Update dependency jsdom to v16 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsdom	^13.0.0 -> ^16.5.0

GitHub Vulnerability Alerts

CVE-2021-20066

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

---

Release Notes

jsdom/jsdom (jsdom)

v16.5.0

Compare Source

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

v16.4.0

Compare Source

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

v16.3.0

Compare Source

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

v16.2.2

Compare Source

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
• Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
• Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
• Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
• Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.
• Fixed errors that would occur when closing a window with outstanding requests to data: URLs.
• Fixed sporadic issues with the value of <input type="month"> that could occur in some time zones and for some times.
• Fixed document.implementation.createDocument() to return an XMLDocument, instead of a Document. (ExE-Boss)
• Fixed running jsdom in a browser to detect globals more reliably. (ExE-Boss)

v16.2.1

Compare Source

• Updated saxes, to bring in some BOM-related fixes.
• Updated Acorn-related packages to squelch npm audit warnings.

v16.2.0

Compare Source

• Added support for custom elements! Congratulations and thanks to @​pmdartus for making this happen, after ten months of hard work and lots of effort poured into the complex architectural prerequisites in jsdom and supporting packages.
• Fixed some issues when trying to use Attr as a Node, e.g. by checking its baseURI property or calling attr.cloneNode().
• Fixed a memory leak during parsing that was introduced in v14.0.0.
• Fixed edge cases in number/string conversion used for certain element properties that reflected integer attributes.

v16.1.0

Compare Source

• Added console.timeLog().
• Changed Attr to extend Node, to align with specifications. (ExE-Boss)
• Changed <noscript> children to be parsed as nodes, instead of as text, when runScripts is left as the default of undefined. (ACHP)
• Upgraded cssstyle to v2.1.0, which brings along fixes to handling of rgba() and hsl() colors. (kraynel)
• Fixed some selection-related issues when manipulating the value of <input>s and <textarea>s. (Matthew-Goldberg)
• Fixed various issues with setTimeout(), setInterval(), and requestAnimationFrame(), particularly around window closing and recursive calls.

v16.0.1

Compare Source

• Fixed Node v10 and v11 support when runScripts was set.
• Fixed the behavior when changing an <input>'s type="" attribute.
• Fixed input validation behavior for <input type="range"> when max="" is less than min="".

v16.0.0

Compare Source

For this release we'd like to welcome @​pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).

Breaking changes:

• Node v10 is now the minimum supported version.
• The dom.runVMScript() API has been replaced with the more general dom.getInternalVMContext() API.
• Each jsdom Window now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.
• Each jsdom Window now exposes all JavaScript-spec-defined globals uniformly. When runScripts is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas when runScripts is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and with runScripts disabled, the other classes would not be exposed at all.)

Other changes:

• Added the AbstractRange, Range, StaticRange, Selection, and window.getSelection() APIs.
• Added working constructors for Comment, Text, and DocumentFragment.
• Added valueAsDate, valueAsNumber, stepUp() and stepDown() to <input> elements. (kraynel)
• Added window.origin.
• Removed document.origin.
• Fixed <template> to work correctly inside XML documents.
• Fixed some bugs which would cause jsdom to choose the wrong character encoding because it was failing to detect <meta charset> or <meta http-equiv="charset"> elements.
• Fixed input.type to default to "text". (connormeredith)
• Fixed incorrect validation errors for <input> with fractional values for their step="" attribute. (kontomondo)
• Fixed incorrect validation errors on readonly <input> elements.
• Fixed <input type="email" multiple pattern="..."> validation.
• Fixed fileReader.readAsDataURL() to always base64-encode the result. (ytetsuro)
• Fixed inserting <img> elements into documents without a browsing context to no longer crash when the canvas package is installed.
• Fixed a memory leak when using window.setTimeout() or window.setInterval().
• Improved the performance of getComputedStyle(). (eps1lon)

v15.2.1

Compare Source

• Fixed JSDOM.fromURL() handling of URLs with hashes in them, to no longer send the hash to the server and append an extra copy of it when constructing the Document. (rchl)
• Fixed focusing an already-focused element to correctly do nothing, instead of firing additional focus events. (eps1lon)
• Fixed typo in the not-implemented message for mediaElement.addTextTrack(). (mtsmfm)
• Upgraded nwsapi minimum version to 2.2.0, which fixes issues with ::-webkit- prefixed pseudo-elements and namespaced attribute selectors.

