react-ssr-advanced-seed icon indicating copy to clipboard operation
react-ssr-advanced-seed copied to clipboard

Published 20 hours ago verified publisher icon vip-git

chore(deps): update dependency jsdom to v16 [security]

Open renovate[bot] opened this issue 3 years ago • 2 comments

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jsdom 15.1.1 -> 16.5.0 age adoption passing confidence

[!WARNING] Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2021-20066

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

Release Notes

jsdom/jsdom (jsdom)

v16.5.0

Compare Source

  • Added window.queueMicrotask().
  • Added window.event.
  • Added inputEvent.inputType. (diegohaz)
  • Removed ondragexit from Window and friends, per a spec update.
  • Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
  • Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
  • Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
  • Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
  • Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
  • Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
  • Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
  • Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
  • Fixed xhr.response to return null for failures that occur during the middle of the download.
  • Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
  • Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
  • Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

v16.4.0

Compare Source

  • Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
  • Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
  • Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
  • Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
  • Fixed el.focus() to work on SVG elements. (zjffun)
  • Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
  • Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
  • Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
  • Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
  • Fixed the valueMissing validation check for <input type="radio">. (zjffun)
  • Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

v16.3.0

Compare Source

  • Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
  • Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
  • Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
  • Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
  • Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
  • Fixed drawing an empty canvas into another canvas. (zjffun)

v16.2.2

Compare Source

  • Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
  • Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
  • Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
  • Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
  • Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
  • Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
  • Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
  • Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
  • Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
  • Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.
  • Fixed errors that would occur when closing a window with outstanding requests to data: URLs.
  • Fixed sporadic issues with the value of <input type="month"> that could occur in some time zones and for some times.
  • Fixed document.implementation.createDocument() to return an XMLDocument, instead of a Document. (ExE-Boss)
  • Fixed running jsdom in a browser to detect globals more reliably. (ExE-Boss)

v16.2.1

Compare Source

  • Updated saxes, to bring in some BOM-related fixes.
  • Updated Acorn-related packages to squelch npm audit warnings.

v16.2.0

Compare Source

  • Added support for custom elements! Congratulations and thanks to @​pmdartus for making this happen, after ten months of hard work and lots of effort poured into the complex architectural prerequisites in jsdom and supporting packages.
  • Fixed some issues when trying to use Attr as a Node, e.g. by checking its baseURI property or calling attr.cloneNode().
  • Fixed a memory leak during parsing that was introduced in v14.0.0.
  • Fixed edge cases in number/string conversion used for certain element properties that reflected integer attributes.

v16.1.0

Compare Source

  • Added console.timeLog().
  • Changed Attr to extend Node, to align with specifications. (ExE-Boss)
  • Changed <noscript> children to be parsed as nodes, instead of as text, when runScripts is left as the default of undefined. (ACHP)
  • Upgraded cssstyle to v2.1.0, which brings along fixes to handling of rgba() and hsl() colors. (kraynel)
  • Fixed some selection-related issues when manipulating the value of <input>s and <textarea>s. (Matthew-Goldberg)
  • Fixed various issues with setTimeout(), setInterval(), and requestAnimationFrame(), particularly around window closing and recursive calls.

v16.0.1

Compare Source

  • Fixed Node v10 and v11 support when runScripts was set.
  • Fixed the behavior when changing an <input>'s type="" attribute.
  • Fixed input validation behavior for <input type="range"> when max="" is less than min="".

v16.0.0

Compare Source

For this release we'd like to welcome @​pmdartus to the core team. Among other work, he's driven the heroic effort of constructor prototype and reform in jsdom and its dependencies over the last few months, to allow us to move away from shared constructors and prototypes, and set the groundwork for custom elements support (coming soon!).

Breaking changes:

  • Node v10 is now the minimum supported version.
  • The dom.runVMScript() API has been replaced with the more general dom.getInternalVMContext() API.
  • Each jsdom Window now creates new instances of all the web platform globals. That is, our old shared constructor and prototypes caveat is no longer in play.
  • Each jsdom Window now exposes all JavaScript-spec-defined globals uniformly. When runScripts is disabled, it exposes them as aliases of the ones from the outer Node.js environment. Whereas when runScripts is enabled, it exposes fresh copies of each global from the new scripting environment. (Previously, a few typed array classes would always be aliased, and with runScripts disabled, the other classes would not be exposed at all.)

Other changes:

  • Added the AbstractRange, Range, StaticRange, Selection, and window.getSelection() APIs.
  • Added working constructors for Comment, Text, and DocumentFragment.
  • Added valueAsDate, valueAsNumber, stepUp() and stepDown() to <input> elements. (kraynel)
  • Added window.origin.
  • Removed document.origin.
  • Fixed <template> to work correctly inside XML documents.
  • Fixed some bugs which would cause jsdom to choose the wrong character encoding because it was failing to detect <meta charset> or <meta http-equiv="charset"> elements.
  • Fixed input.type to default to "text". (connormeredith)
  • Fixed incorrect validation errors for <input> with fractional values for their step="" attribute. (kontomondo)
  • Fixed incorrect validation errors on readonly <input> elements.
  • Fixed <input type="email" multiple pattern="..."> validation.
  • Fixed fileReader.readAsDataURL() to always base64-encode the result. (ytetsuro)
  • Fixed inserting <img> elements into documents without a browsing context to no longer crash when the canvas package is installed.
  • Fixed a memory leak when using window.setTimeout() or window.setInterval().
  • Improved the performance of getComputedStyle(). (eps1lon)

v15.2.1

Compare Source

  • Fixed JSDOM.fromURL() handling of URLs with hashes in them, to no longer send the hash to the server and append an extra copy of it when constructing the Document. (rchl)
  • Fixed focusing an already-focused element to correctly do nothing, instead of firing additional focus events. (eps1lon)
  • Fixed typo in the not-implemented message for mediaElement.addTextTrack(). (mtsmfm)
  • Upgraded nwsapi minimum version to 2.2.0, which fixes issues with ::-webkit- prefixed pseudo-elements and namespaced attribute selectors.

