You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Significantly improved and sped up getComputedStyle(). Computed value rules are now applied across a broader set of properties, and include fixes related to inheritance, defaulting keywords, custom properties, and color-related values such as currentcolor and system colors. (@asamuzaK)
Fixed CSS 'background' and 'border' shorthand parsing. (@asamuzaK)
v29.0.1
Fixed CSS parsing of 'border', 'background', and their sub-shorthands containing keywords or var(). (@asamuzaK)
Fixed getComputedStyle() to return a more functional CSSStyleDeclaration object, including indexed access support, which regressed in v29.0.0.
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jsdom since your current version.
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Low Risk
Low risk dependency-only update to the dev/test DOM environment; main risk is minor test behavior changes due to updated CSS/computed-style handling and transitive dependency bumps.
Overview
Updates the dev dependency jsdom from 29.0.0 to 29.0.2 (and refreshes package-lock.json accordingly).
This pulls in updated transitive packages (notably CSS parsing/computed style helpers and undici) to match the new jsdom release.
Reviewed by Cursor Bugbot for commit 1c7c9e2. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
Suggested comment for Cursor review (copy and paste as a new comment):
@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?
Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.
Can you draft a separate PR with any fixes that might be needed?
Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Web Compatibility Assessment
injected/package.json (line 55), severity: info: jsdom is bumped from ^29.0.0 to ^29.0.2 in devDependencies only. No runtime injected feature code, wrapper utilities, API shims, or platform entry points are modified, so there is no direct browser API surface regression risk.
package-lock.json (line 57, line 6598, line 9980), severity: info: Lockfile updates are constrained to dependency resolution for the test/tooling graph (jsdom, @asamuzakjp/*, @csstools/*, undici). No content-scope runtime bundle behavior is changed.
Security Assessment
injected/package.json (line 55), severity: info: Change is isolated to a development dependency and does not alter hostile-page runtime paths (no changes to captured globals, message bridge, wrapper/proxy logic, or config gating).
package-lock.json (line 6598), severity: info: Updated transitive packages execute in test tooling context, not in injected production script context. No new postMessage, origin validation, bridge secret, or prototype-override attack surface is introduced.
Risk Level
Low Risk — dependency/lockfile-only update in dev/test tooling with no modifications to injected runtime code or security-critical browser integration paths.
Recommendations
Run injected test suites (npm run test-unit --workspace injected and relevant integration coverage) to catch any jsdom behavioral shifts in DOM emulation that could affect test expectations.
If CI shows newly flaky DOM/CSS-selector tests, inspect changes from @asamuzakjp/dom-selector and @asamuzakjp/css-color first; these are the most likely behavior-change vectors in this bump.
Keep this change isolated from functional code edits (as done here) to preserve rollback simplicity if test harness behavior regresses.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Dependency review for jsdom bump 29.0.0 -> 29.0.2.
Confirmed findings
No blocking issues found.
Evidence:
Diff scope is limited to injected/package.json + package-lock.json dependency graph updates.
jsdom is a devDependency only, used in injected unit tests (injected/unit-test/web-detection.js, injected/unit-test/page-context-dom.spec.js, injected/unit-test/dom-metadata.spec.js).
Upstream release notes for v29.0.1 and v29.0.2 are behavior fixes in CSS parsing and getComputedStyle() (no security-critical advisory in these notes).
Local validation on this PR state: npm run test-unit --workspace=injected passed (889 specs, 0 failures).
Uncertain concerns (non-blocking)
jsdom changed getComputedStyle() and background/border shorthand parsing semantics across 29.0.1/29.0.2.
Assumption: current tests adequately guard against behavior shifts. Required validation if we want higher confidence: add explicit assertions for background/border shorthand + var() + indexed CSSStyleDeclaration access in the affected unit-test areas.
Is this dependency still needed?
Yes, currently justified. npm ls jsdom --all shows jsdom is only pulled by the injected workspace test harness, and there is no parallel DOM emulator dependency to consolidate.
Separate follow-up PR
No fix PR is required for this bump.
Optional hardening PR: add targeted unit tests for the changed CSS/getComputedStyle behaviors to reduce future upgrade risk.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Web Compatibility Assessment
No compatibility regressions found in injected runtime code.
injected/package.json (devDependency update) — severity: info
jsdom was bumped from ^29.0.0 to ^29.0.2 in dev tooling only. No changes to injected feature code, wrapper utilities, API shims, or platform entry points.
package-lock.json (lockfile transitive updates) — severity: info
Transitives (@asamuzakjp/*, @csstools/*, undici) were updated as part of the jsdom bump. These affect test/runtime simulation in Node, not browser-injected production script behavior.
