Skip to content

chore(deps-dev): bump happy-dom from 18.0.1 to 20.0.0 #661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 13, 2025
Merged

chore(deps-dev): bump happy-dom from 18.0.1 to 20.0.0 #661

merged 1 commit into from
Oct 13, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 11, 2025
edited by greptile-apps bot
Loading

Bumps happy-dom from 18.0.1 to 20.0.0.

Release notes

Sourced from happy-dom's releases.

v20.0.0

I avoid making breaking changes as much as possible in Happy DOM. When I have to make a breaking change, I try to keep it as minimal as possible. This could be a breaking change that impacts many projects, and I am truly sorry if you are negatively affected by this.

💣 Breaking Changes

  • Due to security risks, JavaScript evaluation is now disabled by default - By @​capricorn86 in task #1930
    • A security advisory (GHSA-37j7-fg3j-429f) has been reported that shows a security vulnerability where it's possible to escape the VM context and get access to process level functionality. Big thanks to @​Mas0nShi for reporting this!
    • Due to this security risk, JavaScript evaluation is now disabled by default to prevent that consumers accidentally executes untrusted code without taking precautions
    • JavaScript evaluation can be enabled by setting enableJavaScriptEvaluation to "true". Read more about how to enable this in a safer way in the Wiki

v19.0.2

👷‍♂️ Patch fixes

  • Fixes issue related to CSS pseudo selector :scope that didn't work correctly for direct descendants to root - By @​capricorn86 in task #1620

v19.0.1

👷‍♂️ Patch fixes

  • Fixes issue with sending in URLs as string in @happy-dom/server-renderer config using CLI - By @​capricorn86 in task #1908

v19.0.0

💣 Breaking Changes

  • Removes support for CommonJS - By @​capricorn86 in task #1730
    • Support for CommonJS is no longer needed as Node.js v18 is deprecated and v20 and above supports loading ES modules from CommonJS using require()
  • Updates Jest to v30 in the @happy-dom/jest-environment package - By @​capricorn86 in task #1730
  • Makes Jest packages peer dependencies to make it easier to align versions with the project using @happy-dom/jest-environment - By @​capricorn86 in task #1730

🎨 Features

  • Adds a new package called @happy-dom/server-renderer - By @​capricorn86 in task #1730
    • This package provides a simple way to statically render (SSG) or server-side render (SSR) your client-side application
    • Read more in the Wiki under Server-Renderer
  • Adds support for import.meta to the ESM compiler - By @​capricorn86 in task #1730
  • Adds support for the CSS pseudo selector :scope - By @​capricorn86 in task #1620
  • Improves support for MediaList - By @​capricorn86 in task #1730
  • Adds support for CSSKeywordValue, CSSStyleValue, StylePropertyMap, StylePropertyMap, StylePropertyMapReadOnly - By @​capricorn86 in task #1730
  • Improves debug information in the ESM compiler - By @​capricorn86 in task #1730
  • Adds validation of browser settings when creating a new Browser instance - By @​capricorn86 in task #1730
  • Adds support for the browser setting navigation.beforeContentCallback which makes it possible to inject event listeners or logic before content is loaded to the document when navigating a browser frame - By @​capricorn86 in task #1730
  • Adds support for the browser setting fetch.requestHeaders which provides with a declarative and simple way to add request headers - By @​capricorn86 in task #1730
  • Adds support for setting an object to timer.preventTimerLoops which makes it possible to define different settings for setTimeout() and requestAnimationFrame() - By @​capricorn86 in task #1730
  • Adds support for the browser setting viewport which makes it possible to define a default viewport size - By @​capricorn86 in task #1730
  • Adds support for the parameters beforeContentCallback and headers to BrowserFrame.goto(), BrowserFrame.goBack(), BrowserFrame.goForward(), BrowserFrame.goSteps() and BrowserFrame.reload() - By @​capricorn86 in task #1730
  • Adds support for PopStateEvent and trigger the event when navigating the page history using History.pushState() - By @​capricorn86 in task #1730
  • Use local file paths for virtual server files in stack traces - By @​capricorn86 in task #1730
  • Adds support for ResponseCache.fileSystem.load() and ResponseCache.fileSystem.save() for storing and loading cache from the file system - By @​capricorn86 in task #1730

👷‍♂️ Patch fixes

  • Fixes a bug in the ESM compiler that caused it to fail to parse certain code - By @​capricorn86 in task #1730
  • Disables the same origin policy when navigating a browser frame using BrowserFrame.goto() - By @​capricorn86 in task #1730
  • Fixes bug where CSS selectors with the pseudos "+" and ">" failed for selectors without arguments - By @​capricorn86 in task #1730

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Important

Bumps happy-dom from 18.0.1 to 20.0.0, introducing breaking changes like disabling JavaScript evaluation by default and removing CommonJS support.

  • Dependency Update:
    • Bumps happy-dom from 18.0.1 to 20.0.0 in package.json.
  • Breaking Changes:
    • JavaScript evaluation is disabled by default due to security risks.
    • Removes support for CommonJS.
  • Features:
    • Adds @happy-dom/server-renderer package for SSG/SSR.
    • Supports import.meta in ESM compiler.
  • Patch Fixes:
    • Fixes CSS pseudo selector :scope issue.
    • Fixes URL string handling in @happy-dom/server-renderer config.

This description was created by Ellipsis for db4ebbd. You can customize this summary. It will automatically update as commits are pushed.

Disclaimer: Experimental PR review

Greptile Overview

Updated On: 2025-10-11 00:18:22 UTC

Summary

Updated happy-dom from version 18.0.1 to 20.0.0, a dev dependency used as the test environment for Vitest.

Key Changes:

  • Major version bump skips v19, includes breaking changes from both v19 and v20
  • Breaking (v20): JavaScript evaluation is now disabled by default in happy-dom's VM context due to security vulnerability (GHSA-37j7-fg3j-429f). Can be re-enabled with enableJavaScriptEvaluation: true if needed.
  • Breaking (v19): Removed CommonJS support (ESM only), updated Jest to v30
  • Includes Node.js engine requirement update to >=20 (already met by this project)
  • Transitive dependency updates: @types/node (18.19.124→130, 20.19.11→20, 24.3.0→24.7.1), undici-types (7.10.0→7.14.0)

Impact Assessment:

  • The eval() usage found in tests/e2e/langchain.e3e.test.ts:469 runs in Node.js context (not happy-dom VM), so it's unaffected by the breaking change
  • happy-dom is used only as the test environment in vitest.config.ts, no custom configuration needed
  • All breaking changes are compatible with the existing setup

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • Standard automated dependency update with breaking changes that don't affect this codebase. The eval() usage in tests runs in Node.js context, not the happy-dom VM that has the breaking change. All transitive dependency updates are routine. Tests should be run to verify, but no code changes are needed.
  • No files require special attention

Important Files Changed

File Analysis

Filename Score Overview
package.json 5/5 Updated happy-dom from 18.0.1 to 20.0.0, a dev dependency used for testing environment
pnpm-lock.yaml 5/5 Lockfile updated with happy-dom 20.0.0 and transitive dependency updates

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Dep as Dependabot
    participant PKG as package.json
    participant Lock as pnpm-lock.yaml
    participant Vitest as Vitest Tests
    participant HD as happy-dom 20.0.0

    Dep->>PKG: Update happy-dom: 18.0.1 → 20.0.0
    Dep->>Lock: Update dependency tree
    Lock->>Lock: Update @types/node versions
    Lock->>Lock: Update undici-types versions
    
    Note over Vitest,HD: Breaking Change: JS eval disabled by default
    
    Vitest->>HD: Initialize test environment
    HD-->>Vitest: Environment ready (no eval by default)
    Vitest->>Vitest: Run test suites
    
    alt Tests use eval() in Node.js context
        Note over Vitest: Tests run in Node.js, not happy-dom VM
        Vitest->>Vitest: eval() works normally
    else Tests need happy-dom eval
        HD-->>Vitest: Would need enableJavaScriptEvaluation: true
    end
Loading

@dependabot
chore(deps-dev): bump happy-dom from 18.0.1 to 20.0.0
db4ebbd 
Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 18.0.1 to 20.0.0.
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v18.0.1...v20.0.0)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 11, 2025
@vercel
Copy link

vercel bot commented Oct 11, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
langfuse-js Ready Ready Preview Oct 11, 2025 0:17am

greptile-apps[bot]
greptile-apps bot reviewed Oct 11, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, no comments

Edit Code Review Agent Settings | Greptile

@hassiebp hassiebp merged commit eaff05e into main Oct 13, 2025
8 checks passed
@hassiebp hassiebp deleted the dependabot/npm_and_yarn/happy-dom-20.0.0 branch October 13, 2025 07:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hassiebp