Karate v2.1.0, released on 2026-06-17, brings important security enhancements, bug fixes, and new features for API and mobile testing.
Key Changes
Breaking Change: Enhanced Mock Server Security
Karate v2.1.0 introduces a critical security update for mock servers. By default, Java interop (Java.type) and embedded-expression evaluation of request-derived data (request, requestHeaders, requestParams) are now disabled. This mitigates a remote-code-execution risk. Mocks requiring these features must explicitly opt-in by adding to their Background:
configure javaBridgeEnabled = true
configure requestExpressionsEnabled = true
Alternatively, use .javaBridgeEnabled(true) or .requestExpressionsEnabled(true) on MockServer.Builder.
Important Fixes
This release resolves several issues, notably improving match behavior with null/absent paths and ensuring #notpresent works across Examples columns. Gatling simulations now auto-read KARATE_ENV again. Other fixes include correct schema cross-reference resolution, configure headers/cookies mutations reflecting per-request, and accurate parsing of call read('file.js')(args). Reporting for JS-driven feature calls and HTML report pass percentages are also improved.
New Features & Enhancements
QA engineers gain more control with new console logging levels (off/none), stable scenario identity via __id, and a karate.scenario.slug accessor. The request.bodyJson convenience accessor simplifies API testing. HTML reports now show effective (inherited) tags, and karate.getConfigDir() exposes the karate-config.js directory. Dry-run reports steps as skipped, not passed.
View the complete list of all issues fixed in this release.
Impact for QA Teams
QA teams upgrading to Karate v2.1.0 must review existing mock server configurations to ensure functionality, especially those relying on dynamic request data processing. This update significantly enhances security for mock services. The numerous bug fixes and new features streamline API and mobile testing workflows, improving reporting accuracy and developer experience. For more on API testing, see our Karate API Testing Tutorial.
FAQ
- Q: What is the most important change in v2.1.0? A: The default disabling of Java interop and request expression evaluation in mock servers for security reasons.
- Q: How do I enable Java interop in my mock server?
A: Add
configure javaBridgeEnabled = trueto your mock’sBackgroundsection. - Q: Is this a mandatory upgrade? A: While not mandatory, the security enhancements and bug fixes make it a recommended update for all users.
For full details, refer to the Karate v2.1.0 Full Changelog.
