Skip to content

Bump jest-environment-jsdom/30.3.0#5739

Open
cmalonzo wants to merge 2 commits intomicrosoft:mainfrom
cmalonzo:jest-environment-jsdom/30.3.0
Open

Bump jest-environment-jsdom/30.3.0#5739
cmalonzo wants to merge 2 commits intomicrosoft:mainfrom
cmalonzo:jest-environment-jsdom/30.3.0

Conversation

@cmalonzo
Copy link
Copy Markdown
Contributor

@cmalonzo cmalonzo commented Apr 1, 2026

Bump jest-environment-jsdom to 30.3.0

Addresses: CVE GHSA-vpq2-c234-7xj6

Summary

Upgrades all Jest-related dependencies from ~29.5.0 to ~30.3.0 across heft-jest-plugin and the associated rig packages. This brings in jest-environment-jsdom 30.3.0, which ships with jsdom 26 instead of jsdom 21.

Package version bumps

Package From To
@jest/core, @jest/reporters, @jest/transform ~29.5.0 ~30.3.0
jest-config, jest-resolve, jest-snapshot ~29.5.0 ~30.3.0
jest-environment-jsdom ~29.5.0 ~30.3.0
jest-environment-node ~29.5.0 ~30.3.0

Affected packages: @rushstack/heft-jest-plugin, @rushstack/heft-web-rig, @rushstack/heft-node-rig, @rushstack/heft-vscode-extension-rig, heft-jest-preset-test, heft-jest-reporters-test.

Removed: punycode injection workaround

The previous release added patched-jest-environment-jsdom.ts, which injected the punycode npm package into Node's module cache on Node ≥ 22 to suppress DEP0040 deprecation warnings. This was needed because jsdom 21 → whatwg-url → tr46 called require('punycode') (the deprecated built-in).

jsdom 26 no longer triggers DEP0040. The tr46 dependency was updated in an earlier jsdom release to use require('punycode/') (trailing slash), which resolves the npm userland package instead of the deprecated Node.js built-in. Verified by running jsdom instantiation with --trace-deprecation on Node 24 — no DEP0040 warning fires.

As a result:

  • src/exports/patched-jest-environment-jsdom.ts has been deleted
  • The redirect logic in JestPlugin.ts that intercepted testEnvironment: "jest-environment-jsdom" and rerouted to the patched file has been removed
  • The punycode package has been removed from dependencies

Breaking changes for consumers

Jest 30 introduces several breaking changes that consumers upgrading to this version of heft-jest-plugin should be aware of:

  • window.location is now immutable in jsdom — Object.defineProperty(window, 'location', ...) throws. Use window.history.pushState() / replaceState() instead.
  • Deprecated matcher aliases removed — replace toBeCalled() → toHaveBeenCalled(), toBeCalledWith() → toHaveBeenCalledWith(), toThrowError() → toThrow().
  • Snapshots must be regenerated — error cause is now included in snapshot output.
  • Node.js minimum is 18, TypeScript minimum is 5.4.

@github-project-automation github-project-automation bot moved this to Needs triage in Bug Triage Apr 1, 2026
@cmalonzo cmalonzo changed the title Jest environment jsdom/30.3.0 Bump jest-environment-jsdom/30.3.0 Apr 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iclanton iclanton Awaiting requested review from iclanton iclanton is a code owner

@octogonz octogonz Awaiting requested review from octogonz octogonz is a code owner

@apostolisms apostolisms Awaiting requested review from apostolisms apostolisms is a code owner

@dmichon-msft dmichon-msft Awaiting requested review from dmichon-msft dmichon-msft is a code owner

@jxanthony jxanthony Awaiting requested review from jxanthony jxanthony is a code owner

@bmiddha bmiddha Awaiting requested review from bmiddha bmiddha is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Bug Triage
Status: Needs triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cmalonzo