TheKingTermux
Owner

Snyk has created this PR to upgrade jsdom from 25.0.1 to 27.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 7 versions ahead of your current version.

  • The recommended version was released a month ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
|---|---|---|
| high severity: Uncaught Exception, SNYK-JS-MULTER-10773732 | 400 | No Known Exploit |
| high severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-NTHCHECK-1586032 | 400 | Proof of Concept |
| medium severity: Uncontrolled Resource Consumption ('Resource Exhaustion'), SNYK-JS-TAR-6476909 | 400 | Proof of Concept |
| medium severity: Symlink Following, SNYK-JS-TARFS-13045213 | 400 | No Known Exploit |
| medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-7925106 | 400 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-7925106 | 400 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-PATHTOREGEXP-8482416 | 400 | Proof of Concept |
| medium severity: Regular Expression Denial of Service (ReDoS), SNYK-JS-PM2-10335843 | 400 | Proof of Concept |

Release notes
Package name: jsdom
  • 27.0.0 - 2025-09-13

    Changes since 26.1.0

    • Node.js v20 is now the minimum supported version.
    • Added a variety of event constructors, even though we do not implement their associated specifications or ever fire them: BeforeUnloadEvent, BlobEvent, DeviceMotionEvent (omitting requestPermission()), DeviceOrientationEvent (omitting requestPermission()), PointerEvent, PromiseRejectionEvent, and TransitionEvent.
    • Added movementX and movementY to MouseEvent. (These are from the Pointer Lock specification, the rest of which is not implemented.)
    • Added customElements.getName(). (mash-graz)
    • Updated the virtual console:
      • "jsdomError" events are now documented, with specific type properties and other properties that depend on the type.
      • sendTo() was renamed to forwardTo().
      • The jsdomErrors option to forwardTo() can be used to control which errors are sent to the Node.js console. This replaces the previous omitJSDOMErrors boolean option.
      • "jsdomError"s for failed XMLHttpRequest fetches are no longer emitted.
      • The values that are printed when forwarding "jsdomError"s to the Node.js console are streamlined.
    • Switched our CSS selector engine from nwsapi to @asamuzakjp/dom-selector, closing over 20 selector-related bugs.
    • Upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (colincasey)
    • Upgraded cssstyle, which brings along many improvements and fixes to the CSSStyleDeclaration object and its properties.
    • Updated the user agent stylesheet to be derived from the HTML Standard, instead of from an old revision of Chromium.
    • Changed element.click() to fire a PointerEvent instead of a MouseEvent.
    • Changed certain events to be passive by default.
    • Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
    • Fixed many specification conformance issues with the Window object, including named properties and changing various data properties to accessor properties.
    • Fixed document.createEvent() to accept a more correct set of event names.
    • Fixed the ElementInternals accessibility getters and setters. (They were introduced in v23.1.0, but due to inadequate test coverage never actually worked.)
    • Fixed using Object.defineProperty() on certain objects, such as HTMLSelectElement instances.
    • Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. (This regressed in v26.1.0.)
    • Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. (asamuzaK)
    • Fixed CSS display style resolution. (asamuzaK)

    Changes since 27.0.0-beta.3

    • Upgraded cssstyle, which brings along various CSS parsing fixes.
  • 27.0.0-beta.3 - 2025-08-31
    • Breaking change: upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (colincasey)
    • Added customElements.getName(). (mash-graz)
    • Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
    • Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. This regressed in v26.1.0.
    • Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. This is especially important since the change in v27.0.0-beta.1 to use system colors in the user agent stylesheet. (asamuzaK)
    • Fixed CSS background property parsing and serialization. (asamuzaK)
    • Fixed CSS color parsing and serialization inside of gradients. (asamuzaK)
    • Fixed CSS display style resolution. (asamuzaK)
    • Upgraded @asamuzakjp/dom-selector, which notably fixed repeated use of the :scope selector. (asamuzaK)
  • 27.0.0-beta.2 - 2025-06-08

    Significantly improved specification conformance for the Window object, including named properties and changing various data properties to accessor properties. This is not likely to be breaking, but since it's a complex change to such a core object, we're happy to do another beta testing release with this included before graduating the v27 line to stable.

    Additionally, updated cssstyle to v4.4.0, which brings along various conformance fixes to the CSSStyleDeclaration object and its properties.

  • 27.0.0-beta.1 - 2025-05-06

    Breaking changes:

    • Node.js v20+ is now the minimum supported version.
    • The user agent stylesheet is now derived from the HTML Standard, instead of from Chromium. This might change the results you see from getComputedStyle().
    • The virtual console has seen a number of changes:
      • "jsdomError" events are now documented, with specific type properties and other properties that depend on the type.
      • sendTo() was renamed to forwardTo().
      • The jsdomErrors option to sendTo() can be used to control which errors are sent to the Node.js console. This replaces the previous omitJSDOMErrors boolean option.
      • "jsdomError"s for failed XMLHttpRequest fetches are no longer emitted.
      • The values that are printed when forwarding "jsdomError"s to the Node.js console are streamlined.

