JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650)
[Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0)
- Added `window.queueMicrotask()`.
- Added `window.event`.
- Added `inputEvent.inputType`. (diegohaz)
- Removed `ondragexit` from `Window` and friends, per a spec update.
- Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller)
- Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
- Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche)
- Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41).
- Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value.
- Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805).
- Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files.
- Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses.
- Fixed `xhr.response` to return `null` for failures that occur during the middle of the download.
- Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
- Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss)
- Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)
Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
16.4.0
->16.5.0
GitHub Vulnerability Alerts
CVE-2021-20066
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Release Notes
jsdom/jsdom (jsdom)
### [`v16.5.0`](https://togithub.com/jsdom/jsdom/blob/HEAD/Changelog.md#1650) [Compare Source](https://togithub.com/jsdom/jsdom/compare/16.4.0...16.5.0) - Added `window.queueMicrotask()`. - Added `window.event`. - Added `inputEvent.inputType`. (diegohaz) - Removed `ondragexit` from `Window` and friends, per a spec update. - Fixed the URL of `about:blank` iframes. Previously it was getting set to the parent's URL. (SimonMueller) - Fixed the loading of subresources from the filesystem when they had non-ASCII filenames. - Fixed the `hidden=""` attribute to cause `display: none` per the user-agent stylesheet. (ph-fritsche) - Fixed the `new File()` constructor to no longer convert `/` to `:`, per [a pending spec update](https://togithub.com/w3c/FileAPI/issues/41). - Fixed mutation observer callbacks to be called with the `MutationObserver` instance as their `this` value. - Fixed `` and `` to be mutable even when disabled, per [a spec update](https://togithub.com/whatwg/html/pull/5805). - Fixed `XMLHttpRequest` to not fire a redundant final `progress` event if a `progress` event was previously fired with the same `loaded` value. This would usually occur with small files. - Fixed `XMLHttpRequest` to expose the `Content-Length` header on cross-origin responses. - Fixed `xhr.response` to return `null` for failures that occur during the middle of the download. - Fixed edge cases around passing callback functions or event handlers. (ExE-Boss) - Fixed edge cases around the properties of proxy-like objects such as `localStorage` or `dataset`. (ExE-Boss) - Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)Configuration
š Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
š¦ Automerge: Enabled.
ā» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
š Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.