[Snyk] Upgrade jsdom from 23.2.0 to 28.1.0 #38

Open
shafeeqd959 wants to merge 1 commit into main from snyk-upgrade-5e02bef8236b97d0112f86c30f1d374a

@shafeeqd959

Snyk has created this PR to upgrade jsdom from 23.2.0 to 28.1.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 21 versions ahead of your current version.

  • The recommended version was released a month ago.

Release notes
Package name: jsdom
  • 28.1.0 - 2026-02-15
    • Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
    • Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (@ asamuzaK)
    • Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
    • Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
    • Fixed getComputedStyle() to correctly handle !important priority. (@ asamuzaK)
    • Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
    • Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
    • Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
    • Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
    • Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.
  • 28.0.0 - 2026-02-02
    • Overhauled resource loading customization. See the new README for details on the new API.
    • Added MIME type sniffing to <iframe> and <frame> loads.
    • Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
    • Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
    • Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
    • Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
    • Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
    • Fixed require("url").parse() deprecation warning when using WebSockets.
    • Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
    • Fixed many small issues in XMLHttpRequest.
  • 27.4.0 - 2025-12-26
    • Added TextEncoder and TextDecoder.
    • Improved decoding of HTML bytes by using the new @exodus/bytes package; it is now much more correct. (@ ChALkeR)
    • Improved decoding of XML bytes to use UTF-8 more often, instead of sniffing for <meta charset> or using the parent frame's encoding.
    • Fixed a memory leak when Ranges were used and then the elements referred to by those ranges were removed.
  • 27.3.0 - 2025-12-08
  • 27.2.0 - 2025-11-12
    • Added CSSGroupingRule, CSSNestedDeclarations, CSSConditionRule, CSSContainerRule, CSSScopeRule, CSSSupportsRule, CSSLayerBlockRule, and CSSLayerStatementRule to jsdom Windows. (@ acemir)
    • Improved CSS parsing and CSSOM object APIs via updates to @acemir/cssom. (@ acemir)
    • Fixed @import-ed stylesheets to be properly exposed to CSSOM, and not to overwrite the sheet created from the <link> or <style> element. (@ acemir)
  • 27.1.0 - 2025-10-31
    • Improved CSS parsing by switching to @acemir/cssom, including support for nested selectors, nested declarations, layer statements, and improved at-rule validation. (@ acemir)
    • Fixed some selector cache invalidation issues where changes to attributes were not being picked up. (@ asamuzaK)
    • Fixed package.json "engines" field to reflect the new minimum Node.js versions needed to run jsdom, as noted in the changelog for v27.0.1.
  • 27.0.1 - 2025-10-18

    This release inadvertently raised the minimum Node.js version from v20.0.0 to v20.19.0+, v22.12.0+, v24.0.0+. (This happened via a dependency update.) This probably should have been a breaking (major) change, instead of happening in a patch version, since it prevents using earlier Node.js versions.

    After further testing, we found that most of our development dependencies also require these versions, and so it's not feasible for the jsdom project to support earlier Node.js versions. (For example, our testing frameworks will not run on them.) If you need to use such earlier versions, or otherwise are working in an environment which gives related errors such as ERR_REQUIRE_ESM, then please stick with the v26.1.0 release of jsdom. (Noting, of course, that such versions are unsupported, and we will not respond to bug reports opened against them.)

    Subsequent jsdom releases will explicitly require these minimum Node.js versions, and will have CI testing to ensure that the minimum version is not accidentally raised again.

    Normal changelog:

    • Fixed some regressions in CSS selectors. Most such regression fixes were done in a minor update of a dependency, and thus available for all fresh installs of v27.0.0. However, one related to class="" attribute changes is only possible with a new version of jsdom. (@ asamuzaK)
  • 27.0.0 - 2025-09-13

    Changes since 26.1.0

    • Node.js v20 is now the minimum supported version.
    • Added a variety of event constructors, even though we do not implement their associated specifications or ever fire them: BeforeUnloadEvent, BlobEvent, DeviceMotionEvent (omitting requestPermission()), DeviceOrientationEvent (omitting requestPermission()), PointerEvent, PromiseRejectionEvent, and TransitionEvent.
    • Added movementX and movementY to MouseEvent. (These are from the Pointer Lock specification, the rest of which is not implemented.)
    • Added customElements.getName(). (@ mash-graz)
    • Updated the virtual console:
      • "jsdomError" events are now documented, with specific type properties and other properties that depend on the type.
      • sendTo() was renamed to forwardTo().
      • The jsdomErrors option to forwardTo() can be used to control which errors are sent to the Node.js console. This replaces the previous omitJSDOMErrors boolean option.
      • "jsdomError"s for failed XMLHttpRequest fetches are no longer emitted.
      • The values that are printed when forwarding "jsdomError"s to the Node.js console are streamlined.
    • Switched our CSS selector engine from nwsapi to @asamuzakjp/dom-selector, closing over 20 selector-related bugs.
    • Upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (@ colincasey)
    • Upgraded cssstyle, which brings along many improvements and fixes to the CSSStyleDeclaration object and its properties.
    • Updated the user agent stylesheet to be derived from the HTML Standard, instead of from an old revision of Chromium.
    • Changed element.click() to fire a PointerEvent instead of a MouseEvent.
    • Changed certain events to be passive by default.
    • Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
    • Fixed many specification conformance issues with the Window object, including named properties and changing various data properties to accessor properties.
    • Fixed document.createEvent() to accept a more correct set of event names.
    • Fixed the ElementInternals accessibility getters and setters. (They were introduced in v23.1.0, but due to inadequate test coverage never actually worked.)
    • Fixed using Object.defineProperty() on certain objects, such as HTMLSelectElement instances.
    • Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. (This regressed in v26.1.0.)
    • Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. (@ asamuzaK)
    • Fixed CSS display style resolution. (@ asamuzaK)

