Skip to content

chore(deps-dev): bump happy-dom from 18.0.1 to 20.9.0#148

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/happy-dom-20.9.0
Closed

chore(deps-dev): bump happy-dom from 18.0.1 to 20.9.0#148
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/happy-dom-20.9.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps happy-dom from 18.0.1 to 20.9.0.

Release notes

Sourced from happy-dom's releases.

v20.9.0

🎨 Features

  • Adds support for event listener properties on Window (e.g. Window.onkeydown) - By @​capricorn86 in task #2131

v20.8.9

👷‍♂️ Patch fixes

  • Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @​capricorn86 in task #2117

v20.8.8

👷‍♂️ Patch fixes

  • Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
    • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

  • Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

v20.8.5

👷‍♂️ Patch fixes

  • Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

v20.8.3

👷‍♂️ Patch fixes

  • Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

  • Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

v20.8.0

🎨 Features

  • Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

  • Properly decode CSS escape sequences in attribute selector values - By @​silverwind

... (truncated)

Commits
  • 4090ade fix: #0 Fix github release workflow (#2140)
  • c7c2bb5 fix: #0 Fix github release workflow (#2139)
  • d541143 fix: #0 Fix github release workflow (#2138)
  • a78d89e feat: #2131 Adds support for event listener properties on Window (#2132)
  • 68324c2 fix: #2117 Fixes issue related to cookies from the current origin being for...
  • 5437fdf fix: #2113 Fixes issue where export names can be interpolated as executable...
  • 7e97acb fix: #1845 Replace implementing Node js Console with common IConsole interf...
  • 3373929 fix: #2106 Request.formData() should honor Content-Type header (#2107)
  • 55c17ba fix: #2110 Fixes error thrown when modifying DOM structure in connectedCall...
  • 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for happy-dom since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps-dev): bump happy-dom from 18.0.1 to 20.9.0
eb808a8 
Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 18.0.1 to 20.9.0.
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v18.0.1...v20.9.0)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.9.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 23, 2026
@stid stid mentioned this pull request May 23, 2026
Merged
stid added a commit that referenced this pull request May 23, 2026
@stid @claude
fix: resolve security alerts via consolidated dependency update (#149)
9447bb2 
Bumps dependencies to clear open Dependabot security alerts (1 critical,
10 high, 4 medium) in one branch instead of merging 12 individual PRs.

Explicit manifest bumps (security-driven, exact/major):
- vite 7.0.4 -> 7.3.2 (high+med+low: dev-server/CVE fixes)
- happy-dom ^18.0.1 -> ^20.9.0 (critical: test-env DOM)

Swept via `yarn upgrade` (caret deps + transitive lockfile, all in-range):
- svgo -> 4.0.1, rollup -> 4.60.4, fast-uri -> 3.1.2, flatted -> 3.4.2,
  postcss -> 8.5.15, minimatch -> 10.2.5/3.1.5, picomatch -> 2.3.2/4.0.4
- glob (vulnerable range) no longer resolved at all
- plus caret dev-tooling minors: eslint 9.39, typescript-eslint 8.59,
  typescript 5.9, prettier 3.8, terser, autoprefixer, cssnano, etc.

Supersedes Dependabot PRs #140-#148 (Dependabot will auto-close them).

Residuals (intentionally out of scope):
- js-yaml 4.1.0 (medium) pinned by markdownlint-cli2, a dev-only .md
  linter; no untrusted-input path. Clears when markdownlint-cli2 is bumped.
- wee_alloc (critical, Rust) has no patched version; fix is to drop the
  custom global allocator in wasm-cpu -- a code change, separate branch.

Tests: 685 passed / 18 skipped. Lint + type-check clean.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot @github

dependabot Bot commented on behalf of github May 23, 2026

Copy link
Copy Markdown
Contributor Author

Looks like happy-dom is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 23, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/happy-dom-20.9.0 branch May 23, 2026 22:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants