chore(deps): update dependency jsdom to v16 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
jsdom | 13.2.0 -> 16.5.0 |
GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom
v16.5.0
- Added `window.queueMicrotask()`.
- Added `window.event`.
- Added `inputEvent.inputType`. (diegohaz)
- Removed `ondragexit` from `Window` and friends, per a spec update.
- Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller)
- Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
- Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche)
- Fixed the `new File()` constructor to no longer convert `/` to `:`, per a pending spec update.
- Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value.
- Fixed `<input type=checkbox>` and `<input type=radio>` to be mutable even when disabled, per a spec update.
- Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files.
- Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses.
- Fixed `xhr.response` to return `null` for failures that occur during the middle of the download.
- Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
- Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss)
- Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
v16.4.0
- Added a not-implemented warning if you try to use the second pseudo-element argument to `getComputedStyle()`, unless you pass a `::part` or `::slotted` pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
- Improved the performance of repeated access to `el.tagName`, which also indirectly improves performance of selector matching and style computation. (eps1lon)
- Fixed `form.elements` to respect the `form=""` attribute, so that it can contain non-descendant form controls. (ccwebdesign)
- Fixed `el.focus()` to do nothing on disconnected elements. (eps1lon)
- Fixed `el.focus()` to work on SVG elements. (zjffun)
- Fixed removing the currently-focused element to move focus to the `<body>` element. (eps1lon)
- Fixed `imgEl.complete` to return true for `<img>` elements with empty or unset `src=""` attributes. (strager)
- Fixed `imgEl.complete` to return true if an error occurs loading the `<img>`, when canvas is enabled. (strager)
- Fixed `imgEl.complete` to return false if the `<img>` element's `src=""` attribute is reset. (strager)
- Fixed the `valueMissing` validation check for `<input type="radio">`. (zjffun)
- Fixed `translate=""` and `draggable=""` attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
v16.3.0
- Added firing of `focusin` and `focusout` when using `el.focus()` and `el.blur()`. (trueadm)
- Fixed elements with the `contenteditable=""` attribute to be considered as focusable. (jamieliu386)
- Fixed `window.NodeFilter` to be per-`Window`, instead of shared across all `Window`s. (ExE-Boss)
- Fixed edge-case behavior involving use of objects with `handleEvent` properties as event listeners. (ExE-Boss)
- Fixed a second failing image load sometimes firing a `load` event instead of an `error` event, when the `canvas` package is installed. (strager)
- Fixed drawing an empty canvas into another canvas. (zjffun)
v16.2.2
- Updated `StyleSheetList` for better spec compliance; notably it no longer inherits from `Array.prototype`. (ExE-Boss)
- Fixed `requestAnimationFrame()` from preventing process exit. This likely regressed in v16.1.0.
- Fixed `setTimeout()` to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
- Fixed infinite recursion that could occur when calling `click()` on a `<label>` element, or one of its descendants.
- Fixed `getComputedStyle()` to consider inline `style=""` attributes. (eps1lon)
- Fixed several issues with `<input type="number">`'s `stepUp()` and `stepDown()` functions to be properly decimal-based, instead of floating point-based.
- Fixed various issues where updating `selectEl.value` would not invalidate properties such as `selectEl.selectedOptions`. (ExE-Boss)
- Fixed `<input>`'s `src` property, and `<ins>`/`<del>`'s `cite` property, to properly reflect as URLs.
- Fixed `window.addEventListener`, `window.removeEventListener`, and `window.dispatchEvent` to properly be inherited from `EventTarget`, instead of being distinct functions. (ExE-Boss)
- Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to `addEventListener`.
- Fixed errors that would occur when closing a window with outstanding requests to `data:` URLs.
- Fixed sporadic issues with the value of `<input type="month">` that could occur in some time zones and for some times.
- Fixed `document.implementation.createDocument()` to return an `XMLDocument`, instead of a `Document`. (ExE-Boss)
- Fixed running jsdom in a browser to detect globals more reliably. (ExE-Boss)
v16.2.1
- Updated `saxes`, to bring in some BOM-related fixes.
- Updated Acorn-related packages to squelch `npm audit` warnings.
v16.2.0
- Added support for custom elements! Congratulations and thanks to @pmdartus for making this happen, after ten months of hard work and lots of effort poured into the complex architectural prerequisites in jsdom and supporting packages.
- Fixed some issues when trying to use `Attr` as a `Node`, e.g. by checking its `baseURI` property or calling `attr.cloneNode()`.
. - Fixed a memory leak during parsing that was introduced in v14.0.0.
- Fixed edge cases in number/string conversion used for certain element properties that reflected integer attributes.
v16.1.0
- Added `console.timeLog()`.
