chore(onda-12.1): bump jsdom 20 → 29 (closes 3 NPM vulns) #205

Merged: adm01-debug merged 2 commits into main from hardening/onda-12-1-jsdom-29 on May 14, 2026

Conversation

@adm01-debug (Owner) commented May 14, 2026

📋 Sub-wave 12.1 of the Pre-Prod Hardening Plan (Wave 12)

Updates jsdom from ^20.0.3 to ^29.1.1, closing 3 of the 5 NPM vulnerabilities detected on main.

🔓 Vulnerabilities closed

| Package | Severity | Status |
|---|---|---|
| @tootallnate/once | low (CVSS 3.3) | ✅ Removed (was transitive via jsdom 20) |
| http-proxy-agent | low | ✅ Removed (was transitive via jsdom 20) |
| jsdom | low | ✅ Resolved (direct upgrade 20→29) |

npm audit: 5 vulns → 2 vulns (-3)

🎯 Remaining vulnerabilities (targets of the next sub-waves)

| Package | Severity | Target |
|---|---|---|
| esbuild | moderate | Sub-wave 12.2 (vite 5→6 brings esbuild 0.25+) |
| vite | moderate | Sub-wave 12.3 (vite 6→7) |

📦 Transitive changes (50 packages changed)

  • nwsapi removed (old CSS selector engine)
  • @asamuzakjp/dom-selector added (new CSS selector engine)
  • ⬆️ undici v7 (modern fetch, replaces the jsdom-side fetch)
  • ⬆️ whatwg-url v16 (was 11)
  • ⬆️ parse5 v8, lru-cache v11
  • @asamuzakjp/css-color, @asamuzakjp/generational-cache

✅ Prerequisites satisfied

  • jsdom@29 requires Node ^20.19 || >=22.13, already guaranteed by Sub 12.0 (PR "Hardening/onda 12 0 bump node engine" #203)
  • vitest@3 accepts jsdom: '*', peer dep OK
  • @vitejs/plugin-react-swc@4 accepts vite ^4..^8, no upgrade needed
  • tests/setup.ts already has defensive polyfills (matchMedia, IntersectionObserver, ResizeObserver, scrollTo)

⚠️ Runtime change that may affect tests

  • fetch() is now native Node (undici v7), no longer jsdom-side
  • Invalid URLs → real DNS resolution → ENOTFOUND instead of a mock
  • In CI: real secrets or silent skip (Boolean(URL && KEY))
  • Locally: a .env.local with a fake URL (https://x.supabase.co) would cause fetch errors, but .env.local is in .gitignore and does not affect CI

🔍 Risk surface analysis

The pre-flight check identified a LOW risk surface:

| jsdom-sensitive API | Occurrences in tests |
|---|---|
| XMLHttpRequest | 0 ✅ |
| :has()/:where()/:is() selectors | 0 ✅ |
| document.cookie | 0 ✅ |
| createRange/getBoundingClientRect | 0 ✅ |
| URL/URLSearchParams | 16 ⚠️ (whatwg-url 11→16 changes are subtle) |

📈 Next sub-waves

| Sub | Content | Target vulns |
|---|---|---|
| 12.2 | vite@5 → 6 | esbuild (moderate) |
| 12.3 | vite@6 → 7 | vite (moderate) |
| 12.4 | Final validation + npm audit at zero + docs | |

Architectural decision: we will stop at vite@7. vite@8 replaces Rollup with Rolldown (beta) and removes rollupOptions, which would be a major change.

Branch: hardening/onda-12-1-jsdom-29
Base: main (dc00e4635, Sub 12.0 merged)
Diff: +363/-411 (package.json + package-lock.json only)


Summary by cubic

Upgrade jsdom from ^20.0.3 to ^29.1.1 to close 3 NPM vulnerabilities and align with Node 20.19+/22.13+. npm audit drops from 5 to 2 remaining issues (esbuild, vite) queued for the next sub-ondas.

  • Dependencies

    • Replaced legacy selector stack with @asamuzakjp/dom-selector and css-tree.
    • Switched to Node fetch via undici@7; removed http-proxy-agent and @tootallnate/once.
    • Bumped transitive libs: whatwg-url@16, parse5@8, lru-cache@11, tough-cookie@6.
    • jsdom@29 now requires Node ^20.19 || ^22.13 || >=24 (already satisfied).
  • Migration

    • fetch() is now Node-native (Undici). Invalid or fake URLs may error with ENOTFOUND.
    • No test code changes expected; existing polyfills remain fine.
    • Keep env URLs valid in local .env.local to avoid real DNS lookups.

Written for commit c0ea36d. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated a development-environment dependency to a newer version, improving compatibility and performance in the automated tests.

Closes 3 low vulnerabilities:
- @tootallnate/once <3.0.1 (GHSA-vpq2-c234-7xj6)
- http-proxy-agent 4.0.1-5.0.0 (via @TooTallNate)
- jsdom <22 (via http-proxy-agent)

jsdom@29 brings a new CSS selector engine (@asamuzakjp/dom-selector),
undici v7, and requires Node 20.19+ or 22.13+ (already prepared in Sub 12.0).

Local validation (smokes):
- tests/utils/price-freshness.test.ts: 9/9 passed
- tests/components/CloudStatusBanner.test.tsx: 11/11 passed
- tests/hooks/usePasswordBreachCheck.test.tsx: 5/5 passed (crypto.subtle + fetch)

npm audit: 5 → 2 vulnerabilities (only esbuild + vite moderate remain,
to be closed in Sub 12.2 and 12.3).
Copilot AI review requested due to automatic review settings May 14, 2026 20:19
@vercel vercel Bot commented May 14, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| promo-gifts | Ready | Preview, Comment | May 14, 2026 8:20pm |

@supabase supabase Bot commented May 14, 2026

This pull request has been ignored for the connected project doufsxqlfjyuvxuezpln because there are no changes detected in the supabase directory. You can change this behaviour in Project Integrations Settings.

@coderabbitai coderabbitai Bot (Contributor) commented May 14, 2026

Walkthrough

Simple update of the jsdom version in package.json from ^20.0.3 to ^29.1.1. An isolated single-line change that affects only the declared version of the dependency.

Changes

| Layer / File(s) | Summary |
|---|---|
| jsdom version update (package.json) | The jsdom dependency is updated from ^20.0.3 to ^29.1.1. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title is specific and clearly describes the main change: bump jsdom from v20 to v29, including the relevant security context (closing 3 NPM vulnerabilities). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Copilot AI left a comment

Pull request overview

Bumps jsdom from ^20.0.3 to ^29.1.1 to close 3 of 5 npm audit vulnerabilities (@tootallnate/once, http-proxy-agent, jsdom). The change is limited to package.json and package-lock.json; node engine and polyfills already satisfy the new requirements (Sub 12.0/PR #203).

Changes:

  • Update jsdom direct dependency from ^20.0.3 to ^29.1.1.
  • Refresh transitive dependency tree in package-lock.json (new @asamuzakjp/*, @csstools/*, undici@7, whatwg-url@16, tough-cookie@6, etc.; removes nwsapi, abab, domexception, form-data, http-proxy-agent, https-proxy-agent, @tootallnate/once, etc.).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| package.json | Bumps jsdom devDependency to ^29.1.1. |
| package-lock.json | Regenerated lockfile reflecting the jsdom 29 dependency tree and updated root engines field. |


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 142: The package.json engines.node range must be tightened to match
jsdom@29.1.1's minimum supported Node versions; update the engines.node semver
(the "engines.node" field) from ">=22.12.0" to ">=22.13.0 || ^20.19.0" (or the
equivalent ordered semver string "^20.19.0 || >=22.13.0") so the declared Node
requirement aligns with jsdom@^29.1.1 and prevents installs on unsupported Node
22.12.x.

📥 Commits

Reviewing files that changed from the base of the PR and between dc00e46 and c0ea36d.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"input-otp": "^1.2.4",
"jest-axe": "^10.0.0",
"jsdom": "^20.0.3",
"jsdom": "^29.1.1",
@coderabbitai coderabbitai Bot (Contributor) commented
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Engine declarado no package.json:"
python - <<'PY'
import json
with open("package.json", "r", encoding="utf-8") as f:
    pkg = json.load(f)
print(pkg.get("engines", {}).get("node"))
PY

echo
echo "Engine exigido por jsdom@29.1.1 (registry npm):"
python - <<'PY'
import json, urllib.request
with urllib.request.urlopen("https://registry.npmjs.org/jsdom/29.1.1", timeout=20) as r:
    data = json.load(r)
print(data.get("engines", {}).get("node"))
PY

Repository: adm01-debug/Promo_Gifts

Length of output: 2772


🌐 Web query:

jsdom 29.1.1 npm node version requirements engines

💡 Result:

jsdom 29.1.1 requires Node.js ^20.19.0 || ^22.13.0 || >=24.0.0, as specified in its package.json "engines" field.[1][2][3] This requirement was established starting from v27.0.1 via dependency updates, made explicit in subsequent releases including v29.0.0 which updated the minimum v22 to 22.13.0,[4][5][6] and remains the same for patch releases like 29.1.1. The project's README and multiple sources confirm to check the package.json engines field for exact Node.js compatibility.[1][7][8]

Align engines.node with the actual minimum requirement of jsdom@29.1.1.

With the change on Line 142 to jsdom@^29.1.1, the project now requires Node ^20.19.0 || >=22.13.0, but Line 188 still allows >=22.12.0. This will accept a Node version that jsdom does not support and break install/test in CI or locally on Node 22.12.x.

🔧 Suggested adjustment
   "engines": {
-    "node": "^20.19.0 || >=22.12.0",
+    "node": "^20.19.0 || >=22.13.0",
     "npm": ">=10.0.0"
   }
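Review bot: the replacement range `^20.19.0 || >=22.13.0` on the `+` line still admits Node 23.x, which the jsdom engines string quoted in the analysis chain above (`^20.19.0 || ^22.13.0 || >=24.0.0`) excludes; mirroring jsdom's own range verbatim would close that gap as well as the 22.12.x one, and the `npm` line needs no change.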

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:142">
P2: This jsdom upgrade introduces a Node engine mismatch: project engines allow Node 23.x, but jsdom 29 does not. Align the project Node range with jsdom’s supported range to avoid install/runtime incompatibility in Node 23 environments.</violation>
</file>


Comment thread package.json
"input-otp": "^1.2.4",
"jest-axe": "^10.0.0",
"jsdom": "^20.0.3",
"jsdom": "^29.1.1",
@cubic-dev-ai cubic-dev-ai Bot commented May 14, 2026

P2: This jsdom upgrade introduces a Node engine mismatch: project engines allow Node 23.x, but jsdom 29 does not. Align the project Node range with jsdom’s supported range to avoid install/runtime incompatibility in Node 23 environments.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 142:

<comment>This jsdom upgrade introduces a Node engine mismatch: project engines allow Node 23.x, but jsdom 29 does not. Align the project Node range with jsdom’s supported range to avoid install/runtime incompatibility in Node 23 environments.</comment>

<file context>
@@ -139,7 +139,7 @@
     "input-otp": "^1.2.4",
     "jest-axe": "^10.0.0",
-    "jsdom": "^20.0.3",
+    "jsdom": "^29.1.1",
     "jspdf": "4.2.1",
     "jspdf-autotable": "5.0.7",
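Review bot: this hunk changes only the `jsdom` entry at line 142, while the `engines.node` range (line 188 per the CodeRabbit comment above) that both reviewers flag as wider than jsdom 29's supported range is left untouched; tightening the engine range in the same commit keeps `npm install` from succeeding on Node versions that jsdom 29 rejects.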
</file context>
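The engine-range disagreement between the two bot reviews above (CodeRabbit's `>=22.13.0` suggestion versus cubic's Node 23.x finding) can be checked mechanically by probing boundary versions against both ranges. This is an added example, not code from the PR or from either bot; it assumes only the three range strings quoted in the thread and implements the `^` and `>=` comparators itself instead of depending on the npm `semver` package.

```python
import re

# Ranges quoted in the review thread above (constructed inputs for this check).
PROJECT_RANGE = "^20.19.0 || >=22.12.0"                # engines.node before the fix
CODERABBIT_FIX = "^20.19.0 || >=22.13.0"               # range CodeRabbit suggests
JSDOM_RANGE = "^20.19.0 || ^22.13.0 || >=24.0.0"       # jsdom@29.1.1 engines.node

# Boundary versions chosen to straddle every comparator in the ranges above.
PROBES = ["20.18.0", "20.19.0", "22.12.0", "22.13.0", "23.5.0", "24.0.0"]


def parse_version(text):
    """'22.13.0' -> (22, 13, 0); tuples compare in semver order."""
    return tuple(int(part) for part in text.split("."))


def _comparator_ok(comp, version):
    """Evaluate one comparator. Only '^x.y.z' and '>=x.y.z' are supported,
    which is all the ranges in this thread use; '^' assumes major >= 1."""
    match = re.fullmatch(r"(\^|>=)(\d+\.\d+\.\d+)", comp.strip())
    if not match:
        raise ValueError(f"unsupported comparator: {comp!r}")
    op, base = match.group(1), parse_version(match.group(2))
    if op == ">=":
        return version >= base
    return version[0] == base[0] and version >= base   # caret: same major


def satisfies(version, range_expr):
    """True if version matches any '||'-separated alternative of the range."""
    version = parse_version(version)
    for alternative in range_expr.split("||"):
        comparators = alternative.split()
        if comparators and all(_comparator_ok(c, version) for c in comparators):
            return True
    return False


def engine_gaps(project_range, dep_range, candidates):
    """Versions the project's engines.node accepts but the dependency rejects."""
    return [v for v in candidates
            if satisfies(v, project_range) and not satisfies(v, dep_range)]


if __name__ == "__main__":
    for label, rng in (("current", PROJECT_RANGE), ("suggested", CODERABBIT_FIX)):
        gaps = engine_gaps(rng, JSDOM_RANGE, PROBES)
        print(f"{label} range {rng!r}: allowed by project, rejected by jsdom: {gaps}")
```

With the current range the gaps are 22.12.0 and 23.5.0; with CodeRabbit's suggested range only 23.5.0 remains, which is exactly cubic's finding, and using jsdom's own range leaves no gap.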

@adm01-debug adm01-debug merged commit 02998e6 into main May 14, 2026
24 of 26 checks passed
@adm01-debug adm01-debug deleted the hardening/onda-12-1-jsdom-29 branch May 14, 2026 20:25