v15.2.0

Compare Source

• Added basic style inheritance in getComputedStyle() for the 'visibility' property. This sets the foundation for further work on inheritance, cascading, and specificity. (eps1lon)
• Added shadowRoot.activeElement.
• Added readystatechange events during document loading.
• Added a stub for form.requestSubmit(), to match our existing stub for form.submit().
• Changed el.tabIndex's default value, when no tabindex="" attribute was set, to reflect the updated specification.
• Changed the exception thrown by el.attachShadow() on something that's already a shadow host, to reflect the updated specification.
• Fixed the validation logic for <input type="range">.
• Fixed selectEl.value when no <option> is selected to return the empty string, instead of the value of the first option. (tgohn)
• Fixed various correctness issues with new FormData(formElement). (brendo)
• Fixed error messages when parsing XML to include the filename, instead of using "undefined". (papandreou)
• Fixed the logic for reflected properties to not be affected by overwriting of el.getAttributeNS() or el.setAttributeNS().
• Set canvas as an optional ``peerDependency`, which apparently helps with Yarn PnP support.

v15.1.1

Compare Source

• Moved the nonce property from HTMLScriptElement and HTMLStyleElement to HTMLElement. Note that it is still just a simple reflection of the attribute, and has not been updated for the rest of the changes in whatwg/html#2373.
• Fixed the style and on<event> properties to properly track their related attributes for SVG elements. (kbruneel)
• Fixed XMLHttpRequest merging preflight and response headers. (thiagohirata)
• Fixed XMLHttpRequest reserializing content-type request headers unnecessarily. See whatwg/mimesniff#84 for more details. (thiagohirata)
• Fixed element.tagName to be the ASCII uppercase of the element's qualified name, instead of the Unicode uppercase.

v15.1.0

Compare Source

• Added the Headers class from the Fetch standard.
• Added the element.translate getter and setter.
• Fixed synchronous XMLHttpRequest on the newly-released Node.js v12.
• Fixed form.elements to exclude <input type="image"> elements.
• Fixed event path iteration in shadow DOM cases, following spec fixes at whatwg/dom#686 and whatwg/dom#750.
• Fixed pattern="" form control validation to apply the given regular expression to the whole string. (kontomondo)

v15.0.0

Compare Source

Several potentially-breaking changes, each of them fairly unlikely to actually break anything:

• JSDOM.fromFile() now treats .xht files as application/xhtml+xml, the same as it does for .xhtml and .xml. Previously, it would treat them as text/html.
• If the JSDOM constructor's contentType option has a charset parameter, and the first argument to the constructor is a binary data type (e.g. Buffer or ArrayBuffer), then the charset will override any sniffed encoding in the same way as a Content-Type header would in browser scenarios. Previously, the charset parameter was ignored.
• When using the Blob or File constructor with the endings: "native" option, jsdom will now convert line endings to \n on all operating systems, for consistency. Previously, on Windows, it would convert line endings to \r\n.

v14.1.0

Compare Source

• Added activation behavior for <a> and <area> elements whose href="" points to a javascript: URL or fragment.
• Added the <datalist> element's options property.
• Added the <input> element's list property.
• Added PageTransitionEvent, and the firing of pageshow events during loading.
• Exposed the External class as a property of window.
• Fixed HTML fragment parsing (via innerHTML and outerHTML) to be spec-compliant. (pmdartus)
• Fixed HTML serialization (e.g. via innerHTML) breaking after setting certain properties to non-string values.
• Fixed how disabling an element would cause its activation behavior to forever be null, even if it were re-enabled.
• Fixed all access to attributes to ignore attributes with namespaces, per the spec.
• Fixed <style>s to no longer apply to documents without a browsing context. This includes fixing a crash that would occur with such styles if they had an @import rule.
• Fixed <option>'s label and value properties to return correct values in various edge cases.
• Fixed the load event during document loading to target the Document, not the Window.
• Fixed the pretendToBeVisual option to propagate to child subframes, as well as the main Window. (pyrho)
• Updated the minimum nwsapi version from v2.1.1 to v2.1.3, bringing along a few fixes in our selector engine.

