chore(deps): bump happy-dom from 20.0.2 to 20.8.9 #8980

Open
dependabot[bot] wants to merge 5 commits into main from dependabot/npm_and_yarn/happy-dom-20.8.9

@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Commit Type

  • feature - New functionality
  • fix - Bug fix
  • refactor - Code restructuring without behavior change
  • perf - Performance improvement
  • docs - Documentation update
  • test - Test-related changes
  • chore - Maintenance/tooling

Risk Level

  • Low - Minor changes, limited scope
  • Medium - Moderate changes, some user impact
  • High - Major changes, significant user/system impact

What & Why

Bumps the happy-dom dev dependency from 20.0.2 to 20.8.9. This update includes two security fixes and several bug fixes:

Security fixes:

  • GHSA-w4gp-fjgq-3q4g — Cookies from the current origin were being incorrectly forwarded to target origins in fetch requests (v20.8.9)
  • GHSA-6q6h-j7hj-3r64 — Export names could be interpolated as executable code in ESM, enabling VM context escape in unsafe environments (v20.8.8)

Notable bug fixes:

  • Request.formData() now honors the Content-Type header (v20.8.6)
  • Fixed error when modifying DOM structure in connectedCallback() (v20.8.5)
  • EventTarget.dispatchEvent() now throws if the event is not of type Event (v20.8.3)
  • Event.initEvent() now resets cancelBubble and defaultPrevented (v20.8.2)
  • inert attribute now blocks focus interactions (v20.8.1)

New features:

  • setPointerCapture, hasPointerCapture, and releasePointerCapture on Element (v20.8.0)

Impact of Change

  • Users: None — happy-dom is a dev dependency used only in the test environment
  • Developers: Test environment updated with security patches and improved DOM emulation fidelity
  • System: No production impact; lockfile updated with new transitive dependencies (entities@7.0.1, ws@8.20.0, @types/ws@8.18.1, @types/node@25.5.0)

Test Plan

  • Unit tests added/updated
  • E2E tests added/updated
  • Manual testing completed
  • Tested in: Existing unit test suite validates compatibility — no test changes required

Contributors

Dependabot automated security update

Screenshots/Videos

N/A — no visual changes

Bumps [happy-dom](https://github.com/capricorn86/happy-dom) from 20.0.2 to 20.8.9.
- [Release notes](https://github.com/capricorn86/happy-dom/releases)
- [Commits](capricorn86/happy-dom@v20.0.2...v20.8.9)

---
updated-dependencies:
- dependency-name: happy-dom
  dependency-version: 20.8.9
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and javascript labels Mar 29, 2026
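
An added example, not part of the pull request or of happy-dom: a lockfile check for the two advisories named in the description, using the fixed-in versions stated there. It assumes the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3); the sample lockfile and every package name in it other than happy-dom are constructed.

```javascript
// Fixed-in versions as given in the PR description above.
const FIXED_IN = {
  "GHSA-w4gp-fjgq-3q4g": "20.8.9", // cookies forwarded to target origins in fetch
  "GHSA-6q6h-j7hj-3r64": "20.8.8", // export names interpolated as code in ESM
};

// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
// Pre-release tags are not handled (assumption: lockfile pins release versions).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the lockfile "packages" map and report every installed copy of
// happy-dom, including copies nested under other packages.
function auditHappyDom(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/happy-dom")) continue;
    const unpatched = Object.keys(FIXED_IN).filter(
      (id) => compareVersions(entry.version, FIXED_IN[id]) < 0
    );
    // npm marks entries reachable only through devDependencies with dev: true.
    findings.push({ path, version: entry.version, devOnly: entry.dev === true, unpatched });
  }
  return findings;
}

// Constructed sample lockfile fragment, not the repository's real lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/happy-dom": { version: "20.8.9", dev: true },
    "node_modules/some-tool/node_modules/happy-dom": { version: "20.8.8" },
    "node_modules/legacy/node_modules/happy-dom": { version: "20.0.2", dev: true },
  },
};

for (const f of auditHappyDom(sampleLock)) {
  const scope = f.devOnly ? "dev-only" : "reachable from production deps";
  const state = f.unpatched.length ? "UNPATCHED: " + f.unpatched.join(", ") : "patched";
  console.log(`${f.path} ${f.version} (${scope}) ${state}`);
}
```

A nested copy that is not flagged `dev` is the case worth looking at, since it means the "test environment only" assumption does not hold for that install path.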

github-actions bot commented Mar 29, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump happy-dom from 20.0.2 to 20.8.9
  • Issue: None — title is clear, follows conventional commit style, and specifies the dependency and version change.
  • Recommendation: None.

Commit Type

  • Properly selected (chore).
  • Note: Only one commit type selected which is correct for a dependency update.

Risk Level

  • The PR has the risk:low label and the body selects Low. The change is a dev dependency bump used in the test environment, so Low is appropriate.

What & Why

  • Current:
    Bumps the happy-dom dev dependency from 20.0.2 to 20.8.9, lists security fixes and notable bug fixes, and links to advisories and release notes.
  • Issue: None — explanation is clear and succinct.
  • Recommendation: None.

Impact of Change

  • The PR correctly states there is no user-facing impact, that developer/test environment benefits, and that production is unaffected. The lockfile changes are noted.
  • Recommendation: As a small improvement, consider explicitly stating whether any CI jobs that run tests need to be re-run locally (e.g., pnpm install && pnpm test) before merging — you do still call out the lockfile changes which is good.
    • Users: No changes.
    • Developers: Test environment updated with security patches and improved DOM emulation fidelity.
    • System: No production impact; lockfile updated with new transitive dependencies.

Test Plan

  • Assessment: The PR does not add or modify unit/E2E tests (expected for a dev dependency bump), and the body explains the existing unit test suite validates compatibility.
  • Recommendation: Ensure CI completes successfully. If CI has a test matrix or node version matrix, note if any additional runs are required.

Contributors

  • Contributors field is present (Dependabot automated update + co-authors). Good.

Screenshots/Videos

  • Not applicable — no UI changes.

Summary Table

Section | Status | Recommendation
Title | | None needed.
Commit Type | | None needed.
Risk Level | | None needed.
What & Why | | None needed.
Impact of Change | | Consider adding a short note about re-running CI locally.
Test Plan | | Confirm CI passes; optionally add an explicit local verification step.
Contributors | | None needed.
Screenshots/Videos | | N/A

Final message: This PR passes the PR title/body validation. The assigned risk level (Low) matches my advised risk (Low). The PR description is clear and includes security advisories and lockfile changes. Before merging, please ensure CI completes successfully (run the test suite in CI); if you want to be extra cautious, run pnpm install and the full test suite locally to validate the lockfile changes on the maintainers' CI Node versions. Thank you for keeping dependencies up to date!


Last updated: Mon, 06 Apr 2026 15:34:42 GMT


github-actions bot commented Mar 29, 2026

📊 Coverage check completed. See workflow run for details.

Labels: dependencies, javascript, pr-validated, risk:low
