Fixes #3751

## [6.3.13](v6.3.12...v6.3.13) (2022-01-31)

### Bug Fixes

* **deps:** bump log4js to resolve security issue ([5bf2df3](5bf2df3)), closes [#3751](#3751)

The `returnUrl` query parameter can be used to execute malicious code. For
example, visiting
`http://localhost:9876/?return_url=javascript:alert(document.domain)` will
display an alert.

Setting `singleRun` and `autoWatch` to `false` will not immediately run
anything. Warn the user about this.

It is incompatible with IE.

## [6.3.14](v6.3.13...v6.3.14) (2022-02-05)

### Bug Fixes

* remove string template from client code ([91d5acd](91d5acd))
* warn when `singleRun` and `autoWatch` are `false` ([69cfc76](69cfc76))
* **security:** remove XSS vulnerability in `returnUrl` query param ([839578c](839578c))

BrowserStack can be flaky when there are multiple concurrent jobs running on
it. This commit makes sure that only 1 browser can run concurrently during the
`npm run test:client` jobs and that the "Test" GitHub Action workflow is only
trigerred once when creating a PR; having the `on: push` configuration made it
so that GH triggers two duplicate jobs when a PR is opened.

The main motivation for this change is karma-runner/karma-coverage#434 (comment) where concurrent calls to the helper fail because of the race between the check and directory creation. This is a temporary solution and should be replaced with the native [`mkdir`](https://nodejs.org/api/fs.html#fsmkdirpath-options-callback) with the `recursive` option once minimum supported Node is bumped to 12.

## [6.3.15](v6.3.14...v6.3.15) (2022-02-05)

### Bug Fixes

* **helper:** make mkdirIfNotExists helper resilient to concurrent calls ([d9dade2](d9dade2)), closes [/github.com/karma-runner/karma-coverage/issues/434#issuecomment-1017939333](https://github.com//github.com/karma-runner/karma-coverage/issues/434/issues/issuecomment-1017939333)

## [6.3.16](v6.3.15...v6.3.16) (2022-02-10)

### Bug Fixes

* **security:** mitigate the "Open Redirect Vulnerability" ([ff7edbb](ff7edbb))