Skip to content

Bump happy-dom from 20.0.10 to 20.8.9 in /agentex-ui#180

Merged
smoreinis merged 1 commit intomainfrom
dependabot/npm_and_yarn/agentex-ui/happy-dom-20.8.9
Apr 3, 2026
Merged

Bump happy-dom from 20.0.10 to 20.8.9 in /agentex-ui#180
smoreinis merged 1 commit intomainfrom
dependabot/npm_and_yarn/agentex-ui/happy-dom-20.8.9

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 29, 2026
edited by greptile-apps bot
Loading

Bumps happy-dom from 20.0.10 to 20.8.9.

Release notes

Sourced from happy-dom's releases.

v20.8.9

👷‍♂️ Patch fixes

  • Fixes issue where cookies from the current origin was being forwarded to the target origin in fetch requests - By @​capricorn86 in task #2117

v20.8.8

👷‍♂️ Patch fixes

  • Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
    • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

  • Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

v20.8.5

👷‍♂️ Patch fixes

  • Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

v20.8.3

👷‍♂️ Patch fixes

  • Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

  • Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

v20.8.0

🎨 Features

  • Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

  • Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

👷‍♂️ Patch fixes

  • Fixes issue related to parsing direct descendants (>) and universal (*) query selectors - By @​Cherry in task #2078

... (truncated)

Commits
  • 68324c2 fix: #2117 Fixes issue related to cookies from the current origin being for...
  • 5437fdf fix: #2113 Fixes issue where export names can be interpolated as executable...
  • 7e97acb fix: #1845 Replace implementing Node js Console with common IConsole interf...
  • 3373929 fix: #2106 Request.formData() should honor Content-Type header (#2107)
  • 55c17ba fix: #2110 Fixes error thrown when modifying DOM structure in connectedCall...
  • 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
  • 5998eea fix: #2054 Throw error if event is not of type Event in dispatchEvent (#2092)
  • 7a11238 fix: #2090 Resets cancelBubble and defaultPrevented when calling initEvent ...
  • 7d27984 fix: #1422 Make inert attribute block focus interactions (#2083)
  • 53e4ec9 feat: #1733 Adds support for setPointerCapture, hasPointerCapture, and rele...
  • Additional commits viewable in compare view

Greptile Summary

This PR is an automated dependabot bump of happy-dom (a dev dependency used for browser environment simulation in tests) from 20.0.10 to 20.8.9 in agentex-ui.

Key highlights:

  • Patches two security advisories: a cookie-leakage issue where cookies from the current origin were forwarded to a target origin in fetch requests, and an ESM code-injection issue where export names could be interpolated as executable code — both only affect the test/dev environment since happy-dom is a devDependency.
  • Adds two new transitive dev dependencies: ws (^8.18.3) and entities (^7.0.1), along with @types/ws.
  • No production code is touched; changes are limited to package.json and package-lock.json.

Confidence Score: 5/5

Safe to merge — purely a dev-dependency security patch with no production impact.

The change only updates a devDependency used in tests. It patches two confirmed security vulnerabilities and introduces well-known, low-risk transitive dependencies (ws, entities). No production code, schemas, or APIs are affected.

No files require special attention.

Important Files Changed

Filename Overview
agentex-ui/package.json Bumps happy-dom dev dependency version constraint from ^20.0.10 to ^20.8.9; no other changes.
agentex-ui/package-lock.json Locks happy-dom to 20.8.9, adds new transitive dev dependencies ws@8.18.3, entities@7.0.1, and @types/ws@8.18.1; all are dev-only and do not affect the production bundle.

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["happy-dom 20.8.9\n(devDependency)"] --> B["@types/node >=20.0.0"]
    A --> C["@types/whatwg-mimetype ^3.0.2"]
    A --> D["@types/ws ^8.18.1\n(NEW)"]
    A --> E["entities ^7.0.1\n(NEW)"]
    A --> F["whatwg-mimetype ^3.0.0"]
    A --> G["ws ^8.18.3\n(NEW)"]
    D --> B
    style A fill:#f0a500,color:#000
    style D fill:#90ee90,color:#000
    style E fill:#90ee90,color:#000
    style G fill:#90ee90,color:#000
Loading

Reviews (2): Last reviewed commit: "Bump happy-dom from 20.0.10 to 20.8.9 in..." | Re-trigger Greptile

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 29, 2026
@dependabot dependabot bot requested a review from a team as a code owner March 29, 2026 21:10
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 29, 2026
@dependabot dependabot bot mentioned this pull request Mar 29, 2026
Closed
@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 29, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​happy-dom@​20.0.10 ⏵ 20.8.975 +1100 +2288 +196 +2100

View full report

@smoreinis smoreinis enabled auto-merge (squash) April 3, 2026 17:07
@smoreinis
Copy link
Copy Markdown
Collaborator

smoreinis commented Apr 3, 2026

@dependabot rebase

@dependabot
Bump happy-dom from 20.0.10 to 20.8.9 in /agentex-ui
f7f892d 
Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 20.0.10 to 20.8.9.
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v20.0.10...v20.8.9)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.8.9
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/agentex-ui/happy-dom-20.8.9 branch from 2af6ced to f7f892d Compare April 3, 2026 17:08
@smoreinis smoreinis merged commit b29a4c9 into main Apr 3, 2026
12 checks passed
@smoreinis smoreinis deleted the dependabot/npm_and_yarn/agentex-ui/happy-dom-20.8.9 branch April 3, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smoreinis smoreinis smoreinis approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@smoreinis