v14.0.0

Compare Source

Breaking changes:

• JSDOM.fragment() now creates fragments whose document has no browsing context, i.e. no associated Window. This means the defaultView property will be null, resources will not load, etc.
• JSDOM.fragment(), called with no arguments, now creates a DocumentFragment with no children, instead of with a single child text node whose data was "undefined".

Other changes:

• Fixed a regression in v13.2.0 when calling element.blur() on a focused element.
• Fixed inserting <link> elements into documents with no browsing context to no longer crash if the originating JSDOM was configured to fetch the resource. Now, per spec, <link> elements only attempt to fetch if they are browsing-context connected.
• Fixed <template> elements to have the correct semantics, of using a separate browsing-context-less document to store its contents. In particular this means resources will not be fetched for elements inside the <template>, as per spec.

v13.2.0

Compare Source

• Added support for MutationObservers! (pmdartus)
• Added support for XML documents loaded in frames and iframes; previously this would error.
• Added the <progress> element's value, max, and position properties.
• Added navigator.plugins and navigator.mimeTypes. (But, they are always empty.)
• Fixed <summary> elements respond to click events by toggling their parent <details>.
• Fixed <summary> elements to be focusable.
• Fixed XML document DOCTYPE parsing to preserve any custom name values.
• Fixed XML documents to default to UTF-8, not windows-1252 like HTML documents do.
• Fixed all events fired by jsdom to have isTrusted set to true.
• Fixed DOMParser-created documents to have their readyState set to "complete".
• Fixed how nested <fieldset>s get disabled.
• Fixed getComputedStyle() to throw a sensible exception when passed the wrong argument, instead of one that exposes jsdom internals.
• Upgraded our saxes dependency, so that it now correctly errors on XML fragments like <foo bar:="1"/>.

v13.1.0

Compare Source

• Added el.insertAdjacentElement() and el.insertAdjacentText().
• Added the firing of a cancelable reset event to form.reset(). (epfremmer)
• Added the type, value, and defaultValue properties to <output> elements, including their form reset behavior. (epfremmer)
• Added the outputEl.htmlFor property.
• Fixed the performance of parsing large text nodes, particularly noticeable for large inline <style> or <script> elements. This regressed in v11.6.0. To learn more, see V8 issue #​6730.
• Fixed the style property on <a> and <area> elements. This regressed in v13.0.0.
• Fixed node.isConnected to not always return false for nodes inside a shadow tree. (pmdartus)
• Fixed <button type="reset"> and <input type="reset"> elements to actually perform a form reset when clicked, instead of doing nothing. (epfremmer)
• Fixed el.setCustomValidity() for <output> and <fieldset>.
• Fixed activation behavior when dispatching bubbling click events, so that for example calling el.click() on the child of a submit button element will submit the form.
• Fixed our XML parsing code to ignore text outside the root element, instead of treating it as an error. (lddubeau)
• Fixed XML serialization when elements had an unknown prefix.
• Fixed radio button group name matching to be case-sensitive, per a spec update.
• Fixed focus/blur events to be composed.
• Fixed mediaElement.duration to default to NaN.
• Fixed olEl.start to default to 1.
• Fixed using XMLHttpRequest against non-existant file: URLs to treat that as a network error, instead of crashing. (pascalbayer) Note that in the future we may completely disable XMLHttpRequest usage against file: URLs to follow the browser security model.
• Fixed document.title in SVG documents.
• Fixed titleElement.text to return the child text content, instead of being the same as titleElement.innerHTML.
• Fixed <textarea>s to properly account for child CDATA section nodes changing.
• Fixed the value of Element.prototype[Symbol.unscopables].

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.