- Changed `Attr` to extend `Node`, to align with specifications. (ExE-Boss)
- Changed `<noscript>` children to be parsed as nodes, instead of as text, when `runScripts` is left as the default of `undefined`. (ACHP)
- Upgraded `cssstyle` to v2.1.0, which brings along fixes to handling of `rgba()` and `hsl()` colors. (kraynel)
- Fixed some selection-related issues when manipulating the value of `<input>`s and `<textarea>`s. (Matthew-Goldberg)
- Fixed various issues with `setTimeout()`, `setInterval()`, and `requestAnimationFrame()`, particularly around window closing and recursive calls.
v16.0.1
- Fixed Node v10 and v11 support when `runScripts` was set.
- Fixed the behavior when changing an `<input>`'s `type=""` attribute.
- Fixed input validation behavior for `<input type="range">` when `max=""` is less than `min=""`.
v16.0.0
For this release we'd like to welcome @pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).
Breaking changes:
- Node v10 is now the minimum supported version.
- The `dom.runVMScript()` API has been replaced with the more general `dom.getInternalVMContext()` API.
- Each jsdom `Window` now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.
- Each jsdom `Window` now exposes all JavaScript-spec-defined globals uniformly. When `runScripts` is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas when `runScripts` is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and with `runScripts` disabled, the other classes would not be exposed at all.)
Other changes:
- Added the `AbstractRange`, `Range`, `StaticRange`, `Selection`, and `window.getSelection()` APIs.
- Added working constructors for `Comment`, `Text`, and `DocumentFragment`.
- Added `valueAsDate`, `valueAsNumber`, `stepUp()` and `stepDown()` to `<input>` elements. (kraynel)
- Added `window.origin`.
- Removed `document.origin`.
- Fixed `<template>` to work correctly inside XML documents.
- Fixed some bugs which would cause jsdom to choose the wrong character encoding because it was failing to detect `<meta charset>` or `<meta http-equiv="charset">` elements.
- Fixed `input.type` to default to `"text"`. (connormeredith)
- Fixed incorrect validation errors for `<input>` with fractional values for their `step=""` attribute. (kontomondo)
- Fixed incorrect validation errors on readonly `<input>` elements.
- Fixed `<input type="email" multiple pattern="...">` validation.
- Fixed `fileReader.readAsDataURL()` to always base64-encode the result. (ytetsuro)
- Fixed inserting `<img>` elements into documents without a browsing context to no longer crash when the `canvas` package is installed.
- Fixed a memory leak when using `window.setTimeout()` or `window.setInterval()`.
- Improved the performance of `getComputedStyle()`. (eps1lon)
v15.2.1
- Fixed `JSDOM.fromURL()` handling of URLs with hashes in them, to no longer send the hash to the server and append an extra copy of it when constructing the `Document`. (rchl)
- Fixed focusing an already-focused element to correctly do nothing, instead of firing additional `focus` events. (eps1lon)
- Fixed typo in the not-implemented message for `mediaElement.addTextTrack()`. (mtsmfm)
- Upgraded `nwsapi` minimum version to 2.2.0, which fixes issues with `::-webkit-` prefixed pseudo-elements and namespaced attribute selectors.
v15.2.0
- Added basic style inheritance in `getComputedStyle()` for the `'visibility'` property. This sets the foundation for further work on inheritance, cascading, and specificity. (eps1lon)
- Added `shadowRoot.activeElement`.
- Added `readystatechange` events during document loading.
- Added a stub for `form.requestSubmit()`, to match our existing stub for `form.submit()`.
- Changed `el.tabIndex`'s default value, when no `tabindex=""` attribute was set, to reflect the updated specification.
- Changed the exception thrown by `el.attachShadow()` on something that's already a shadow host, to reflect the updated specification.
- Fixed the validation logic for `<input type="range">`.
- Fixed `selectEl.value` when no `<option>` is selected to return the empty string, instead of the value of the first option. (tgohn)
- Fixed various correctness issues with `new FormData(formElement)`. (brendo)
- Fixed error messages when parsing XML to include the filename, instead of using `"undefined"`. (papandreou)
- Fixed the logic for reflected properties to not be affected by overwriting of `el.getAttributeNS()` or `el.setAttributeNS()`.
- Set `canvas` as an optional `peerDependency`, which apparently helps with Yarn PnP support.
v15.1.1
- Moved the `nonce` property from `HTMLScriptElement` and `HTMLStyleElement` to `HTMLElement`. Note that it is still just a simple reflection of the attribute, and has not been updated for the rest of the changes in whatwg/html#2373.
