build(deps-dev): bump jsdom from 29.0.2 to 29.1.1#2721
Conversation
Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.0.2 to 29.1.1. - [Release notes](https://github.com/jsdom/jsdom/releases) - [Commits](jsdom/jsdom@v29.0.2...v29.1.1) --- updated-dependencies: - dependency-name: jsdom dependency-version: 29.1.1 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
Suggested comment for Cursor review (copy and paste as a new comment): Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Web Compatibility Assessment
No web-compatibility findings. This PR only bumps the injected workspace devDependency jsdom from 29.0.2 to 29.1.1 and updates its lockfile transitive set; it does not change bundled injected source, wrapper utilities, API shims, messaging, config handling, DOM mutation logic, or platform entry points.
Release-note impact is limited to jsdom test behavior: v29.1.0 adds basic CSS ratio type support and fixes stale getComputedStyle() after CSS mutation; v29.1.1 fixes computed style serialization for border-radius/background-origin/background-clip and optimizes initial getComputedStyle() calls. Those can affect DOM/CSS unit-test expectations, but not page-world runtime behavior.
Security Assessment
No PR-introduced security findings. jsdom remains a devDependency used by injected unit tests only (web-detection, page-context-dom, and dom-metadata specs), so the bump does not add injected runtime code, captured-global usage, bridge/origin handling changes, or new data-exfiltration surface.
Risk Level
Low Risk: dependency-only dev/test change with no shipped injected runtime surface and no changes to security-sensitive modules.
Recommendations
- Keep the dependency: it is still directly used by injected unit tests that construct DOM fragments without a browser process.
- If reducing test dependency surface becomes a goal later, the alternative is moving those DOM-fragment assertions to a browser/Playwright-backed helper, but that is heavier and not needed for this bump.
Verification: npm ci, npm run build --workspace=injected, and npm run test-unit --workspace=injected all pass (929 specs, 0 failures, 16 pending).
Sent by Cursor Automation: Web compat and sec
There was a problem hiding this comment.
Dependency risk assessment for jsdom 29.0.2 -> 29.1.1: no blocking concerns found.
Evidence checked:
- Diff only changes
injected/package.jsonandpackage-lock.json;jsdomremains aninjecteddevDependency. - Upstream release notes/compare show CSSOM-focused changes: style cache invalidation, ratio CSS units,
background-origin/background-clip,border-radiusserialization, andgetComputedStyle()optimization. - Local code search found
jsdomonly in injected unit tests:web-detection,page-context-dom, anddom-metadata. No production bundle/runtime dependency found. - Focused local validation passed:
npx jasmine --config=unit-test/config.json unit-test/dom-metadata.spec.js unit-test/page-context-dom.spec.js unit-test/web-detection.js=>118 specs, 0 failures. - The full local
npm run test-unit --workspace=injectedfailure was limited to missing generated build artifacts in this workspace; the PR CI has injected/special-pages unit and integration jobs green. - Supply-chain pass:
jsdomlicense/engine/maintainers are unchanged; lockfile includes registry integrities; no install lifecycle scripts found forjsdomor the newly introduced/changed transitive packages checked.npm auditstill reports existing unrelated dev-tree issues, but none matched the changedjsdom/parse5/entities/undici/@asamuzakjppackages.
Residual risk:
- The update touches
getComputedStyle()and selector/CSS parsing behavior, so regressions would most likely show up in DOM/CSS-dependent tests rather than production code. The direct consumers passed. - The
Build Release Branchcheck failure appears to be a git push/network failure (HTTP 408), not a dependency/build failure.
No separate fix PR opened because I did not find a required fix.
Sent by Cursor Automation: Review dependabot
Bumps jsdom from 29.0.2 to 29.1.1.
Release notes
Sourced from jsdom's releases.
Commits
9b9ea7e29.1.107efb78Optimize computed style comparison5f66329Fix background-origin/background-clip in background shorthandad8af77Fix border shorthand handling5a3e88e29.1.073db204Update dependencies and dev dependenciesa7168a5Support ratio CSS unit type15346e0Fix style cache invalidationDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
Dev-only dependency bump with no production or security-sensitive application code changes.
Overview
Bumps the dev dependency jsdom from
29.0.2to29.1.1ininjected/package.json, with the lockfile refreshed for jsdom and its transitive packages (e.g.parse5,lru-cache,undici,@csstools/css-syntax-patches-for-csstree).This is a patch/minor tooling update only; runtime extension code is unchanged. Tests that use JSDOM (e.g. DOM metadata, page-context markdown, web-detection) may see improved
getComputedStyle()behavior and CSS computed-style fixes from upstream jsdom releases.Reviewed by Cursor Bugbot for commit 67bd5d1. Bugbot is set up for automated code reviews on this repo. Configure here.