Skip to content

chore(deps-dev): Bump jsdom from 25.0.1 to 29.1.1#85

Merged
lukaso merged 2 commits into
mainfrom
dependabot/npm_and_yarn/jsdom-29.1.1
Jul 5, 2026
Merged

chore(deps-dev): Bump jsdom from 25.0.1 to 29.1.1#85
lukaso merged 2 commits into
mainfrom
dependabot/npm_and_yarn/jsdom-29.1.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 4, 2026

Copy link
Copy Markdown
Contributor

Bumps jsdom from 25.0.1 to 29.1.1.

Release notes

Sourced from jsdom's releases.

v29.1.1

  • Fixed 'border-radius' computed style serialization. (@​asamuzaK)
  • Fixed computed style computation when using 'background-origin' and 'background-clip' CSS properties. (@​asamuzaK)
  • Significantly optimized initial calls to getComputedStyle(), before the cache warms up. (@​asamuzaK)

v29.1.0

  • Added basic support for the ratio CSS type. (@​asamuzaK)
  • Fixed getComputedStyle() sometimes returning outdated results after CSS was modified. (@​asamuzaK)

v29.0.2

  • Significantly improved and sped up getComputedStyle(). Computed value rules are now applied across a broader set of properties, and include fixes related to inheritance, defaulting keywords, custom properties, and color-related values such as currentcolor and system colors. (@​asamuzaK)
  • Fixed CSS 'background' and 'border' shorthand parsing. (@​asamuzaK)

v29.0.1

  • Fixed CSS parsing of 'border', 'background', and their sub-shorthands containing keywords or var(). (@​asamuzaK)
  • Fixed getComputedStyle() to return a more functional CSSStyleDeclaration object, including indexed access support, which regressed in v29.0.0.

v29.0.0

Breaking changes:

  • Node.js v22.13.0+ is now the minimum supported v22 version (was v22.12.0+).

Other changes:

  • Overhauled the CSSOM implementation, replacing the @acemir/cssom and cssstyle dependencies with fresh internal implementations built on webidl2js wrappers and the css-tree parser. Serialization, parsing, and API behavior is improved in various ways, especially around edge cases.
  • Added CSSCounterStyleRule and CSSNamespaceRule to jsdom Windows.
  • Added cssMediaRule.matches and cssSupportsRule.matches getters.
  • Added proper media query parsing in MediaList, using css-tree instead of naive comma-splitting. Invalid queries become "not all" per spec.
  • Added cssKeyframeRule.keyText getter/setter validation.
  • Added cssStyleRule.selectorText setter validation: invalid selectors are now rejected.
  • Added styleSheet.ownerNode, styleSheet.href, and styleSheet.title.
  • Added bad port blocking per the fetch specification, preventing fetches to commonly-abused ports.
  • Improved Document initialization performance by lazily initializing the CSS selector engine, avoiding ~0.5 ms of overhead per Document. (@​thypon)
  • Fixed a memory leak when stylesheets were removed from the document.
  • Fixed CSSStyleDeclaration modifications to properly trigger custom element reactions.
  • Fixed nested @media rule parsing.
  • Fixed CSSStyleSheet's "disallow modification" flag not being checked in all mutation methods.
  • Fixed XMLHttpRequest's response getter returning parsed JSON during the LOADING state instead of null.
  • Fixed getComputedStyle() crashing in XHTML documents when stylesheets contained at-rules such as @page or @font-face.
  • Fixed a potential hang in synchronous XMLHttpRequest caused by a race condition with the worker thread's idle timeout.

v28.1.0

  • Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
  • Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (@​asamuzaK)
  • Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
  • Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
  • Fixed getComputedStyle() to correctly handle !important priority. (@​asamuzaK)
  • Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
  • Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
  • Fixed FileReader event timing and fileReader.result state to more closely follow the spec.

... (truncated)

Commits
  • 9b9ea7e 29.1.1
  • 07efb78 Optimize computed style comparison
  • 5f66329 Fix background-origin/background-clip in background shorthand
  • ad8af77 Fix border shorthand handling
  • 5a3e88e 29.1.0
  • 73db204 Update dependencies and dev dependencies
  • a7168a5 Support ratio CSS unit type
  • 15346e0 Fix style cache invalidation
  • 2a1e2cd 29.0.2
  • 4097d66 Resolve computed CSS values lazily in CSSStyleDeclaration
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for jsdom since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 4, 2026
@lukaso-bot

Copy link
Copy Markdown
Collaborator

Leaving this red — it's a genuine upstream/transitive incompatibility, not something the loop can green without a product decision.

Root cause (confirmed). a11y.test.ts is the only jsdom consumer, and it fails to collect on all four CI matrix jobs (ubuntu + windows × node 20 + 22):

TypeError: webidl.util.markAsUncloneable is not a function
  ❯ new CacheStorage  undici/lib/web/cache/cachestorage.js
  ❯ jsdom@29.1.1/lib/api.js

jsdom 29 instantiates CacheStorage via undici, and the repo's security-floor override pnpm.overrides."undici": ">=7.28.0" (package.json) collapses the tree to an undici whose CacheStorage calls a webidl.util method that isn't present in the resolved build. jsdom 25 (current) never touches that path, which is why main is green. Same signature was diagnosed twice on the old grouped #75.

Prod is unaffected — the Worker runs on workerd (no jsdom, no undici); this is test-infra only.

Why I'm not fix-forwarding it: the only levers are (a) loosen/re-pin the undici override to a version where jsdom 29's CacheStorage path agrees — but that override is a security floor, so moving it is a product call, not a silent bot-PR edit; or (b) transitive lockfile surgery to give jsdom its own undici, which I can't verify locally right now (the install is blocked by a package-age supply-chain policy on this machine). Speculating a fix I can't run would be worse than an honest red.

To unblock (human): bump/adjust the undici override once jsdom 29 + undici settle upstream, or @dependabot ignore jsdom major version if you'd rather stay on jsdom 25 for now. I won't re-diagnose this each week — it's noted in my understanding.md.

@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/jsdom-29.1.1 branch 4 times, most recently from f8c1d69 to e6d56a6 Compare July 4, 2026 22:54
Bumps [jsdom](https://github.com/jsdom/jsdom) from 25.0.1 to 29.1.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v25.0.1...v29.1.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/jsdom-29.1.1 branch from e6d56a6 to 222fee1 Compare July 4, 2026 23:40
jsdom 29 instantiates undici's CacheStorage, which calls
webidl.util.markAsUncloneable. undici removed the no-op fallback for that
binding in 8.1.0 (7.28.0 and 8.0.0 guard it with
`runtimeFeatures.has(...) ? real : () => {}`; 8.1.0+ assign the bare
worker_threads export). On any Node whose worker_threads lacks
markAsUncloneable, the app-level `undici: >=7.28.0` security-floor override
(which resolves to 8.7.0) hands jsdom that regressed build and
`webidl.util.markAsUncloneable` is undefined — a11y.test.ts fails to collect
on all four CI jobs. Prod (workerd) never touches jsdom/undici.

Fix: a dev-only scoped override `jsdom>undici: >=7.28.0 <8`, resolving jsdom's
transitive undici to 7.28.0 — the undici major jsdom 29 declares (^7.25.0),
which keeps the fallback and still satisfies the >=7.28.0 security floor. The
app-level undici override is untouched (still 8.7.0), so the security posture
is unchanged; only jsdom's dev-only copy is pinned.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@lukaso-bot

Copy link
Copy Markdown
Collaborator

Update — adopted (fix-forward pushed, superseding my earlier "leaving this red"). I found a fix that needs no product/security decision, so I took it.

Sharper root cause. The break is an undici regression, not "jsdom 29 + undici need to settle." jsdom 29 instantiates undici's CacheStorage, which calls webidl.util.markAsUncloneable. undici removed the no-op fallback for that binding in 8.1.0:

  • 7.28.0 / 8.0.0: webidl.util.markAsUncloneable = runtimeFeatures.has('markAsUncloneable') ? require('node:worker_threads').markAsUncloneable : () => {} — always a function.
  • 8.1.0+ (our override resolves to 8.7.0): webidl.util.markAsUncloneable = markAsUncloneable — the bare worker_threads export. On any Node whose worker_threads lacks it, this is undefined → jsdom's new CacheStorage throws … is not a function. That's why all four CI jobs fail to collect a11y.test.ts, while my local Node 24 (which has the API) couldn't repro.

The app-level undici: >=7.28.0 security-floor override forces jsdom onto that regressed 8.x build.

Fix (this commit). A dev-only scoped override "jsdom>undici": ">=7.28.0 <8", resolving jsdom's transitive undici to 7.28.0 — the undici major jsdom 29 declares (^7.25.0), which keeps the fallback and still satisfies the >=7.28.0 floor. The app-level undici override is untouched (still 8.7.0), so the app's security posture is unchanged; only jsdom's dev-only test copy is pinned. jsdom never runs on workerd, so this doesn't diverge CI's runtime from prod.

Verified locally: pnpm -r build + pnpm -r test green (web 219 passed, incl. a11y.test.ts collecting), lint + typecheck clean, pre-push osv scan found no High/Critical. CI (older Node, where the fallback actually matters) is the real proof — a later cycle confirms it green.

@lukaso
lukaso merged commit 9b6080a into main Jul 5, 2026
8 checks passed
@lukaso
lukaso deleted the dependabot/npm_and_yarn/jsdom-29.1.1 branch July 5, 2026 00:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants