Update dependency jsdom to v16 [SECURITY] #278
Open: renovate wants to merge 1 commit into develop from renovate/npm-jsdom-vulnerability
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from fa7ab4a to 5608a7e (March 16, 2023 23:59)
renovate bot changed the title from "Update dependency jsdom to v20 [SECURITY]" to "Update dependency jsdom to v21 [SECURITY]" (Mar 17, 2023)
renovate bot changed the title from "Update dependency jsdom to v21 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Mar 25, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 5608a7e to 8ea0e7a (March 25, 2023 00:55)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v21 [SECURITY]" (Apr 3, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 8ea0e7a to bfdc93f (April 3, 2023 09:23)
renovate bot changed the title from "Update dependency jsdom to v21 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Apr 3, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from bfdc93f to 7a4ddc5 (April 3, 2023 11:37)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 7a4ddc5 to 7918400 (April 17, 2023 14:01)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v21 [SECURITY]" (Apr 17, 2023)
renovate bot changed the title from "Update dependency jsdom to v21 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Apr 17, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 7918400 to cf348c9 (April 17, 2023 17:06)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v22 [SECURITY]" (May 28, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from cf348c9 to c0de171 (May 28, 2023 12:24)
renovate bot changed the title from "Update dependency jsdom to v22 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (May 28, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch 2 times, most recently from 373b18f to 5d0b268 (June 4, 2023 10:25)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v22 [SECURITY]" (Jun 4, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 5d0b268 to 0f344f9 (June 4, 2023 13:01)
renovate bot changed the title from "Update dependency jsdom to v22 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Jun 4, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 0f344f9 to 4080071 (June 13, 2023 14:17)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v22 [SECURITY]" (Jun 13, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 4080071 to 35c1a60 (June 13, 2023 16:05)
renovate bot changed the title from "Update dependency jsdom to v22 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Jun 13, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 35c1a60 to ae88891 (June 18, 2023 07:50)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v22 [SECURITY]" (Jun 18, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from ae88891 to 9ee9c20 (June 18, 2023 11:06)
renovate bot changed the title from "Update dependency jsdom to v22 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Jun 18, 2023)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 9ee9c20 to 056a331 (June 19, 2023 07:49)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Mar 20, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from abc3a63 to f037ef8 (March 24, 2024 14:10)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (Mar 24, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from f037ef8 to a136d90 (March 24, 2024 17:32)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Mar 24, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from a136d90 to 5fa1a84 (April 14, 2024 10:33)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (Apr 14, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 5fa1a84 to b436da1 (April 14, 2024 12:58)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Apr 14, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from b436da1 to 4b9f314 (April 21, 2024 10:58)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (Apr 21, 2024)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Apr 21, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch 2 times, most recently from ef3c3db to 5bd2e27 (April 25, 2024 08:58)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (Apr 25, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 5bd2e27 to 748364e (April 25, 2024 12:23)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (Apr 25, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 748364e to 024e99b (May 1, 2024 09:21)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (May 1, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 024e99b to 4bee005 (May 1, 2024 12:38)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (May 1, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 4bee005 to ed34d69 (May 9, 2024 11:08)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (May 9, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from ed34d69 to 9fa1438 (May 9, 2024 12:53)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (May 9, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from 9fa1438 to f6d81a3 (May 15, 2024 17:58)
renovate bot changed the title from "Update dependency jsdom to v16 [SECURITY]" to "Update dependency jsdom to v24 [SECURITY]" (May 15, 2024)
renovate bot force-pushed the renovate/npm-jsdom-vulnerability branch from f6d81a3 to 1fefdf7 (May 15, 2024 23:52)
renovate bot changed the title from "Update dependency jsdom to v24 [SECURITY]" to "Update dependency jsdom to v16 [SECURITY]" (May 15, 2024)
This PR contains the following updates:
jsdom: ^13.0.0 -> ^16.5.0
GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
v16.5.0
window.queueMicrotask().
window.event.
inputEvent.inputType. (diegohaz)
ondragexit from Window and friends, per a spec update.
about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
new File() constructor to no longer convert / to :, per a pending spec update.
MutationObserver instance as their this value.
