record<string, json.JsonValue | undefined> = {};
 
         // Omit options that already have the same value in the base build options.
