Update dependency jsdom to v16.5.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jsdom	16.0.1 -> 16.5.0

GitHub Vulnerability Alerts

CVE-2021-20066

Withdrawn Advisory

This advisory has been withdrawn because the user must configure jsdom to allow access to local files.

Original Description

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

---

Release Notes

jsdom/jsdom (jsdom)

v16.5.0

Compare Source

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

v16.4.0

Compare Source

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

v16.3.0

Compare Source

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

v16.2.2

Compare Source

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
• Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
• Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
• Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
• Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.
• Fixed errors that would occur when closing a window with outstanding requests to data: URLs.
• Fixed sporadic issues with the value of <input type="month"> that could occur in some time zones and for some times.
• Fixed document.implementation.createDocument() to return an XMLDocument, instead of a Document. (ExE-Boss)
• Fixed running jsdom in a browser to detect globals more reliably. (ExE-Boss)

v16.2.1

Compare Source

• Updated saxes, to bring in some BOM-related fixes.
• Updated Acorn-related packages to squelch npm audit warnings.

v16.2.0

Compare Source

• Added support for custom elements! Congratulations and thanks to @​pmdartus for making this happen, after ten months of hard work and lots of effort poured into the complex architectural prerequisites in jsdom and supporting packages.
• Fixed some issues when trying to use Attr as a Node, e.g. by checking its baseURI property or calling attr.cloneNode().
• Fixed a memory leak during parsing that was introduced in v14.0.0.
• Fixed edge cases in number/string conversion used for certain element properties that reflected integer attributes.

v16.1.0

Compare Source

• Added console.timeLog().
• Changed Attr to extend Node, to align with specifications. (ExE-Boss)
• Changed <noscript> children to be parsed as nodes, instead of as text, when runScripts is left as the default of undefined. (ACHP)
• Upgraded cssstyle to v2.1.0, which brings along fixes to handling of rgba() and hsl() colors. (kraynel)
• Fixed some selection-related issues when manipulating the value of <input>s and <textarea>s. (Matthew-Goldberg)
• Fixed various issues with setTimeout(), setInterval(), and requestAnimationFrame(), particularly around window closing and recursive calls.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (b73e284) to head (1323ae7).
Report is 21 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##            master       #95   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines            8         8           
  Branches         1         1           
=========================================
  Hits             8         8           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.