<input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
XMLHttpRequest to expose the Content-Length header on cross-origin responses.
xhr.response to return null for failures that occur during the middle of the download.
localStorage or dataset. (ExE-Boss)
v16.4.0
getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
el.focus() to do nothing on disconnected elements. (eps1lon)
el.focus() to work on SVG elements. (zjffun)
<body> element. (eps1lon)
imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
valueMissing validation check for <input type="radio">. (zjffun)
translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
v16.3.0
focusin and focusout when using el.focus() and el.blur(). (trueadm)
contenteditable="" attribute to be considered as focusable. (jamieliu386)
window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
handleEvent properties as event listeners. (ExE-Boss)
load event instead of an error event, when the canvas package is installed. (strager)
v16.2.2
StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
click() on a <label> element, or one of its descendants.
getComputedStyle() to consider inline style="" attributes. (eps1lon)
<input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
<input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
addEventListener.
data: URLs.
<input type="month"> that could occur in some time zones and for some times.
document.implementation.createDocument() to return an XMLDocument, instead of a Document. (ExE-Boss)
v16.2.1
saxes, to bring in some BOM-related fixes.
npm audit warnings.
v16.2.0
Attr as a Node, e.g. by checking its baseURI property or calling attr.cloneNode().
v16.1.0
console.timeLog().
Attr to extend Node, to align with specifications. (ExE-Boss)
<noscript> children to be parsed as nodes, instead of as text, when runScripts is left as the default of undefined. (ACHP)
cssstyle to v2.1.0, which brings along fixes to handling of rgba() and hsl() colors. (kraynel)
<input>s and <textarea>s. (Matthew-Goldberg)
setTimeout(), setInterval(), and requestAnimationFrame(), particularly around window closing and recursive calls.
v16.0.1
runScripts was set.
<input>'s type="" attribute.
<input type="range"> when max="" is less than min="".
v16.0.0
For this release we'd like to welcome @pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).
Breaking changes:
dom.runVMScript() API has been replaced with the more general dom.getInternalVMContext() API.
Window now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.
Window now exposes all JavaScript-spec-defined globals uniformly. When runScripts is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas when runScripts is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and with runScripts disabled, the other classes would not be exposed at all.)
Other changes:
AbstractRange, Range, StaticRange, Selection, and window.getSelection() APIs.
Comment, Text, and DocumentFragment.
valueAsDate, valueAsNumber, stepUp() and stepDown() to <input> elements. (kraynel)
window.origin.
document.origin.
<template> to work correctly inside XML documents.
<meta charset> or <meta http-equiv="charset"> elements.
input.type to default to "text". (connormeredith)
<input> with fractional values for their step="" attribute. (kontomondo)
<input> elements.
<input type="email" multiple pattern="..."> validation.
fileReader.readAsDataURL() to always base64-encode the result. (ytetsuro)
<img> elements into documents without a browsing context to no longer crash when the canvas package is installed.
window.setTimeout() or window.setInterval().
getComputedStyle(). (eps1lon)
v15.2.1
JSDOM.fromURL() handling of URLs with hashes in them, to no longer send the hash to the server and append an extra copy of it when constructing the Document. (rchl)
focus events. (eps1lon)
mediaElement.addTextTrack(). (mtsmfm)
nwsapi minimum version to 2.2.0, which fixes issues with ::-webkit- prefixed pseudo-elements and namespaced attribute selectors.
v15.2.0
getComputedStyle() for the 'visibility' property. This sets the foundation for further work on inheritance, cascading, and specificity. (eps1lon)
shadowRoot.activeElement.
readystatechange events during document loading.
form.requestSubmit(), to match our existing stub for form.submit().
el.tabIndex's default value, when no tabindex="" attribute was set, to reflect the updated specification.
el.attachShadow() on something that's already a shadow host, to reflect the updated specification.
<input type="range">.
selectEl.value when no <option> is selected to return the empty string, instead of the value of the first option. (tgohn)
new FormData(formElement). (brendo)
"undefined". (papandreou)
el.getAttributeNS() or el.setAttributeNS().
canvas as an optional peerDependency, which apparently helps with Yarn PnP support.
v15.1.1
nonce property from HTMLScriptElement and HTMLStyleElement to HTMLElement. Note that it is still just a simple reflection of the attribute, and has not been updated for the rest of the changes in whatwg/html#2373.
style and on<event> properties to properly track their related attributes for SVG elements. (kbruneel)
XMLHttpRequest merging preflight and response headers. (thiagohirata)
XMLHttpRequest reserializing content-type request headers unnecessarily. See whatwg/mimesniff#84 for more details. (thiagohirata)
element.tagName to be the ASCII uppercase of the element's qualified name, instead of the Unicode uppercase.
v15.1.0
Headers class from the Fetch standard.
element.translate getter and setter.
