Update jsdom 27.4.0 → 29.0.1 (major)

[depfu]

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jsdom (27.4.0 → 29.0.1) · Repo · Changelog

Release Notes

29.0.1

• Fixed CSS parsing of border, background, and their sub-shorthands containing keywords or var(). (@asamuzaK)
• Fixed getComputedStyle() to return a more functional CSSStyleDeclaration object, including indexed access support, which regressed in v29.0.0.

29.0.0

Breaking changes:

• Node.js v22.13.0+ is now the minimum supported v22 version (was v22.12.0+).

Other changes:

• Overhauled the CSSOM implementation, replacing the @acemir/cssom and cssstyle dependencies with fresh internal implementations built on webidl2js wrappers and the css-tree parser. Serialization, parsing, and API behavior is improved in various ways, especially around edge cases.
• Added CSSCounterStyleRule and CSSNamespaceRule to jsdom Windows.
• Added cssMediaRule.matches and cssSupportsRule.matches getters.
• Added proper media query parsing in MediaList, using css-tree instead of naive comma-splitting. Invalid queries become "not all" per spec.
• Added cssKeyframeRule.keyText getter/setter validation.
• Added cssStyleRule.selectorText setter validation: invalid selectors are now rejected.
• Added styleSheet.ownerNode, styleSheet.href, and styleSheet.title.
• Added bad port blocking per the fetch specification, preventing fetches to commonly-abused ports.
• Improved Document initialization performance by lazily initializing the CSS selector engine, avoiding ~0.5 ms of overhead per Document. (@thypon)
• Fixed a memory leak when stylesheets were removed from the document.
• Fixed CSSStyleDeclaration modifications to properly trigger custom element reactions.
• Fixed nested @media rule parsing.
• Fixed CSSStyleSheet's "disallow modification" flag not being checked in all mutation methods.
• Fixed XMLHttpRequest's response getter returning parsed JSON during the LOADING state instead of null.
• Fixed getComputedStyle() crashing in XHTML documents when stylesheets contained at-rules such as @page or @font-face.
• Fixed a potential hang in synchronous XMLHttpRequest caused by a race condition with the worker thread's idle timeout.

28.1.0

• Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
• Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (asamuzaK)
• Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
• Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
• Fixed getComputedStyle() to correctly handle !important priority. (asamuzaK)
• Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
• Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
• Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
• Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
• Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.

28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ css-tree (indirect, 3.1.0 → 3.2.1) · Repo · Changelog

Release Notes

3.2.1

• Fixed parsing of nested function in a group in definition syntax (#358)

3.2.0

• Added "sideEffects": false in package.json
• Added list option to the parse() method to specify whether the parser should produce a List (by default, list: true) or an array (list: false) for node's children (e.g., SelectorList, Block, etc.)
• Added support for Functional Notation in definition syntax (for now by wrapping function arguments into an implicit group when necessary, see #292)
• Added support for stacked multipliers {A}? and {A,B}? according to spec in definition syntax parsing (#346)
• Added math functions support in syntax matching (e.g., min(), max(), etc.) (#344)
• Added onToken option to the parse() method, which can be either an array or a function:
  • When the value is an array, it is populated with objects { type, start, end } (token type, and its start and end offsets).
  • When the value is a function, it accepts type, start, end, and index parameters, and is invoked with a token API as this, enabling advanced token handling (see onToken). For example, the following demonstrates checking if all block tokens have matching pairs:

    parse(css, {
        onToken(type, start, end, index) {
            if (this.isBlockOpenerTokenType(type)) {
                if (this.getBlockPairTokenIndex(index) === -1) {
                    console.warn('No closing pair for', this.getTokenValue(index), this.getRangeLocation(start, end));
                }
            } else if (this.isBlockCloserTokenType(type)) {
                if (this.getBlockPairTokenIndex(index) === -1) {
                    console.warn('No opening pair for', this.getTokenValue(index), this.getRangeLocation(start, end));
                }
            }
        }
    });

• Extended TokenStream with the following methods:
  • getTokenEnd(tokenIndex) – returns the token's end offset by index, complementing getTokenStart(tokenIndex)
  • getTokenType(tokenIndex) – returns the token's type by index
  • isBlockOpenerTokenType(tokenType) – returns true for <function-token>, <(-token>, <[-token>, and <{-token>
  • isBlockCloserTokenType(tokenType) – returns true for <)-token>, <]-token>, and <}-token>
  • getBlockTokenPairIndex(tokenIndex) – returns the index of the pair token for a block, or -1 if no pair exists
• Changed generate() to not auto insert whitespaces between tokens for raw values (#356)
• Fixed fork() to extend node definitions instead of overriding them. For example, fork({ node: { Dimension: { generate() { /* ... */ } } } }) will now update only the generate() method on the Dimension node, while inheriting all other properties from the previous syntax definition.
• Bumped mdn/data to 2.27.1 and various fixes in syntaxes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ data-urls (indirect, 6.0.0 → 7.0.0) · Repo

Release Notes

7.0.0

Node.js ^20.19.0 || ^22.12.0 || >=24.0.0 is now the minimum supported version.

