Commit Graph

6683 Commits

Author SHA1 Message Date
dependabot[bot]
42e50f8c21
Build: Bump actions/checkout, actions/setup-node & github/codeql-action
1: Bump actions/checkout from 3.5.3 to 3.6.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.3 to 3.6.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](c85c95e3d7...f43a0e5ff2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

2: Bump actions/setup-node from 3.6.0 to 3.8.1

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.6.0 to 3.8.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](64ed1c7eab...5e21ff4d9b)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

3: Bump github/codeql-action from 2.20.1 to 2.21.5

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.1 to 2.21.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](f6e388ebf0...00e563ead9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Closes gh-5311
Closes gh-5312
Closes gh-5313

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-06 16:39:00 +02:00
Timo Tijhof
699bcd396f
Build: Update mailmap entry for Krinkle
Close gh-5309
2023-08-25 10:19:15 -04:00
Timmy Willison
48cc402a91
Build: replace CRLF with LF during minify
- SWC is not respecting the git setting and does not have
  an option to force LF. This fixes the build on Windows.

Close gh-5305
2023-08-10 21:13:24 -04:00
Michał Gołębiowski-Owczarek
8be4c0e4f8
Build: Add exports to package.json, export slim & esm builds
Summary of the changes:
* define the `exports` field in `package.json`; `jQuery` & `$` are also
  exported as named exports in ESM builds now
* declare `"type": "module"` globally except for the `build` folder
* add the `--esm` option to `grunt custom`, generating jQuery as an ECMAScript
  module into the `dist-module` folder
* expand `node_smoke_tests` to test the slim & ESM builds and their various
  combinations; also, test both jQuery loaded via a path to the file as well
  as from module specifiers that should be parsed via the `exports` feature
* add details about ESM usage to the release package README
* run `compare_size` on all built minified files; don't run it anymore on
  unminified files where they don't provide lots of value
* remove the remove_map_comment task; SWC doesn't insert the
  `//# sourceMappingURL=` pragma by default so there's nothing to strip

Fixes gh-4592
Closes gh-5255
2023-07-10 19:14:08 +02:00
Michał Gołębiowski-Owczarek
65b85031fb
CSS: Make the reliableTrDimensions support test work with Bootstrap CSS
Bootstrap 5 includes the following CSS on the page:

```css
*,
*::before,
*::after {
  box-sizing: border-box;
}
```

That threw our `reliableTrDimensions` support test off. This change fixes the
support test and adds a unit test ensuring support test values on a page
including Bootstrap 5 CSS are the same as on a page without it.

Fixes gh-5270
Closes gh-5278
Ref gh-5279
2023-07-10 18:33:05 +02:00
Michał Gołębiowski-Owczarek
e24218758b
Build: Switch from Terser to SWC for JS minification (#5286)
Also, as part of this, fix the `file` & `sources` properties of the source map
file.

Fixes gh-5285
Closes gh-5286
Ref gh-5258
2023-07-10 18:23:07 +02:00
Michał Gołębiowski-Owczarek
198b41c8c2
Build: Make sure *.cjs & *.mjs files use UNIX line endings as well
We've had this rule for `*.js` files so far but we now have two new JS
extensions.

Closes gh-5290
2023-07-10 18:19:52 +02:00
Timmy Willison
2b6b5e0a3b
Build: switch preferred email for timmywil
Close gh-5288
2023-07-10 10:59:12 -04:00
dependabot[bot]
4a13266efd
Build: Bump github/codeql-action & actions/checkout
1: Bump github/codeql-action from 2.3.6 to 2.20.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.6 to 2.20.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](83f0fe6c49...f6e388ebf0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

2: Build: Bump actions/checkout from 3.5.2 to 3.5.3

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8e5e7e5ab8...c85c95e3d7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Closes gh-5283
Closes gh-5284
2023-07-02 20:10:07 +02:00
Dimitri Papadopoulos Orfanos
620870a1af
Docs: Fix typos found by codespell
Closes gh-5165
2023-06-28 00:29:29 +02:00
Michał Gołębiowski-Owczarek
5701957b72
Build: Drop individual AMD modules
With this change, jQuery build no longer generates the `amd` directory with
AMD modules transpiled from source `src` ECMAScript Modules. To use individual
jQuery modules from source, ESM is now required.

Note that this DOES NOT affect the main `"jquery"` AMD module defined by built
jQuery files; those remain supported.

