renovate[bot] 50f41c2212 chore: bump up happy-dom version to v20 [SECURITY] (#13726)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`^18.0.0` -> `^20.0.0`](https://renovatebot.com/diffs/npm/happy-dom/18.0.1/20.0.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/happy-dom/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/happy-dom/18.0.1/20.0.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-61927](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f)

# Escape of VM Context gives access to process level functionality

## Summary
Happy DOM v19 and lower contains a security vulnerability that puts the
owner system at risk of RCE (Remote Code Execution) attacks.

A Node.js VM Context is not an isolated environment, and if the user
runs untrusted JavaScript code within the Happy DOM VM Context, it may
escape the VM and get access to process level functionality.

What the attacker can get control over depends on whether the process is
using ESM or CommonJS. With CommonJS the attacker can get hold of the
`require()` function to import modules.

Happy DOM has JavaScript evaluation enabled by default. This may not be
obvious to the consumer of Happy DOM and can potentially put the user at
risk if untrusted code is executed within the environment.

## Reproduce

### CommonJS (Possible to get hold of require)

```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
     const process = this.constructor.constructor('return process')();
     const require = process.mainModule.require;
  
     console.log('Files:', require('fs').readdirSync('.').slice(0,3));
  </script>
`);
```

### ESM (Not possible to get hold of import or require)

```javascript
const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
     const process = this.constructor.constructor('return process')();
  
     console.log('PID:', process.pid);
  </script>
`);
```

## Potential Impact

#### Server-Side Rendering (SSR)
```javascript
const { Window } = require('happy-dom');
const window = new Window();
window.document.innerHTML = userControlledHTML;
```

#### Testing Frameworks
Any test suite using Happy-DOM with untrusted content may be at risk.

## Attack Scenarios

1. **Data Exfiltration**: Access to environment variables, configuration
files, secrets
2. **Lateral Movement**: Network access for connecting to internal
systems. Happy DOM already gives access to the network by fetch, but has
protections in place (such as CORS and header validation etc.).
3. **Code Execution**: Child process access for running arbitrary
commands
4. **Persistence**: File system access

## Recommended Immediate Actions

1. Update Happy DOM to v20 or above
    - This version has JavaScript evaluation disabled by default
    - This version will output a warning if JavaScript is enabled in an
      insecure environment
2. Run Node.js with the "--disallow-code-generation-from-strings" flag if
   you need JavaScript evaluation enabled
    - This makes sure that evaluation can't be used at process level to
      escape the VM
    - `eval()` and `Function()` can still be used within the Happy DOM VM
      without any known security risk
    - Happy DOM v20 and above will output a warning if this flag is not in
      use
3. If you can't update Happy DOM right now, it's recommended to disable
   JavaScript evaluation, unless you completely trust the content within
   the environment

## Technical Root Cause

All classes and functions inherit from
[Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function).
By walking the constructor chain it's possible to get hold of
[Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function)
at process level. As
[Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function)
can evaluate code from strings, it's possible to execute code at process
level.

Running Node with the "--disallow-code-generation-from-strings" flag
protects against this.

---

### Release Notes

<details>
<summary>capricorn86/happy-dom (happy-dom)</summary>

### [`v20.0.0`](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...819d15ba289495439eda8be360d92a614ce22405)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.2...v20.0.0)

### [`v19.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.2)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.1...v19.0.2)

##### :construction\_worker\_man: Patch fixes

- Fixes issue related to CSS pseudo selector `:scope` that didn't work
correctly for direct descendants to root - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620)

### [`v19.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.1)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v19.0.0...v19.0.1)

##### :construction\_worker\_man: Patch fixes

- Fixes issue with sending in URLs as string in
`@happy-dom/server-renderer` config using CLI - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1908](https://redirect.github.com/capricorn86/happy-dom/issues/1908)

### [`v19.0.0`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v19.0.0)

[Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v18.0.1...v19.0.0)

##### 💣 Breaking Changes

- Removes support for CommonJS - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
    - Support for CommonJS is no longer needed as Node.js v18 is deprecated
      and v20 and above supports loading ES modules from CommonJS using
      `require()`
- Updates Jest to v30 in the `@happy-dom/jest-environment` package - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Makes Jest packages peer dependencies to make it easier to align
versions with the project using `@happy-dom/jest-environment` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

##### 🎨 Features

- Adds a new package called `@happy-dom/server-renderer` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
    - This package provides a simple way to statically render (SSG) or
      server-side render (SSR) your client-side application
    - Read more in the Wiki under
      [Server-Renderer](https://redirect.github.com/capricorn86/happy-dom/wiki/Server-Renderer)
- Adds support for `import.meta` to the ESM compiler - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the CSS pseudo selector `:scope` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1620](https://redirect.github.com/capricorn86/happy-dom/issues/1620)
- Improves support for `MediaList` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `CSSKeywordValue`, `CSSStyleValue`,
`StylePropertyMap`, `StylePropertyMap`, `StylePropertyMapReadOnly` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Improves debug information in the ESM compiler - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds validation of browser settings when creating a new `Browser`
instance - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting
[navigation.beforeContentCallback](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings)
which makes it possible to inject event listeners or logic before
content is loaded to the document when navigating a browser frame - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting
[fetch.requestHeaders](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings)
which provides a declarative and simple way to add request headers
- By **[@&#8203;capricorn86](https://redirect.github.com/capricorn86)**
in task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for setting an object to
[timer.preventTimerLoops](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings)
which makes it possible to define different settings for `setTimeout()`
and `requestAnimationFrame()` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the browser setting
[viewport](https://redirect.github.com/capricorn86/happy-dom/wiki/IBrowserSettings)
which makes it possible to define a default viewport size - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for the parameters `beforeContentCallback` and `headers`
to `BrowserFrame.goto()`, `BrowserFrame.goBack()`,
`BrowserFrame.goForward()`, `BrowserFrame.goSteps()` and
`BrowserFrame.reload()` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `PopStateEvent` and triggers the event when navigating
the page history using `History.pushState()` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Use local file paths for virtual server files in stack traces - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds support for `ResponseCache.fileSystem.load()` and
`ResponseCache.fileSystem.save()` for storing and loading cache from the
file system - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

##### :construction\_worker\_man: Patch fixes

- Fixes a bug in the ESM compiler that caused it to fail to parse
certain code - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Disables the same origin policy when navigating a browser frame using
`BrowserFrame.goto()` - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Fixes bug where CSS selectors with the pseudos "+" and ">" failed for
selectors without arguments - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)
- Adds try and catch to listeners for events dispatched from
`XMLHttpRequest` to prevent it from being set to an invalid state if a
listener throws an Error - By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1730](https://redirect.github.com/capricorn86/happy-dom/issues/1730)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-13 14:07:31 +00:00
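The advisory above recommends two things for anyone who still needs script evaluation in Happy DOM: run Node.js with `--disallow-code-generation-from-strings`, and otherwise keep evaluation off for untrusted content. The following is an added example, not code from the advisory, from happy-dom or from the AFFiNE repository. It is a start-up check that a service can run before constructing a `Window`: it probes whether process-level code generation from strings is blocked (Node.js throws an `EvalError` from `new Function()` under that flag, which is what stops the constructor-chain escape from reaching a usable `Function`), cross-checks the command line and `NODE_OPTIONS`, and only then decides whether evaluation may be enabled. The setting name `enableJavaScriptEvaluation` is an assumption about the v20 settings object; the advisory only states that evaluation is disabled by default in v20.

```javascript
'use strict';
// Added example for this dependency bump; it is not code from the happy-dom
// advisory, the happy-dom project, or the AFFiNE repository. It gates Happy DOM
// JavaScript evaluation on the process-level hardening the advisory recommends.

const FLAG = '--disallow-code-generation-from-strings';

// Probe whether code generation from strings is allowed in the main context.
// With the flag set, Node.js throws an EvalError for `new Function(...)`;
// that is the mechanism that neutralises the VM escape described above.
function codeGenerationFromStringsAllowed() {
  try {
    new Function('return 1'); // eslint-disable-line no-new-func
    return true;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err; // anything else is a bug, not a policy signal
  }
}

// Complementary check on how the process was started. The flag may come from
// the command line (execArgv) or from NODE_OPTIONS; both are inspected.
function flagPresent(execArgv = process.execArgv, nodeOptions = process.env.NODE_OPTIONS || '') {
  return execArgv.includes(FLAG) || nodeOptions.split(/\s+/).includes(FLAG);
}

// Derive the settings object to pass to `new Window({ settings })`.
// `enableJavaScriptEvaluation` is an ASSUMED name for the v20 setting; the
// advisory only says evaluation is off by default in v20.
function evaluationPolicy({ wantJavaScript, contentTrusted, codegenAllowed }) {
  if (!wantJavaScript) {
    return { settings: { enableJavaScriptEvaluation: false }, allowed: false,
      reason: 'JavaScript evaluation not requested' };
  }
  if (contentTrusted) {
    return { settings: { enableJavaScriptEvaluation: true }, allowed: true,
      reason: 'content is fully trusted' };
  }
  if (codegenAllowed) {
    // Untrusted content plus an unhardened process: refuse rather than warn.
    return { settings: { enableJavaScriptEvaluation: false }, allowed: false,
      reason: `refusing to evaluate untrusted scripts: start node with ${FLAG}` };
  }
  return { settings: { enableJavaScriptEvaluation: true }, allowed: true,
    reason: 'untrusted content, but process-level code generation is disabled' };
}

// Convenience wrapper that uses the live process state.
function policyForThisProcess(wantJavaScript, contentTrusted) {
  return evaluationPolicy({
    wantJavaScript,
    contentTrusted,
    codegenAllowed: codeGenerationFromStringsAllowed(),
  });
}

// Stand-alone run: print what this process would decide for untrusted input.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(`flag on command line / NODE_OPTIONS: ${flagPresent()}`);
  console.log(`code generation from strings allowed: ${codeGenerationFromStringsAllowed()}`);
  console.log(`policy: ${JSON.stringify(policyForThisProcess(true, false))}`);
}
```

Run it once as `node check.js` and once as `node --disallow-code-generation-from-strings check.js` to see the decision flip. The `new Function` probe is the authoritative signal, since it reflects whatever the runtime actually enforces, including a flag inherited through a parent process; the `flagPresent()` check is there so a misconfiguration can be reported with the exact flag to add.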

AFFiNE.Pro
Write, Draw and Plan All at Once


A privacy-focused, local-first, open-source, and ready-to-use alternative for Notion & Miro.
One hyper-fused platform for wildly creative minds.

Special thanks to Blaze for their support of this project. They provide high-performance Apple Silicon macOS and Linux (AMD64 & ARM64) runners for GitHub Actions, greatly reducing our automated build times.




Docs, canvas and tables are hyper-merged with AFFiNE - just like the word affine (əˈfʌɪn | a-fine).

Getting started & staying tuned with us.

Star us, and you will receive all release notifications from GitHub without any delay!

What is AFFiNE

AFFiNE is an open-source, all-in-one workspace and an operating system for all the building blocks that assemble your knowledge base and much more -- wiki, knowledge management, presentation and digital assets. It's a better alternative to Notion and Miro.

Features

A true canvas for blocks in any form. Docs and whiteboard are now fully merged.

  • Many editor apps claim to be a canvas for productivity, but AFFiNE is one of the very few which allows you to put any building block on an edgeless canvas -- rich text, sticky notes, any embedded web pages, multi-view databases, linked pages, shapes and even slides. We have it all.

Multimodal AI partner ready to kick in any work

  • Write up a professional work report? Turn an outline into expressive and presentable slides? Summarize an article into a well-structured mindmap? Sort your job plan and backlog for tasks? Or... draw and code prototype apps and web pages directly, all with one prompt? With you, AFFiNE AI pushes your creativity to the edge of your imagination, just like Canvas AI generating a mind map for brainstorming.

Local-first & Real-time collaborative

  • We love the idea of local-first that you always own your data on your disk, in spite of the cloud. Furthermore, AFFiNE supports real-time sync and collaborations on web and cross-platform clients.

Self-host & Shape your own AFFiNE

  • You have the freedom to manage, self-host, fork and build your own AFFiNE. Plugin community and third-party blocks are coming soon. More tractions on Blocksuite. Check there to learn how to self-host AFFiNE.

Acknowledgement

“We shape our tools and thereafter our tools shape us”. A lot of pioneers have inspired us along the way, e.g.:

  • Quip & Notion with their great concept of “everything is a block”
  • Trello with their Kanban
  • Airtable & Miro with their no-code programmable datasheets
  • Miro & Whimsical with their edgeless visual whiteboard
  • Remote & Capacities with their object-based tag system

There is a large overlap of their atomic “building blocks” between these apps. They are not open source, nor do they have a plugin system like Vscode for contributors to customize. We want to have something that contains all the features we love and also goes one step even further.

Thanks for checking us out, we appreciate your interest and sincerely hope that AFFiNE resonates with you! 🎵 Check https://affine.pro/ for more details.

Contributing

  • Bug Reports: Create a bug report (something isn't working as expected)
  • Feature Requests: Submit a feature request (an idea for a new feature, or improvements)
  • Questions/Discussions: Check GitHub Discussion (discuss and ask questions)
  • AFFiNE Community: Visit the AFFiNE Community (a place to ask, learn and engage with others)

Calling all developers, testers, tech writers and more! Contributions of all types are more than welcome, you can read more in docs/types-of-contributions.md. If you are interested in contributing code, read our docs/CONTRIBUTING.md and feel free to check out our GitHub issues to get stuck in and show us what you're made of.

Before you start contributing, please make sure you have read and accepted our Contributor License Agreement. To indicate your agreement, simply edit this file and submit a pull request.

For bug reports, feature requests and other suggestions you can also create a new issue and choose the most appropriate template for your feedback.

For translation and language support you can visit our i18n General Space.

Looking for other ways to contribute and wondering where to start? Check out the AFFiNE Ambassador program, we work closely with passionate community members and provide them with a wide range of support and resources.

If you have questions, you are welcome to contact us. One of the best places to get more info and learn more is in the AFFiNE Community where you can engage with other like-minded individuals.

Templates

AFFiNE now provides pre-built templates from our team. Following are the Top 10 most popular templates among AFFiNE users; if you want to contribute, you can contribute your own template so other people can use it too.

Blog

Welcome to the AFFiNE blog section! Here, you'll find the latest insights, tips, and guides on how to maximize your experience with AFFiNE and AFFiNE AI, the leading Canvas AI tool for flexible note-taking and creative organization.

Ecosystem

  • @affine/component - AFFiNE Component Resources
  • @toeverything/theme - AFFiNE theme

Upstreams

We would also like to give thanks to open-source projects that make AFFiNE possible:

  • Blocksuite - 💠 BlockSuite is the open-source collaborative editor project behind AFFiNE.
  • OctoBase - 🐙 OctoBase is the open-source database behind AFFiNE, local-first, yet collaborative. A light-weight, scalable, data engine written in Rust.
  • yjs - Fundamental support of CRDTs for our implementation on state management and data sync.
  • electron - Build cross-platform desktop apps with JavaScript, HTML, and CSS.
  • React - The library for web and native user interfaces.
  • napi-rs - A framework for building compiled Node.js add-ons in Rust via Node-API.
  • Jotai - Primitive and flexible state management for React.
  • async-call-rpc - A lightweight JSON RPC client & server.
  • Vite - Next generation frontend tooling.
  • Other upstream dependencies.

Thanks a lot to the community for providing such powerful and simple libraries, so that we can focus more on the implementation of the product logic, and we hope that in the future our projects will also provide a more easy-to-use knowledge base for everyone.

Contributors

We would like to express our gratitude to all the individuals who have already contributed to AFFiNE! If you have any AFFiNE-related project, documentation, tool or template, please feel free to contribute it by submitting a pull request to our curated list on GitHub: awesome-affine.


Self-Host

Begin with Docker to deploy your own feature-rich, unrestricted version of AFFiNE. Our team is diligently updating to the latest version. For more information on how to self-host AFFiNE, please refer to our documentation.


Hiring

Some amazing companies, including AFFiNE, are looking for developers! Are you interested in joining AFFiNE or its partners? Check out our Discord channel for some of the latest jobs available.

Feature Request

For feature requests, please see community.affine.pro.

Building

Codespaces

From the GitHub repo main page, click the green "Code" button and select "Create codespace on master". This will open a new Codespace with the (supposedly auto-forked) AFFiNE repo cloned, built, and ready to go.

Local

See BUILDING.md for instructions on how to build AFFiNE from source code.

Contributing

We welcome contributions from everyone. See docs/contributing/tutorial.md for details.

Thanks

Chromatic

Thanks to Chromatic for providing the visual testing platform that helps us review UI changes and catch visual regressions.

License

Editions

  • AFFiNE Community Edition (CE) is the currently available version; it's free to self-host under the MIT license.

  • AFFiNE Enterprise Edition (EE) is yet to be published. It will have more advanced features and enterprise-oriented offerings, including but not limited to rebranding and SSO, advanced admin and audit, etc.; you may refer to https://affine.pro/pricing for more information.

See LICENSE for details.
