build(deps-dev): bump jsdom from 29.0.2 to 29.1.1 #2721

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/jsdom-29.1.1

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Bumps jsdom from 29.0.2 to 29.1.1.

Release notes

Sourced from jsdom's releases.

v29.1.1

  • Fixed 'border-radius' computed style serialization. (@​asamuzaK)
  • Fixed computed style computation when using 'background-origin' and 'background-clip' CSS properties. (@​asamuzaK)
  • Significantly optimized initial calls to getComputedStyle(), before the cache warms up. (@​asamuzaK)

v29.1.0

  • Added basic support for the ratio CSS type. (@​asamuzaK)
  • Fixed getComputedStyle() sometimes returning outdated results after CSS was modified. (@​asamuzaK)

Note

Low Risk
DevDependency-only version bump with lockfile churn; no shipped extension logic is modified.

Overview
Bumps the dev dependency jsdom from 29.0.2 to 29.1.1 in injected/package.json, with the matching lockfile refresh for jsdom and its transitive packages (e.g. parse5, lru-cache, undici, @csstools/css-syntax-patches-for-csstree).

No application or extension runtime code changes—only the test DOM environment used by Jasmine unit tests that import JSDOM (e.g. dom metadata, page context, web detection). The newer jsdom release mainly improves getComputedStyle() behavior and performance, which may slightly affect tests that stub computed styles.

Reviewed by Cursor Bugbot for commit e588413. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added the "dependencies" (Update one or more dependencies version) and "minor" (Increment the minor version when merged) labels May 27, 2026
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

No web-compatibility findings. This PR only bumps the injected workspace devDependency jsdom from 29.0.2 to 29.1.1 and updates its lockfile transitive set; it does not change bundled injected source, wrapper utilities, API shims, messaging, config handling, DOM mutation logic, or platform entry points.

Release-note impact is limited to jsdom test behavior: v29.1.0 adds basic CSS ratio type support and fixes stale getComputedStyle() after CSS mutation; v29.1.1 fixes computed style serialization for border-radius/background-origin/background-clip and optimizes initial getComputedStyle() calls. Those can affect DOM/CSS unit-test expectations, but not page-world runtime behavior.

Security Assessment

No PR-introduced security findings. jsdom remains a devDependency used by injected unit tests only (web-detection, page-context-dom, and dom-metadata specs), so the bump does not add injected runtime code, captured-global usage, bridge/origin handling changes, or new data-exfiltration surface.

Risk Level

Low Risk: dependency-only dev/test change with no shipped injected runtime surface and no changes to security-sensitive modules.

Recommendations

  • Keep the dependency: it is still directly used by injected unit tests that construct DOM fragments without a browser process.
  • If reducing test dependency surface becomes a goal later, the alternative is moving those DOM-fragment assertions to a browser/Playwright-backed helper, but that is heavier and not needed for this bump.

Verification: npm ci, npm run build --workspace=injected, and npm run test-unit --workspace=injected all pass (929 specs, 0 failures, 16 pending).

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency risk assessment for jsdom 29.0.2 -> 29.1.1: no blocking concerns found.

Evidence checked:

  • Diff only changes injected/package.json and package-lock.json; jsdom remains an injected devDependency.
  • Upstream release notes/compare show CSSOM-focused changes: style cache invalidation, ratio CSS units, background-origin/background-clip, border-radius serialization, and getComputedStyle() optimization.
  • Local code search found jsdom only in injected unit tests: web-detection, page-context-dom, and dom-metadata. No production bundle/runtime dependency found.
  • Focused local validation passed: npx jasmine --config=unit-test/config.json unit-test/dom-metadata.spec.js unit-test/page-context-dom.spec.js unit-test/web-detection.js => 118 specs, 0 failures.
  • The full local npm run test-unit --workspace=injected failure was limited to missing generated build artifacts in this workspace; the PR CI has injected/special-pages unit and integration jobs green.
  • Supply-chain pass: jsdom license/engine/maintainers are unchanged; lockfile includes registry integrities; no install lifecycle scripts found for jsdom or the newly introduced/changed transitive packages checked. npm audit still reports existing unrelated dev-tree issues, but none matched the changed jsdom/parse5/entities/undici/@asamuzakjp packages.

Residual risk:

  • The update touches getComputedStyle() and selector/CSS parsing behavior, so regressions would most likely show up in DOM/CSS-dependent tests rather than production code. The direct consumers passed.
  • The Build Release Branch check failure appears to be a git push/network failure (HTTP 408), not a dependency/build failure.

No separate fix PR opened because I did not find a required fix.

Sent by Cursor Automation: Review dependabot
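
The supply-chain checks named in the review above (registry integrity hashes, install lifecycle scripts, dev-only scope) can be run directly against a lockfile. This is an added example, not code from the PR, the repository or the review bot; the sample lockfile, its `example-*` package names and the constant-byte hashes are constructed, and the single-registry policy is an assumption.

```javascript
// Added example: audit package-lock.json (lockfileVersion 2/3) entries for the
// properties a dependency-bump review cares about. Runs on Node.js, no imports.

// Assumption: every tarball is expected to come from the public npm registry.
const REGISTRY_HOST = 'registry.npmjs.org';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root
// project and workspace folders, which are not installed packages.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// True when at least one SRI entry is sha512 and decodes to a 64-byte digest.
function hasStrongIntegrity(integrity) {
  return String(integrity || '').split(/\s+/).some((sri) => {
    const m = /^sha512-([A-Za-z0-9+/]+={0,2})$/.exec(sri);
    return m !== null && Buffer.from(m[1], 'base64').length === 64;
  });
}

// True when "resolved" is an https URL on the expected registry host.
function isRegistryTarball(resolved) {
  try {
    const url = new URL(resolved);
    return url.protocol === 'https:' && url.host === REGISTRY_HOST;
  } catch {
    return false; // missing or unparsable "resolved"
  }
}

// Returns one finding per failed check. `names` optionally restricts the audit
// to the packages a bump actually changed.
function auditLockfile(lock, names) {
  const wanted = names ? new Set(names) : null;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === null || entry.link) continue; // root, workspace dir or symlink
    if (wanted && !wanted.has(name)) continue;
    const report = (issue) => findings.push({ path, name, issue });
    if (!hasStrongIntegrity(entry.integrity)) report('integrity');
    if (!isRegistryTarball(entry.resolved)) report('resolved');
    if (entry.hasInstallScript === true) report('install-script');
    if (entry.dev !== true) report('not-dev-only'); // also installed in production
  }
  return findings;
}

function summarize(findings) {
  return findings.map((f) => `${f.name}:${f.issue}`);
}

// --- Constructed sample data (not the repository's real lockfile) ---
const sri = (byte) => 'sha512-' + Buffer.alloc(64, byte).toString('base64');
const tarball = (name, v) => `https://${REGISTRY_HOST}/${name}/-/${name}-${v}.tgz`;

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root' },
    injected: { name: 'injected' },
    'node_modules/jsdom': {
      version: '29.1.1', resolved: tarball('jsdom', '29.1.1'),
      integrity: sri(1), dev: true,
    },
    'node_modules/jsdom/node_modules/parse5': {
      version: '8.0.1', resolved: tarball('parse5', '8.0.1'),
      integrity: sri(2), dev: true,
    },
    // Hypothetical packages, each built to trip one or more checks.
    'node_modules/example-with-install-script': {
      version: '1.0.0', resolved: tarball('example-with-install-script', '1.0.0'),
      integrity: sri(3), dev: true, hasInstallScript: true,
    },
    'node_modules/example-git-resolved': {
      version: '1.0.0', resolved: 'git+ssh://git@example.invalid/pkg.git#0000000',
      dev: true,
    },
    'node_modules/example-runtime-dep': {
      version: '1.0.0', resolved: tarball('example-runtime-dep', '1.0.0'),
      integrity: sri(4),
    },
  },
};

console.log(summarize(auditLockfile(SAMPLE_LOCK)));
console.log(summarize(auditLockfile(SAMPLE_LOCK, ['jsdom', 'parse5'])));
```

A format check on `integrity` only proves the lockfile pins a hash; confirming that the hash matches what the registry serves is a separate comparison against registry metadata.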

@jonathanKingston

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.1.1 branch from 67bd5d1 to 75c7f39 Compare June 9, 2026 14:36
@dependabot dependabot Bot requested a review from a team as a code owner June 9, 2026 14:36
@github-actions

github-actions Bot commented Jun 9, 2026

Build Branch

Branch: pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1
Commit: f56e008216
Updated: June 9, 2026 at 4:40:37 PM UTC

Static preview entry points (QR codes for mobile preview): Docs, Static pages, Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#f56e0082167bee9e1e4b4c92b4e2825d3a30b9d7

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "f56e0082167bee9e1e4b4c92b4e2825d3a30b9d7")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/jsdom-29.1.1
git -C submodules/content-scope-scripts checkout f56e0082167bee9e1e4b4c92b4e2825d3a30b9d7

@cursor cursor Bot left a comment

Stale comment

Injected PR Evaluation: Web Compatibility & Security

Reviewed PR #2721 (jsdom 29.0.2 → 29.1.1). Diff is limited to injected/package.json and package-lock.json; no files under injected/src/ or platform entry points are touched.

Web Compatibility Assessment

| File | Severity | Finding |
| --- | --- | --- |
| injected/package.json | info | jsdom is a devDependency only. It is not bundled into contentScope.js / inject.js and does not run in user-facing page contexts. No API surface fidelity, prototype chain, DOM timing, or platform-specific runtime concerns apply. |
| injected/unit-test/*.js (unchanged) | info | jsdom is consumed only by unit tests (web-detection.js, page-context-dom.spec.js, dom-metadata.spec.js). The 29.1.x release improves getComputedStyle() behavior (border-radius serialization, background-origin/background-clip, cache warmup). This may slightly change test DOM semantics but does not affect live sites. |

No web compatibility regressions identified for injected runtime.

Security Assessment

| File | Severity | Finding |
| --- | --- | --- |
| injected/package.json | info | Dev-only dependency bump. No change to captured-globals.js, message bridge, messaging transports, or config trust boundaries. |
| package-lock.json (transitive) | info | Lockfile also updates jsdom transitive deps (undici 7.24→7.25, parse5 8.0.0→8.0.1, entities 6→8, lru-cache, @csstools/css-syntax-patches-for-csstree). All remain under the dev/test tree and are not shipped to browsers. |

No security vulnerabilities or trust-boundary changes identified.

Risk Level

Low Risk — dependency-only dev/test tooling update with zero injected runtime surface area.

Recommendations

  1. Merge once CI is green. Local verification: npm ci, npm run build --workspace=injected, and npm run test-unit --workspace=injected all succeeded (937 specs, 0 failures).
  2. No runtime follow-up required. If web-detection unit tests ever flake on computed-style assertions, the 29.1.x CSS fixes are more likely to reduce false negatives than introduce breakage.

Cursor automation — injected web compat & security review

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency review: jsdom 29.0.2 → 29.1.1

Verdict: Low risk — safe to merge. No blocking issues found; no follow-up PR required.


Scope & blast radius

  • jsdom is a devDependency in injected/package.json only — it is not bundled into production browser payloads.
  • Used exclusively by three unit-test files:
    • injected/unit-test/dom-metadata.spec.js — DOM traversal / anchor helpers
    • injected/unit-test/page-context-dom.spec.js: domToMarkdown fixture tests
    • injected/unit-test/web-detection.js: evaluateMatch visibility / selector tests

Changelog impact (29.0.2 → 29.1.1)

Changes are confined to the CSSOM / getComputedStyle stack:

| Version | Changes |
| --- | --- |
| 29.1.0 | Style-cache invalidation fix; aspect-ratio support |
| 29.1.1 | border-radius serialization fix; background-origin / background-clip fix; getComputedStyle perf optimization |

Confirmed relevance to this repo: web-detection unit tests call getComputedStyle for display, visibility, and opacity visibility matching (matching.js:isVisible). This is the only usage surface materially affected by the release notes.

Confirmed non-impact: dom-metadata tests do not exercise computed styles. page-context tests use getComputedStyle indirectly via checkNodeIsVisible for display: none filtering — behavior unchanged.


Test coverage

Ran jsdom-touching specs on Node 22.14.0 with the updated lockfile:

| Filter | Result |
| --- | --- |
| dom-metadata, page-context-dom, web-detection (22 specs) | ✅ 0 failures |
| evaluateMatch visibility suite (34 specs) | ✅ 0 failures |
| hidden-content page-context fixture | ✅ 0 failures |

Coverage gap (informational, not blocking): No unit tests exercise border-radius, background-origin/clip, or aspect-ratio through jsdom. These are outside current feature usage and irrelevant to production code paths.


Dependency necessity

jsdom remains appropriate here. Unit tests need a lightweight in-process DOM with CSS selector and computed-style support; Playwright integration tests cover real-browser behavior separately. No happy-dom / linkedom usage elsewhere in the monorepo.


Supply chain

| Check | Status |
| --- | --- |
| Package provenance | Established maintainers (incl. domenic); MIT license |
| Lockfile integrity | sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q== matches npm registry |
| Runtime exposure | None — devDependency only |
| Node engine | jsdom requires ^20.19.0 \|\| ^22.13.0 \|\| >=24; repo .nvmrc is 22 |
| Transitive bumps | entities 6→8 (via parse5), undici 7.24→7.25, lru-cache 11.2→11.5 — all dev-scoped, no known advisories on these versions |

Informational note (no action required)

web-detection.js test harness still wraps getComputedStyle with a Proxy to coerce empty-string opacity to "1" (comment: "JSDOM returns '' for opacity"). On 29.1.1, default opacity already serializes as "1", so the workaround is now redundant but harmless. Optional future cleanup only — not a merge blocker.


Separate fix PR

Not needed. All jsdom-dependent tests pass; no production code changes required.

Sent by Cursor Automation: Review dependabot

@jonathanKingston

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.1.1 branch from 75c7f39 to c4e4b2d Compare June 9, 2026 15:10

@cursor cursor Bot left a comment

Stale comment

Injected PR Evaluation: Web Compatibility & Security

Reviewed diff 6a9b19f...c4e4b2d (synchronize). Verified locally: npm ci, npm run build --workspace=injected, npm run test-unit --workspace=injected → 937 specs, 0 failures.


Web Compatibility Assessment

No injected-runtime findings.

| File | Severity | Explanation |
| --- | --- | --- |
| injected/package.json | info | jsdom is a devDependency only. No changes to injected/src/, entry points, or feature bundles — zero page-world API surface impact. |
| package-lock.json | info | Transitive lockfile updates (parse5, entities, lru-cache, undici, @csstools/css-syntax-patches-for-csstree) are confined to the dev/test graph. |
| injected/unit-test/web-detection.js (consumer, unchanged) | info | This test file wraps getComputedStyle to paper over jsdom quirks. jsdom 29.1.x improves CSSOM/getComputedStyle fidelity (border-radius serialization, background-origin/clip, cache optimizations). Tests still pass; any behavioral delta is test-harness only. |

Security Assessment

No security findings.

| File | Severity | Explanation |
| --- | --- | --- |
| Entire diff | info | No changes to captured-globals.js, wrapper-utils.js, message bridge, messaging transports, or injected/src/features/. jsdom does not ship in production bundles. |
| package-lock.json | info | Transitive bumps (undici 7.24.5→7.25.0, parse5 8.0.0→8.0.1, entities 6→8) are dev-scoped; no new network surface in injected runtime. |

Risk Level

Low Risk — dev-only dependency bump with no injected source changes; unit tests pass.


Recommendations

  1. Merge once CI is green (local verification already clean).
  2. Optional follow-up (non-blocking): Revisit the getComputedStyle Proxy shim in injected/unit-test/web-detection.js if jsdom 29.1.x now returns browser-like defaults for opacity and related properties — the shim may be redundant but is harmless while tests pass.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency update review: jsdom 29.0.2 → 29.1.1

Verdict: Low risk — safe to merge. No blocking issues found.


Scope of change

Only injected/package.json and package-lock.json change. jsdom is a devDependency used exclusively in Jasmine unit tests; it is not bundled into injected scripts shipped to browsers.

Changelog impact (29.0.2 → 29.1.1)

All changes are CSSOM / getComputedStyle() correctness and performance fixes:

| Release | Changes |
| --- | --- |
| 29.1.0 | getComputedStyle() style-cache invalidation fix; basic ratio CSS unit support |
| 29.1.1 | border-radius serialization fix; background-origin / background-clip computed-style fix; faster initial getComputedStyle() calls |

No breaking changes, no network/fetch surface changes, no security advisories.

Codebase impact

jsdom is imported in three test files:

  • injected/unit-test/web-detection.js — DOM matching via JSDOM + getComputedStyle() (opacity visibility checks)
  • injected/unit-test/page-context-dom.spec.js: domToMarkdown fixture tests (display: none visibility)
  • injected/unit-test/dom-metadata.spec.js — anchor/selection metadata helpers (basic DOM only)

Production code that depends on computed styles (web-detection/matching.js, page-context.js, detection-utils.js) runs in real browsers; jsdom fidelity changes do not affect shipped behavior.

Confirmed: jsdom 29.1.1 now returns "1" for default opacity (was "" in 29.0.2). The Proxy workaround in web-detection.js is therefore obsolete but harmless — tests still pass with it in place.

Test coverage

Ran 119 specs touching jsdom consumers (dom-metadata, page-context, WebDetection): 0 failures.

Coverage is adequate for this bump:

  • Opacity-based visibility matching is exercised in web-detection.js (including opacity: 0 cases)
  • display: none hidden-content path is covered in page-context-dom.spec.js

Minor gap (non-blocking): page-context-dom.spec.js does not fixture-test opacity: 0 or visibility: hidden paths in checkNodeIsVisible(). Unlikely to regress on this patch, but worth a follow-up fixture if we want tighter guardrails.

Dependency necessity

jsdom remains the right choice here. It is the only DOM implementation in this repo (no happy-dom/linkedom). Integration tests correctly use Playwright for real-browser coverage. No alternative needed.

Supply chain

| Factor | Assessment |
| --- | --- |
| Package | jsdom — mature, MIT, ~22k GitHub stars, maintained by jsdom org |
| Runtime exposure | Dev-only; not in production bundle |
| Transitive bumps | parse5 8.0.1, entities 8.0.0, undici 7.25.0, lru-cache 11.5.1, @asamuzakjp/* CSS helpers — all reputable, dev-scoped |
| Node requirement | entities@8 requires Node ≥ 20.19.0; repo targets Node 22 (.nvmrc) — compatible |
| Known CVEs | None identified for 29.1.1 |

Separate fix PR

No fix PR needed. The upgrade is clean and tests pass. Optional follow-up (not blocking): remove the obsolete getComputedStyle opacity Proxy shim in web-detection.js now that jsdom returns browser-like defaults.

Sent by Cursor Automation: Review dependabot

@jonathanKingston

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.1.1 branch from c4e4b2d to 45f64d4 Compare June 9, 2026 15:38

@cursor cursor Bot left a comment

Stale comment

Injected PR Evaluation: Web Compatibility & Security

PR: build(deps-dev): bump jsdom from 29.0.2 to 29.1.1

Reviewed diff 23c7c8ce…45f64d43 and verified jsdom usage is confined to unit-test harnesses. Ran 43 jsdom-dependent Jasmine specs locally — all passed.


Web Compatibility Assessment

| File | Lines | Severity | Finding |
| --- | --- | --- | --- |
| injected/package.json | 58 | info | jsdom is listed under devDependencies only. It is not bundled into platform entry points and has zero runtime impact on injected page-world code. |
| package-lock.json | (transitive) | info | Lockfile updates pull in CSS/DOM parser patches (@csstools/css-syntax-patches-for-csstree, parse5, entities, etc.). These affect the Node.js test environment only, not browser WebViews. |
| injected/unit-test/web-detection.js | 648–660 | info | This test helper wraps getComputedStyle to paper over jsdom opacity defaults. jsdom 29.1.x improves getComputedStyle serialization/performance; the Proxy shim remains compatible and tests pass. No production API-fidelity concerns apply. |

No web compatibility regressions identified. No changes touch wrapper-utils.js, feature shims, prototype chains, DOM injection paths, or platform bundles.


Security Assessment

| File | Lines | Severity | Finding |
| --- | --- | --- | --- |
| injected/package.json | 58 | info | Dev-only dependency — not shipped to end users. No exposure of messaging bridge, captured-globals, or nativeData handling. |
| package-lock.json | (transitive) | info | Transitive bumps (undici 7.25.0, parse5 8.0.1, entities 8.0.0) are test-time only. jsdom's ResourceLoader/fetch paths are not exercised by C-S-S unit tests in a way that could reach production. |
| package-lock.json | entities engines | info | entities@8 now requires node >=20.19.0. Repo targets Node 22 — compatible. |

No security vulnerabilities identified. No changes to trust boundaries, origin validation, global capture hygiene, or config gating.


Risk Level

Low Risk — lockfile-only dev-dependency bump with no modifications to injected source, build entry points, or security-sensitive infrastructure.


Recommendations

  1. Merge once CI is green — no injected-code changes required.
  2. Optional: If CI flakes on web-detection specs, re-run; jsdom 29.1.x getComputedStyle changes are the only plausible (test-only) delta, and local runs passed 43/43 filtered specs.
  3. No follow-up hardening, config gating, or captured-globals changes needed for this PR.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency update risk assessment: jsdom 29.0.2 → 29.1.1

Verdict: Low risk — safe to merge. This is a dev-only dependency (injected/package.json); it is not shipped in production bundles.

Scope of change

Only injected/package.json and package-lock.json change. JSDOM is used exclusively in three unit-test files:

  • injected/unit-test/web-detection.js — DOM + getComputedStyle for visibility matching
  • injected/unit-test/page-context-dom.spec.js — DOM for domToMarkdown fixture tests
  • injected/unit-test/dom-metadata.spec.js — DOM traversal helpers

Changelog impact (29.0.2 → 29.1.1)

Both minor releases are CSS/getComputedStyle focused:

v29.1.0

  • Style cache invalidation fix (stale computed styles after CSS mutation)
  • Basic ratio CSS unit support

v29.1.1

  • border-radius computed-style serialization fix
  • background-origin / background-clip computed-style fix
  • Performance optimization for initial getComputedStyle() calls

Confirmed relevance: web-detection/matching.js uses getComputedStyle for display, visibility, and opacity in element visibility checks. The changelog fixes align with code paths exercised by the evaluateMatch visibility tests (display: none, visibility: hidden, opacity: 0). These changes should improve test fidelity, not break it.

Transitive dependency bumps (via lockfile): parse5 8.0.0→8.0.1, entities 6.0.1→8.0.0, lru-cache 11.2.7→11.5.1, undici 7.24.5→7.25.0, @csstools/css-syntax-patches-for-csstree 1.1.1→1.1.5. All are dev-time transitive deps of jsdom.

Test coverage

Ran jsdom-consuming specs on 29.1.1:

cd injected && npm run test-unit -- --filter="web-detection|dom-metadata|page-context"
→ 43 specs, 0 failures

web-detection.js has thorough visibility coverage. page-context-dom.spec.js does not exercise checkNodeIsVisible() (which also calls getComputedStyle) — this is a pre-existing gap, not introduced by this bump.

Node.js engine requirements

  • jsdom 29.1.1 requires ^20.19.0 || ^22.13.0 || >=24.0.0
  • Transitive entities@8.0.0 requires >=20.19.0
  • Repo .nvmrc is 22; CI uses node-version-file: '.nvmrc'. No conflict with current setup.

Supply chain

  • Source: Official jsdom/jsdom on npm, MIT license, ~22k GitHub stars, maintained by established contributors (Domenic Denicola et al.)
  • Integrity: Lockfile pins integrity: sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q==
  • Attack surface: Dev/test only; no runtime network fetches from test code paths reviewed
  • Risk level: Low

Dependency necessity

JSDOM remains appropriate here. It provides lightweight in-process DOM for Jasmine unit tests without Playwright overhead. Integration tests already use Playwright for real-browser coverage. No alternative needed.

Uncertain / informational (not blockers)

  1. Obsolete test shim: web-detection.js still wraps getComputedStyle in a Proxy to coerce opacity: "" → "1", but JSDOM 29.0.2+ already returns "1". The shim is harmless but misleading. Cleanup PR opened separately (not on this branch).
  2. checkNodeIsVisible untested with real JSDOM: page-context.js visibility logic has no dedicated jsdom fixture tests. Worth adding eventually, but unrelated to this bump.

Recommendation

Approve and merge. No production impact, changelog changes are CSS correctness improvements aligned with existing test coverage, and supply-chain risk is low.

Sent by Cursor Automation: Review dependabot

@jonathanKingston

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.1.1 branch from 45f64d4 to 8fc30ca Compare June 9, 2026 16:18

@cursor cursor Bot left a comment

Stale comment

Injected PR Evaluation: Web Compatibility & Security

PR: build(deps-dev): bump jsdom from 29.0.2 to 29.1.1

Web Compatibility Assessment

No findings.

This PR only updates jsdom in injected/package.json (devDependencies) and the lockfile. It does not modify injected/src/, platform entry points, wrapper utilities, or any code shipped into page contexts. jsdom is used exclusively in unit tests (dom-metadata.spec.js, page-context-dom.spec.js, web-detection.js) to simulate DOM APIs in Node — it is not bundled into content-scope scripts.

Security Assessment

No findings.

No changes to captured-globals.js, messaging transports, message bridge, postMessage, or runtime feature initialization. Transitive lockfile updates (parse5, entities, lru-cache, undici, @asamuzakjp/*, @csstools/css-syntax-patches-for-csstree) are dev-only and do not affect the injected runtime attack surface.

Risk Level

Low Risk — dev-only test dependency bump with no injected-runtime code changes.

Recommendations

  1. Info: Merge after CI passes. No injected-runtime action required.
  2. Info: Targeted jsdom unit tests passed locally (118 specs, 0 failures across dom-metadata.spec.js, page-context-dom.spec.js, web-detection.js).
  3. Info: Lockfile churn is limited to jsdom and its transitive dependencies; no unrelated ref or version-downgrade changes observed.

Cursor Automation — Injected PR Evaluation (Web Compatibility & Security)

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Dependency update risk assessment: jsdom 29.0.2 → 29.1.1

Verdict: Low risk — safe to merge. No blocking issues found. No companion fix PR is needed.


Scope

Package: jsdom (devDependency, injected/ workspace only)
Runtime impact: None — not bundled into injected scripts or special-pages
Usage: 3 unit-test files: web-detection.js, page-context-dom.spec.js, dom-metadata.spec.js

Changelog impact (29.0.2 → 29.1.1)

Changes are confined to CSS/DOM emulation — no networking, script execution, or security-model changes.

v29.1.0

  • Fixed getComputedStyle() returning stale values after CSS modifications (cache invalidation)
  • Added basic ratio CSS unit support

v29.1.1

  • Fixed border-radius computed-style serialization
  • Fixed background-origin / background-clip computed-style computation
  • Performance optimization for initial getComputedStyle() calls

Relevance to this repo: The only direct getComputedStyle consumer in jsdom-backed tests is web-detection.js, which wraps jsdom's getComputedStyle to paper over opacity defaults ("" → "1"). The v29.1.0 cache-invalidation fix is aligned with that usage pattern. All 43 jsdom-related specs pass on 29.1.1.


Test coverage

Ran jasmine --filter="dom-metadata|page-context|web-detection" against 29.1.1:

  • 43 specs, 0 failures

web-detection.js exercises opacity/visibility matching via matchInDOM(). page-context-dom.spec.js covers DOM-to-markdown traversal. dom-metadata.spec.js covers anchor/text extraction. These are the right surfaces for this bump.

Gap (non-blocking): No unit tests assert jsdom's raw getComputedStyle output for border-radius or background-clip — but those properties aren't used in production code paths that depend on jsdom.


Dependency necessity

jsdom remains the right choice here. It's the sole DOM-emulation library in the repo and is used appropriately for lightweight unit tests that don't need a full Playwright browser. browser-ui-lock unit tests mock getComputedStyle with Jasmine spies instead — a valid pattern that doesn't overlap.


Supply chain

| Check | Result |
| --- | --- |
| Publisher | jsdom/jsdom (established, MIT, ~22k stars) |
| Known CVEs | None reported for 29.x |
| Production attack surface | None (devDependencies only) |
| runScripts: "dangerously" | Not used anywhere in test code — safe default |
| Transitive bumps | parse5 8.0.1, entities 6→8, lru-cache 11.5.1, undici 7.25.0 — all dev-only |

Node engine requirement: jsdom 29.1.1 requires ^20.19.0 || ^22.13.0 || >=24.0.0. Repo .nvmrc is 22; CI uses node-version-file: '.nvmrc'. Confirmed compatible.


Uncertain / follow-up (non-blocking)

  1. Opacity proxy may be redundant now. web-detection.js still wraps getComputedStyle because "JSDOM returns "" for opacity". v29.1.0's style-cache fix may have improved this. Tests pass either way; consider verifying whether the proxy can be removed in a future cleanup PR.
  2. entities major bump (6→8) is transitive via parse5. Low risk for static test HTML, but worth noting if anyone runs tests on Node < 20.19 locally (repo standard is Node 22).

Confirmed issues

None.


Assessed against commit 8fc30caca on dependabot/npm_and_yarn/main/jsdom-29.1.1.

Sent by Cursor Automation: Review dependabot

@jonathanKingston

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Jun 9, 2026

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@jonathanKingston

@dependabot recreate

Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.0.2 to 29.1.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.0.2...v29.1.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/jsdom-29.1.1 branch from 8fc30ca to e588413 Compare June 9, 2026 16:39

@cursor cursor Bot left a comment

Contributor


Web Compatibility Assessment

| File | Lines | Severity | Finding |
| --- | --- | --- | --- |
| injected/package.json | 58 | info | jsdom is a devDependency only. It is not bundled into any platform entry point (apple.js, android.js, windows.js, extension-mv3.js). No injected-runtime API overrides, DOM shims, or prototype patches are affected. |
| package-lock.json | (lockfile) | info | Transitive updates (parse5 8.0.0→8.0.1, entities 6→8, lru-cache, undici, @csstools/css-syntax-patches-for-csstree) are confined to the dev/test dependency tree. |
| injected/unit-test/web-detection.js | (consumer, unchanged) | info | This is the primary jsdom consumer and calls getComputedStyle(). jsdom 29.1.x improves computed-style serialization/caching for border-radius, background-origin/background-clip. This may change unit-test assertions but does not affect live page behavior. Local run: 937 specs, 0 failures. |

No web-compatibility regressions identified for production injected code.


Security Assessment

| File | Lines | Severity | Finding |
| --- | --- | --- | --- |
| Entire diff | | info | No changes to injected/src/, captured-globals.js, wrapper-utils.js, message bridge, or platform entry points. |
| injected/package.json | 58 | info | jsdom runs only in Node.js unit tests; it never executes in the hostile page context and cannot be reached by third-party sites. |
| package-lock.json | (lockfile) | info | Transitive undici bump (7.24.5→7.25.0) is dev-only; no new network surface in shipped bundles. |

No security vulnerabilities or trust-boundary regressions identified.


Risk Level

Low Risk — dependency-only bump confined to dev/test tooling with zero changes to injected runtime, messaging, or security-sensitive code paths.


Recommendations

  1. Merge after CI green — no injected-runtime review blockers.
  2. Validation already exercised locally: npm run build --workspace=injected and npm run test-unit --workspace=injected (937 specs, 0 failures).
  3. Optional awareness: jsdom 29.1.x getComputedStyle() changes are the only behavioral delta relevant to this repo; monitor web-detection.js / dom-metadata.spec.js if CI flakes on style assertions (none observed locally).

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Contributor


Dependency review: jsdom 29.0.2 → 29.1.1

Verdict: Low risk — safe to merge. No blocking issues found; no fix PR required.


Scope of change

| Item | Detail |
| --- | --- |
| Files touched | injected/package.json, package-lock.json |
| Classification | devDependency only — not shipped in production bundles |
| Direct consumers | 3 unit-test files: web-detection.js, page-context-dom.spec.js, dom-metadata.spec.js |

Changelog impact (29.0.2 → 29.1.1)

v29.1.0

  • Added basic support for the ratio CSS type
  • Fixed getComputedStyle() returning stale values after CSS mutation (style-cache invalidation)

v29.1.1

  • Fixed border-radius computed-style serialization
  • Fixed background-origin / background-clip in computed styles
  • Optimized initial getComputedStyle() calls before cache warm-up

Transitive dependency bumps (via lockfile): parse5 8.0.0→8.0.1, entities 6→8, undici 7.24.5→7.25.0, lru-cache 11.2.7→11.5.1, @asamuzakjp/css-color, @asamuzakjp/dom-selector, @csstools/css-syntax-patches-for-csstree.

Relevance to this repo: The only production-adjacent code paths exercised through jsdom are DOM/CSS helpers tested via Jasmine:

  • evaluateMatch() visibility checks (display, visibility, opacity) in web-detection/matching.js
  • checkNodeIsVisible() (display: none, visibility: hidden, opacity) in page-context.js
  • DOM traversal helpers in dom-metadata.js (no getComputedStyle)

The 29.1.x CSS fixes are aligned with these use cases and are unlikely to regress behavior. Confirmed locally on 29.1.1: default opacity is now "1" (was "" in older jsdom), display: none and opacity: 0 serialize correctly.


Test coverage

| Area | Coverage | Result on 29.1.1 |
| --- | --- | --- |
| Visibility matching (evaluateMatch) | 34 specs covering visible / hidden / any, inline styles, zero-size elements | ✅ Pass |
| domToMarkdown + hidden nodes | 20 specs including hidden-content (display: none) fixture | ✅ Pass |
| dom-metadata DOM helpers | Anchor/selection/metadata specs | ✅ Pass |

CI runs npm run build -w injected before unit tests, so verify-artifacts specs are covered in the pipeline.

Gap (non-blocking): No unit tests assert jsdom's getComputedStyle fidelity against real-browser baselines — existing tests validate our logic given jsdom's semantics. The opacity Proxy shim in web-detection.js (lines 648–659) was written for the old "" default; it is now redundant on 29.1.1 but harmless.


Is jsdom still needed?

Yes. It is the sole DOM shim for Jasmine unit tests in injected/. Integration tests use Playwright (real browsers). No happy-dom / linkedom alternatives exist in the repo, and jsdom remains the conventional choice for this pattern.


Supply chain

| Check | Assessment |
| --- | --- |
| Package provenance | Official jsdom/jsdom on npm, MIT, long-maintained (Domenic Denicola et al.) |
| Update source | Dependabot PR with lockfile integrity hashes |
| Runtime exposure | Dev-only; not bundled into contentScope.js or extension artifacts |
| Node engine | jsdom 29.x requires ^20.19.0 \|\| ^22.13.0 \|\| >=24; repo .nvmrc is 22 — compatible |
| Transitive risk | entities@8 and parse5@8 are well-known HTML-parsing deps; undici is Node's official fetch implementation — all dev-transitive, no red flags |

Confirmed vs. uncertain

Confirmed

  • Dev-only bump within the same major (29.x)
  • All jsdom-exercising unit specs pass on 29.1.1
  • Changelog changes are CSS correctness/perf fixes, not API breaks
  • Node version in CI satisfies updated engine constraints

Uncertain (low priority)

  • Whether 29.1.0's style-cache invalidation fix changes any edge-case visibility test not covered by current inline-style fixtures — current suite gives good confidence; no failures observed

Fix PR

Not needed. No code changes required to adopt this bump. Optional follow-up (separate PR, not blocking): remove the obsolete opacity Proxy shim in injected/unit-test/web-detection.js now that jsdom 29.1.x returns "1" by default.


Sent by Cursor Automation: Review dependabot
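
Added example, not part of any review comment above and not the project's own code: one way to check the "all dev-only" claim about the bumped packages against a lockfile, using the `dev` and `devOptional` flags of npm lockfile v2/v3. The lockfile contents, `example-prod-lib`, and the function names are constructed for illustration.

```javascript
// Constructed sample in npm lockfileVersion 3 shape; not the repository's real lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root' },
    'node_modules/jsdom': { version: '29.1.1', dev: true },
    'node_modules/parse5': { version: '8.0.1', dev: true },
    'node_modules/undici': { version: '7.25.0', dev: true },
    'node_modules/lru-cache': { version: '11.5.1', dev: true },
    // Constructed: a second, nested undici copy pulled in by a production package.
    'node_modules/example-prod-lib/node_modules/undici': { version: '7.25.0' },
  },
};

// 'a/node_modules/@scope/b' -> '@scope/b'; null for non-node_modules entries.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns installs of the named packages that are NOT strictly dev-only,
// plus any names that never appear (so a typo cannot pass silently).
function auditDevOnly(lock, names) {
  const missing = new Set(names);
  const shipped = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === null || !names.includes(name)) continue;
    missing.delete(name);
    // npm sets "dev": true only when the install is reachable solely through
    // devDependencies; "devOptional" marks an install that is also an optional
    // dependency of a non-dev package.
    if (entry.dev !== true) {
      shipped.push({
        path,
        version: entry.version,
        flag: entry.devOptional ? 'devOptional' : 'production',
      });
    }
  }
  return { shipped, missing: [...missing] };
}

const report = auditDevOnly(sampleLock, ['jsdom', 'parse5', 'undici', 'lru-cache', 'entities']);
console.log(JSON.stringify(report, null, 2));
```

Every nested copy is checked because the same package name can be installed once under the dev tree and again under a production dependency.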

@github-actions github-actions Bot added this pull request to the merge queue Jun 9, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Jun 9, 2026

Labels

dependencies Update one or more dependencies version minor Increment the minor version when merged


2 participants