    Other changes:

    • Fixed the ElementInternals accessibility getters and setters. (They were introduced in v23.1.0, but due to inadequate test coverage never actually worked.)
    • Fixed using Object.defineProperty() on certain objects, such as HTMLSelectElement instances.
  • 27.0.0-beta.0 - 2025-04-19

    This release includes several changes that might be disruptive, and so are being tested as a beta release before the next major release. Hopefully, they will not be breaking, but your help testing would be appreciated.

    New selector engine

    Most notably, this switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. This was attempted back in 23.2.0, but reverted in 24.0.0 because of performance concerns. Since that time, @asamuzakjp/dom-selector has improved its performance significantly. On the real-world benchmarks from #3659, we see the new version taking 1.1x as long (compared to 1.5x with the previous attempt). We hope this lower performance overhead will be enough to allow us to stick with the new selector engine. As a sample of how much more capable it is, 19 independent selector-related bugs were closed by merging in this new version.

    Please test with the new selector engine and report back with any performance concerns on the issue tracker, ideally before we make the next stable release.

    New event constructors

    The other major change in this prerelease is the addition of many new event constructors. Previously, we have avoided implementing event constructors unless we implemented their attendant specification. For example, we did not implement BeforeUnloadEvent since we don't implement unloading of documents; we did not implement BlobEvent since we did not implement the MediaStream Recording specification; etc. However, these are common popular requests, and so we've chosen to implement these event constructors without implementing their related specifications.

    If this causes you any problems, e.g. due to breaking feature detection, please open an issue on the issue tracker, ideally before we make the next stable release.

    The full list of implemented event constructors is: BeforeUnloadEvent, BlobEvent, DeviceMotionEvent (omitting requestPermission()), DeviceOrientationEvent (omitting requestPermission()), PointerEvent, PromiseRejectionEvent, and TransitionEvent.

    Additional changes

    The following non-breaking changes are included in this release:

    • Added movementX and movementY to MouseEvent. (These are from the Pointer Lock specification, the rest of which is not implemented.)
    • Changed element.click() to fire a PointerEvent instead of a MouseEvent.
    • Changed certain events to be passive by default.
    • Fixed document.createEvent() to accept a more correct set of event names.
  • 26.1.0 - 2025-04-13
    • Added at least partial support for various SVG elements and their classes: <defs> (SVGDefsElement), <desc> (SVGDescElement), <g> (SVGGElement), <metadata> (SVGMetadataElement), <switch> (SVGSwitchElement), and <symbol> (SVGSymbolElement).
    • Added SVGAnimatedPreserveAspectRatio and SVGAnimatedRect, including support in the reflection layer.
    • Added the SVGSVGElement createSVGRect() method, and the SVGRect type (which is distinct from DOMRect.)
    • Added indexed property support to HTMLFormElement.
    • Updated the SVGElement viewportElement() method to correctly establish the viewport based on ancestor elements.
    • Removed the now-bloated form-data dependency in favor of our own smaller implementation of multipart/form-data serialization. No functional changes are expected.
    • Various performance improvements, caches, microoptimizations, and deferred object creation.
  • 26.0.0 - 2025-01-09

    Breaking change: canvas peer dependency requirement has been upgraded from v2 to v3. (sebastianwachter)

    Other changes:

    • Added AbortSignal.any(). (jdbevan)
    • Added initial support for form-associated custom elements, in particular making them labelable and supporting the ElementInternals labels property. The form-associated callbacks are not yet supported. (hesxenon)
    • Updated whatwg-url, adding support for URL.parse().
    • Updated cssstyle and rrweb-cssom, to improve CSS parsing capabilities.
    • Updated nwsapi, improving CSS selector matching.
    • Updated parse5, fixing a bug around <noframes> elements and HTML entity decoding.
    • Fixed JSDOM.fromURL() to properly reject the returned promise if the server redirects to an invalid URL, instead of causing an uncaught exception.
  • 25.0.1 - 2024-09-22
    • Updated dependencies, notably tough-cookie, which no longer prints a deprecation warning.
from jsdom GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
jsdom

See this project in Snyk:
https://app.snyk.io/org/thekingtermux/project/4ed01729-aaa9-468e-be5b-8f9089a36fb2?utm_source=github&utm_medium=referral&page=upgrade-pr
Contributor

Thanks for the PR!

This section of the codebase is owned by @TheKingTermux - if they write a comment saying "LGTM" then it will be merged.

@TheKingTermux
Owner Author

⚠️ Snyk checks are incomplete.

⚠️ security/snyk check encountered an error. (View Details)