6.0.1

This release contains dependency updates which should not impact users of the package.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ lru-cache (indirect, 11.2.4 → 11.2.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mdn-data (indirect, 2.12.2 → 2.27.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tldts (indirect, 7.0.19 → 7.0.27) · Repo · Changelog

Release Notes

7.0.27

📜 Update Public Suffix List

• tldts-experimental, tldts
  • Update upstream public suffix list #2534 (@remusao)

🔩 Dependencies

• Bump flatted from 3.3.1 to 3.4.2 #2535 (@dependabot[bot])
• Bump typescript-eslint from 8.57.0 to 8.57.1 #2533 (@dependabot[bot])
• Bump tar from 7.5.7 to 7.5.11 #2532 (@dependabot[bot])

Authors: 2

• @dependabot[bot]
• Rémi (@remusao)

7.0.26

📜 Update Public Suffix List

• tldts-experimental, tldts
  • Update upstream public suffix list #2525 (@remusao)

🔩 Dependencies

• Bump lerna from 9.0.5 to 9.0.7 #2531 (@dependabot[bot])
• Bump @types/node from 25.3.5 to 25.5.0 #2530 (@dependabot[bot])
• Bump typescript-eslint from 8.56.1 to 8.57.0 #2528 (@dependabot[bot])

Authors: 2

• @dependabot[bot]
• Rémi (@remusao)

7.0.25

📜 Update Public Suffix List

• tldts-experimental, tldts-icann, tldts
  • Update upstream public suffix list #2522 (@remusao)

🔩 Dependencies

• Bump rimraf from 6.1.2 to 6.1.3 #2509 (@dependabot[bot])
• Bump rollup from 4.57.1 to 4.59.0 #2513 (@dependabot[bot])
• Bump typescript-eslint from 8.54.0 to 8.56.1 #2514 (@dependabot[bot])
• Bump lerna from 9.0.3 to 9.0.5 #2521 (@dependabot[bot])
• Bump @types/node from 25.2.1 to 25.3.5 #2524 (@dependabot[bot])
• tldts-core, tldts-experimental, tldts-icann, tldts-utils, tldts
  • Bump nyc from 17.1.0 to 18.0.0 #2517 (@dependabot[bot])
• tldts-experimental, tldts-icann, tldts
  • Bump @rollup/plugin-terser from 0.4.4 to 1.0.0 #2523 (@dependabot[bot])

Authors: 2

• @dependabot[bot]
• Rémi (@remusao)

7.0.24

📜 Update Public Suffix List

• tldts-experimental, tldts-icann, tldts
  • Update upstream public suffix list #2506 (@remusao)

Authors: 1

• Rémi (@remusao)

7.0.23

📜 Update Public Suffix List

• tldts-experimental, tldts-icann, tldts
  • Update upstream public suffix list #2502 (@remusao)

🔩 Dependencies

• Bump @types/node from 25.2.0 to 25.2.1 #2501 (@dependabot[bot])

Authors: 2

• @dependabot[bot]
• Rémi (@remusao)

7.0.22

📜 Update Public Suffix List

• tldts-experimental, tldts-icann, tldts
  • Update upstream public suffix list #2500 (@remusao)

🔩 Dependencies

• Bump @types/node from 25.1.0 to 25.2.0 #2499 (@dependabot[bot])
• tldts-core, tldts-experimental, tldts-icann, tldts-tests, tldts-utils, tldts
  • Bump chai from 4.5.0 to 6.2.2 #2482 (@dependabot[bot])
  • chore: upgrade dependencies #2498 (@remusao)

Authors: 2

• @dependabot[bot]
• Rémi (@remusao)

7.0.21

📜 Update Public Suffix List

• tldts-core, tldts-experimental, tldts-icann, tldts-tests, tldts-utils, tldts
  • Update PSL + dependencies #2497 (@remusao)

