npm: bump the npm_and_yarn group in /dashboard with 7 updates

[dependabot]

Bumps the npm_and_yarn group in /dashboard with 8 updates:

Package	From	To
jsdom	15.2.1	16.5.0
ws	8.9.0	8.17.1
follow-redirects	1.14.8	1.15.6
braces	3.0.2	3.0.3
json5	1.0.1	1.0.2
qs	6.5.2	6.5.3
tough-cookie	2.5.0	4.1.4
jsdom	16.5.0	16.7.0

Updates jsdom from 15.2.1 to 16.5.0

Release notes

Sourced from jsdom's releases.

Version 16.5.0

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

Version 16.4.0

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

Version 16.3.0

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

Version 16.2.2

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
• Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
• Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
• Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
• Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.

... (truncated)

Changelog

Sourced from jsdom's changelog.

16.5.0

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

16.4.0

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

16.3.0

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

16.2.2

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.

... (truncated)

Commits

• 2d82763 Version 16.5.0
• 9741311 Fix loading of subresources with Unicode filenames
• 5e46553 Use domenic's ESLint config as the base
• 19b35da Fix the URL of about:blank iframes
• 017568e Support inputType on InputEvent
• 29f4fdf Upgrade dependencies
• e2f7639 Refactor create‑event‑accessor.js to remove code duplication
• ff69a75 Convert JSDOM to use callback functions
• 19df6bc Update links in contributing guidelines
• 1e34ff5 Test triage
• Additional commits viewable in compare view

Updates ws from 8.9.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Updates follow-redirects from 1.14.8 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• See full diff in compare view

Updates qs from 6.5.2 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
• f814a7f [Dev Deps] backport from main
• Additional commits viewable in compare view

Updates tough-cookie from 2.5.0 to 4.1.4

Release notes

Sourced from tough-cookie's releases.

v4.1.4

https://www.npmjs.com/package/tough-cookie/v/4.1.4

What's Changed

• Add local alias for toString by @​corvidism in salesforce/tough-cookie#409
• Fix incorrect string validation for URL by @​coditva in salesforce/tough-cookie#261

New Contributors

• @​corvidism made their first contribution in salesforce/tough-cookie#409
• @​coditva made their first contribution in salesforce/tough-cookie#261

Full Changelog: salesforce/tough-cookie@v4.1.3...v4.1.4

4.1.3

Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

4.1.2 -- Patch and Bugfix Release

What's Changed

• fix: allow set cookies with localhost by @​colincasey in salesforce/tough-cookie#253

Full Changelog: salesforce/tough-cookie@v4.1.1...v4.1.2

4.1.1

Patch Release

What's Changed

• fix: allow special use domains by default by @​colincasey in salesforce/tough-cookie#249
• 4.1.1 Patch -- allow special use domains by default by @​awaterma in salesforce/tough-cookie#250

Full Changelog: salesforce/tough-cookie@v4.1.0...v4.1.1

4.1.0

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

• Create CHANGELOG.md by @​ShivanKaul in salesforce/tough-cookie#189
• Missing param validation issue145 by @​medelibero-sfdc in salesforce/tough-cookie#193
• Create SECURITY.md by @​ShivanKaul in salesforce/tough-cookie#201
• Create CODE_OF_CONDUCT.md by @​ShivanKaul in salesforce/tough-cookie#200
• Fix for issue #195 by @​medelibero-sfdc in salesforce/tough-cookie#202
• Add explanation and more special-use domains by @​ShivanKaul in salesforce/tough-cookie#203
• Sync of constructor options for serialization by @​medelibero-sfdc in salesforce/tough-cookie#204
• Returned null in case of empty cookie value by @​vsin12 in salesforce/tough-cookie#196
• 132 str trim not a function by @​awaterma in salesforce/tough-cookie#209
• Fix for issue #153 by @​medelibero-sfdc in salesforce/tough-cookie#210
• Fix permuteDomain with trailing dot by @​ruoho-sfdc in salesforce/tough-cookie#216
• Issue #213 -- added gh-actions flow for building and testing tough-co… by @​awaterma in salesforce/tough-cookie#218

... (truncated)

Commits

• cacbc37 Bump version to 4.1.4
• a48fb3a Add tests for url validation
• 50e69bf Merge pull request #261 from postmanlabs/fix/url-string-validation
• 1253d58 Merge pull request #409 from corvidism/validators-to-string
• 238367e Add local alias for toString
• 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
• 12d4747 Prevent prototype pollution in cookie memstore (#283)
• f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain proper...
• cf6debd Fix incorrect string validation for URL
• b1a8898 fix: allow set cookies with localhost (#253)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.

Updates jsdom from 16.5.0 to 16.7.0

Release notes

Sourced from jsdom's releases.

Version 16.5.0

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

Version 16.4.0

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

Version 16.3.0

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

Version 16.2.2

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.
• Fixed various issues where updating selectEl.value would not invalidate properties such as selectEl.selectedOptions. (ExE-Boss)
• Fixed <input>'s src property, and <ins>/<del>'s cite property, to properly reflect as URLs.
• Fixed window.addEventLister, window.removeEventListener, and window.dispatchEvent to properly be inherited from EventTarget, instead of being distinct functions. (ExE-Boss)
• Fixed errors that would occur if attempting to use a DOM object, such as a custom element, as an argument to addEventListener.

... (truncated)

Changelog

Sourced from jsdom's changelog.

16.5.0

• Added window.queueMicrotask().
• Added window.event.
• Added inputEvent.inputType. (diegohaz)
• Removed ondragexit from Window and friends, per a spec update.
• Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)
• Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.
• Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)
• Fixed the new File() constructor to no longer convert / to :, per a pending spec update.
• Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.
• Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.
• Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.
• Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.
• Fixed xhr.response to return null for failures that occur during the middle of the download.
• Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)
• Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)
• Fixed a potential memory leak with custom elements (although we could not figure out how to trigger it). (soncodi)

16.4.0

• Added a not-implemented warning if you try to use the second pseudo-element argument to getComputedStyle(), unless you pass a ::part or ::slotted pseudo-element, in which case we throw an error per the spec. (ExE-Boss)
• Improved the performance of repeated access to el.tagName, which also indirectly improves performance of selector matching and style computation. (eps1lon)
• Fixed form.elements to respect the form="" attribute, so that it can contain non-descendant form controls. (ccwebdesign)
• Fixed el.focus() to do nothing on disconnected elements. (eps1lon)
• Fixed el.focus() to work on SVG elements. (zjffun)
• Fixed removing the currently-focused element to move focus to the <body> element. (eps1lon)
• Fixed imgEl.complete to return true for <img> elements with empty or unset src="" attributes. (strager)
• Fixed imgEl.complete to return true if an error occurs loading the <img>, when canvas is enabled. (strager)
• Fixed imgEl.complete to return false if the <img> element's src="" attribute is reset. (strager)
• Fixed the valueMissing validation check for <input type="radio">. (zjffun)
• Fixed translate="" and draggable="" attribute processing to use ASCII case-insensitivity, instead of Unicode case-insensitivity. (zjffun)

16.3.0

• Added firing of focusin and focusout when using el.focus() and el.blur(). (trueadm)
• Fixed elements with the contenteditable="" attribute to be considered as focusable. (jamieliu386)
• Fixed window.NodeFilter to be per-Window, instead of shared across all Windows. (ExE-Boss)
• Fixed edge-case behavior involving use of objects with handleEvent properties as event listeners. (ExE-Boss)
• Fixed a second failing image load sometimes firing a load event instead of an error event, when the canvas package is installed. (strager)
• Fixed drawing an empty canvas into another canvas. (zjffun)

16.2.2

• Updated StyleSheetList for better spec compliance; notably it no longer inherits from Array.prototype. (ExE-Boss)
• Fixed requestAnimationFrame() from preventing process exit. This likely regressed in v16.1.0.
• Fixed setTimeout() to no longer leak the closures passed in to it. This likely regressed in v16.1.0. (AviVahl)
• Fixed infinite recursion that could occur when calling click() on a <label> element, or one of its descendants.
• Fixed getComputedStyle() to consider inline style="" attributes. (eps1lon)
• Fixed several issues with <input type="number">'s stepUp() and stepDown() functions to be properly decimal-based, instead of floating point-based.

... (truncated)

Commits

• 2d82763 Version 16.5.0
• 9741311 Fix loading of subresources with Unicode filenames
• 5e46553 Use domenic's ESLint config as the base
• 19b35da Fix the URL of about:blank iframes
• 017568e Support inputType on InputEvent
• 29f4fdf Upgrade dependencies
• e2f7639 Refactor create‑event‑accessor.js to remove code duplication
• ff69a75 Convert JSDOM to use callback functions
• 19df6bc Update links in contributing guidelines
• 1e34ff5 Test triage
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml