[Snyk] Security upgrade jsdom from 16.4.0 to 16.5.0

[victornpb]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	718/1000 Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.5	Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: jsdom

The new version differs by 30 commits.

• 2d82763 Version 16.5.0
• 9741311 Fix loading of subresources with Unicode filenames
• 5e46553 Use domenic's ESLint config as the base
• 19b35da Fix the URL of about:blank iframes
• 017568e Support inputType on InputEvent
• 29f4fdf Upgrade dependencies
• e2f7639 Refactor create‑event‑accessor.js to remove code duplication
• ff69a75 Convert JSDOM to use callback functions
• 19df6bc Update links in contributing guidelines
• 1e34ff5 Test triage
• 1d6cb3c XHR: clear response buffer on errors
• 1e86b2e XHR: mark Content-Length as CORS-safelisted
• 6a8f012 XHR: avoid a redundant final progress event
• 021555b Allow mutating disabled <input type=checkbox/radio>
• a62d9fe Remove ondragexit from GlobalEventHandlers
• 745fbaf Call mutation observer callbacks with the MutationObserver as this
• 6c758c9 Implement window.event
• a88d0bf Clean up navigator.plugins and navigator.mimeTypes
• 31eb938 Implement queueMicrotask()
• 2ab99ad Stop replacing / with : in the File constructor
• ffd4aa3 Reduce log spam when starting WPT server
• e0de8be Upgrade to-upstream WPTs to Python 3
• c94ceeb Automatically omit all testdriver tests
• b3f6056 Update WPT

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
jsdom	16.4.0...16.5.0	eval	+17/-21	6.62 MB	domenic

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Dynamic require	url-parse	1.5.10	Location: dist/url-parse.js +3 more instances...	jsdom@16.5.0 via package.json
Obfuscated require	url-parse	1.5.10	Location: dist/url-parse.js +3 more instances...	jsdom@16.5.0 via package.json
Suspicious strings	psl	1.9.0	Location: data/rules.json +2 more instances...	jsdom@16.5.0 via package.json
Uses eval	lodash	4.17.21	Eval Type: Function Location: _root.js +1 more instances...	jsdom@16.5.0 via package.json

Next steps

What is dynamic require?

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

What is obfuscated require?

Package accesses dynamic properties of require and may be obfuscating code execution.

The package should not access dynamic properties of module. Instead use import or require directly.

What are suspicious strings?

This package contains suspicious text patterns which are commonly associated with bad behavior

The package code should be reviewed before installing

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore lodash@4.17.21
• @SocketSecurity ignore url-parse@1.5.10
• @SocketSecurity ignore psl@1.9.0