Skip to content

Bump the npm_and_yarn group across 1 directory with 3 updates#1

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-7de53501ee
Closed

Bump the npm_and_yarn group across 1 directory with 3 updates#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-7de53501ee

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 11, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 2 updates in the / directory: jspdf and happy-dom.

Updates jspdf from 2.5.2 to 4.2.0

Release notes

Sourced from jspdf's releases.

v4.2.0

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: parallax/jsPDF@v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Full Changelog: parallax/jsPDF@v4.0.0...v4.1.0

v4.0.0

This release fixes a critical path traversal/local file inclusion security vulnerability in the jsPDF Node.js build. File system access is now restricted by default and can be enabled by either using node's --permission flag or the new jsPDF.allowFsRead property.

There are no other breaking changes.

v3.0.4

This release includes a bunch of bugfixes. Thanks to all contributors!

What's Changed

New Contributors

... (truncated)

Commits

Updates happy-dom from 18.0.1 to 20.0.2

Release notes

Sourced from happy-dom's releases.

v20.0.2

👷‍♂️ Patch fixes

  • Adds frozen intrinsics flag to workers in @happy-dom/server-renderer - By @​capricorn86 in task #1934

v20.0.1

👷‍♂️ Patch fixes

  • Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled- By @​capricorn86 in task #1932
    • A security advisory has been reported showing that the recommended preventive measure of running Node.js with --disallow-code-generation-from-strings wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to @​cristianstaicu for reporting this!
    • The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the Wiki

v20.0.0

I avoid making breaking changes as much as possible in Happy DOM. When I have to make a breaking change, I try to keep it as minimal as possible. This could be a breaking change that impacts many projects, and I am truly sorry if you are negatively affected by this.

💣 Breaking Changes

  • Due to security risks, JavaScript evaluation is now disabled by default - By @​capricorn86 in task #1930
    • A security advisory (GHSA-37j7-fg3j-429f) has been reported that shows a security vulnerability where it's possible to escape the VM context and get access to process level functionality. Big thanks to @​Mas0nShi for reporting this!
    • Due to this security risk, JavaScript evaluation is now disabled by default to prevent that consumers accidentally executes untrusted code without taking precautions
    • JavaScript evaluation can be enabled by setting enableJavaScriptEvaluation to "true". Read more about how to enable this in a safer way in the Wiki

v19.0.2

👷‍♂️ Patch fixes

  • Fixes issue related to CSS pseudo selector :scope that didn't work correctly for direct descendants to root - By @​capricorn86 in task #1620

v19.0.1

👷‍♂️ Patch fixes

  • Fixes issue with sending in URLs as string in @happy-dom/server-renderer config using CLI - By @​capricorn86 in task #1908

v19.0.0

💣 Breaking Changes

  • Removes support for CommonJS - By @​capricorn86 in task #1730
    • Support for CommonJS is no longer needed as Node.js v18 is deprecated and v20 and above supports loading ES modules from CommonJS using require()
  • Updates Jest to v30 in the @happy-dom/jest-environment package - By @​capricorn86 in task #1730
  • Makes Jest packages peer dependencies to make it easier to align versions with the project using @happy-dom/jest-environment - By @​capricorn86 in task #1730

🎨 Features

... (truncated)

Commits
  • f4bd4eb fix: #0 Adds frozen intrinsics flag to server-renderer workers (#1934)
  • f45d92e fix: #0 Adds warning for environemnt with unfrozen builtins (#1932)
  • 819d15b BREAKING CHANGE: #0 Changes JavaScript evaluation to be disabled by default...
  • c80a08f fix: #1620 Fixes issue related to CSS pseudo selector :scope (#1911)
  • 220df23 fix: #1908 Fixes issue with sending in URLs as string in server-renderer co...
  • 9849f8b chore: #1906 Fixes failing unit test caused by package version (#1907)
  • 48d174e chore: #1904 Updates conventional commit package (#1905)
  • 275efe5 BREAKING CHANGE: #1620 Release v18.0.0
  • See full diff in compare view

Updates dompurify from 2.5.9 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

DOMPurify 3.2.5

  • Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
  • Added ESM type imports in source, removes patch function, thanks @​donmccurdy
  • Added script to verify various TypeScript configurations, thanks @​reduckted
  • Added more modern browsers to the Karma launchers list
  • Added Node 23.x to tested runtimes, removed Node 17.x
  • Fixed the generation of source maps, thanks @​reduckted
  • Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
  • Fixed a few typos in the README file

DOMPurify 3.2.4

... (truncated)

Commits
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 11, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7de53501ee branch 2 times, most recently from ceaadca to 8f5c40d Compare March 16, 2026 15:35
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7de53501ee branch 5 times, most recently from d543b8f to ec6dbe6 Compare April 2, 2026 22:26
Bumps the npm_and_yarn group with 2 updates in the / directory: [jspdf](https://github.com/parallax/jsPDF) and [happy-dom](https://github.com/capricorn86/happy-dom).


Updates `jspdf` from 2.5.2 to 4.2.0
- [Release notes](https://github.com/parallax/jsPDF/releases)
- [Changelog](https://github.com/parallax/jsPDF/blob/master/RELEASE.md)
- [Commits](parallax/jsPDF@v2.5.2...v4.2.0)

Updates `happy-dom` from 18.0.1 to 20.0.2
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v18.0.1...v20.0.2)

Updates `dompurify` from 2.5.9 to 3.3.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@2.5.9...3.3.3)

---
updated-dependencies:
- dependency-name: jspdf
  dependency-version: 4.2.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: happy-dom
  dependency-version: 20.0.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7de53501ee branch from ec6dbe6 to 0bee4e4 Compare April 2, 2026 22:27
@dependabot @github

dependabot Bot commented on behalf of github Jun 1, 2026

Copy link
Copy Markdown
Author

Superseded by #2.

@dependabot dependabot Bot closed this Jun 1, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-7de53501ee branch June 1, 2026 21:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants