chore(deps): update dependency happy-dom to v15 [security] #66
This PR contains the following updates:
^9.20.3 -> ^15.0.0
GitHub Vulnerability Alerts
CVE-2024-51757
Impact
Consumers of the NPM package happy-dom
Patches
The security vulnerability has been patched in v15.10.2
Workarounds
No easy workarounds to my knowledge
References
#1585
happy-dom allows for server side code to be executed by a <script> tag
CVE-2024-51757 / GHSA-96g7-g7g9-jxw8
More information
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
capricorn86/happy-dom (happy-dom)
v15.10.2
👷‍♂️ Patch fixes
<script> tag - By @capricorn86 in task #1585
v15.10.1
👷‍♂️ Patch fixes
<script> tag - By @capricorn86 in task #1585
v15.10.0
🎨 Features
disableSameOriginPolicy that makes it possible to bypass the same-origin policy in fetch requests - By @OlaviSau in task #1553
v15.9.0
🎨 Features
CSSStyleDeclaration - By @yinm in task #1147
v15.8.5
👷‍♂️ Patch fixes
Node.getRootNode() returned null when it was within a ShadowRoot that previously been disconnected from the Document - By @capricorn86 in task #1581
v15.8.4
👷‍♂️ Patch fixes
HTMLSelectElement and HTMLFormElement had the wrong reference to the parent - By @capricorn86 in task #1578
v15.8.3
👷‍♂️ Patch fixes
HTMLDetailsElement when dispatching a click event on a summary element which is a child of the details element - By @mikedidomizio in task #1534
v15.8.2
👷‍♂️ Patch fixes
globalThis instead of global to make Happy DOM work in other runtimes such as Cloudflare workers - By @mattallty in task #1546
v15.8.1
👷‍♂️ Patch fixes
Promise<Blob> from ClipboardItem.getType() - By @ezzatron in task #1538
v15.8.0
👷‍♂️ Patch fixes
getHTML() and getInnerHTML() would return the slotted content of a shadow root before the template, but the template should be the first child - By @capricorn86 in task #1079
getElementsByTagName() - By @capricorn86 in task #1079
🎨 Features
SVGAnimateElement, SVGAnimateMotionElement, SVGAnimateTransformElement, SVGCircleElement, SVGClipPathElement, SVGDefsElement, SVGDescElement, SVGEllipseElement, SVGFEBlendElement, SVGFEColorMatrixElement, SVGFEComponentTransferElement, SVGFECompositeElement, SVGFEConvolveMatrixElement, SVGFEDiffuseLightingElement, SVGFEDisplacementMapElement, SVGFEDistantLightElement, SVGFEDropShadowElement, SVGFEFloodElement, SVGFEFuncAElement, SVGFEFuncBElement, SVGFEFuncGElement, SVGFEFuncRElement, SVGFEGaussianBlurElement, SVGFEImageElement, SVGFEMergeElement, SVGFEMergeNodeElement, SVGFEMorphologyElement, SVGFEOffsetElement, SVGFEPointLightElement, SVGFESpecularLightingElement, SVGFESpotLightElement, SVGFETileElement, SVGFETurbulenceElement, SVGFilterElement, SVGForeignObjectElement, SVGGElement, SVGImageElement, SVGLineElement, SVGLinearGradientElement, SVGMarkerElement, SVGMaskElement, SVGMetadataElement, SVGMPathElement, SVGPathElement, SVGPatternElement, SVGPolygonElement, SVGPolylineElement, SVGRadialGradientElement, SVGRectElement, SVGScriptElement, SVGSetElement, SVGStopElement, SVGStyleElement, SVGSwitchElement, SVGSymbolElement, SVGTextElement, SVGTextPathElement, SVGTitleElement, SVGTSpanElement, SVGUseElement and SVGViewElement - By @capricorn86 in task #1079
DOMMatrix, DOMMatrixReadOnly, DOMPoint and DOMPointReadOnly - By @capricorn86 in task #1079
SVGAngle, SVGAnimatedAngle, SVGAnimatedBoolean, SVGAnimatedEnumeration, SVGAnimatedInteger, SVGAnimatedLength, SVGAnimatedLengthList, SVGAnimatedNumber, SVGAnimatedNumberList, SVGAnimatedPreserveAspectRatio, SVGAnimatedRect, SVGAnimatedString, SVGAnimatedTransformList, SVGLength, SVGLengthList, SVGMatrix, SVGNumber, SVGNumberList, SVGPoint, SVGPointList, SVGPreserveAspectRatio, SVGRect, SVGStringList, SVGTransform, SVGTransformList and SVGUnitTypes - By @capricorn86 in task #1079
v15.7.4
👷‍♂️ Patch fixes
replaceWith(), before() and after() - By @BenjaminAster in task #1533
v15.7.3
👷‍♂️ Patch fixes
HTMLSelectElement - By @Cherry in task #1526
v15.7.2
👷‍♂️ Patch fixes
MutationObserver - By @capricorn86 in task #1524
v15.7.1
👷‍♂️ Patch fixes
querySelector(['.class'])) - By @capricorn86 in task #1507
v15.7.0
🎨 Features
:has pseudo selector - By @capricorn86 in task #1373
v15.6.1
👷‍♂️ Patch fixes
Access-Control-*, Origin headers for cross-origin preflight requests - By @rexxars in task #1489
v15.6.0
🎨 Features
:focus and :focus-visible - By @capricorn86 in task #1515
👷‍♂️ Patch fixes
HTMLInputElement and HTMLTextAreaElement - By @capricorn86 in task #1487
v15.5.0
🎨 Features
Blob.stream() - By @PlopAndRun in task #1500
v15.4.3
👷‍♂️ Patch fixes
v15.4.2
👷‍♂️ Patch fixes
v15.4.1
👷‍♂️ Patch fixes
FormData.append() when value parameter type is incorrect - By @btea in task #1484
v15.4.0
🎨 Features
font-face rule - By @m-shaka in task #1441
v15.3.2
👷‍♂️ Patch fixes
HTMLInputElement.indeterminate property, so that it behaves correctly - By @malko in task #1439
v15.3.1
👷‍♂️ Patch fixes
Element.matches() and Element.closest() - By @ocavue in task #1472
v15.3.0
🎨 Features
AbortSignal.timeout() - By @ezzatron in task #1470
v15.2.0
🎨 Features
AbortSignal.any() - By @ezzatron in task #1468
v15.1.0
🎨 Features
Window context for classes that can be constructed using the "new" operator - By @capricorn86 in task #1332
Browser context internally - By @capricorn86 in task #1332
EventTarget.dispatchEvent() to better handle the event phases "none", "capture", "atTarget" and "bubbling" - By @capricorn86 in task #1332
HTMLInputElement.popoverTargetElement, HTMLInputElement.popoverTargetAction, HTMLButtonElement.popoverTargetElement and HTMLButtonElement.popoverTargetAction - By @capricorn86 in task #1332
HTMLElement.popover - By @capricorn86 in task #1332
PerformanceObserver, PerformanceEntry and PerformanceObserverEntryList - By @capricorn86 in task #1332
👷‍♂️ Patch fixes
NodeList[Symbol.iterator]() with Array.prototype.values() - By @capricorn86 in task #1332
Window is closing (e.g. using setTimeout() or fetch()) - By @capricorn86 in task #1332
Window, which makes it possible for BrowserExceptionObserver to know which Window the error originated from
Event.composedPath() to not return the Window object if the event type is "load", which is the same behaviour as the browser - By @capricorn86 in task #1332
Window object
v15.0.0
💣 Breaking Changes
🎨 Features
HTMLAreaElement, HTMLBodyElement, HTMLQuoteElement, HTMLBRElement, HTMLTableCaptionElement, HTMLTableColElement, HTMLTableColElement, HTMLDataElement, HTMLDataListElement, HTMLModElement, HTMLDetailsElement, HTMLDivElement, HTMLDListElement, HTMLEmbedElement, HTMLFieldSetElement, HTMLHeadingElement, HTMLHeadElement, HTMLHRElement, HTMLHtmlElement, HTMLModElement, HTMLLegendElement, HTMLLIElement, HTMLMapElement, HTMLMenuElement, HTMLMeterElement, HTMLObjectElement, HTMLOListElement, HTMLOutputElement, HTMLParagraphElement, HTMLParamElement, HTMLPictureElement, HTMLPreElement, HTMLProgressElement, HTMLQuoteElement, HTMLSourceElement, HTMLSpanElement, HTMLTableElement, HTMLTableSectionElement, HTMLTableSectionElement, HTMLTitleElement, HTMLTableRowElement, HTMLTrackElement, HTMLUListElement - By @capricorn86 in task #1332
HTMLCanvasElement - By @capricorn86 in task #1332
CSSStyleDeclaration, querySelector(), querySelectorAll(), getElementById(), getElementsByClassName(), getElementsByTagName(), getElementsByTagNameNS(), getElementsByClassName() - By @capricorn86 in task #1332
NodeList, HTMLCollection, DOMTokenList, TextTrackList, HTMLFormElement, HTMLSelectElement
HTMLCollection objects returned by getElementsByClassName(), getElementsByTagName(), getElementsByTagNameNS() and getElementsByClassName() live - By @capricorn86 in task #1332
HTMLMediaElement - By @capricorn86 in task #1332
HTMLMediaElement interface
MediaStream, MediaStreamTrack, RemotePlayback, TextTrack, TextTrackCue, TextTrackCueList, TextTrackList, VTTCue, VTTRegion, CanvasCaptureMediaStream, ImageBitmap, OffscreenCanvas - By @capricorn86 in task #1332
IntersectionObserver - By @capricorn86 in task #1332
HTMLInputElement.list - By @capricorn86 in task #1332
ShadowRoot (it now supports clonable, serializable and slotAssignment) - By @capricorn86 in task #1332
Element.getHTML() - By @capricorn86 in task #1332
HTMLSlotElement - By @capricorn86 in task #1332
assign(), assignedNodes(), assignedElements() and the slotchange event
👷‍♂️ Patch fixes
XMLSerializer (used by features such as innerHTML) - By @capricorn86 in task #1265
waitForNavigation() would not resolve when navigating to some URLs (e.g. "javascript" or "about:blank") - By @capricorn86 in task #1332
Attr.cloneNode() would not clone internal values - By @capricorn86 in task #1332
Document.title included text data inside child elements, which it shouldn't - By @capricorn86 in task #1332
Event.preventDefault() shouldn't cancel the default behaviour if cancelable is not sent as an option in EventTarget.dispatchEvent() - By @capricorn86 in task #1332
TimeRange to TimeRanges - By @capricorn86 in task #1332
Window.parent and Window.top would not be set correctly in some scenarios - By @capricorn86 in task #1332
v14.12.3
👷‍♂️ Patch fixes
Node.insertBefore() handling the scenario where the reference node equals the new node to be added incorrectly - By @juandiegombr in task #1429
v14.12.2
👷‍♂️ Patch fixes
v14.12.1
👷‍♂️ Patch fixes
preventDefault not preventing navigation - By @amitdahan in task #1464
v14.12.0
🎨 Features
waitUntilComplete() less likely to resolve too early - By @capricorn86 in task #1451
v14.11.4
👷‍♂️ Patch fixes
waitUntilComplete() was resolved too early when many micro tasks are used - By @capricorn86 in task #1447
v14.11.3
👷‍♂️ Patch fixes
waitUntilComplete() was resolved too early when many micro tasks are used - By @capricorn86 in task #1447
v14.11.2
👷‍♂️ Patch fixes
HTMLStyleElement sheet when editing the data of a child Text node - By @capricorn86 in task #1445
v14.11.1
👷‍♂️ Patch fixes
waitUntilComplete() will hook into promises returned by connectedCallback() until Happy DOM has support for waiting for dynamic imports - By @capricorn86 in task #1442
connectedCallback() of web components. As Happy DOM doesn't have support for dynamic imports in waitUntilComplete(), a temporary fix has been added to hook into promises returned by connectedCallback().
v14.11.0
🎨 Features
HTMLTimeElement - By @r-thomson in task #1431
v14.10.3
👷‍♂️ Patch fixes
v14.10.2
👷‍♂️ Patch fixes
HTMLAnchorElement, HTMLButtonElement, HTMLInputElement and HTMLLabelElement checked that click events triggering native behavior was of type PointerEvent, but should check that they are of type MouseEvent - By @capricorn86 in task #1397
v14.10.1
👷‍♂️ Patch fixes
Storage.entries(), Storage.keys() and Storage.values() work according to spec - By @motss in task #1418
v14.10.0
🎨 Features
Document.elementFromPoint() - By @TreyVigus in task #1400
null as Happy DOM doesn't support rendering and can't calculate an element's position based on where it is rendered
v14.9.0
🎨 Features
Document.queryCommandSupported() - By @btea in task #1411
v14.8.3
👷‍♂️ Patch fixes
Element.insertBefore() not removing comment node from previous ancestor - By @mdafanasev in task #1406
v14.8.2
👷‍♂️ Patch fixes
HTMLCollection instead of NodeList in Document.forms - By @jean-leonco in task #1349
v14.8.1
👷‍♂️ Patch fixes
DOMRect interface - By @domakas in task #1161
DOMReactReadOnly interface - By @domakas in task #1161
v14.8.0
🎨 Features
HTMLIFrameElement.srcdoc property - By @jeffwcx in task #1398
v14.7.1
👷‍♂️ Patch fixes
Node.prototype.cloneNode.call(element), Node.prototype.appendChild.call(element), Node.prototype.removeChild.call(element), Node.prototype.insertBefore.call(element) and Node.prototype.replaceChild.call(element), which Svelte v5 relies on - By @capricorn86 in task #1392
v14.7.0
🎨 Features
Text and Comment using the new operator - By @capricorn86 in task #1387
new Text('text') or new Comment('comment')
v14.6.2
👷‍♂️ Patch fixes
Storage.prototype methods - By @capricorn86 in task #1377
v14.6.1
👷‍♂️ Patch fixes
Document.createTextNode() didn't handle conversion of non-string values to string - By @odanado in task #1380
Document.createTextNode() - By @odanado in task #1380
v14.6.0
🎨 Features
HTMLElement.inert property - By @odanado in task #1124
v14.5.2
👷‍♂️ Patch fixes
Window.getComputedStyle() - By @odanado in task #1363
v14.5.1
👷‍♂️ Patch fixes
Document.defaultView not referring to the global object when using GlobalRegistrator - By @capricorn86 in task #1367
🎨 Features
GlobalRegistrator.unregister() - By @capricorn86 in task #1367
v14.5.0
🎨 Features
Request.formData() - By @tt-public in #1379
v14.4.0
🎨 Features
HTMLIFrameElement.sandbox to return a DOMTokenList - By @jeffwcx in task #825
v14.3.10
👷‍♂️ Patch fixes
CSSStyleSheet object when child nodes of an HTMLStyleElement are modified - By @capricorn86 in task #1364
v14.3.9
👷‍♂️ Patch fixes
v14.3.8
👷‍♂️ Patch fixes
:is and :where (without argument) was not handled correctly - By @capricorn86 in task #1352
v14.3.7
👷‍♂️ Patch fixes
DOMTokenList iterable - By @silverwind in task #1342
v14.3.6
👷‍♂️ Patch fixes
<!> - By @capricorn86 in task #1288
v14.3.5
👷‍♂️ Patch fixes
<null> - By @capricorn86 in task #1354
v14.3.4
👷‍♂️ Patch fixes
Window.getComputedStyle() - By @capricorn86 in task #1352
v14.3.3
👷‍♂️ Patch fixes
Storage.getItem() with a key that has the same name as one of its methods or properties, returned the method/property (e.g. Storage.getItem('key') returned Storage.key() which is a function) - By @capricorn86 in task #1351
Proxy instead to safeguard against this
v14.3.2
👷‍♂️ Patch fixes
Storage.setItem() - By @dr2009 in task #1347
v14.3.1
👷‍♂️ Patch fixes
Storage class used by the properties Window.localStorage and Window.sessionStorage - By @frankdiw in task #1181
v14.3.0
🎨 Features
Select.selectedOptions - By @otaviosoares in task #1282
v14.2.1
👷‍♂️ Patch fixes
GlobalWindow), so that they will be available when calling Object.getOwnPropertyDescriptors() - By @capricorn86 in task #1343
spyOn(window, 'property') or Object.defineProperty(window, 'property')
v14.2.0
🎨 Features
:is() and :where() - By @capricorn86 in task #1333
v14.1.2
👷‍♂️ Patch fixes
Object.getOwnPropertyDescriptors(window) to read which properties to register globally, but getters and setters are defined on the prototype
GlobalWindow now defines the properties on the instance when it is constructed
v14.1.1
👷‍♂️ Patch fixes
location, history, navigator, screen, sessionStorage and localStorage to be getters instead of properties on Window - By @capricorn86 in task #1336
Window.location - By @capricorn86 in task #1336
v14.1.0
🎨 Features
handleDisabledFileLoadingAsSuccess, that can be used for triggering a "load" event instead of an "error" event when file loading is disabled - By @capricorn86 in task #1334
v14.0.0
💣 Breaking Changes
Window, Node and Element classes and by classes with a dependency to them - By @capricorn86 in task #1330
Window => Document => Window)
HTMLElement instead of IHTMLElement)
v13.10.1
👷‍♂️ Patch fixes
TypeError: Cannot read properties of null (reading 'Symbol(nodeStream)') to be thrown - By @capricorn86 in task #1325
v13.10.0
🎨 Features
Headers.getSetCookie() - By @ushiboy and @capricorn86 in task #1315
v13.9.0
🎨 Features
AbortSignal.throwIfAborted() - By @capricorn86 in task #1255
v13.8.6
👷‍♂️ Patch fixes
v13.8.5
👷‍♂️ Patch fixes
HTMLElementConfig - By @danbentley in task #1306
v13.8.4
👷‍♂️ Patch fixes
HTMLLinkElement.href, HTMLImageElement.src and HTMLScriptElement.src - By @capricorn86 in task #1135
v13.8.3
👷‍♂️ Patch fixes
<li>, <h1> or <table>) doesn't allow itself as direct descendant when parsing HTML, but
Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - "after 8am and before 4pm on tuesday" in timezone Etc/UTC.
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
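Added example, not part of this PR or of happy-dom's own code: the range ^15.0.0 in this update also admits 15.0.0 through 15.10.1, which predate the v15.10.2 patch named in the advisory, so the version actually resolved in the lockfile is what needs checking. The sketch scans the packages map of a package-lock.json (lockfileVersion 2 or 3) for any happy-dom copy below 15.10.2; the sample lockfile and the package name some-test-runner are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for happy-dom copies older than
// the patched release named in the advisory on this page.
const PATCHED = "15.10.2"; // patched version, taken from the advisory text

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when version a sorts before version b. Comparison is numeric, so
// 15.9.0 is before 15.10.2; a prerelease sorts before its own release.
function isBefore(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i];
  }
  return x.pre && !y.pre;
}

// Return every installed happy-dom copy (top-level or nested) below PATCHED.
// Nested copies matter: a transitive dependency can pin its own older version.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    if (typeof meta.version !== "string") continue; // e.g. workspace links
    if (isBefore(meta.version, PATCHED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the root declares the range from this PR, the
// top-level copy resolved to the patched release, but a nested copy did not.
// "some-test-runner" and "happy-dom-helper" are hypothetical package names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "happy-dom": "^15.0.0" } },
    "node_modules/happy-dom": { version: "15.10.2" },
    "node_modules/some-test-runner/node_modules/happy-dom": { version: "15.7.4" },
    "node_modules/happy-dom-helper": { version: "1.0.0" },
  },
};

console.log(findVulnerable(sampleLock));
```

In CI, pass the parsed contents of the real package-lock.json to findVulnerable and fail the build when the returned list is non-empty.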