This PR contains the following updates:
jsdom: `16.2.2` -> `16.5.0`
GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
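An added example (not code from the Renovate PR or from jsdom) that turns the advisory and the upgrade target into checks for code that feeds untrusted HTML into jsdom: it flags an installed version below 16.5.0 and refuses `runScripts: "dangerously"` or subresource loading before parsing. `runScripts`, `resources`, `beforeParse` and `url` are jsdom's real constructor options; the helper names and the `untrusted.invalid` sandbox origin are assumptions.

```javascript
// Added example, not code from the PR or from jsdom. CVE-2021-20066 needs script
// execution enabled and is fixed in jsdom 16.5.0; runScripts, resources, beforeParse
// and url are real jsdom options, the function names and sandbox url are assumed.
const FIXED_VERSION = "16.5.0"; // version the PR upgrades to

// Compare two dotted numeric versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True while the installed jsdom predates the 16.5.0 fix.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Reasons a JSDOM options object is unsafe for untrusted HTML:
// runScripts "dangerously" executes the page's own scripts (the advisory's
// precondition); resources "usable" or a custom loader fetches subresources.
function unsafeOptionReasons(options = {}) {
  const reasons = [];
  if (options.runScripts === "dangerously") {
    reasons.push("runScripts=dangerously executes page scripts");
  }
  const r = options.resources;
  if (r === "usable" || (r && typeof r === "object")) {
    reasons.push("resources enables subresource loading");
  }
  return reasons;
}

// Drop the risky options (and any beforeParse hook that could re-enable
// them); pin the document to a throwaway origin (assumed url).
function hardenedOptions(options = {}) {
  const { runScripts, resources, beforeParse, ...rest } = options;
  return { ...rest, url: "http://untrusted.invalid/" };
}

// Parse untrusted markup; refuse unsafe options before touching jsdom,
// which is required lazily so the checks above run without it installed.
function parseUntrusted(html, options = {}) {
  const reasons = unsafeOptionReasons(options);
  if (reasons.length > 0) throw new Error("refusing untrusted HTML: " + reasons.join("; "));
  const { JSDOM } = require("jsdom");
  return new JSDOM(html, hardenedOptions(options));
}
```

jsdom's defaults already leave `runScripts` and `resources` unset, so the hardened options only make that choice explicit and keep it when a caller passes the risky values through.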
Release Notes
jsdom/jsdom
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0)
- Added `window.queueMicrotask()`.
- Added `window.event`.
- Added `inputEvent.inputType`. (diegohaz)
- Removed `ondragexit` from `Window` and friends, per a spec update.
- Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller)
- Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
- Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche)
- Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41).
- Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value.
- Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805).
- Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files.
- Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses.
- Fixed `xhr.response` to return `null` for failures that occur during the middle of the download.
- Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
- Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss)
- Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
### [`v16.4.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1640)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.3.0...16.4.0)
- Added a not-implemented warning if you try to use the second pseudo-element argument to `getComputedStyle()`, unless you pass a `::part` or `::slotted` pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
- Improved the performance of repeated access to `el.tagName`, which also indirectly improves performance of selector matching and style computation. (eps1lon)
- Fixed `form.elements` to respect the `form=""` attribute, so that it can contain non-descendant form controls. (ccwebdesign)
- Fixed `el.focus()` to do nothing on disconnected elements. (eps1lon)
- Fixed `el.focus()` to work on SVG elements. (zjffun)
- Fixed removing the currently-focused element to move focus to the `` element. (eps1lon)
- Fixed `imgEl.complete` to return true for `<img>` elements with empty or unset `src=""` attributes. (strager)
- Fixed `imgEl.complete` to return true if an error occurs loading the `<img>`, when canvas is enabled. (strager)
- Fixed `imgEl.complete` to return false if the `<img>` element's `src=""` attribute is reset. (strager)
- Fixed the `valueMissing` validation check for ``. (zjffun)
- Fixed `translate=""` and `draggable=""` attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)
### [`v16.3.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1630)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.2.2...16.3.0)
- Added firing of `focusin` and `focusout` when using `el.focus()` and `el.blur()`. (trueadm)
- Fixed elements with the `contenteditable=""` attribute to be considered as focusable. (jamieliu386)
- Fixed `window.NodeFilter` to be per-`Window`, instead of shared across all `Window`s. (ExE-Boss)
- Fixed edge-case behavior involving use of objects with `handleEvent` properties as event listeners. (ExE-Boss)
- Fixed a second failing image load sometimes firing a `load` event instead of an `error` event, when the `canvas` package is installed. (strager)
- Fixed drawing an empty canvas into another canvas. (zjffun)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.