- Fixed the `style` and `on<event>` properties to properly track their related attributes for SVG elements. (kbruneel)
- Fixed `XMLHttpRequest` merging preflight and response headers. (thiagohirata)
- Fixed `XMLHttpRequest` reserializing `content-type` request headers unnecessarily. See whatwg/mimesniff#84 for more details. (thiagohirata)
- Fixed `element.tagName` to be the ASCII uppercase of the element's qualified name, instead of the Unicode uppercase.
v15.1.0
- Added the `Headers` class from the Fetch standard.
- Added the `element.translate` getter and setter.
- Fixed synchronous `XMLHttpRequest` on the newly-released Node.js v12.
- Fixed `form.elements` to exclude `<input type="image">` elements.
- Fixed event path iteration in shadow DOM cases, following spec fixes at whatwg/dom#686 and whatwg/dom#750.
- Fixed `pattern=""` form control validation to apply the given regular expression to the whole string. (kontomondo)
v15.0.0
Several potentially-breaking changes, each of them fairly unlikely to actually break anything:
- `JSDOM.fromFile()` now treats `.xht` files as `application/xhtml+xml`, the same as it does for `.xhtml` and `.xml`. Previously, it would treat them as `text/html`.
- If the `JSDOM` constructor's `contentType` option has a `charset` parameter, and the first argument to the constructor is a binary data type (e.g. `Buffer` or `ArrayBuffer`), then the `charset` will override any sniffed encoding in the same way as a `Content-Type` header would in browser scenarios. Previously, the `charset` parameter was ignored.
- When using the `Blob` or `File` constructor with the `endings: "native"` option, jsdom will now convert line endings to `\n` on all operating systems, for consistency. Previously, on Windows, it would convert line endings to `\r\n`.
v14.1.0
- Added activation behavior for `<a>` and `<area>` elements whose `href=""` points to a `javascript:` URL or fragment.
- Added the `<datalist>` element's `options` property.
- Added the `<input>` element's `list` property.
- Added `PageTransitionEvent`, and the firing of `pageshow` events during loading.
- Exposed the `External` class as a property of `window`.
- Fixed HTML fragment parsing (via `innerHTML` and `outerHTML`) to be spec-compliant. (pmdartus)
- Fixed HTML serialization (e.g. via `innerHTML`) breaking after setting certain properties to non-string values.
- Fixed how disabling an element would cause its activation behavior to forever be null, even if it were re-enabled.
- Fixed all access to attributes to ignore attributes with namespaces, per the spec.
- Fixed `<style>`s to no longer apply to documents without a browsing context. This includes fixing a crash that would occur with such styles if they had an `@import` rule.
- Fixed `<option>`'s `label` and `value` properties to return correct values in various edge cases.
- Fixed the `load` event during document loading to target the `Document`, not the `Window`.
- Fixed the `pretendToBeVisual` option to propagate to child subframes, as well as the main `Window`. (pyrho)
- Updated the minimum `nwsapi` version from v2.1.1 to v2.1.3, bringing along a few fixes in our selector engine.
v14.0.0
Breaking changes:
- `JSDOM.fragment()` now creates fragments whose document has no browsing context, i.e. no associated `Window`. This means the `defaultView` property will be null, resources will not load, etc.
- `JSDOM.fragment()`, called with no arguments, now creates a `DocumentFragment` with no children, instead of with a single child text node whose data was `"undefined"`.
Other changes:
- Fixed a regression in v13.2.0 when calling `element.blur()` on a focused element.
- Fixed inserting `<link>` elements into documents with no browsing context to no longer crash if the originating `JSDOM` was configured to fetch the resource. Now, per spec, `<link>` elements only attempt to fetch if they are browsing-context connected.
- Fixed `<template>` elements to have the correct semantics, of using a separate browsing-context-less document to store its contents. In particular this means resources will not be fetched for elements inside the `<template>`, as per spec.
Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.
Test summary
Run details
Project | cypress |
Status | Passed |
Commit | 1247fce83a |
Started | Aug 16, 2022 4:24 AM |
Ended | Aug 16, 2022 4:46 AM |
Duration | 21:37 💡 |
OS | Linux Debian - 11.3 |
Browser | Multiple |
View run in Cypress Dashboard ➡️
Flakiness
This comment has been generated by cypress-bot as a result of this project's GitHub integration settings. You can manage this integration in this project's settings in the Cypress Dashboard
Renovate Ignore Notification
As this PR has been closed unmerged, Renovate will ignore this upgrade and you will not receive PRs for any future 16.x releases. However, if you upgrade to 16.x manually then Renovate will reenable minor and patch updates automatically.
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.