Security Assessment
No exploitable security issues identified in this diff.
injected/package.json, package-lock.json — severity: info
No modifications to captured-globals, message bridge, origin validation, stack-trace exemption logic, or any page-exposed override/shim code paths.
Change scope is limited to dev dependencies; no new messaging, postMessage, eval-like execution, or DOM-injection patterns introduced.
Risk Level
Low Risk — dependency/lockfile-only update in dev tooling (jsdom) with no changes to injected production code paths or security-sensitive runtime surfaces.
Recommendations
Run injected unit/integration suites that rely on jsdom to catch subtle DOM emulation behavior changes in tests.
If any snapshot/assertion drift appears, prefer test expectation updates over production code changes unless a real browser behavior mismatch is proven.
Keep this dependency bump isolated (no fallback code changes) unless CI demonstrates a concrete regression.
Assumption: installs run with engine-strict off (default npm behavior) and CI/dev Node from .nvmrc (22) is recent enough.
If any self-hosted/dev environments enforce strict engines on older Node patch versions, install could fail.
Test Coverage Check
jsdom is used in targeted injected unit tests (dom-metadata, page-context, web-detection/evaluateMatch).
I ran targeted suites locally after npm ci:
dom-metadata.js: 18/18 passing
page-context.js - domToMarkdown: 20/20 passing
evaluateMatch: 34/34 passing
Coverage gap: full workspace unit/integration matrix was not rerun in this review pass.
Is dependency still needed?
Yes, currently justified: it is the active DOM emulation layer for Node unit tests in injected.
Alternative (non-blocking): evaluate happy-dom/linkedom in a separate performance-focused PR if test runtime becomes a priority.
Recommendation
Approve/merge is reasonable with current evidence.
Optional hardening in a separate PR (not this one): add an explicit CI guard for Node floor compatibility (e.g., a lightweight npm ci job with strict engines) to catch future transitive engine bumps early.
A newer version of jsdom exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Web Compatibility Assessment
injected/package.json lines 58-58, severity: info: jsdom is bumped from ^29.0.0 to ^29.0.2 as an injected workspace devDependency only. No injected feature code, wrapper utilities, API shims, platform entry points, or page-world lifecycle code changed, so there is no direct browser API surface or timing-regression risk.
package-lock.json lines 61-61 and 6966-6997, severity: info: Lockfile movement is constrained to the jsdom test/tooling dependency graph. The updated DOM/CSS selector/color behavior may affect Node unit-test expectations, but it does not change production content-scope bundles.
package-lock.json lines 88-121 and 10395-10403, severity: info: Updated transitives (@asamuzakjp/*, @csstools/*, undici) are marked dev: true; no runtime web compatibility surface is introduced.
Security Assessment
injected/package.json lines 58-58, severity: info: The change does not touch hostile-page runtime paths such as captured-globals, DDGProxy, wrapper utilities, message bridge, origin validation, stack-trace exemptions, or config gating.
package-lock.json lines 6966-6997, severity: info: The new jsdom package is still a dev-only test dependency. No new production postMessage, native messaging, eval-like execution, DOM injection, iframe access, or network request path is added to injected scripts.
Risk Level
Low Risk — dependency/lockfile-only dev tooling update with no modifications to injected production code or security-critical browser integration paths.
Recommendations
No blocking compatibility or security changes requested.
Keep this PR dependency-only; avoid mixing in production code changes if CI exposes jsdom expectation drift.
Validation run on current head: npm ci completed on Node v22.22.0; npm run build --workspace=injected && npm run test-unit --workspace=injected passed (929 specs, 0 failures, 16 pending).
The reason will be displayed to describe this comment to others. Learn more.
Dependency review result: no blocking concerns found.
Evidence checked:
Diff only updates jsdom in injected/package.json and lockfile metadata from 29.0.0 to 29.0.2; it remains a direct dev dependency.
Upstream 29.0.1 / 29.0.2 release notes focus on CSS parsing and getComputedStyle() / CSSStyleDeclaration fixes. The notable 29.0.2getComputedStyle() regression report is closed, with the fix confirmed by using @asamuzakjp/dom-selector@7.1.1; this lockfile resolves that version.
Repo usage is limited to JSDOM imports in injected/unit-test/dom-metadata.spec.js, injected/unit-test/page-context-dom.spec.js, and injected/unit-test/web-detection.js.
After npm ci, verified installed versions include jsdom@29.0.2, @asamuzakjp/dom-selector@7.1.1, @asamuzakjp/css-color@5.1.11, and undici@7.25.0.
npm audit reports existing vulnerabilities, but none are attributed to the changed package set checked above.
