⬆️ Updates jsdom to v25

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsdom	^17.0.0 -> ^25.0.0

---

Release Notes

jsdom/jsdom (jsdom)

v25.0.0

Compare Source

This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.

This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.

This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.

v24.1.3

Compare Source

• Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).

v24.1.2

Compare Source

• Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
• Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)

v24.1.1

Compare Source

• Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)

v24.1.0

Compare Source

• Added the getSetCookie() method to the Headers class. (ushiboy)
• Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
• Updated rweb-cssom, which can now parse additional CSS constructs.

v24.0.0

Compare Source

This release reverts our selector engine back to nwsapi. As discussed in #​3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

• Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

v23.2.0

Compare Source

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

v23.1.0

Compare Source

• Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
• Added the string-valued ARIA attribute-reflecting properties to Element.
• Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
• Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
• Updated various dependencies, including cssstyle which contains several bug fixes.

v23.0.1

Compare Source

• Fix incorrect canvas peer dependency.

v23.0.0

Compare Source

v22.1.0

Compare Source

• Added crypto.randomUUID(). (jamesbvaughan)
• Added DOMRect and DOMRectReadOnly.
• Added AbortSignal.timeout().
• Added abortSignal.throwIfAborted().
• Added support for the submitter argument to the FormData constructor. (jenseng)
• Improved getComputedStyle()'s results for color-based properties, to resolve named colors and attempt to provide initial inheritance support. (hoekz-wwt)
• Updated Window's event handler properties (e.g. oncopy, ontouchstart, etc.) to reflect the latest list from the standard.
• Fixed DOMParser-created documents to inherit their URL from the creating document.

v22.0.0

Compare Source

• Node.js v16 is now the minimum supported version.
• Removed support for running jsdom in the browser via a browserified bundle. This carried with it too much complexity, especially for our testing infrastructure, and a testing package we relied on was recently deprecated.

v21.1.2

Compare Source

• Fixed setRangeText() used on <input> and <textarea> elements to calculate the new end index correctly. (pmstss)
• Fixed pageX, pageY, offsetX, and offsetY on MouseEvents during dispatch. (jenseng)
• Upgraded nwsapi to v2.2.4, bringing along various fixes to our selector engine.

v21.1.1

Compare Source

• Fixed jsdom.reconfigure() to also adjust the URL as seen by the history API, so that e.g. history.replaceState(null, "") would not mess up the URL. (jdufresne)
• Fixed location.hash = "" to leave any # in location.href.
• Fixes a few bugs with CSS parsing by replacing cssom with rweb-cssom, since the latter is maintained. (seanparmelee)

v21.1.0

Compare Source

• Added x, y, pageX, pageY, offsetX, and offsetY to MouseEvent. (jenseng, ViniciusFXavier)
• Added support for unset with getComputedStyle(). (jsnajdr)
• Added the submitter property to SubmitEvent. (jenseng)
• Fixed MouseEvent's screenX and screenY to no longer coerce to integers, allowing fractional values. (jenseng)
• Fixed formEl.submit() to not longer fire submit events. (jenseng)
• Fixed stylesheets to no longer affect the document after their corresponding <link> is removed. (jsnajdr)
• Fixed pointer-events to inherit when used with getComputedStyle(). (jnajdr)
• Fixed <script> elements with no src="" to no longer fire load events. (t1ger2080)
• Improved getComputedStyle() to cache its results, which should make it much faster. (jsnajdr)

v21.0.0

Compare Source

A potentially-breaking bug fix:

• Fixed the window, document, location, and top properties of Window to be non-configurable. (ExE-Boss)

Other changes:

• Added support for <input type=image> submitting forms. (jenseng)
• Added the location setter to the Window object, which forwards to the location.href setter. Setting the URL is still only implemented for fragment navigations, however. (ExE-Boss)
• Fixed defer="" <script> elements that are added after DOMContentLoaded to execute, instead of being skipped.
• Fixed selectElement.selectedOptions being incorrect when optionElement.selected is set. This was a regression introduced in v20.0.1. Unfortunately this also reverts the performance improvement when appending <option> elements that was introduced then. (eps1lon)
• Fixed the self, locationbar, menubar, personalbar, scrollbars, statusbar, toolbar, frames, parent, external, length, and screen properties of Window to be replaceable: that is, setting them will override their values, instead of having the new value be ignored. (ExE-Boss)
• Fixed a few issues with JSDOM.fromURL() in the browser build of jsdom. (LungZeno)

v20.0.3

Compare Source

• Updated dependencies, notably w3c-xmlserializer, which fixes using DOMParser on XML documents containing emoji.

v20.0.2

Compare Source

• Fixed xhr.abort() to no longer give an exception when the constructed XMLHttpRequest was invalid. (whamtet)
• Fixed event.getModifierState() on MouseEvent and KeyboardEvent instances to properly consult the ctrlKey, altKey, metaKey, and shiftKey properties of the event. (juzerzarif)
• Fixed custom element creation to not be affected by any modifications to the window.customElements property. (bicknellr)

v20.0.1

Compare Source

• Improved the performance of appending <option> elements to <select> elements. (TheHound)
• Fixed location.pathname getter to not crash when the JSDOM instance was created using an opaque-path URL, including the default URL of about:blank.
• Fixed crypto.getRandomValues() to accept typed array subclasses. (sebamarynissen)
• Updated various dependency minor versions. Notably, nwsapi fixed some selectors bugs, and tough-cookie fixed some cookie bugs.

v20.0.0

Compare Source

• Node.js v14 is now the minimum supported version.
• Added crypto.getRandomValues(). (sjrd)
• Added HTMLFormControlsCollection and RadioNodeList, so formEl.elements now behaves correctly. (UndefinedBehavior)
• Added the signal option to addEventListener(). (cheap-glitch)
• Fixed the :root pseudoclass to work correctly. (hughs-ch)
• Updated parse5, bringing along some HTML parsing and serialization fixes. (fb55)

v19.0.0

Compare Source

• Changed jsdom.nodeLocation() to return undefined when used on nodes that originate via fragment parsing (e.g., via innerHTML). Previously it would return based on the node location of the fragment string, which made node locations unreliable with respect to the original document source. This restores the behavior that was present in v14.0.0, and was accidentally broken in v14.1.0. (bakkot)
• Fixed calling window.close() inside the Window's load event to no longer crash. (MattiasBuelens)

v18.1.1

Compare Source

• Fixed connectedCallback to fire in situations involving document fragments, which was broken in v18.0.1. (GrantGryczan)

v18.1.0

Compare Source

• Fixed headers.append() and headers.set() to normalize values. (MattiasBuelens)
• Fixed pageshow events to have bubbles: true and cancelable: true. (MattiasBuelens)
• Implemented the reason property on AbortSignals, along with the corresponding reason argument to abortSignal.abort() and AbortSignal.abort(). (MattiasBuelens)

v18.0.1

Compare Source

• Fixed live Ranges to update correctly after calling node.normalize(). (hgiesel)
• Fixed live Ranges to update correctly after removing child nodes. (hgiesel)
• Fixed setting inputEl.valueAsDate = null to no longer throw an exception, but instead set the value to the empty string. (simon-weimann)
• Improved performance of node insertion and node.contains(). (GrantGryczan)

v18.0.0

Compare Source

Potentially-breaking bug fixes:

• Fixed SSL certificate checking for WebSocket connections. Previously, invalid SSL certificates were always accepted; now, they properly respect the ResourceLoader's strictSSL option (which defaults to true).
• Changed the global in which almost all Promise and TypeError instances are created to be the jsdom global, not the Node.js global. This could affect any code that uses instanceof.

Other changes:

• Fixed moving an element between HTML and XML documents to reset the tagName cache, allowing it to return a lowercase value once it's in the XML document. (LucasLefevre)
• Fixed form submission to not happen when the form is invalid. (pozil)

v17.0.0

Compare Source

Breaking change: Node v12 is now the minimum supported version.

v16.7.0

Compare Source

• Added AbortSignal.abort(). (ninevra)
• Added dummy x and y properties to the return value of getBoundingClientRect(). (eiko)
• Implemented wrapping for textareaEl.value if the wrap="" attribute is specified. (ninevra)
• Changed newline normalization in <textarea>s according to recent HTML Standard updates. (ninevra)
• Fixed some bad cascade computation in getComputedStyle(). (romain-trotard)

v16.6.0

Compare Source

• Added parentNode.replaceChildren(). (ninevra)
• Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (mbest)
• Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Special thanks to vegardbb for completing this months-long effort!

v16.5.3

Compare Source

• Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.

v16.5.2

Compare Source

• Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)
• Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".
• Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.
• Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)
• Fixed parsing to ensure that <svg><template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace <template> element.
• Fixed domParser.parseFromString() to treat <noscript> elements appropriately.
• Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.
• Fixed legendEl.form to return the correct result based on its parent <fieldset>.
• Fixed optionEl.text to exclude <script> descendants.
• Fixed radio buttons and checkboxes to not fire input and change events when disconnected.
• Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.
• Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)
• On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)

v16.5.1

Compare Source

• Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)
• Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.

v16.5.0

Compare Source

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

[github-actions]

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[socket-security]

Report too large to display inline

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Install scripts	npm/ssh2@1.15.0	Install script: install Source: node install.js	npm-shrinkwrap.json	🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/ssh2@1.15.0