⚠️ Pushed to master

• Fix publishing (@remusao)

Authors: 1

• Rémi (@remusao)

7.0.20

📜 Update Public Suffix List

• tldts-experimental, tldts-icann, tldts
  • Update upstream public suffix list #2472 (@remusao)

⚠️ Pushed to master

• Try to fix publishing (@remusao)
• Fix publishing (@remusao)
• tldts-core, tldts-experimental, tldts-icann, tldts-tests, tldts-utils, tldts
  • Bump to Yarn 4 and try to fix publishing. (@remusao)

Authors: 1

• Rémi (@remusao)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tough-cookie (indirect, 6.0.0 → 6.0.1) · Repo · Changelog

Release Notes

6.0.1

Notable

• Review Section 5.1.1. Dates by @colincasey in #547
• Adopt npm trusted publishing (OIDC) by @colincasey in #571
• Bump tldts from 7.0.23 to 7.0.25 in the production-dependencies group by @dependabot[bot] in #573

What's Changed

• Bump the dev-dependencies group across 1 directory with 9 updates by @dependabot[bot] in #543
• Bump tldts from 7.0.10 to 7.0.12 in the production-dependencies group by @dependabot[bot] in #540
• Bump the dev-dependencies group with 8 updates by @dependabot[bot] in #545
• Bump tldts from 7.0.16 to 7.0.17 in the production-dependencies group by @dependabot[bot] in #544
• Bump vitest from 3.2.4 to 4.0.6 by @dependabot[bot] in #546
• Bump js-yaml from 4.1.0 to 4.1.1 by @dependabot[bot] in #548
• Bump glob from 10.4.5 to 10.5.0 by @dependabot[bot] in #549
• Bump tldts from 7.0.17 to 7.0.19 in the production-dependencies group by @dependabot[bot] in #550
• test(timing): retry flaky test and increase threshold by @wjhsf in #552
• Bump the dev-dependencies group with 8 updates by @dependabot[bot] in #551
• chore(deps): bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in #555
• chore(deps): bump tldts from 7.0.19 to 7.0.21 in the production-dependencies group by @dependabot[bot] in #556
• chore(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates by @dependabot[bot] in #557
• chore(deps): bump rollup from 4.44.2 to 4.59.0 by @dependabot[bot] in #558
• chore(deps): bump tldts from 7.0.21 to 7.0.23 in the production-dependencies group by @dependabot[bot] in #559
• Review Section 5.1.1. Dates by @colincasey in #547
• chore(deps-dev): bump the dev-dependencies group with 5 updates by @dependabot[bot] in #560
• Fix api-documenter CRLF line endings in generated docs by @colincasey in #570
• Adopt npm trusted publishing (OIDC) by @colincasey in #571
• chore: group eslint deps in dependabot config by @colincasey in #563
• chore(deps): bump tldts from 7.0.23 to 7.0.25 in the production-dependencies group by @dependabot[bot] in #573
• Prepare release v6.0.1 by @colincasey in #572

Full Changelog: v6.0.0...v6.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ webidl-conversions (indirect, 8.0.0 → 8.0.1) · Repo

Release Notes

8.0.1

• Sped up and simplified ByteString and USVString conversions. (@ChALkeR, #54)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ whatwg-mimetype (indirect, 4.0.0 → 5.0.0) · Repo

Release Notes

5.0.0

Node.js v20 is now the minimum supported version.

The MIMEType class has moved from being the default export to being a named export.

Added MIME sniffing functionality, via the computedMIMEType export.

Removed the raw parsing/serialization APIs.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ whatwg-url (indirect, 15.1.0 → 16.0.1) · Repo

Release Notes

16.0.1

Fixed URL.parse() to return a proper URL object, instead of an internal implementation object. This fixes, among other things, URL.parse(x) instanceof URL.

16.0.0

Breaking change: now requires Node.js versions ^20.19.0 || ^22.12.0 || >=24.0.0.

Added encoding support for query string parsing, via the new encoding options to parseURL() and basicURLParse(). (The URL API is not affected, as it always uses UTF-8.) Thanks to @ChALkeR and his excellent @exodus/bytes package for providing the foundation!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​bramus/specificity (added, 2.4.2)

🆕 undici (added, 7.24.5)

🗑️ @​acemir/cssom (removed)

🗑️ agent-base (removed)

🗑️ cssstyle (removed)

🗑️ http-proxy-agent (removed)

🗑️ https-proxy-agent (removed)

🗑️ ws (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)