chore(deps): update dependency jsdom to v16.5.0 [security] - autoclosed #341
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
16.2.2
->16.5.0
GitHub Vulnerability Alerts
CVE-2021-20066
Withdrawn Advisory
This advisory has been withdrawn because the user must configure jsdom to allow access to local files.
Original Description
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
v16.5.0
Compare Source
window.queueMicrotask()
.window.event
.inputEvent.inputType
. (diegohaz)ondragexit
fromWindow
and friends, per a spec update.about:blank
iframes. Previously it was getting set to the parent's URL. (SimonMueller)hidden=""
attribute to causedisplay: none
per the user-agent stylesheet. (ph-fritsche)new File()
constructor to no longer convert/
to:
, per a pending spec update.MutationObserver
instance as theirthis
value.<input type=checkbox>
and<input type=radio>
to be mutable even when disabled, per a spec update.XMLHttpRequest
to not fire a redundant finalprogress
event if aprogress
event was previously fired with the sameloaded
value. This would usually occur with small files.XMLHttpRequest
to expose theContent-Length
header on cross-origin responses.xhr.response
to returnnull
for failures that occur during the middle of the download.localStorage
ordataset
. (ExE-Boss)v16.4.0
Compare Source
getComputedStyle()
, unless you pass a::part
or::slotted
pseudo-element, in which case we throw an error per the spec. (ExE-Boss)el.tagName
, which also indirectly improves performance of selector matching and style computation. (eps1lon)form.elements
to respect theform=""
attribute, so that it can contain non-descendant form controls. (ccwebdesign)el.focus()
to do nothing on disconnected elements. (eps1lon)el.focus()
to work on SVG elements. (zjffun)<body>
element. (eps1lon)imgEl.complete
to return true for<img>
elements with empty or unsetsrc=""
attributes. (strager)imgEl.complete
to return true if an error occurs loading the<img>
, when canvas is enabled. (strager)imgEl.complete
to return false if the<img>
element'ssrc=""
attribute is reset. (strager)valueMissing
validation check for<input type="radio">
. (zjffun)translate=""
anddraggable=""
attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)v16.3.0
Compare Source
focusin
andfocusout
when usingel.focus()
andel.blur()
. (trueadm)contenteditable=""
attribute to be considered as focusable. (jamieliu386)window.NodeFilter
to be per-Window
, instead of shared across allWindow
s. (ExE-Boss)handleEvent
properties as event listeners. (ExE-Boss)load
event instead of anerror
event, when thecanvas
package is installed. (strager)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.