Build: Make middleware-mockserver not crash on reading nonexistent files
`fs.readFileSync` crashes when a non-existing file is passed to it. Some APIs
of `middleware-mockserver` read a file the path of which depends on query
parameters, making it possible to crash it by providing such a parameter. The
old PHP server doesn't have these issues.
To fix this, wrap all `fs.readFileSync` occurrences with a function that falls
back to the string `"ERROR"`.
dependabot[bot] [Fri, 1 Nov 2024 14:07:39 +0000 (10:07 -0400)]
Build: Bump the github-actions group with 4 updates
Bumps the github-actions group with 4 updates: [actions/checkout](https://github.com/actions/checkout), [actions/setup-node](https://github.com/actions/setup-node), [actions/cache](https://github.com/actions/cache) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/checkout` from 4.2.0 to 4.2.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...11bd71901bbe5b1630ceea73d27597364c9af683)
Changes:
1. Update the link to "help wanted" or "patch welcome" issues to only include
open ones.
2. Replace info about the jQuery Forum & IRC with Matrix & Stack Overflow.
3. Update the test reduction WebKit blog post link.
4. Update the Git clone instructions to not rely on the legacy `git://`
protocol.
5. Fix a few typos.
dependabot[bot] [Tue, 1 Oct 2024 00:23:58 +0000 (20:23 -0400)]
Build: Bump the github-actions group with 3 updates
Bumps the github-actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [actions/setup-node](https://github.com/actions/setup-node) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/checkout` from 4.1.7 to 4.2.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938)
Tests: Switch to an updated fork of promises-aplus-tests
The upstream package has been unmaintained for years, with dependencies
with long-reported security issues. Switching to a fork allows to resolve
all the security reports against the jQuery development environment.
The fork is maintained by @mgol and has the following changes:
1. The `underscore` dependency has been removed.
2. `sinon` has been updated from v1 to v19.
3. `mocha` has been updated from v2 to v10.
Changes to the source are minimal; it will be easy to rebase the fixes
if the upstream package is ever updated.
In addition to the above, the `q` dependency has been removed.
It's been added in gh-1996 but never really used.
Manipulation: Make jQuery.cleanData not skip elements during cleanup
When passing a result of `getElementByTagsName` to `jQuery.cleanData`, convert
it to an array first. Otherwise, a live NodeList is passed and if any of the
event cleanups remove the element itself, a collection is modified during the
iteration, making `jQuery.cleanData` skip cleanup for some elements.
Fixes gh-5214
Closes gh-5523
Co-authored-by: Michał Gołębiowski-Owczarek <m.goleb@gmail.com> Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Tests: Run tests in Edge in IE mode in GitHub Actions
While Edge in IE mode is not guaranteed to match IE 11 in every aspect,
in practice it generally does. Testing in this mode in GitHub Actions
will allow us to catch most IE-breaking issues at the PR level.
This change also adds missing npm scripts: `test:chrome`, `test:edge`
& `test:ie`.
1. At the same time, there may be two supported versions of Firefox ESR. Run
tests on both, installed locally.
2. Don't run tests on Firefox 115 on BrowserStack - it was added as there's
an ESR version of Firefox 115, but ESR versions may be different, e.g. for
some time ServiceWorker was disabled on ESR versions:
https://bugzilla.mozilla.org/show_bug.cgi?id=1547023
dependabot[bot] [Thu, 1 Aug 2024 09:04:29 +0000 (11:04 +0200)]
Build: Bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [actions/setup-node](https://github.com/actions/setup-node) and [github/codeql-action](https://github.com/github/codeql-action).
Closes gh-5528
Updates `actions/setup-node` from 4.0.2 to 4.0.3
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.0.2...1e60f620b9541d16bece96c5465dc8ee9832be0b)
Updates `github/codeql-action` from 3.25.11 to 3.25.15
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b611370bb5703a7efb587f9d136a52ea24c5c38c...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a)
Release: correct build date in verification; other improvements
- the date is actually the date of the commit *prior*
to the tag commit, as the files are built and then committed.
- also, the CDN should still be checked for non-stable releases,
and should use different filenames (including in the map files).
- certain files should be skipped when checking the CDN.
