chore: upgrade jsdom from 28 to 29

[Aureliolo]

Summary

• Upgrade jsdom devDependency from ^28 (28.1.0) to ^29 (29.0.0) in the web dashboard
• Extracted from grouped Dependabot PR chore: bump the major group across 1 directory with 3 updates #481 (which also bumps tailwindcss insiders → stable, intentionally left on nightly)

Changelog Review (28.1.0 → 29.0.0)

Breaking: Node.js v22.13.0+ minimum for v22 users (was v22.12.0+) — does not affect us (CI uses Node 20)

Improvements:

• Overhauled CSSOM implementation (replaced @acemir/cssom + cssstyle with internal css-tree-based impl)
• Document initialization performance (~0.5ms saved per Document via lazy CSS selector engine init)
• Fixed memory leak when stylesheets removed from document
• Fixed potential hang in synchronous XMLHttpRequest (race condition)
• Added bad port blocking per fetch spec

Test plan

• npm --prefix web run test — 541 tests pass (62 files)
• npm --prefix web run lint — 0 errors (17 pre-existing warnings)
• npm --prefix web run type-check — clean
• Pre-commit hooks pass

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@asamuzakjp/dom-selector	7.0.3	Unknown	Unknown
npm/@csstools/css-syntax-patches-for-csstree	1.1.1	🟢 7	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/27 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits
npm/jsdom	29.0.0	🟢 6.6	Details Check Score Reason Code-Review ⚠️ 2 Found 6/27 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/undici	7.24.4	🟢 7.8	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 4 Found 13/28 approved changesets -- score normalized to 4 Security-Policy 🟢 9 security policy file detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 8 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 9 SAST tool detected but not run on all commits Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md CI-Tests 🟢 10 15 out of 15 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 81 contributing companies or organizations

Scanned Files

• web/package-lock.json

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a significant upgrade of the jsdom development dependency to its latest major version, v29. This update is crucial for incorporating the latest performance enhancements, bug fixes, and architectural improvements, particularly in how CSSOM is handled. The change also streamlines jsdom's internal dependency tree, contributing to a more robust and efficient testing environment for the web dashboard.

Highlights

• Dependency Upgrade: Upgraded the jsdom development dependency in the web dashboard from version 28 to 29.
• CSSOM Implementation: The jsdom upgrade includes an overhauled CSSOM implementation, replacing external libraries (@acemir/cssom, cssstyle) with an internal css-tree-based solution.
• Performance Improvements: Document initialization performance in jsdom has been improved, saving approximately 0.5ms per Document via lazy CSS selector engine initialization.
• Bug Fixes: Addressed a memory leak when stylesheets were removed from a document and fixed a potential hang in synchronous XMLHttpRequest due to a race condition within jsdom.
• Dependency Streamlining: Several transitive dependencies such as agent-base, http-proxy-agent, and https-proxy-agent were removed as they are no longer direct dependencies of jsdom.

Changelog

• web/package-lock.json
  • Upgraded jsdom from 28.1.0 to 29.0.0.
  • Removed @acemir/cssom and cssstyle packages.
  • Updated @asamuzakjp/dom-selector from 6.8.1 to 7.0.3.
  • Updated @csstools/css-syntax-patches-for-csstree from 1.1.0 to 1.1.1.
  • Removed agent-base, http-proxy-agent, and https-proxy-agent packages.
  • Updated undici from 7.24.2 to 7.24.4.
  • Adjusted Node.js engine requirement for jsdom to ^20.19.0 || ^22.13.0 || >=24.0.0.
  • Updated various transitive dependencies including css-tree, lru-cache, @exodus/bytes, tough-cookie, and whatwg-url.
• web/package.json
  • Updated jsdom devDependency from ^28 to ^29.

Activity

• All 541 web tests (npm --prefix web run test) passed successfully.
• Web linting (npm --prefix web run lint) completed with 0 errors.
• Web type-checking (npm --prefix web run type-check) reported no issues.
• All pre-commit hooks passed.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 90dc2531-e98a-4761-b23d-3fac7a7f5845

📥 Commits

Reviewing files that changed from the base of the PR and between 4bd99f7 and 635c4b8.

⛔ Files ignored due to path filters (1)

• web/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• web/package.json

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build Sandbox
• GitHub Check: Build Backend
• GitHub Check: Build Web
• GitHub Check: Analyze (python)

🧰 Additional context used

📓 Path-based instructions (1)

web/package.json

📄 CodeRabbit inference engine (CLAUDE.md)

Web dashboard: Node.js 20+, dependencies in web/package.json (Vue 3, PrimeVue, Tailwind CSS, Pinia, VueFlow, ECharts, Axios, vue-draggable-plus, Vitest, fast-check, ESLint, vue-tsc)

Files:

• web/package.json

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T20:29:28.807Z
Learning: Applies to web/package.json : Web dashboard: Node.js 20+, dependencies in `web/package.json` (Vue 3, PrimeVue, Tailwind CSS, Pinia, VueFlow, ECharts, Axios, vue-draggable-plus, Vitest, fast-check, ESLint, vue-tsc)

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to web/** : Web dashboard: Node.js 20+, dependencies in web/package.json (Vue 3, PrimeVue, Tailwind CSS, Pinia, VueFlow, ECharts, Axios, vue-draggable-plus, Vitest, fast-check, ESLint, vue-tsc).

📚 Learning: 2026-03-16T20:29:28.807Z

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-16T20:29:28.807Z
Learning: Applies to web/package.json : Web dashboard: Node.js 20+, dependencies in `web/package.json` (Vue 3, PrimeVue, Tailwind CSS, Pinia, VueFlow, ECharts, Axios, vue-draggable-plus, Vitest, fast-check, ESLint, vue-tsc)

Applied to files:

• web/package.json

📚 Learning: 2026-03-15T11:48:14.867Z

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T11:48:14.867Z
Learning: Applies to web/** : Web dashboard: Node.js 20+, dependencies in web/package.json (Vue 3, PrimeVue, Tailwind CSS, Pinia, VueFlow, ECharts, Axios, vue-draggable-plus, Vitest, fast-check, ESLint, vue-tsc).

Applied to files:

• web/package.json

🔇 Additional comments (1)

web/package.json (1)

43-43: Dependency bump is clean and the lockfile is correctly resolved.

No blockers on Line 43. The jsdom upgrade (29.0.0) is isolated to devDependencies and is compatible with the repository's Node.js 22 baseline used in CI. The test, lint, and type-check runs confirm safe adoption in this PR.

---

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Updated development dependency for testing framework compatibility.

Walkthrough

Updated the jsdom devDependency version in web/package.json from ^28 to ^29. This is a straightforward dependency version bump with no functional code changes.

Changes

Cohort / File(s)	Summary
Dependency Update web/package.json	Updated jsdom devDependency version from ^28 to ^29.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: upgrading jsdom from version 28 to 29 in the web package.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the upgrade rationale, changelog highlights, and thorough test verification.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/upgrade-jsdom-29

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch chore/upgrade-jsdom-29

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​jsdom@​28.1.0 ⏵ 29.0.0	+26		+1	-3

View full report

[gemini-code-assist]

Code Review

This pull request upgrades the jsdom development dependency from version 28 to 29. The changes are confined to package.json and package-lock.json and are consistent with the upgrade. The pull request description includes a review of the jsdom changelog and a test plan showing that all checks pass. The changes appear correct and I have no further feedback.