chore(deps): update dependency jsdom to v16 [security] - autoclosed #1069
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
15.2.1
->16.5.0
GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom
v16.5.0
Compare Source
window.queueMicrotask()
.window.event
.inputEvent.inputType
. (diegohaz)ondragexit
fromWindow
and friends, per a spec update.about:blank
iframes. Previously it was getting set to the parent's URL. (SimonMueller)hidden=""
attribute to causedisplay: none
per the user-agent stylesheet. (ph-fritsche)new File()
constructor to no longer convert/
to:
, per a pending spec update.MutationObserver
instance as theirthis
value.<input type=checkbox>
and<input type=radio>
to be mutable even when disabled, per a spec update.XMLHttpRequest
to not fire a redundant finalprogress
event if aprogress
event was previously fired with the sameloaded
value. This would usually occur with small files.XMLHttpRequest
to expose theContent-Length
header on cross-origin responses.xhr.response
to returnnull
for failures that occur during the middle of the download.localStorage
ordataset
. (ExE-Boss)v16.4.0
Compare Source
getComputedStyle()
, unless you pass a::part
or::slotted
pseudo-element, in which case we throw an error per the spec. (ExE-Boss)el.tagName
, which also indirectly improves performance of selector matching and style computation. (eps1lon)form.elements
to respect theform=""
attribute, so that it can contain non-descendant form controls. (ccwebdesign)el.focus()
to do nothing on disconnected elements. (eps1lon)el.focus()
to work on SVG elements. (zjffun)<body>
element. (eps1lon)imgEl.complete
to return true for<img>
elements with empty or unsetsrc=""
attributes. (strager)imgEl.complete
to return true if an error occurs loading the<img>
, when canvas is enabled. (strager)imgEl.complete
to return false if the<img>
element'ssrc=""
attribute is reset. (strager)valueMissing
validation check for<input type="radio">
. (zjffun)translate=""
anddraggable=""
attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)v16.3.0
Compare Source
focusin
andfocusout
when usingel.focus()
andel.blur()
. (trueadm)contenteditable=""
attribute to be considered as focusable. (jamieliu386)window.NodeFilter
to be per-Window
, instead of shared across allWindow
s. (ExE-Boss)handleEvent
properties as event listeners. (ExE-Boss)load
event instead of anerror
event, when thecanvas
package is installed. (strager)v16.2.2
Compare Source
StyleSheetList
for better spec compliance; notably it no longer inherits fromArray.prototype
. (ExE-Boss)requestAnimationFrame()
from preventing process exit. This likely regressed in v16.1.0.setTimeout()
to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)click()
on a<label>
element, or one of its descendants.getComputedStyle()
to consider inlinestyle=""
attributes. (eps1lon)<input type="number">
'sstepUp()
andstepDown()
functions to be properly decimal-based, instead of floating point-based.selectEl.value
would not invalidate properties such asselectEl.selectedOptions
. (ExE-Boss)<input>
'ssrc
property, and<ins>
/<del>
'scite
property, to properly reflect as URLs.window.addEventLister
,window.removeEventListener
, andwindow.dispatchEvent
to properly be inherited fromEventTarget
, instead of being distinct functions. (ExE-Boss)addEventListener
.data:
URLs.<input type="month">
that could occur in some time zones and for some times.document.implementation.createDocument()
to return anXMLDocument
, instead of aDocument
. (ExE-Boss)v16.2.1
Compare Source
saxes
, to bring in some BOM-related fixes.npm audit
warnings.v16.2.0
Compare Source
Attr
as aNode
, e.g. by checking itsbaseURI
property or callingattr.cloneNode()
.v16.1.0
Compare Source
console.timeLog()
.Attr
to extendNode
, to align with specifications. (ExE-Boss)<noscript>
children to be parsed as nodes, instead of as text, whenrunScripts
is left as the default ofundefined
. (ACHP)cssstyle
to v2.1.0, which brings along fixes to handling ofrgba()
andhsl()
colors. (kraynel)<input>
s and<textarea>
s. (Matthew-Goldberg)setTimeout()
,setInterval()
, andrequestAnimationFrame()
, particularly around window closing and recursive calls.v16.0.1
Compare Source
runScripts
was set.<input>
'stype=""
attribute.<input type="range">
whenmax=""
is less thanmin=""
.v16.0.0
Compare Source
For this release we'd like to welcome @pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).
Breaking changes:
dom.runVMScript()
API has been replaced with the more generaldom.getInternalVMContext()
API.Window
now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.Window
now exposes all JavaScript-spec-defined globals uniformly. WhenrunScripts
is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas whenrunScripts
is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and withrunScripts
disabled, the other classes would not be exposed at all.)Other changes:
AbstractRange
,Range
,StaticRange
,Selection
, andwindow.getSelection()
APIs.Comment
,Text
, andDocumentFragment
.valueAsDate
,valueAsNumber
,stepUp()
andstepDown()
to<input>
elements. (kraynel)window.origin
.document.origin
.<template>
to work correctly inside XML documents.<meta charset>
or<meta http-equiv="charset">
elements.input.type
to default to"text"
. (connormeredith)<input>
with fractional values for theirstep=""
attribute. (kontomondo)<input>
elements.<input type="email" multiple pattern="...">
validation.fileReader.readAsDataURL()
to always base64-encode the result. (ytetsuro)<img>
elements into documents without a browsing context to no longer crash when thecanvas
package is installed.window.setTimeout()
orwindow.setInterval()
.getComputedStyle()
. (eps1lon)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.