- removed file diffing because it ended up being far too noisy,
making it difficult to find the info I needed.
- because the build script required an addition, release
verification will not work until the next release.
- print all files in failure case and whether each matched
- avoid npm script log in GH release notes changelog
- exclude changelog.md from release:clean command
- separate the post-release script from release-it for now, so we
can keep manual verification before each push. The exact command is
printed at the ened for convenience.
*Authors*
- Checking and updating authors has been migrated
to a custom script in the repo
*Changelog*
- changelogplease is no longer maintained
- generate changelog in markdown for GitHub releases
- generate changelog in HTML for blog posts
- generate contributors list in HTML for blog posts
*dist*
- clone dist repo, copy files, and commit/push
- commit tag with dist files on main branch;
remove dist files from main branch after release
*cdn*
- clone cdn repo, copy files, and commit/push
- create versioned and unversioned copies in cdn/
- generate md5 sums and archives for Google and MSFT
*build*
- implement reproducible builds and verify release builds
* uses the last modified date for the latest commit
* See https://reproducible-builds.org/
- the verify workflow also ensures all files were
properly published to the CDN and npm
*docs*
- the new release workflow is documented at build/release/README.md
*misc*
- now that we don't need the jquery-release script and
now that we no longer need to build on Node 10, we can
use ESM in all files in the build folder
- move dist wrappers to "wrappers" folders for easy removal
of all built files
- limit certain workflows to the main repo (not forks)
- version in package.json has been set to beta.1 so that
the next release will be beta.2
- release-it added the `preReleaseBase` option and we
now always set it to `1` in the npm script. This is
a noop for stable releases.
Build: Bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/a5ac7e51b41094c92402da3b24376905380afc29...692973e3d937129bcbf40652eb9f2f61becf3332)
Updates `github/codeql-action` from 3.25.8 to 3.25.11
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/2e230e8fe0ad3a14a340ad0815ddb96d599d2aff...b611370bb5703a7efb587f9d136a52ea24c5c38c)
dependabot[bot] [Wed, 5 Jun 2024 22:05:28 +0000 (00:05 +0200)]
Build: Bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/checkout` from 4.1.2 to 4.1.6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...a5ac7e51b41094c92402da3b24376905380afc29)
Updates `github/codeql-action` from 3.24.9 to 3.25.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/1b1aada464948af03b950897e5eb522f92603cc2...2e230e8fe0ad3a14a340ad0815ddb96d599d2aff)
Build: Group dependabot PRs updating GitHub Actions
We have monthly automatic dependabot PRs for GitHub Actions. Unfortunately,
as of now we get a separate PR for every dependency which is a bit spammy
compared to regular commits updating source.
Thankfully, there's now a way to tell dependabot to submit a single PR per
a defined group. This change defines a single group to have a single dependabot
PR for all action updates.
CSS:Tests: Fix tests & support tests under CSS Zoom
Firefox 126+ implements CSS zoom in a way it affects width computed style
very slightly (`100.008px` instead of `100px`); accept that difference.
Add a test for support tests resolving the same under CSS zoom & without one.
That test uncovered Chrome failing the `reliableTrDimensions` support test
under zoom; the test has been fixed.
Timmy Willison [Wed, 29 May 2024 15:06:23 +0000 (11:06 -0400)]
Tests: revert concurrency group change
- It's common for us to merge to main and cherry pick to 3.x-stable,
so it's best if concurrency is shared between branches, which
is effectively what we had already as it matches on workflow name
and browser. Ideally, it could also match on the corresponding commit,
but it seems the commit message is not available in the github context.
Event: Increase robustness of an inner native event in leverageNative
In Firefox, alert displayed just before blurring an element dispatches
the native blur event twice which tripped the jQuery logic if a jQuery blur
handler was not attached before the trigger call.
This was because the `leverageNative` logic part for triggering first checked if
setup was done before (which, for example, is done if a jQuery handler was
registered before for this element+event pair) and - if it was not - added
a dummy handler that just returned `true`. The `leverageNative` logic made that
`true` then saved into private data, replacing the previous `saved` array. Since
`true` passed the truthy check, the second native inner handler treated `true`
as an array, crashing on the `slice` call.
The same issue could happen if a handler returning `true` is attached before
triggering. A bare `length` check would not be enough as the user handler may
return an array-like as well. To remove this potential data shape clash, capture
the inner result in an object with a `value` property instead of saving it
directly.
Since it's impossible to call `alert()` in unit tests, simulate the issue by
replacing the `addEventListener` method on a test button with a version that
calls attached blur handlers twice.
Tests: Make the beforeunload event tests work regardless of extensions
Some browser extensions, like React DevTools, send messages to the content area.
Since our beforeunload event test listens for all messages, it used to catch
those as well, failing the test.
Add a `source` field to the payload JSON and check for it before treating the
message as coming from our own test to make sure the test passes even with such
browser extensions installed.
Liam James [Fri, 19 Apr 2024 13:47:52 +0000 (23:47 +1000)]
Offset: Increase search depth when finding the 'real' offset parent
Changes:
* Increase search depth when finding for the real offset parent
* Ignore offset for statically positioned offset parent
* Add tests for the position of an element in a table
Tests: share queue/browser handling for all worker types
- one queue to rule them all: browserstack, selenium, and jsdom
- retries and hard retries are now supported in selenium
- selenium tests now re-use browsers in the same way as browserstack
Attributes: Make `.attr( name, false )` remove for all non-ARIA attrs
The HTML spec defines boolean attributes:
https://html.spec.whatwg.org/#boolean-attributes
that often correlate with boolean properties. If the attribute is missing, it
correlates with the `false` property value, if it's present - the `true`
property value. The only valid values are an empty string or the attribute name.
jQuery tried to be helpful here and treated boolean attributes in a special way
in the `.attr()` API:
1. For the getter, as long as the attribute was present, it was returning the
attribute name lowercased, ignoring the value.
2. For the setter, it was removing the attribute when `false` was passed;
otherwise, it was ignoring the passed value and set the attribute -
interestingly, in jQuery `>=3` not lowercased anymore.
The problem is the spec occasionally converts boolean attributes into ones with
additional attribute values with special behavior - one such example is the new
`"until-found"` value for the `hidden` attribute. Our setter normalization
means passing those values is impossible with jQuery. Also, new boolean
attributes are introduced occasionally and jQuery cannot easily add them to the
list without incurring breaking changes.
This patch removes any special handling of boolean attributes - the getter
returns the value as-is and the setter sets the provided value.
To provide better backwards compatibility with the very frequent `false` value
provided to remove the attribute, this patch makes `false` trigger attribute
removal for ALL non-ARIA attributes. ARIA attributes are exempt from the rule
since many of them recognize `"false"` as a valid value with semantics different
than the attribute missing. To remove an ARIA attribute, use `.removeAttr()` or
pass `null` as the value to `.attr()` which doesn't have this exception.
Fixes gh-5388
Closes gh-5452
Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
Core: Fix the exports setup to make bundlers work with ESM & CommonJS
We cannot pass a single file via the `module` condition as then
`require( "jquery" )` will not return jQuery but instead the module object
with `default`, `$` & `jQuery` as keys. Instead:
1. For Node.js, detected via the `node` condition:
1. Expose a regular CommonJS version to `require`
2. Expose a tiny wrapper over CommonJS to `import`
2. For bundlers, detected via the `module` condition:
1. Expose a regular ESM version to `import`
2. Expose a tiny wrapper over ESM to `require`
3. If neither Node.js nor bundlers are detected (no `node` or `module`
conditions`):
1. Expose a regular CommonJS version to `require`
2. Expose a regular ESM version to `import`
The reasons for such definitions are as follows:
1. In Node.js, one can synchronously import from a CommonJS file inside of
an ESM one but not vice-versa. To use an ESM file in a CommonJS one,
a dynamic import is required and that forces asynchronicity.
2. In some bundlers CommonJS is not necessarily enabled - e.g. in Rollup without
the CommonJS plugin. Therefore, the ESM version needs to be pure ESM.
However, bundlers allow synchronously calling `require` on an ESM file. This
is possible since bundlers merge the files before they are passed to
the browser to execute and the final bundles no longer contain async import
code.
3. Bare ESM & CommonJS versions are provided to non-Node non-bundler
environments where we cannot assume interoperability between ESM & CommonJS
is supported.
4. Bare versions cannot be supplied to Node or bundlers as projects using both
ESM & CommonJS to fetch jQuery would result in duplicate jQuery instances,
leading to increased JS size and disjoint data storage.
In addition to the above changes, the `script` condition has been dropped. Only
Webpack documents this condition and it's not clear when exactly it's triggered.
Adding support for a new condition can be added later without a breaking change;
removing is not so easy.
The `production` & `development` conditions have been removed as well. They were
not really applied correctly; we'd need to provide both of them to each current
leaf which would double the size of the definition for the `.` & `./slim` entry
points. In jQuery, the only difference between development & production builds
is minification; there are no logic changes so we can pass unminified versions
to all the tooling, expecting minification down the line.
As for the factory entry points:
1. Node.js always gets the CommonJS version
2. Bundlers always get the ESM version
3. Other tools take the ESM version when using `import` and the CommonJS when
using `require`.
The complexity is lower than for the `.` & `./slim` entry points because there's
no default export to handle so Node/bundler wrapper files are not necessary.
Other changes:
* Tests: Change "node:assert" to "node:assert/strict"; the former is deprecated
* Docs: Mention that the CommonJS module doesn't expose named exports
* Tests: Run Node & bundler tests for all the above cases
Timmy Willison [Mon, 11 Mar 2024 14:39:38 +0000 (10:39 -0400)]
Tests: add --hard-retries option to test runner
- Add the ability to retry by restarting the worker and
getting a different browser instance, after all
normal retries have been exhausted. This can sometimes
be successful when a refresh is not.
Timmy Willison [Tue, 5 Mar 2024 19:44:01 +0000 (14:44 -0500)]
Tests: reuse browser workers in BrowserStack tests (#5428)
- reuse BrowserStack workers.
- add support for "latest" and "latest-1" in browser version filters
- add support for specifying non-final browser versions, such as beta versions
- more accurate eslint for files in test/runner
- switched `--no-isolate` command flag to `--isolate`. Now that browser instances are shared, it made more sense to me to default to no isolation unless specified. This turned out to be cleaner because the only place we isolate is in browserstack.yml.
- fixed an issue with retries where it wasn't always waiting for the retried test run
- enable strict mode in test yargs command
Timmy Willison [Mon, 26 Feb 2024 14:42:10 +0000 (09:42 -0500)]
Tests: migrate testing infrastructure to minimal dependencies
This is a complete rework of our testing infrastructure. The main goal is to modernize and drop deprecated or undermaintained dependencies (specifically, grunt, karma, and testswarm). We've achieved that by limiting our dependency list to ones that are unlikely to drop support any time soon. The new dependency list includes:
- `qunit` (our trusty unit testing library)
- `selenium-webdriver` (for spinning up local browsers)
- `express` (for starting a test server and adding middleware)
- express middleware includes uses of `body-parser` and `raw-body`
- `yargs` (for constructing a CLI with pretty help text)
- BrowserStack (for running each of our QUnit modules separately in all of our supported browsers)
- `browserstack-local` (for opening a local tunnel. This is the same package still currently used in the new Browserstack SDK)
- We are not using any other BrowserStack library. The newest BrowserStack SDK does not fit our needs (and isn't open source). Existing libraries, such as `node-browserstack` or `browserstack-runner`, either do not quite fit our needs, are under-maintained and out-of-date, or are not robust enough to meet all of our requirements. We instead call the [BrowserStack REST API](https://github.com/browserstack/api) directly.
## BrowserStack Runner
- automatically retries individual modules in case of test failure(s)
- automatically attempts to re-establish broken tunnels
- automatically refreshes the page in case a test run has stalled
- runs all browsers concurrently and uses as many sessions as are available under the BrowserStack plan. It will wait for available sessions if there are none.
- supports filtering the available list of browsers by browser name, browser version, device, OS, and OS version (see `npm run test:unit -- --list-browsers` for more info). It will retrieve the latest matching browser available if any of those parameters are not specified.
- cleans up after itself (closes the local tunnel, stops the test server, etc.)
