happy-dom 14.12.3 vulnerabilities #7484

Nick-Minutello · 2025-02-13T15:27:42Z

Nick-Minutello
Feb 13, 2025

npm ls --all is showing that vitest (latest:3.0.5) is bringing in happy-dom 14.12.3 (which has some critical vulnerabilities).
(That said, I don't actually see happy-dom in the package.json.)

If indeed vitest is using happy-dom, can it be upgraded ?

sheremet-va · 2025-02-13T15:35:12Z

sheremet-va
Feb 13, 2025
Maintainer

Vitest doesn't specify happy-dom in dependencies, only in peerDependencies. We also don't specify the version, so you can use any version.

2 replies

Nick-Minutello Feb 13, 2025
Author

Thanks!
(How are the peerDependencies specified/derived?)

sheremet-va Feb 13, 2025
Maintainer

peer dependencies are dependencies that are not required for the package to work, but the consumer can install them to unlock a certain functionality

peer dependencies are specified here:

vitest/packages/vitest/package.json

Line 124 in 01b91b5

"peerDependencies": {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

happy-dom 14.12.3 vulnerabilities #7484

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

happy-dom 14.12.3 vulnerabilities #7484

Nick-Minutello Feb 13, 2025

Replies: 1 comment · 2 replies

sheremet-va Feb 13, 2025 Maintainer

Nick-Minutello Feb 13, 2025 Author

sheremet-va Feb 13, 2025 Maintainer

Nick-Minutello
Feb 13, 2025

Replies: 1 comment 2 replies

sheremet-va
Feb 13, 2025
Maintainer

Nick-Minutello Feb 13, 2025
Author

sheremet-va Feb 13, 2025
Maintainer