Closes gh-5276
2023-06-27 18:23:58 +02:00
Michał Gołębiowski-Owczarek
62b9a25834
Tests: Disable the ":lang respects escaped backslashes" test
Firefox 114+ no longer matches on backslashes in `:lang()`, even when escaped.
It is an intentional change as `:lang()` parameters are supposed to be valid
BCP 47 strings. Therefore, we won't attempt to patch it.
We'll keep this test here until other browsers match the behavior.

Fixes gh-5271
Closes gh-5277
Ref https://bugzilla.mozilla.org/show_bug.cgi?id=1839747#c1
Ref https://github.com/w3c/csswg-drafts/issues/8720#issuecomment-1509242961
2023-06-27 18:05:46 +02:00
Timmy Willison
67cb1af774
Docs: remove stale gitter badge from readme
Close gh-5273
2023-06-23 09:43:26 -04:00
Gabriela Gutierrez
784b9ba6e4
Build: Reference GitHub Actions by commit SHAs
The SHAs are verified to come from the original repositories and not forks.

For reference:

https://github.com/github/codeql-action/releases/tag/v2.3.6
83f0fe6c49

https://github.com/actions/checkout/releases/tag/v3.5.2
8e5e7e5ab8

https://github.com/actions/cache/releases/tag/v3.3.1
88522ab9f3

https://github.com/actions/setup-node/releases/tag/v3.6.0
64ed1c7eab

Fixes gh-5266
Closes gh-5269

Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
2023-06-13 23:22:07 +02:00
Timo Tijhof
a75d6b52fa
Core: Fix regression in jQuery.text() on HTMLDocument objects
Fixes gh-5264
Closes gh-5265

(cherry picked from commit 44c56f87a3)
2023-06-12 23:12:33 +02:00
Michał Gołębiowski-Owczarek
338de35990
Selector: Re-expose jQuery.find.{tokenize,select,compile,setDocument}
`Sizzle.tokenize` is an internal Sizzle API, but exposed. As a result,
it has historically been available in jQuery via `jQuery.find.tokenize`.
That got dropped during Sizzle removal; this change restores the API.

Some other APIs so far only exposed on the `3.x` line are also added
back:
* `jQuery.find.select`
* `jQuery.find.compile`
* `jQuery.find.setDocument`

In addition to that, Sizzle tests have been backported for the following
APIs:
* `jQuery.find.matchesSelector`
* `jQuery.find.matches`
* `jQuery.find.compile`
* `jQuery.find.select`

A new test was also added for `jQuery.find.tokenize` - even Sizzle was
missing one.

Fixes gh-5259
Closes gh-5263
Ref gh-5260
Ref jquery/sizzle#242
Ref gh-5113
Ref gh-4395
Ref gh-4406
2023-06-12 22:58:55 +02:00
Michał Gołębiowski-Owczarek
27303c6be0
Build: Switch the minifier from UglifyJS to Terser
UglifyJS is ES5-only, while Terser supports newer ECMAScript versions. jQuery
is authored in ES5 but jQuery 4.x will also have an ESM build that cannot be
minified using UglifyJS directly.

We could strip the `export` statement, minify via UglifyJS and re-add one but
that increases complexity & may not fully play nice with source maps.

On the other hand, switching to Terser increases the minified size by just 324
bytes and the minified gzipped one by just 70 bytes. Such differences largely
disappear among bigger size gains from the `3.x-stable` line - around 2.7 KB
minified gzipped as of now.

Closes gh-5258
2023-05-31 18:59:35 +02:00
Michał Gołębiowski-Owczarek
988a56847d
Docs: Remove the "Grunt build" section from the PR template
Now that unit tests are run on GitHub Actions in all three major
engines and for multiple custom jQuery builds, the request for PR
authors to run unit tests locally and confirm they pass is needless
overhead; let's drop the checkbox.

Closes gh-5261
2023-05-31 18:57:13 +02:00
Michał Gołębiowski-Owczarek
44906a83d2
Build: Make the eslint:dev task not lint the dist/ folder
There was a mistake in paths logic that made the `dist/` folder linted
even in the `eslint:dev` task which is run before the build. Fix that by
explicitly ignoring the `dist/` folder at the end of the file list.

Closes gh-5257
2023-05-31 18:55:29 +02:00
Michał Gołębiowski-Owczarek
fd6ffc5eb2
Deprecated: Define .hover() using non-deprecated methods
Make the deprecated `.hover()` method not rely on other deprecated
methods: `.mouseenter()` & `.mouseleave()`. Use `.on()` instead.

Closes gh-5251
2023-05-22 18:23:19 +02:00
Michał Gołębiowski-Owczarek
6616acff0a
Build: Test on Node.js 20, stop testing on Node.js 14 & 19
Closes gh-5250
2023-05-22 16:21:35 +02:00
Michał Gołębiowski-Owczarek
89ef81f86f
Tests: Indicate Chrome 112 & Safari 16.4 pass the cssHas support test
Chrome 112 & Safari 16.4 introduce two changes:
* `:has()` is non-forgiving
* `CSS.supports( "selector(...)" )` parses everything in a non-forgiving way

We no longer care about the latter but the former means the `cssHas` support
test now passes.

Closes gh-5225
2023-04-05 00:34:39 +02:00
Michał Gołębiowski-Owczarek
bce13b72c1
CSS: Make offsetHeight( true ), etc. include negative margins
This regressed in gh-3656 as the added logic to include scroll gutters
in `.innerWidth()` / `.innerHeight()` didn't take negative margins into
account. This broke handling of negative margins in
`.offsetHeight( true )` and `.offsetWidth( true )`. To fix it, calculate
margin delta separately and only add it after the scroll gutter
adjustment logic.

Fixes gh-3982
Closes gh-5234
Ref gh-3656
2023-04-04 16:00:55 +02:00
Michał Gołębiowski-Owczarek
bcaeb000b7
Event: Avoid collisions between jQuery.event.special & Object.prototype
This is a follow-up to similar changes to data & event storages from
gh-4603.

Closes gh-5235
Ref gh-4603
2023-04-03 18:40:24 +02:00
Michał Gołębiowski-Owczarek
dfe212d5a1
Event: Simplify the check for saved data in leverageNative
Previously, when `leverageNative` handled async events, there was
a case where an empty placeholder object was set as a result.
Covering both such an object and `false` required a `length` check.
However, this is not necessary since gh-5223 and the check was
already simplified in other places; this one was missed.

Closes gh-5236
Ref gh-5223
2023-04-03 18:21:15 +02:00
Michał Gołębiowski-Owczarek
6ad3651dbf
Event: Make trigger(focus/blur/click) work with native handlers
In `leverageNative`, instead of calling `event.stopImmediatePropagation()`
which would abort both native & jQuery handlers, set the wrapper's
`isImmediatePropagationStopped` property to a function returning `true`.
Since for each element + type pair jQuery attaches only one native handler,
there is also only one wrapper jQuery event so this achieves the goal:
on the target element jQuery handlers don't fire but native ones do.

Unfortunately, this workaround doesn't work for handlers on ancestors
- since the native event is re-wrapped by a jQuery one on each level of
the propagation, the only way to stop it for jQuery was to stop it for
everyone via native `stopPropagation()`. This is not a problem for
`focus`/`blur` which don't bubble, but it does also stop `click` on
checkboxes and radios. We accept this limitation.

Fixes gh-5015
Closes gh-5228
2023-03-27 21:47:01 +02:00
Michał Gołębiowski-Owczarek
ce60d31893
Event: Simulate focus/blur in IE via focusin/focusout
In IE (all versions), `focus` & `blur` handlers are fired asynchronously
but `focusin` & `focusout` are run synchronously. In other browsers, all
those handlers are fired synchronously. Asynchronous behavior of these
handlers in IE caused issues for IE (gh-4856, gh-4859).

We now simulate `focus` via `focusin` & `blur` via `focusout` in IE to avoid
these issues. This also let us simplify some tests.

This commit also simplifies `leverageNative` - with IE now using `focusin`
to simulate `focus` and `focusout` to simulate `blur`, we don't have to deal
with async events in `leverageNative`. This also fixes broken `focus` triggers
after first triggering it on a hidden element - previously, `leverageNative`
assumed that the native `focus` handler not firing after calling the native 
`focus` method meant it would be handled later, asynchronously, which
was not the case (gh-4950).

Fixes gh-4856
Fixes gh-4859
Fixes gh-4950
Closes gh-5223

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2023-03-27 21:22:38 +02:00
Michał Gołębiowski-Owczarek
992a1911d0
Ajax: Don't treat array data as binary
PR gh-5197 started treating all non-string non-plain-object
`data` values as binary. However, `jQuery.ajax` also supports
arrays as values of `data`. This change makes regular arrays
no longer be considered binary data.

Surprisingly, we had no tests for array `data` values; otherwise,
we'd detect the issue earlier. This change also adds
a few such missing tests.

Closes gh-5203
Ref gh-5197
2023-03-21 00:36:00 +01:00
Michał Gołębiowski-Owczarek
e77bd9d64f
Build: Only install Playwright dependencies when needed
PR gh-5190 added support for running tests on Playwright WebKit
in CI. For efficiency reasons, Playwright dependencies are only
installed for the `test:browser` npm script. However, that same
script is also used for Firefox ESR testing.

This change makes Playwright dependencies installed only for cases
where `WebKitHeadless` exists on the list of tested browsers.

Closes gh-5204
Ref gh-5190
2023-03-20 17:13:31 +01:00
Michał Gołębiowski-Owczarek
ce264e0789
Ajax: Allow processData: true even for binary data
The way gh-5197 implemented binary data handling, `processData`
was being explicitly set to `false`. This is expected but it made
it impossible to override it to `true`. The new logic will only
set `processData` to `false` if it wasn't explicitly passed
in original options.

Closes gh-5205
Ref gh-5197
2023-03-20 17:08:51 +01:00
Michał Gołębiowski-Owczarek
cff2899885
Tests: Test AJAX deprecated event aliases properly
PR gh-5046 erroneously changed AJAX deprecated event alias
usage in deprecated tests to `.on()` calls. This change
reverses this mistake.

Closes gh-5195
Ref gh-5046
2023-03-15 11:44:08 +01:00
Michał Gołębiowski-Owczarek
258ca1ec6a
Deferred: Rename getStackHook to getErrorHook
Rename `jQuery.Deferred.getStackHook` to `jQuery.Deferred.getErrorHook`
to indicate passing an error instance is usually a better choice - it
works with source maps while a raw stack generally does not.

In jQuery `3.7.0`, we'll keep both names, marking the old one as
deprecated. In jQuery `4.0.0` we'll just keep the new one. This
change implements the `4.0.0` version; PR gh-5212 implements
the `3.7.0` one.

Fixes gh-5201
Closes gh-5211
Ref gh-5212
2023-03-14 22:32:45 +01:00
Timmy Willison
f088c36631
Release: add support for md5 sums in windows
Close gh-5219
2023-03-09 20:19:07 +00:00
Michał Gołębiowski-Owczarek
68aa2ef757
Selector: Stop relying on CSS.supports( "selector(...)" )
`CSS.supports( "selector(...)" )` has different semantics than selectors passed
to `querySelectorAll`. Apart from the fact that the former returns `false` for
unrecognized selectors and the latter throws, `qSA` is more forgiving and
accepts some invalid selectors, auto-correcting them where needed - for
example, mismatched brackets are auto-closed. This behavior difference is
breaking for many users.

To add to that, a recent CSSWG resolution made `:is()` & `:where()` the only
pseudos with forgiving parsing; browsers are in the process of making `:has()`
parsing unforgiving.

Taking all that into account, we go back to our previous try-catch approach
without relying on `CSS.supports( "selector(...)" )`. The only difference
is we detect forgiving parsing in `:has()` and mark the selector as buggy.

The PR also updates `playwright-webkit` so that we test against a version
of WebKit that already has non-forgiving `:has()`.

Fixes gh-5194
Closes gh-5206
Ref gh-5098
Ref gh-5107
Ref w3c/csswg-drafts#7676

Co-authored-by: Richard Gibson <richard.gibson@gmail.com>
2023-02-14 10:11:40 +01:00
Michał Gołębiowski-Owczarek
2e644e8450
Selector: Backport jQuery selection context logic to selector-native
This makes:
```js
$div.find("div > *")
```
no longer matching children of `$div`.

Also, leading combinators now work, e.g.:
```js
$div.find( "> *" );
```
returns children of `$div`.

As a result of that, a number of tests are no longer skipped in the
`selector-native` mode.

Also, rename `rcombinators` to `rleadingCombinator`.

Fixes gh-5185
Closes gh-5186
Ref gh-5085
2023-02-13 18:34:41 +01:00
dependabot[bot]
7e7bd06207
Build: Bump actions/setup-node from 3.5.1 to 3.6.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.5.1 to 3.6.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3.5.1...v3.6.0)

Closes gh-5200

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-02 01:43:00 +01:00
Michał Gołębiowski-Owczarek
a7ed9a7b63
Ajax: Support binary data (including FormData)
Two changes have been applied:
* prefilters are now applied before data is converted to a string;
  this allows prefilters to disable such a conversion
* a prefilter for binary data is added; it disables data conversion
  for non-string non-plain-object `data`; for `FormData` bodies, it
  removes manually-set `Content-Type` header - this is required
  as browsers need to append their own boundary to the header

Ref gh-4150
Closes gh-5197
2023-02-01 13:48:35 +01:00
Michał Gołębiowski-Owczarek
0b9c5037f7
Deferred: Respect source maps in jQuery.Deferred.exceptionHook
So far, `jQuery.Deferred.exceptionHook` used to log error message and stack
separately. However, that breaks browser applying source maps against the stack
trace - most browsers require logging an error instance. This change makes us
do exactly that.

One drawback of the change is that in IE 11 previously stack was printed
directly and now just the error summary; to get to the actual stack
trace, three clicks are required. This seems to be a low price to pay
for having source maps work in all the other browsers, though.

Safari with the new change requires one click to get to the stack trace
which sounds manageable.

Fixes gh-3179
Closes gh-5192
Ref https://crbug.com/622227
2023-02-01 13:46:44 +01:00
Michał Gołębiowski-Owczarek
6d1364431b
Ajax: Support headers for script transport even when cross-domain
The AJAX script transport has two versions: XHR + `jQuery.globalEval` or
appending a script tag (note that `jQuery.globalEval` also appends a
script tag now, but inline). The former cannot support the `headers`
option which has so far not been taken into account.

For jQuery 3.x, the main consequence was the option not being respected
for cross-domain requests. Since in 4.x we use the latter way more
often, the option was being ignored in more cases.

The transport now checks whether the `headers` option is specified and
uses the XHR way unless `scriptAttrs` are specified as well.

Fixes gh-5142
Closes gh-5193
2023-02-01 13:40:55 +01:00
Michał Gołębiowski-Owczarek
b02a257f98
Build: Run GitHub Action browser tests on Playwright WebKit
So far, we've been running browser tests on GitHub Actions in Chrome
and Firefox. Regular Safari is not available in GitHub Actions but
Playwright WebKit comes close to a dev version of Safari.

With this change, our GitHub CI & local test runs will invoke tests on
all actively developed browser engines on all PRs.

Also, our GitHub Actions browser tests are now running on Node.js 18.

Detection of the Playwright WebKit browser in support unit tests is done
by checking if the `test_browser` query parameter is set to `"Playwright"`;
this is a `karma-webkit-launcher` feature. Detecting that browser via
user agent as we normally do is hard as the UA on Linux is very similar
to a real Safari one but it actually uses a newer version of the engine.

In addition, we now allow to pass custom browsers when one needs it;
e.g., to run the tests in all three engines on Linux/macOS, run:
```
grunt && BROWSERS=ChromeHeadless,FirefoxHeadless,WebkitHeadless grunt karma:main
```

Closes gh-5190
2023-01-23 23:49:44 +01:00
Michał Gołębiowski-Owczarek
ce90a48450
Build: Migrate middleware-mockserver to modern JS
The `test/middleware-mockserver.js` file used to have the same ESLint
settings applied as other test files that are directly run in tested
browsers. Now it shares settings of other Node.js files.

The file is now also written using modern JS, leveraging ES2018.

Closes gh-5196
2023-01-23 23:20:08 +01:00
Timmy Willison
c66d4700dc
Build: remove stale Insight package from custom builds
Close gh-5182
2022-12-20 20:57:49 +00:00
Michał Gołębiowski-Owczarek
09d988b774
Selector: Make selector lists work with qSA again
jQuery 3.6.2 started using `CSS.supports( "selector(SELECTOR)" )` before using
`querySelectorAll` on the selector. This was to solve gh-5098 - some selectors,
like `:has()`, now had their parameters parsed in a forgiving way, meaning
that `:has(:fakepseudo)` no longer throws but just returns 0 results, breaking
that jQuery mechanism.

A recent spec change made `CSS.supports( "selector(SELECTOR)" )` always use
non-forgiving parsing, allowing us to use this API for what we've used
`try-catch` before.

To solve the issue on the spec side for older jQuery versions, `:has()`
parameters are no longer using forgiving parsing in the latest spec update
but our new mechanism is more future-proof anyway.

However, the jQuery implementation has a bug - in
`CSS.supports( "selector(SELECTOR)" )`, `SELECTOR` needs to be
a `<complex-selector>` and not a `<complex-selector-list>`. Which means that
selector lists now skip `qSA` and go to the jQuery custom traversal:
```js
CSS.supports("selector(div:valid, span)"); // false
CSS.supports("selector(div:valid)"); // true
CSS.supports("selector(span)"); // true
```

To solve this, this commit wraps the selector list passed to
`CSS.supports( "selector(:is(SELECTOR))" )` with `:is`, making it a single
selector again.

See:
* https://w3c.github.io/csswg-drafts/css-conditional-4/#at-supports-ext
* https://w3c.github.io/csswg-drafts/selectors-4/#typedef-complex-selector
* https://w3c.github.io/csswg-drafts/selectors-4/#typedef-complex-selector-list

Fixes gh-5177
Closes gh-5178
Ref w3c/csswg-drafts#7280
2022-12-19 18:43:30 +01:00
Michał Gołębiowski-Owczarek
024d87195a
Core:Selector: Move jQuery.contains from the selector to the core module
The `jQuery.contains` method is quite simple in jQuery 4+. On the other side,
it's a dependency of the core `isAttached` util which is not ideal; moving
it from the `selector` to the `core` module resolves the issue.

Closes gh-5167
2022-12-12 22:27:59 +01:00
Alex
c909d6b1ff
Build: Limit permissions for GitHub workflows
Add explicit permissions section[^1] to workflows. This is a security
best practice because by default workflows run with extended set
of permissions[^2] (except from `on: pull_request` from external forks[^3]).
By specifying any permission explicitly all others are set to none. By using
the principle of least privilege the damage a compromised workflow can do
(because of an injection[^4] or compromised third party tool or action) is
restricted. It is recommended to have most strict permissions on the top
level[^5] and grant write permissions on job level[^6] on a case by case
basis.

[^1]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
[^2]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
[^3]: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
[^4]: https://securitylab.github.com/research/github-actions-untrusted-input/
[^5]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
[^6]: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Closes gh-5119
2022-12-01 14:23:17 +01:00
Michał Gołębiowski-Owczarek
5266f23cf4
Selector: Implement the uniqueSort chainable method
Some APIs, like `.prevAll()`, return elements in the reversed order, causing
confusing behavior when used with wrapping methods (see gh-5149 for more info).
To provide an easy workaround, this commit implements a chainable `uniqueSort`
method on jQuery objects, an equivalent of `jQuery.uniqueSort`.

Fixes gh-5166
Closes gh-5168
2022-11-28 18:10:33 +01:00
Michał Gołębiowski-Owczarek
716130e094
Tests: Indicate Firefox 106+ passes the cssSupportsSelector test
Firefox 106 adjusted to the spec mandating that `CSS.supports("selector(...)")`
uses non-forgiving parsing which makes it pass the relevant support test.

Closes gh-5141
2022-11-25 00:54:56 +01:00
Michał Gołębiowski-Owczarek
4c1171f2ed
Selector: Re-introduce selector-native.js
Re-introduce the `selector-native` similar to the one on the `3.x-stable`
branch. One difference is since the `main` branch inlined Sizzle, some
selector utils can be shared between the main `selector` module and
`selector-native`.

The main `selector` module can be disabled in favor of `selector-native`
via:

    grunt custom:-selector

Other changes:
* Tests: Fix Safari detection - Chrome Headless has a different user
  agent than Safari and a browser check in selector tests didn't take
  that into account.
* Tests: Run selector-native tests in `npm test`
* Selector: Fix querying on document fragments

Ref gh-4395
Closes gh-5085
2022-11-21 23:23:39 +01:00
Michał Gołębiowski-Owczarek
f62d8e2159
Build: Test on Node.js 18 & 19, stop testing on Node 12
Closes gh-5160
2022-11-17 13:22:21 +01:00
Michał Gołębiowski-Owczarek
3299236c89
Selector:Manipulation: Fix DOM manip within template contents
The `<template/>` element `contents` property is a document fragment that may
have a `null` `documentElement`. In Safari 16 this happens in more cases due
to recent spec changes - in particular, even if that document fragment is
explicitly adopted into an outer document. We're testing both of those cases
now.

The crash used to happen in `jQuery.contains`. As it turns out, we don't need
to query the supposed container `documentElement` if it has the
`Node.DOCUMENT_NODE` (9) `nodeType`; we can call `.contains()` directly on
the `document`. That avoids the crash.

Fixes gh-5147
Closes gh-5158
2022-11-14 23:17:23 +01:00