v15.2.0

Compare Source

  • Added basic style inheritance in getComputedStyle() for the 'visibility' property. This sets the foundation for further work on inheritance, cascading, and specificity. (eps1lon)
  • Added shadowRoot.activeElement.
  • Added readystatechange events during document loading.
  • Added a stub for form.requestSubmit(), to match our existing stub for form.submit().
  • Changed el.tabIndex's default value, when no tabindex="" attribute was set, to reflect the updated specification.
  • Changed the exception thrown by el.attachShadow() on something that's already a shadow host, to reflect the updated specification.
  • Fixed the validation logic for <input type="range">.
  • Fixed selectEl.value when no <option> is selected to return the empty string, instead of the value of the first option. (tgohn)
  • Fixed various correctness issues with new FormData(formElement). (brendo)
  • Fixed error messages when parsing XML to include the filename, instead of using "undefined". (papandreou)
  • Fixed the logic for reflected properties to not be affected by overwriting of el.getAttributeNS() or el.setAttributeNS().
  • Set canvas as an optional ``peerDependency`, which apparently helps with Yarn PnP support.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Sep 25 '22 18:09 renovate[bot]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json
ERR! lerna Unknown command "info"
ERR! lerna Did you mean init?
npm WARN [email protected] No repository field.

lerna notice cli v3.18.4
lerna info versioning independent
lerna notice filter excluding "__tests__"
lerna info filter [ '!__tests__' ]
lerna info Bootstrapping 27 packages
lerna info Installing external dependencies
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only stderr:
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/react
npm ERR!   peer react@"^16.8.0" from @material-ui/[email protected]
npm ERR!   node_modules/@material-ui/core
npm ERR!     @material-ui/core@"4.4.2" from the root project
npm ERR!     peer @material-ui/core@"^4.0.0" from @material-ui/[email protected]
npm ERR!     node_modules/@material-ui/icons
npm ERR!       @material-ui/icons@"4.4.1" from the root project
npm ERR!   peer react@"^16.0.0" from [email protected]
npm ERR!   node_modules/react-dom
npm ERR!     react-dom@"16.8.6" from the root project
npm ERR!     peer react-dom@"^16.8.0" from @material-ui/[email protected]
npm ERR!     node_modules/@material-ui/core
npm ERR!       @material-ui/core@"4.4.2" from the root project
npm ERR!       1 more (@material-ui/icons)
npm ERR!     2 more (@material-ui/icons, @material-ui/styles)
npm ERR!   2 more (@material-ui/icons, @material-ui/styles)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/react
npm ERR!   peer react@"^15.4.1" from [email protected]
npm ERR!   node_modules/react-fade-in
npm ERR!     react-fade-in@"0.1.6" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_08_26_589Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate-cache/others/npm/_logs/2023-03-18T22_08_26_589Z-debug-0.log

lerna ERR! npm install --ignore-scripts --no-package-lock --ignore-scripts --no-audit --package-lock-only exited 1 in 'omega-web'
lerna WARN complete Waiting for 1 child process to exit. CTRL-C to exit immediately.

renovate[bot] avatar Sep 25 '22 18:09 renovate[bot]

:warning: We detected 33 security issues in this pull request:

Vulnerable Libraries (33)
Severity Details
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.22.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @lerna/[email protected] (t) upgrade to: >3.21.0
Critical @lerna/[email protected] (t) upgrade to: >5.5.1
High @lerna/[email protected] (t) upgrade to: >3.21.0
High @pm2/[email protected] (t) upgrade to: >2.0.0
High @pm2/[email protected] (t) upgrade to: >0.6.1
High [email protected] (t) upgrade to: >1.0.0-rc.3
High [email protected] (t) upgrade to: >=1.3.2
Medium [email protected] (t) upgrade to: >=6.5.4
Critical [email protected] (t) upgrade to: >=1.1.1
Critical [email protected] (t) upgrade to: >=4.7.7
Medium [email protected] (t) upgrade to: >=2.8.9
Medium [email protected] upgrade to: >16.4.0
Critical [email protected] (t) upgrade to: >1.4.1 || >2.0.1
Medium [email protected] (t) upgrade to: >3.6.0
Critical [email protected] (t) upgrade to: >=3.0.3
Medium [email protected] (t) upgrade to: >0.5.34
Medium [email protected] (t) upgrade to: >=8.0.1
Medium [email protected] (t) upgrade to: >=1.0.7
High [email protected] (t) upgrade to: >2.0.5
High [email protected] (t) upgrade to: >5.6.3
Critical [email protected] (t) upgrade to: >=3.3.1
High [email protected] (t) upgrade to: >=1.0.5
Medium [email protected] (t) upgrade to: >=1.0.3
Critical [email protected] (t) upgrade to: >1.5.8

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

guardrails[bot] avatar Sep 25 '22 18:09 guardrails[bot]