    Changes since 27.0.0-beta.3

    • Upgraded cssstyle, which brings along various CSS parsing fixes.
  • 27.0.0-beta.3 - 2025-08-31
    • Breaking change: upgraded tough-cookie, which now considers URLs like http://localhost/ to be secure contexts (per the spec), and thus will return Secure-flagged cookies for such URLs. (@ colincasey)
    • Added customElements.getName(). (@ mash-graz)
    • Changed the <input> element's pattern="" attribute to use the v regular expression flag, instead of u.
    • Fixed jsdom.reconfigure({ url }) not updating document.baseURI or properties derived from it. This regressed in v26.1.0.
    • Fixed CSS system colors, as well as the initial, inherit, and unset keywords, to resolve correctly. This is especially important since the change in v27.0.0-beta.1 to use system colors in the user agent stylesheet. (@ asamuzaK)
    • Fixed CSS background property parsing and serialization. (@ asamuzaK)
    • Fixed CSS color parsing and serialization inside of gradients. (@ asamuzaK)
    • Fixed CSS display style resolution. (@ asamuzaK)
    • Upgraded @asamuzakjp/dom-selector, which notably fixed repeated use of the :scope selector. (@ asamuzaK)
  • 27.0.0-beta.2 - 2025-06-08

    Significantly improved specification conformance for the Window object, including named properties and changing various data properties to accessor properties. This is not likely to be breaking, but since it's a complex change to such a core object, we're happy to do another beta testing release with this included before graduating the v27 line to stable.

    Additionally, updated cssstyle to v4.4.0, which brings along various conformance fixes to the CSSStyleDeclaration object and its properties.

  • 27.0.0-beta.1 - 2025-05-06
  • 27.0.0-beta.0 - 2025-04-19
  • 26.1.0 - 2025-04-13
  • 26.0.0 - 2025-01-09
  • 25.0.1 - 2024-09-22
  • 25.0.0 - 2024-08-25
  • 24.1.3 - 2024-08-25
  • 24.1.2 - 2024-08-25
  • 24.1.1 - 2024-07-21
  • 24.1.0 - 2024-05-26
  • 24.0.0 - 2024-01-21
  • 23.2.0 - 2024-01-07
from jsdom GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
jsdom

See this project in Snyk:
https://app.snyk.io/org/contentstack-devex/project/7a549652-4fc7-484f-b6bd-0bf453540d60?utm_source=github&utm_medium=referral&page=upgrade-pr

shafeeqd959 requested a review from a team as a code owner on March 19, 2026 02:12

@github-actions

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

| Check Type | Count (with fixes) | Without fixes | Threshold | Result |
|---|---|---|---|---|
| 🔴 Critical Severity | 0 | 0 | 10 | ✅ Passed |
| 🟠 High Severity | 0 | 0 | 25 | ✅ Passed |
| 🟡 Medium Severity | 0 | 4 | 500 | ✅ Passed |
| 🔵 Low Severity | 0 | 0 | 1000 | ✅ Passed |

⏱️ SLA Breach Summary

✅ No SLA breaches detected. All vulnerabilities are within acceptable time thresholds.

| Severity | Breaches (with fixes) | Breaches (no fixes) | SLA Threshold (with/no fixes) | Status |
|---|---|---|---|---|
| 🔴 Critical | 0 | 0 | 15 / 30 days | ✅ Passed |
| 🟠 High | 0 | 0 | 30 / 120 days | ✅ Passed |
| 🟡 Medium | 0 | 0 | 90 / 365 days | ✅ Passed |
| 🔵 Low | 0 | 0 | 180 / 365 days | ✅ Passed |

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

  • Critical without fixes: 0
  • High without fixes: 0
  • Medium without fixes: 4
  • Low without fixes: 0

✅ BUILD PASSED - All security checks passed