XMLHttpRequest on the newly-released Node.js v12.
form.elements to exclude <input type="image"> elements.
pattern="" form control validation to apply the given regular expression to the whole string. (kontomondo)
v15.0.0
Several potentially-breaking changes, each of them fairly unlikely to actually break anything:
JSDOM.fromFile() now treats .xht files as application/xhtml+xml, the same as it does for .xhtml and .xml. Previously, it would treat them as text/html.
JSDOM constructor's contentType option has a charset parameter, and the first argument to the constructor is a binary data type (e.g. Buffer or ArrayBuffer), then the charset will override any sniffed encoding in the same way as a Content-Type header would in browser scenarios. Previously, the charset parameter was ignored.
Blob or File constructor with the endings: "native" option, jsdom will now convert line endings to \n on all operating systems, for consistency. Previously, on Windows, it would convert line endings to \r\n.
v14.1.0
<a> and <area> elements whose href="" points to a javascript: URL or fragment.
<datalist> element's options property.
<input> element's list property.
PageTransitionEvent, and the firing of pageshow events during loading.
External class as a property of window.
innerHTML and outerHTML) to be spec-compliant. (pmdartus)
innerHTML) breaking after setting certain properties to non-string values.
<style>s to no longer apply to documents without a browsing context. This includes fixing a crash that would occur with such styles if they had an @import rule.
<option>'s label and value properties to return correct values in various edge cases.
load event during document loading to target the Document, not the Window.
pretendToBeVisual option to propagate to child subframes, as well as the main Window. (pyrho)
nwsapi version from v2.1.1 to v2.1.3, bringing along a few fixes in our selector engine.
v14.0.0
Breaking changes:
JSDOM.fragment() now creates fragments whose document has no browsing context, i.e. no associated Window. This means the defaultView property will be null, resources will not load, etc.
JSDOM.fragment(), called with no arguments, now creates a DocumentFragment with no children, instead of with a single child text node whose data was "undefined".
Other changes:
element.blur() on a focused element.
<link> elements into documents with no browsing context to no longer crash if the originating JSDOM was configured to fetch the resource. Now, per spec, <link> elements only attempt to fetch if they are browsing-context connected.
<template> elements to have the correct semantics, of using a separate browsing-context-less document to store its contents. In particular this means resources will not be fetched for elements inside the <template>, as per spec.
v13.2.0
MutationObservers! (pmdartus)
<progress> element's value, max, and position properties.
navigator.plugins and navigator.mimeTypes. (But, they are always empty.)
<summary> elements respond to click events by toggling their parent <details>.
<summary> elements to be focusable.
isTrusted set to true.
DOMParser-created documents to have their readyState set to "complete".
<fieldset>s get disabled.
getComputedStyle() to throw a sensible exception when passed the wrong argument, instead of one that exposes jsdom internals.
saxes dependency, so that it now correctly errors on XML fragments like <foo bar:="1"/>.
v13.1.0
el.insertAdjacentElement() and el.insertAdjacentText().
reset event to form.reset(). (epfremmer)
type, value, and defaultValue properties to <output> elements, including their form reset behavior. (epfremmer)
outputEl.htmlFor property.
<style> or <script> elements. This regressed in v11.6.0. To learn more, see V8 issue #6730.
style property on <a> and <area> elements. This regressed in v13.0.0.
node.isConnected to not always return false for nodes inside a shadow tree. (pmdartus)
<button type="reset"> and <input type="reset"> elements to actually perform a form reset when clicked, instead of doing nothing. (epfremmer)
el.setCustomValidity() for <output> and <fieldset>.
click events, so that for example calling el.click() on the child of a submit button element will submit the form.
focus/blur events to be composed.
mediaElement.duration to default to NaN.
olEl.start to default to 1.
XMLHttpRequest against non-existent file: URLs to treat that as a network error, instead of crashing. (pascalbayer) Note that in the future we may completely disable XMLHttpRequest usage against file: URLs to follow the browser security model.
document.title in SVG documents.
titleElement.text to return the child text content, instead of being the same as titleElement.innerHTML.
<textarea>s to properly account for child CDATA section nodes changing.
Element.prototype[Symbol.unscopables].
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.