- Requires `BROWSERSTACK_USERNAME` and `BROWSERSTACK_ACCESS_KEY` environment variables.
## Selenium Runner
- supports running any local browser as long as the driver is installed, including support for headless mode in Chrome, FF, and Edge
- supports running `basic` tests on the latest [jsdom](https://github.com/jsdom/jsdom#readme), which can be seen in action in this PR (see `test:browserless`)
- Node tests will run as before in PRs and all non-dependabot branches, but now includes tests on real Safari in a GH actions macos image instead of playwright-webkit.
- can run multiple browsers and multiple modules concurrently
Other notes:
- Stale dependencies have been removed and all remaining dependencies have been upgraded with a few exceptions:
- `sinon`: stopped supporting IE in version 10. But, `sinon` has been updated to 9.x.
- `husky`: latest does not support Node 10 and runs on `npm install`. Needed for now until git builds are migrated to GitHub Actions.
- `rollup`: latest does not support Node 10. Needed for now until git builds are migrated to GitHub Actions.
- BrowserStack tests are set to run on each `main` branch commit
- `debug` mode leaves Selenium browsers open whether they pass or fail and leaves browsers with test failures open on BrowserStack. The latter is to avoid leaving open too many sessions.
- This PR includes a workflow to dispatch BrowserStack runs on-demand
- The Node version used for most workflow tests has been upgraded to 20.x
- updated supportjQuery to 3.7.1
Run `npm run test:unit -- --help` for CLI documentation
Node.js 20 started throwing errors when `writeHead` is called twice on
a response. This might have already been invalid before but it wasn't throwing
on Node.js 18.
Compute the headers object and call `writeHead` once to avoid the issue.
Timmy Willison [Tue, 6 Feb 2024 14:53:30 +0000 (09:53 -0500)]
Release: use buildDefaultFiles directly and pass version
- also add the ability to pass VERSION in env to test final builds
- adjust sha regex to account for lack of shas
- set the version on the dist package.json
The `attrHooks` entries for boolean attributes are only defined for jQuery 4+;
jQuery 3.x used a separate mechanism - assigning them to
`jQuery.expr.attrHandle`. That object used to be maintained by Sizzle, since
jQuery 3.7.0 it's kept in the selector module. Because of that, the `isXMLDoc`
check used to be require in this hook.
Now that standard `attrHooks` are used, the `isXMLDoc` check already happens
inside of `jQuery.attr` and there's no need to repeat it in the test. Note that
this repetition is even incorrect - while Sizzle's `jQuery.find.attr` used to
treat an `undefined` output of the hooks from `jQuery.expr.attrHandle` as a way
to opt out of the hook, jQuery's `attrHooks` use `null` to opt out of a getter
hook.
Apart from the size, this patch also avoids unnecessary extra checks.
Selector: Eliminate `selector.js` depenencies from various modules
There are two main reasons for why some of those dependencies are no longer
needed:
1. `jQuery.contains` which is now a part of `core`.
2. `jQuery.find.attr` no longer exists, native `getAttribute` is used instead.
Build was already happening in scripts like `test:browser` but those scripts
were missing `pretest`, meaning that running `npm install && npm test:browser`
may have failed if `pretest` wasn't run before or if its results were out of
date.
Even worse, with such stale data some tests may erroneously succeed.
This also removes a separate `pretest` step from GitHub Actions as it's no
longer needed.
The package README used to show examples importing from a regular jQuery file;
this won't work natively. Instead, use module versions of jQuery in these
examples.
CSS:Selector: Align with 3.x, remove the outer `selector.js` wrapper
Bring some changes from `3.x-stable`:
* rename `rtrim` to `rtrimCSS` to distinguish from the previous `rtrim`
regex used for `jQuery.trim`
* backport one `id` selector test that avoids the selector engine path
Other changes:
* remove the inner function wrapper from `selector.js` by renaming
the imported `document.js` value
* use `jQuery.error` in `selectorError`
* make Selector tests pass in all-modules runs by fixing a sinon mistake
in Core tests - Core tests had a spy set up for `jQuery.error` that wasn't
cleaned up, influencing Selector tests when all were run together
projects / jquery.git / log