Validation note: a full local npm run test-unit --workspace=injected run failed only because generated build artifacts were missing in this checkout (Sources/ContentScopeScripts/dist/*, build/*). PR CI shows the injected Ubuntu unit and injected integration jobs passing; some unrelated Windows / special-pages jobs were still running when reviewed.
No separate fix PR drafted because I did not find a concrete issue to fix.
The reason will be displayed to describe this comment to others. Learn more.
Web Compatibility Assessment
injected/package.json lines 58-58, severity: info: jsdom is bumped from ^29.0.0 to ^29.0.2 as an injected workspace devDependency. No injected feature code, wrapper utilities, API shims, DOM manipulation, lifecycle timing, or platform entry points changed, so there is no direct page-world compatibility surface.
package-lock.json lines 61-61 and 6966-6997, severity: info: Lockfile changes are scoped to the jsdom test/tooling graph. The likely behavior-change vectors are DOM/CSS emulation in Node tests (@asamuzakjp/*, @csstools/*, undici), not production content-scope bundles.
Security Assessment
injected/package.json lines 58-58, severity: info: No hostile-page runtime paths changed; this does not touch captured-globals, DDGProxy, wrapper utilities, message bridge, origin validation, stack-trace exemptions, config gating, postMessage, or iframe access.
package-lock.json lines 88-129, 6966-6997, and 10395-10402, severity: info: Updated transitives are marked dev: true. npm audit still reports existing repo vulnerabilities, but none match the changed jsdom/@asamuzakjp/@csstools/undici package set in this diff.
Risk Level
Low Risk — dependency/lockfile-only dev tooling update with no modifications to injected production code or security-critical browser integration paths.
Recommendations
No blocking compatibility or security changes requested.
Keep this PR dependency-only; if CI exposes jsdom expectation drift, handle it as test-harness behavior unless a real browser mismatch is demonstrated.
Validation on current head: npm ci, npm run build --workspace=injected, and npm run test-unit --workspace=injected passed (929 specs, 0 failures, 16 pending).
The reason will be displayed to describe this comment to others. Learn more.
Dependency update review for jsdom29.0.0 -> 29.0.2:
No blocking concerns found.
Evidence checked:
Diff only updates direct dev dependency jsdom in injected/package.json plus lockfile transitive dev deps.
Upstream jsdom29.0.1/29.0.2 release notes are CSSOM-focused: fixes to getComputedStyle() indexed/liveness behavior, broader computed-value handling, and border/background shorthand parsing.
Lockfile transitive movement includes @asamuzakjp/css-color, @asamuzakjp/dom-selector, new @asamuzakjp/generational-cache, @csstools/css-calc, @csstools/css-color-parser, and undici. These are all under the dev/test dependency graph here; the new package has no install lifecycle script in npm metadata.
Local repo usage of JSDOM is limited to injected unit tests (web-detection, page-context-dom, dom-metadata), not shipped browser scripts.
Full local npm run test-unit -w injected was not a useful signal in this checkout because generated build artifacts were absent for verify-artifacts.js; PR CI shows the injected unit job and current injected integration jobs passing.
Residual risk:
The main behavioral risk is test expectation drift around CSS computed styles/selectors, especially visibility checks using display, visibility, and opacity. Existing targeted specs cover that surface and passed with 29.0.2.
No separate fix PR appears necessary from this review.
Sent by Cursor Automation: Review dependabot
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesUpdate one or more dependencies versionpatchIncrement the patch version when mergedsemver-patchBug fix / internal — no release needed
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bumps jsdom from 29.0.0 to 29.0.2.
Release notes
Sourced from jsdom's releases.
Commits
2a1e2cd29.0.24097d66Resolve computed CSS values lazily in CSSStyleDeclarationcf5523fAdd more test cases for nested color-mix with currentColorb33b616Add test that getComputedStyle() works with !important6bf559cAdd test for custom property inheritance in computed styles6817657Fix border shorthand handling470f5c5Consolidate color helpers3db53cbFix background shorthand handlers678e840Remove some longhand property filesd526a07Add regression test for getComputedStyle() livenessMaintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jsdom since your current version.
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
Low risk dependency-only update to the dev/test DOM environment; main risk is minor test behavior changes due to updated CSS/computed-style handling and transitive dependency bumps.
Overview
Updates the dev dependency
jsdomfrom29.0.0to29.0.2(and refreshespackage-lock.jsonaccordingly).This pulls in updated transitive packages (notably CSS parsing/computed style helpers and
undici) to match the newjsdomrelease.Reviewed by Cursor Bugbot for commit 1c7c9e2. Bugbot is set up for automated code reviews on this repo. Configure here.