Build(deps-dev): bump jsdom from 27.4.0 to 28.1.0

[dependabot]

Bumps jsdom from 27.4.0 to 28.1.0.

Release notes

Sourced from jsdom's releases.

Version 28.1.0

• Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
• Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (asamuzaK)
• Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
• Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
• Fixed getComputedStyle() to correctly handle !important priority. (asamuzaK)
• Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
• Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
• Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
• Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
• Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.

Version 28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Changelog

Sourced from jsdom's changelog.

28.1.0

• Added blob.text(), blob.arrayBuffer(), and blob.bytes() methods.
• Improved getComputedStyle() to account for CSS specificity when multiple rules apply. (asamuzaK)
• Improved synchronous XMLHttpRequest performance by using a persistent worker thread, avoiding ~400ms of setup overhead on every synchronous request after the first one.
• Improved performance of node.getRootNode(), node.isConnected, and event.dispatchEvent() by caching the root node of document-connected trees.
• Fixed getComputedStyle() to correctly handle !important priority. (asamuzaK)
• Fixed document.getElementById() to return the first element in tree order when multiple elements share the same ID.
• Fixed <svg> elements to no longer incorrectly proxy event handlers to the Window.
• Fixed FileReader event timing and fileReader.result state to more closely follow the spec.
• Fixed a potential hang when synchronous XMLHttpRequest encountered dispatch errors.
• Fixed compatibility with environments where Node.js's built-in fetch() has been used before importing jsdom, by working around undici v6/v7 incompatibilities.

28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Commits

• 12949b5 Version 28.1.0
• ce4c58f Apply CSS specificity when computing styles
• 7ed55a0 Skip single-byte-decoder encoding tests on Node 20
• f3b1973 Generalize node version conditions in test expectations
• 853c596 Rewrite getElementById ID caching for tree-order correctness
• 5fbfde6 Fix potential sync XHR worker hang from unhandled dispatch errors
• 82df38f Cache the root node for document-connected trees
• ed7c5c0 Add documentation comment to create-event-accessor.js
• b4562e9 Simplify Window.js installEventHandlers
• 7da340f Centralize "determine the target of an event handler"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[code-genius-code-coverage]

The files' contents are under analysis for test generation.

[deepsource-io]

DeepSource Code Review

We reviewed changes in 443b337...bf6ffb6 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
Test coverage		Feb 25, 2026 4:01p.m.	Review ↗
Secrets		Feb 25, 2026 4:01p.m.	Review ↗
JavaScript		Feb 25, 2026 4:01p.m.	Review ↗

