Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency jsdom to v16 [security] - autoclosed #1069

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Jun 23, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jsdom 15.2.1 -> 16.5.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-20066

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.


Release Notes

jsdom/jsdom

v16.5.0

Compare Source

  • Added window.queueMicrotask().
  • Added window.event.
  • Added inputEvent.inputType. (diegohaz)
  • Removed ondragexit from Window and friends, per a spec update.
  • Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
  • Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
  • Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
  • Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
  • Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
  • Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
  • Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
  • Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
  • Fixed xhr.response to return null for failures that occur during the middle of the download.
  • Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
  • Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
  • Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

v16.4.0

Compare Source

  • Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
  • Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
  • Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
  • Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
  • Fixed el.focus() to work on SVG elements. (zjffun)
  • Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
  • Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
  • Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
  • Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
  • Fixed the valueMissing validation check for <input type="radio">. (zjffun)
  • Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

v16.3.0

Compare Source

  • Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
  • Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
  • Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
  • Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
  • Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
  • Fixed drawing an empty canvas into another canvas. (zjffun)

v16.2.2

Compare Source

  • Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
  • Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
  • Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
  • Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
  • Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
  • Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
  • Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
  • Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
  • Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
  • Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.
  • Fixed errors that would occur when closing a window with outstanding requests to data: URLs.
  • Fixed sporadic issues with the value of <input type="month"> that could occur in some time zones and for some times.
  • Fixed document.implementation.createDocument() to return an XMLDocument, instead of a Document. (ExE-Boss)
  • Fixed running jsdom in a browser to detect globals more reliably. (ExE-Boss)

v16.2.1

Compare Source

  • Updated saxes, to bring in some BOM-related fixes.
  • Updated Acorn-related packages to squelch npm audit warnings.

v16.2.0

Compare Source

  • Added support for custom elements! Congratulations and thanks to @​pmdartus for making this happen, after ten months of hard work and lots of effort poured into the complex architectural prerequisites in jsdom and supporting packages.
  • Fixed some issues when trying to use Attr as a Node, e.g. by checking its baseURI property or calling attr.cloneNode().
  • Fixed a memory leak during parsing that was introduced in v14.0.0.
  • Fixed edge cases in number/string conversion used for certain element properties that reflected integer attributes.

v16.1.0

Compare Source

  • Added console.timeLog().
  • Changed Attr to extend Node, to align with specifications. (ExE-Boss)
  • Changed <noscript> children to be parsed as nodes, instead of as text, when runScripts is left as the default of undefined. (ACHP)
  • Upgraded cssstyle to v2.1.0, which brings along fixes to handling of rgba() and hsl() colors. (kraynel)
  • Fixed some selection-related issues when manipulating the value of <input>s and <textarea>s. (Matthew-Goldberg)
  • Fixed various issues with setTimeout(), setInterval(), and requestAnimationFrame(), particularly around window closing and recursive calls.

v16.0.1

Compare Source

  • Fixed Node v10 and v11 support when runScripts was set.
  • Fixed the behavior when changing an <input>'s type="" attribute.
  • Fixed input validation behavior for <input type="range"> when max="" is less than min="".

v16.0.0

Compare Source

For this release we'd like to welcome @​pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).

Breaking changes:

  • Node v10 is now the minimum supported version.
  • The dom.runVMScript() API has been replaced with the more general dom.getInternalVMContext() API.
  • Each jsdom Window now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.
  • Each jsdom Window now exposes all JavaScript-spec-defined globals uniformly. When runScripts is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas when runScripts is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and with runScripts disabled, the other classes would not be exposed at all.)

Other changes:

  • Added the AbstractRange, Range, StaticRange, Selection, and window.getSelection() APIs.
  • Added working constructors for Comment, Text, and DocumentFragment.
  • Added valueAsDate, valueAsNumber, stepUp() and stepDown() to <input> elements. (kraynel)
  • Added window.origin.
  • Removed document.origin.
  • Fixed <template> to work correctly inside XML documents.
  • Fixed some bugs which would cause jsdom to choose the wrong character encoding because it was failing to detect <meta charset> or <meta http-equiv="charset"> elements.
  • Fixed input.type to default to "text". (connormeredith)
  • Fixed incorrect validation errors for <input> with fractional values for their step="" attribute. (kontomondo)
  • Fixed incorrect validation errors on readonly <input> elements.
  • Fixed <input type="email" multiple pattern="..."> validation.
  • Fixed fileReader.readAsDataURL() to always base64-encode the result. (ytetsuro)
  • Fixed inserting <img> elements into documents without a browsing context to no longer crash when the canvas package is installed.
  • Fixed a memory leak when using window.setTimeout() or window.setInterval().
  • Improved the performance of getComputedStyle(). (eps1lon)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot requested a review from a team June 23, 2022 23:39
@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Jun 23, 2022
@codecov
Copy link

codecov bot commented Jun 24, 2022

Codecov Report

Merging #1069 (1ba3da3) into main (1436f3c) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1069   +/-   ##
=======================================
  Coverage   95.91%   95.91%           
=======================================
  Files          13       13           
  Lines         856      856           
  Branches      178      178           
=======================================
  Hits          821      821           
  Misses         35       35           

@renovate-bot renovate-bot changed the title chore(deps): update dependency jsdom to v16 [security] chore(deps): update dependency jsdom to v16 [SECURITY] Jun 27, 2022
@dyladan
Copy link
Member

dyladan commented Jun 27, 2022

Requires dropping support for node 8 as node 8 doesn't support the try { } catch { } syntax without the typical (err) variable binding to the caught object

@rauno56
Copy link
Member

rauno56 commented Jun 27, 2022

Can be dealt with after #1065.

@renovate-bot renovate-bot changed the title chore(deps): update dependency jsdom to v16 [SECURITY] chore(deps): update dependency jsdom to v16 [security] Jun 28, 2022
@renovate-bot renovate-bot force-pushed the renovate/npm-jsdom-vulnerability branch from 7cac969 to 1ba3da3 Compare August 4, 2022 16:44
@renovate-bot renovate-bot changed the title chore(deps): update dependency jsdom to v16 [security] chore(deps): update dependency jsdom to v16 [security] - autoclosed Aug 22, 2022
@renovate-bot renovate-bot deleted the renovate/npm-jsdom-vulnerability branch August 22, 2022 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants