build(deps-dev): bump jsdom from 29.0.0 to 29.0.1 #2567

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/jsdom-29.0.1

Conversation

@dependabot dependabot Bot commented on behalf of github Mar 23, 2026

Bumps jsdom from 29.0.0 to 29.0.1.

Release notes

Sourced from jsdom's releases.

v29.0.1

  • Fixed CSS parsing of border, background, and their sub-shorthands containing keywords or var(). (@asamuzaK)
  • Fixed getComputedStyle() to return a more functional CSSStyleDeclaration object, including indexed access support, which regressed in v29.0.0.
Commits
  • 34c7d6e 29.0.1
  • 8ffc811 Add benchmark for computed style property access
  • 5f2434c Update dependencies and dev dependencies
  • 1e8a7ff Handle global keywords in CSS shorthand property handlers
  • 0b79509 Wrap getComputedStyle return value for proper indexed access
  • d589a8e Fix border shorthand parsing
  • e528859 Modernize release infrastructure
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jsdom since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Dev dependency/lockfile-only updates; risk is limited to potential test or build behavior changes in jsdom-related tooling.

Overview
Updates the jsdom devDependency from 29.0.0 to 29.0.2 in injected/package.json and refreshes package-lock.json accordingly.

This lockfile update also bumps jsdom’s transitive dependencies (notably @asamuzakjp/*, @csstools/*, and undici) to the versions required by the new jsdom release.

Reviewed by Cursor Bugbot for commit 3363318. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot Bot added the dependencies (Update one or more dependencies) and version patch (Increment the patch version when merged) labels Mar 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 23, 2026 11:09
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

github-actions Bot commented Mar 23, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1
Commit 054201824a
Updated April 13, 2026 at 1:09:53 PM UTC


Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#054201824ab09628bb29b6e1bbd81f253e267634

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "054201824ab09628bb29b6e1bbd81f253e267634")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/jsdom-29.0.1
git -C submodules/content-scope-scripts checkout 054201824ab09628bb29b6e1bbd81f253e267634

@github-actions github-actions Bot added the semver-patch (Bug fix / internal — no release needed) label Mar 23, 2026
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • No findings.
  • injected/package.json (devDependencies jsdom 29.0.0 -> 29.0.1), severity: info.
    The change is limited to test tooling (jsdom is only referenced from injected/unit-test/*), so it does not alter injected page-world API shims, wrapper behavior, feature lifecycle (load/init), or platform entry-point bundles.
  • package-lock.json (jsdom, @asamuzakjp/dom-selector, undici lock updates), severity: info.
    Lockfile updates are consistent with the jsdom patch bump and remain under dev dependency scope.

Security Assessment

  • No findings.
  • injected/package.json + package-lock.json, severity: info.
    No changes to captured-globals, message bridge, transport/origin validation, wrapper utilities, or any runtime-injected feature code paths. Transitive updates are tied to jsdom and are marked dev-only in the lockfile.

Risk Level

Low Risk — this PR is a patch-level dev dependency update used for test execution, with no production injected-script code changes.

Recommendations

  1. Merge as-is.
  2. Run npm run test-unit in injected/ as a regression check for JSDOM behavioral drift in DOM-dependent tests.
  3. Optional hardening: if CI supports it, keep Dependabot security updates for dev tooling enabled to continue receiving patch-level fixes automatically.

Sent by Cursor Automation: Web compat and sec


github-actions Bot commented Apr 1, 2026

[Beta] Generated file diff

Time updated: Wed, 01 Apr 2026 13:49:40 GMT

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json (jsdom entry), severity: info
    jsdom is updated in devDependencies only (^29.0.0 -> ^29.0.1). This does not modify injected runtime code paths (API shims, wrapper utilities, feature lifecycle hooks), so no direct web-compat regression surface is introduced.
  • package-lock.json (node_modules/jsdom, node_modules/undici), severity: info
    Changes are lockfile resolution updates for test/dev tooling only. No browser API override contracts, descriptors, or prototype-chain behavior in shipped content scripts are changed.

Security Assessment

  • injected/package.json + package-lock.json, severity: info
    No changes to security-sensitive runtime modules (captured-globals, message bridge, wrappers, exemption logic, feature init/load flow). No new messaging, origin, or DOM trust-boundary code is introduced.
  • package-lock.json transitive update (undici patch bump), severity: info
    This is in the dev dependency tree and does not increase runtime attack surface for injected scripts.

Risk Level

Low Risk — this PR only updates dev/test dependency versions and lockfile entries; no injected production code or security-critical framework code is touched.

Recommendations

  1. Run npm run test-unit to validate jsdom-backed test behavior remains stable after the patch bump.
  2. Alternative dependency strategy: if tighter reproducibility is preferred over semver patch float, pin jsdom to an exact version in devDependencies (while continuing to rely on lockfile updates).

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency Review (jsdom 29.0.0 → 29.0.1)

Findings

No confirmed security or functional regressions from this bump based on the diff and upstream patch notes.

Confirmed Impact (evidence-based)

  • PR changes only injected/package.json and package-lock.json.
  • Direct dev dependency bumped: jsdom ^29.0.0 → ^29.0.1.
  • Transitives changed in lockfile:
    • @asamuzakjp/dom-selector ^7.0.2 → ^7.0.3
    • undici 7.24.4 → 7.24.5
  • jsdom v29.0.1 release notes indicate this is a patch fix release (CSS shorthand parsing fixes + getComputedStyle() wrapper/indexed-access regression fix from 29.0.0), not a new feature surface.
  • In this repo, jsdom is used only in injected unit tests (injected/unit-test/dom-metadata.spec.js, injected/unit-test/page-context-dom.spec.js, injected/unit-test/web-detection.js), so runtime shipped code risk is low.

Test/Coverage Signal

  • CI is green for Linux unit + integration suites; Windows unit jobs are still in progress at review time.
  • Existing tests exercise JSDOM broadly, including getComputedStyle use in web-detection tests.

Uncertain Concerns / Validation Needed

  • I did not find targeted assertions for the exact patched behaviors (getComputedStyle()[index] access and CSS border/background shorthand parsing with global keywords/var()).
  • Suggested validation (optional hardening): add 1-2 focused unit tests for those two cases to detect future upstream regressions.

Dependency Necessity Check

  • jsdom is still needed for DOM-backed unit tests in injected; replacing it would be a larger test-infra change with no clear security or maintenance benefit for this patch update.

No separate fix PR is required from this review.


Sent by Cursor Automation: Review dependabot

dependabot Bot commented on behalf of github Apr 13, 2026

A newer version of jsdom exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@jonathanKingston

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch from ce76083 to b7ffe3a April 13, 2026 12:48
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json (devDependencies.jsdom, line 58) — info: jsdom is a dev-only test dependency; no injected runtime feature code, wrappers, shims, or messaging paths are modified. No direct risk to browser API surface fidelity or site behavior in production bundles.
  • package-lock.json (node_modules/jsdom, lines 6588-6616; transitive @asamuzakjp/*, @csstools/*, undici) — info: lockfile updates are constrained to test-environment dependency graph changes. No injected/src/** runtime logic changes that could affect page compatibility across platforms.
  • package-lock.json (special-pages.devDependencies.@duckduckgo/design-tokens, line 10889) — warning: unrelated lockfile delta broadens review surface beyond the stated jsdom bump. Even if benign, mixed-scope lock updates reduce confidence and complicate compatibility attribution.

Security Assessment

  • injected/package.json + package-lock.json (jsdom/transitives, including undici) — info: changes are dev-only and do not execute in production content scripts, so no new direct attack surface in hostile page context (captured-globals, wrapper utilities, bridge security checks, and feature init paths are untouched).
  • package-lock.json (special-pages @duckduckgo/design-tokens spec change, line 10889) — warning: this is a supply-chain provenance change outside PR scope. It should be explicit and intentionally reviewed to avoid accidental dependency source drift.

Risk Level

Low Risk — this PR does not modify injected runtime code paths or security-sensitive infrastructure; risk is primarily procedural from an unrelated lockfile entry change.

Recommendations

  1. Remove or isolate the @duckduckgo/design-tokens lockfile delta (package-lock.json) into a separate PR to keep scope auditable.
  2. Confirm the intended target version in metadata (title says 29.0.1, diff resolves to 29.0.2) so dependency provenance is unambiguous.
  3. Run injected unit tests that rely on jsdom to validate test-harness behavior remains stable (npm run test-unit in injected/).

Sent by Cursor Automation: Web compat and sec
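A lockfile-scope check of the kind the assessment above recommends, written here as an added example (it is not code from this PR or from the content-scope-scripts project). It assumes the lockfileVersion 3 layout, uses constructed lockfile contents with placeholder spec strings where the PR shows none, and goes slightly beyond the comment by also handling a transitive that disappears and a changed entry that is not dev-only.

```javascript
// Added example, not code from this PR or the content-scope-scripts project. It audits
// a package-lock.json delta (lockfileVersion 3: a flat "packages" map keyed by install
// path) so a "bump jsdom" PR touches only dev-scoped entries inside the jsdom subtree.

// Resolve `name` the way Node does from the package installed at `fromPath`:
// nearest nested node_modules first, then each enclosing one, then the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every lockfile entry reachable from rootPath via (optional)dependencies.
function dependencyClosure(packages, rootPath) {
  const seen = new Set();
  const stack = [rootPath];
  while (stack.length) {
    const p = stack.pop();
    if (p === null || seen.has(p)) continue;
    seen.add(p);
    const entry = packages[p] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) stack.push(resolveDep(packages, p, name));
  }
  return seen;
}

// Copy of a workspace entry with the bumped dependency's spec removed, so the
// rest of the manifest can be compared for unrelated edits.
function withoutSpec(entry, depName) {
  if (!entry) return entry;
  const copy = JSON.parse(JSON.stringify(entry));
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    if (copy[field]) delete copy[field][depName];
  }
  return copy;
}
const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Compare two lockfiles for a PR that claims to bump `depName`, declared in
// `workspace`. Returns the changed entry paths plus findings for a human reviewer.
function auditLockDelta(oldLock, newLock, { workspace, depName }) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const inScope = new Set();
  for (const pkgs of [oldPkgs, newPkgs]) {
    const root = resolveDep(pkgs, workspace, depName);
    for (const p of dependencyClosure(pkgs, root)) inScope.add(p);
  }
  const keys = [...new Set([...Object.keys(oldPkgs), ...Object.keys(newPkgs)])].sort();
  const changed = keys.filter((k) => !same(oldPkgs[k], newPkgs[k]));
  const findings = [];
  for (const k of changed) {
    if (k === workspace) {
      // The declaring manifest may change only the spec of the bumped dependency.
      if (!same(withoutSpec(oldPkgs[k], depName), withoutSpec(newPkgs[k], depName))) {
        findings.push({ path: k, kind: "workspace-edit-beyond-bump" });
      }
    } else if (!inScope.has(k)) {
      // Another workspace's spec string, or a package outside the bumped subtree.
      findings.push({ path: k, kind: "out-of-scope" });
    } else if (k in newPkgs && newPkgs[k].dev !== true) {
      // A changed entry that would ship in production deserves a real review.
      findings.push({ path: k, kind: "not-dev-only" });
    }
  }
  return { changed, findings };
}

// Constructed "before" lockfile fragment; spec strings and resolved URLs are placeholders.
const OLD_LOCK = { packages: {
  "": { name: "content-scope-scripts", workspaces: ["injected", "special-pages"] },
  "injected": { devDependencies: { jsdom: "^29.0.0" } },
  "special-pages": { devDependencies: { "@duckduckgo/design-tokens": "github:duckduckgo/design-tokens#PLACEHOLDER_OLD_SPEC" } },
  "node_modules/jsdom": { version: "29.0.0", dev: true, dependencies: { "@asamuzakjp/dom-selector": "^7.0.2", undici: "^7.24.4" } },
  "node_modules/@asamuzakjp/dom-selector": { version: "7.0.2", dev: true, dependencies: { "lru-cache": "^11.0.0" } },
  "node_modules/lru-cache": { version: "11.0.0", dev: true },
  "node_modules/undici": { version: "7.24.4", dev: true },
  "node_modules/@duckduckgo/design-tokens": { version: "0.17.0", dev: true, resolved: "PLACEHOLDER_GIT_URL" },
} };

// Constructed "after" lockfile: the jsdom subtree is bumped, a transitive (lru-cache) drops
// out, and another workspace's spec string changes, the unrelated delta flagged above.
const NEW_LOCK = JSON.parse(JSON.stringify(OLD_LOCK));
NEW_LOCK.packages["injected"].devDependencies.jsdom = "^29.0.1";
NEW_LOCK.packages["node_modules/jsdom"] = { version: "29.0.1", dev: true, dependencies: { "@asamuzakjp/dom-selector": "^7.0.3", undici: "^7.24.5" } };
NEW_LOCK.packages["node_modules/@asamuzakjp/dom-selector"] = { version: "7.0.3", dev: true };
delete NEW_LOCK.packages["node_modules/lru-cache"];
NEW_LOCK.packages["node_modules/undici"].version = "7.24.5";
NEW_LOCK.packages["special-pages"].devDependencies["@duckduckgo/design-tokens"] = "github:duckduckgo/design-tokens#v0.17.0";

function runAudit() { return auditLockDelta(OLD_LOCK, NEW_LOCK, { workspace: "injected", depName: "jsdom" }); }

for (const f of runAudit().findings) console.log(`REVIEW: ${f.kind} at ${f.path}`);
```

On the sample data this reports only the special-pages spec change as out of scope; the jsdom, dom-selector, undici and lru-cache deltas all sit inside the jsdom subtree and stay dev-only.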

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch 2 times, most recently from 10e72c3 to 0eb302a April 13, 2026 12:53
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • No findings.
  • injected/package.json (line 55), severity info: change is a devDependency bump (jsdom), not code that ships in injected bundles.
  • package-lock.json (ranges around 57, 85-120, 6588-6617, 9970-9976), severity info: lockfile-only transitive updates (@asamuzakjp/*, @csstools/*, undici) affect test/runtime emulation in Node, not page-world API shims or wrapper behavior in production injections.

Security Assessment

  • No findings.
  • injected/package.json (line 55), severity info: no change to messaging, bridge trust boundaries, captured globals, or runtime security-sensitive feature code.
  • package-lock.json (same ranges), severity info: dependency refresh does not introduce new browser-side attack surface in injected code paths; scope remains dev/test dependency resolution.

Risk Level

Low Risk — PR only updates a dev dependency and lockfile; there are no modifications to injected feature logic, wrapper utilities, messaging, or security controls executed on web pages.

Recommendations

  1. Run injected unit/integration tests to catch any jsdom DOM-behavior drift in test harnesses.
  2. If any test snapshots/assertions changed recently around DOM parsing/selectors, re-verify those suites because jsdom transitive selector/color parser packages were updated.
  3. Keep this dependency bump isolated from runtime feature edits (already true) to preserve rollback clarity if test regressions appear.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json line 58 (info): jsdom devDependency bump (^29.0.0 -> ^29.0.2) is test-only; no changes to injected runtime files (injected/src/**, wrapper utilities, API shims), so no direct API-surface/prototype-chain regression is introduced by this PR.
  • package-lock.json lines 60, 88-113, 293-334, 6589-6610, 9971 (info): lockfile churn is consistent with jsdom transitive updates (@asamuzakjp/*, @csstools/*, undici) and does not include unrelated source or platform entrypoint changes.

Security Assessment

  • injected/package.json line 58 (info): change is limited to a devDependency; there are no modifications to captured globals, message bridge controls, origin validation, or feature initialization codepaths.
  • package-lock.json lines 6589-6610, 9971 (info): transitive undici update (7.24.4 -> 7.24.8) is dev-only via jsdom, so it does not expand the production injected-script attack surface.

Risk Level

Low Risk — dependency-only dev/test upgrade with lockfile updates confined to the jsdom dependency graph and no security-sensitive runtime code changes.

Recommendations

  1. Run npm run test-unit --workspace injected to confirm no test-environment behavior drift from jsdom parsing/DOM changes.
  2. Keep this PR scoped to dependency graph updates; if future pushes touch injected/src/**, wrapper-utils, captured-globals, or messaging transport code, re-run a high-risk compatibility/security review.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Findings (ordered by severity)

  • No confirmed blocking security or behavioral regressions from this update.

Non-blocking concerns / uncertainties

  1. PR intent vs actual version differs: title says 29.0.1, but the diff updates to jsdom@^29.0.2 in injected/package.json and lockfile.
    Assumption: this is intended semver patch drift during lockfile refresh.
    Validation needed: either retitle PR to 29.0.2 or pin/update commit message to match exact shipped version.

  2. package-lock.json includes an unrelated spec-string change for @duckduckgo/design-tokens (commit hash spec -> #v0.17.0). The resolved git SHA stays identical (f8bfef...), so this appears metadata-only, but it is extra lockfile noise in a dependency-focused PR.

Evidence checked

  • Upstream jsdom release notes:
    • v29.0.1: CSS shorthand parsing fixes + getComputedStyle() wrapper/indexed-access fix.
    • v29.0.2: broader/faster getComputedStyle() computed-value handling + further background/border shorthand fixes.
  • Repo usage: jsdom is dev-only and imported only in injected unit tests (dom-metadata.spec.js, page-context-dom.spec.js, web-detection.js), not production runtime paths.
  • Validation run: npm run test-unit --workspace=injected passed (889 specs, 0 failures).

Dependency necessity / alternatives

  • jsdom still appears justified here: tests rely on DOM/CSS behavior (getComputedStyle, selector/CSS parsing) where lighter alternatives (cheerio, linkedom) are lower-fidelity for these cases.

No separate follow-up fix PR drafted at this time because no code changes were required.


Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Dependency risk review for jsdom update.

Findings

No blocking risks confirmed from this diff.

Confirmed impact (from diff + changelog)

  • The actual resolved update is jsdom 29.0.0 -> 29.0.2 (not just 29.0.1), via injected/package.json and package-lock.json.
  • Upstream jsdom 29.0.1/29.0.2 changes are mainly CSSOM behavior updates: getComputedStyle() behavior/perf and CSS background/border shorthand parsing fixes.
  • In this repo, jsdom is a devDependency in injected and is imported only in unit tests (injected/unit-test/page-context-dom.spec.js, injected/unit-test/dom-metadata.spec.js, injected/unit-test/web-detection.js), so production runtime exposure is low.
  • Relevant CI evidence is positive on Linux (Unit tests (injected, ubuntu-latest) passed; injected integration matrix jobs shown as passing in the current run status).

Uncertain concerns (require validation)

  • Because getComputedStyle() semantics changed in 29.0.2, there is some cross-platform risk of test expectation drift (especially for Windows runners that are still in progress at review time).
  • Transitive parser/network updates (@asamuzakjp/*, @csstools/*, undici) can subtly alter selector/CSS handling in tests; existing test coverage is strong for selector matching, but not exhaustive for all computed-style inheritance/custom-property edge cases.

Dependency necessity

  • jsdom is still justified here: it underpins DOM-centric unit tests without requiring browser startup.
  • Alternative if desired: move these cases to Playwright integration tests for browser-real CSS behavior, but that increases runtime and test maintenance overhead.

Follow-up PR

  • No follow-up PR is needed at this point.
  • If Windows CI surfaces regressions, a targeted follow-up PR should add explicit regression tests around changed getComputedStyle() / shorthand parsing behavior in injected unit tests.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Findings

  1. No blocking security or regression concerns were confirmed for this update.

Confirmed Impact (from diff + changelogs)

  1. The actual update scope is jsdom 29.0.0 -> 29.0.2 (not just 29.0.1), plus transitive updates (@asamuzakjp/*, @csstools/*, undici).
  2. Upstream jsdom releases v29.0.1 and v29.0.2 are focused on CSS parsing and getComputedStyle() correctness/perf fixes.
  3. In this repo, jsdom is a devDependency in injected and is used in unit tests (not production runtime), primarily in:
    • injected/unit-test/web-detection.js
    • injected/unit-test/page-context-dom.spec.js
    • injected/unit-test/dom-metadata.spec.js
  4. Validation run: npm run test-unit --workspace=injected passed (889 specs, 0 failures).

Uncertain Concerns / Assumptions

  1. Assumption: CI integration coverage is sufficient for any subtle behavior drift from the broadened getComputedStyle() implementation in 29.0.2.
  2. If there are tests outside current injected unit coverage that implicitly rely on old JSDOM CSS-computed-value quirks, they could change behavior. No evidence of this in the current PR diff/tests.

Dependency Necessity

  1. jsdom still appears justified: it enables fast deterministic DOM unit testing in injected.
  2. Alternative approach: move the most CSS-semantics-sensitive assertions to Playwright/integration tests over time, keeping jsdom for structural/unit-level DOM tests.

Sent by Cursor Automation: Review dependabot

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch from 0eb302a to 1f16b35 April 13, 2026 12:58
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • injected/package.json (58), package-lock.json (60, 6589-6610) — severity: info: Change is limited to jsdom dev dependency (^29.0.0 -> ^29.0.2) and lockfile resolution updates. No changes to injected feature code, wrappers, shims, lifecycle hooks, or platform entry points, so there is no direct runtime web-compat regression vector for page-executed code.
  • package-lock.json (88-117, 293-334, 9971-9973) — severity: info: Transitive updates (@asamuzakjp/*, @csstools/*, undici) are scoped to the test/tooling dependency graph via jsdom; they can affect test environment DOM/CSS parsing behavior, but do not modify production browser API override behavior.

Security Assessment

  • injected/package.json (58), package-lock.json (60, 6589-6610) — severity: info: No changes to security-critical runtime surfaces (captured-globals, wrapper-utils, DDGProxy, message bridge, transport origin checks, or config gating). Threat-model-relevant protections are unchanged.
  • package-lock.json (9971-9973) — severity: info: undici transitive bump is in dev/test dependency context through jsdom; this does not introduce new data-exfiltration or messaging paths in injected page runtime.

Risk Level

Low Risk — dependency-only update in test tooling (jsdom and lockfile), with no modifications to injected runtime code paths that execute in hostile page context.

Recommendations

  1. Run npm run test-unit to validate no jsdom behavioral drift impacts existing test assumptions.
  2. If any jsdom-backed tests become flaky, prefer pinning assertions to standards behavior (DOM/API contracts) instead of jsdom internals.
  3. Keep this as a dependency-only PR; avoid mixing runtime feature changes so rollback remains trivial if CI regressions appear.

Sent by Cursor Automation: Web compat and sec

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch from 1f16b35 to f232fb5 April 13, 2026 13:01
@cursor cursor Bot left a comment

Stale comment

Dependency risk review for jsdom update (29.0.0 -> resolved 29.0.2).

Confirmed Findings

  • No blocking security or runtime risk found in this PR diff.
  • The change is dev-only (injected/package.json devDependencies), so production bundles are not directly affected.
  • Upstream patch notes reviewed:
    • 29.0.1: fixes CSS shorthand parsing (border/background) and getComputedStyle() indexed-access regression.
    • 29.0.2: further getComputedStyle() correctness/perf and additional shorthand parsing fixes.
  • Existing CI evidence shows unit/integration checks passing on Ubuntu for this PR run.

Uncertain Concerns (Need Validation)

  • Coverage gap for upstream fix area: I did not find targeted tests asserting CSS shorthand parsing of border/background with keyword/var() combinations in our jsdom-based tests.
  • Since this PR resolves to 29.0.2 (not only 29.0.1), behavior changes from both patches are in scope; this is likely fine, but worth explicit acknowledgment in review policy.

Dependency Necessity

  • jsdom is still needed here: it is actively used in injected unit tests (web-detection, page-context-dom, dom-metadata) to provide DOM APIs not available in plain Node.

Suggested Follow-ups (separate PR, not this one)

  • Add focused regression tests for CSS shorthand parsing scenarios that motivated the upstream fixes.
  • Optional policy hardening: pin exact patch for test-only DOM engine dependencies if you want to avoid surprise lockfile drift during rebases.

No immediate fix PR is required to safely merge this dependency update.


Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • No findings.
  • injected/package.json (~55), package-lock.json (~57, ~6588, transitive blocks): changes are dependency metadata only (jsdom dev dependency and lockfile resolution). No modifications to injected runtime code paths (injected/src/**), wrappers (wrapper-utils.js), feature lifecycle hooks, or platform entry points.
  • package-lock.json transitive updates (@asamuzakjp/*, @csstools/*, undici) are scoped under the jsdom dependency tree and remain dev: true, so they do not alter production API shims, DOM overrides, or page-world execution behavior.

Security Assessment

  • No findings.
  • injected/package.json and package-lock.json only: no changes to captured globals, message bridge validation, origin checks, or any runtime code handling hostile page inputs.
  • Security posture impact is neutral-to-positive: updating jsdom and transitive undici in dev/test tooling reduces exposure to known dependency defects without expanding injected attack surface.

Risk Level

Low Risk — this PR only updates dev/test dependencies and lockfile entries, with no runtime JavaScript changes executed in web pages.

Recommendations

  1. Run npm run test-unit to validate jsdom-backed test behavior remains stable across environments.
  2. If CI has any DOM-test snapshot/golden baselines, recheck them for subtle parser/selector behavior changes from jsdom transitive updates.
  3. Keep this update isolated from runtime feature changes (good as-is) to preserve rollback simplicity if any test-only regressions appear.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency review for jsdom bump in PR #2567.

Confirmed issues

  • None identified.

Confirmed impact of this update

  • The effective update in this PR is jsdom 29.0.0 -> 29.0.2 (not only 29.0.1), as shown in injected/package.json and package-lock.json.
  • Upstream 29.0.1 -> 29.0.2 includes substantial CSS/computed-style internals changes (10 commits / 36 files in the upstream compare range), including:
    • Resolve computed CSS values lazily in CSSStyleDeclaration
    • Fix background shorthand handlers
    • Fix border shorthand handling
    • Consolidate color helpers
  • Transitive updates include undici (^7.24.5 in jsdom; lock resolved to 7.24.8) and CSS parser/color-selector stack updates.

Codebase-specific risk assessment

  • In this repo, jsdom is a devDependency and appears only in unit tests (no production runtime usage found).
  • Current direct jsdom usage is in:
    • injected/unit-test/web-detection.js
    • injected/unit-test/page-context-dom.spec.js
    • injected/unit-test/dom-metadata.spec.js
  • These three jsdom-using suites were run directly and passed:
    • npx jasmine unit-test/web-detection.js (80/80)
    • npx jasmine unit-test/page-context-dom.spec.js (20/20)
    • npx jasmine unit-test/dom-metadata.spec.js (18/18)

Uncertain concerns (low confidence)

  • Upstream changes are concentrated in CSS computed style / shorthand serialization, while our local tests do not explicitly validate advanced CSS shorthand/currentColor/color-mix behaviors. If future tests begin asserting those semantics, minor output differences are plausible.

Dependency necessity / alternatives

  • jsdom is still justified here: it provides DOM APIs needed by existing unit tests.
  • Replacing it with lighter DOM emulators would reduce fidelity and likely increase behavior drift in security-sensitive DOM detection tests.

Follow-up PR

  • No concrete breakage or security regression was confirmed, so I do not recommend drafting a separate fix PR at this time.

Sent by Cursor Automation: Review dependabot

Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.0.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.0.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch from f232fb5 to 3363318 Compare April 13, 2026 13:09

@cursor cursor Bot left a comment


Web Compatibility Assessment

  • File: injected/package.json; Line range: 58; Severity: info; Change is a dev-dependency version bump for jsdom only. No injected runtime feature code, wrappers, shims, or platform entry points were modified, so no direct risk to API-surface fidelity/prototype integrity on live sites.
  • File: package-lock.json; Line ranges: 60, 6589-6610, 9971-9973; Severity: info; Lockfile updates jsdom and transitive packages (undici, CSS parser/selector stack) in test tooling scope. This affects local/CI DOM emulation behavior, not production injected scripts.
  • File: package-lock.json; Line ranges: 97, 113; Severity: info; Transitive removal of lru-cache under jsdom-related packages can change jsdom-internal performance characteristics, but does not alter browser-page runtime behavior of Content Scope Scripts.

Security Assessment

  • File: injected/package.json, package-lock.json; Line ranges: all changed lines; Severity: info; No changes to security-sensitive runtime paths (captured-globals, wrapper-utils, DDGProxy, message bridge/transports, origin checks, or load() initialization paths).
  • File: package-lock.json; Line ranges: 6589-6610, 9971-9973; Severity: info; Dependency movement is limited to dev/test dependencies. No new data-exfiltration surface, message-boundary change, or global-capture bypass is introduced in shipped injected code.

Risk Level

Low Risk — this PR is dependency/lockfile-only in dev tooling (jsdom ecosystem) and does not modify production injection logic or security boundary code.

Recommendations

  1. Run injected unit/integration suites that execute under jsdom to detect emulation drift (selectors, CSS parsing, fetch/polyfill behavior).
  2. Add/keep targeted tests around any known jsdom-sensitive behavior in injected test helpers to catch future transitive parser/selector changes early.
  3. Alternative if you want tighter reproducibility: keep lockfile updates but pin jsdom without a caret in injected/package.json so future updates are explicit PRs only.

Sent by Cursor Automation: Web compat and sec


@cursor cursor Bot left a comment


Dependency Risk Review (jsdom)

No blocking security or behavior regressions found from this bump.

Confirmed findings

  1. Effective upgrade is broader than PR title
    The PR title says 29.0.0 -> 29.0.1, but the committed lockfile resolves to jsdom@29.0.2 (package-lock.json) and also updates transitive deps (undici and CSS parser/selector packages).

  2. Runtime product risk is low
    jsdom is a devDependency in injected/package.json, and repo usage is test-only (imports in injected/unit-test/web-detection.js, injected/unit-test/dom-metadata.spec.js, injected/unit-test/page-context-dom.spec.js). This does not ship into production bundles.

  3. Changed upstream areas are relevant to this test harness and currently pass
    Upstream v29.0.1/v29.0.2 notes mention changes to getComputedStyle() and CSS shorthand parsing (background/border).
    This repo has jsdom-backed tests touching computed style/visibility logic in web detection, and targeted execution passed locally (119 specs, 0 failures for WebDetection|dom-metadata|page-context).

Uncertain concerns (assumptions + validation)

  1. Coverage gap for newly changed CSS shorthand parsing paths
    I did not find unit assertions explicitly validating jsdom parsing of background/border shorthand or var() forms in this repo’s jsdom tests.
    Assumption: current feature logic mostly relies on display/visibility/opacity, so this is likely low risk now.
    Validation if desired: add one focused jsdom unit test that exercises shorthand + getComputedStyle() behavior used by detector visibility checks.

Is dependency still needed?

Yes. jsdom is actively used as the DOM test environment for multiple injected unit test suites.

Follow-up / separate PR suggestion

No mandatory fix PR required for this dependency bump.
Optional hardening PR: add targeted jsdom regression tests for CSS shorthand + computed-style edge cases to guard future patch bumps.


Sent by Cursor Automation: Review dependabot
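As an added example (not part of this PR or of the bot reviews above), a small Node.js check that reproduces the first confirmed finding: it reads the manifest range and the lockfile's resolved entry for a package and reports when the installed version differs from the version a bump announces. The package.json and package-lock.json fragments are constructed for illustration, and the caret range on jsdom is an assumption.

```javascript
// Constructed fragments modelled on this PR (not the repo's real files):
// the manifest declares a caret range for the announced 29.0.1, while the
// lockfile has already resolved to the newer 29.0.2 patch.
const MANIFEST = { devDependencies: { jsdom: "^29.0.1" } };
const LOCKFILE = {
  packages: {
    "node_modules/jsdom": { version: "29.0.2", dev: true },
    "node_modules/undici": { version: "7.24.8", dev: true },
  },
};

// Parse a strict X.Y.Z version into numbers; anything else is rejected.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret semantics as npm applies them: ^X.Y.Z keeps the leftmost non-zero
// component fixed and allows anything at or above the base below that boundary.
function satisfiesRange(range, version) {
  if (!range.startsWith("^")) return range === version; // exact pin
  const base = parseSemver(range.slice(1));
  const v = parseSemver(version);
  if (compareSemver(v, base) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return compareSemver(v, base) === 0;
}

// Compare what a bump announces with what the lockfile actually installs.
function auditBump(manifest, lockfile, name, announced) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const range = deps[name];
  const entry = lockfile.packages[`node_modules/${name}`];
  if (!range || !entry) throw new Error(`${name} missing from manifest or lockfile`);
  return {
    range,
    resolved: entry.version,
    devOnly: entry.dev === true, // true => test tooling only, not shipped code
    inRange: satisfiesRange(range, entry.version),
    matchesAnnounced: entry.version === announced,
  };
}

console.log(auditBump(MANIFEST, LOCKFILE, "jsdom", "29.0.1"));
```

A `matchesAnnounced: false` with `inRange: true` is exactly the situation the review flags: the bump is legitimate under the declared range, but the PR title understates what the lockfile installs.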


dependabot Bot commented on behalf of github Apr 20, 2026

Superseded by #2644.

@dependabot dependabot Bot closed this Apr 20, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/main/jsdom-29.0.1 branch April 20, 2026 12:20
Labels

  • dependencies (Update one or more dependencies version)
  • patch (Increment the patch version when merged)
  • semver-patch (Bug fix / internal, no release needed)