Code Coverage Summary

Language	Line Coverage (Overall)
Aggregate	93.8%
Javascript	93.8%

➟ Additional coverage metrics may have been reported. See full coverage report ↗

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jsdom@​27.4.0 ⏵ 28.1.0			+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Network access: npm undici in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/undici@7.22.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.22.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @acemir/cssom URLs: http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleSheet-deleteRule, https://www.w3.org/TR/cssom-1/#dom-cssstylesheet-replace, https://www.w3.org/TR/cssom-1/#dom-cssstylesheet-replacesync, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleDeclaration, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleDeclaration-getPropertyValue, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleDeclaration-setProperty, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleDeclaration-removeProperty, http://dev.w3.org/csswg/cssom/#the-cssrule-interface, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSRule, https://drafts.csswg.org/cssom/#the-cssrulelist-interface, https://drafts.csswg.org/css-nesting-1/, https://drafts.csswg.org/cssom/#the-cssgroupingrule-interface, https://www.w3.org/TR/cssom-1/#dom-cssgroupingrule-insertrule, https://www.w3.org/TR/cssom-1/#dom-cssgroupingrule-deleterule, https://drafts.csswg.org/css-counter-styles/#the-csscounterstylerule-interface, https://drafts.css-houdini.org/css-properties-values-api/#the-css-property-rule-interface, https://www.w3.org/TR/css-conditional-3/#the-cssconditionrule-interface, http://dev.w3.org/csswg/cssom/#cssstylerule, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleRule, http://dev.w3.org/csswg/cssom/#the-medialist-interface, http://dev.w3.org/csswg/cssom/#cssmediarule, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSMediaRule, https://opensource.apple.com/source/WebCore/WebCore-7611.1.21.161.3/css/CSSMediaRule.cpp, https://drafts.csswg.org/css-contain-3/, https://www.w3.org/TR/css-contain-3/, https://drafts.csswg.org/css-conditional-3/#the-csssupportsrule-interface, http://dev.w3.org/csswg/cssom/#cssimportrule, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSImportRule, https://drafts.csswg.org/cssom/#the-cssnamespacerule-interface, http://dev.w3.org/csswg/cssom/#css-font-face-rule, http://www.opensource.apple.com/source/WebCore/WebCore-955.66.1/css/WebKitCSSFontFaceRule.cpp, http://www.w3.org/TR/shadow-dom/#host-at-rule, http://html5index.org/Shadow%20DOM%20-%20CSSHostRule.html, http://dev.w3.org/csswg/cssom/#the-stylesheet-interface, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleSheet, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSStyleSheet-insertRule, http://www.w3.org/TR/css3-animations/#DOM-CSSKeyframesRule, http://www.opensource.apple.com/source/WebCore/WebCore-955.66.1/css/WebKitCSSKeyframesRule.cpp, https://www.w3.org/TR/css-animations-1/#dom-csskeyframesrule-appendrule, https://www.w3.org/TR/css-animations-1/#dom-csskeyframesrule-deleterule, https://www.w3.org/TR/css-animations-1/#dom-csskeyframesrule-findrule, http://www.w3.org/TR/css3-animations/#DOM-CSSKeyframeRule, http://www.opensource.apple.com/source/WebCore/WebCore-955.66.1/css/WebKitCSSKeyframeRule.cpp, https://developer.mozilla.org/en/CSS/@-moz-document, http://www.w3.org/TR/DOM-Level-2-Style/css.html#CSS-CSSValue, http://msdn.microsoft.com/en-us/library/ms537634, https://drafts.csswg.org/css-cascade-6/#cssscoperule, https://drafts.csswg.org/css-cascade-5/#csslayerblockrule, https://drafts.csswg.org/css-cascade-5/#csslayerstatementrule, https://drafts.csswg.org/cssom/#the-csspagerule-interface Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/@acemir/cssom@0.9.31 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@acemir/cssom@0.9.31. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @asamuzakjp/dom-selector URLs: http://www.w3.org/2000/svg, https://datatracker.ietf.org/doc/html/rfc4647#section-3.3.1, http://www.w3.org/1999/xhtml, https://html.spec.whatwg.org/#pseudo-classes Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/@asamuzakjp/dom-selector@6.8.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@asamuzakjp/dom-selector@6.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @bramus/specificity URLs: https://www.w3.org/TR/selectors-4/#specificity-rules, https://developer.mozilla.org/en-US/docs/Web/CSS/Pseudo-elements#index Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/@bramus/specificity@2.4.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bramus/specificity@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm @bramus/specificity with 100.0% likelihood Confidence: 1.00 Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/@bramus/specificity@2.4.2 ℹ Read more on: This package | This alert | What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bramus/specificity@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm @exodus/bytes URLs: https://encoding.spec.whatwg.org/#shift_jis-decoder, https://encoding.spec.whatwg.org/#gbk-decoder, https://encoding.spec.whatwg.org/#gb18030-decoder, https://npmjs.com/text-encoding, https://encoding.spec.whatwg.org/#names-and-labels, https://github.com/whatwg/encoding/issues/324, https://encoding.spec.whatwg.org/#interface-textdecoderstream, https://streams.spec.whatwg.org/#dom-transformer-flush, https://encoding.spec.whatwg.org/#interface-textencoderstream, https://encoding.spec.whatwg.org/#encode-and-enqueue-a-chunk, https://github.com/ExodusOSS/bytes/blob/main/README.md, https://unicode.org/Public/MAPPINGS/ISO8859/8859-9.txt, https://webidl.spec.whatwg.org/#idl-DOMString, https://webidl.spec.whatwg.org/#idl-USVString Location: Package overview From: package-lock.json → npm/jsdom@28.1.0 → npm/@exodus/bytes@1.14.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@exodus/bytes@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 16 more rows in the dashboard

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

Automatically approved by gstraccini[bot]

[github-actions]

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

2026-02-25T16:01:38Z INF scanning for exposed secrets...
4:01PM INF 466 commits scanned.
2026-02-25T16:01:38Z INF scan completed in 349ms
2026-02-25T16:01:38Z INF no leaks found

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud