deps: Bump jsdom from 27.4.0 to 28.0.0

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps jsdom from 27.4.0 to 28.0.0.

Release notes

Sourced from jsdom's releases.

Version 28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Changelog

Sourced from jsdom's changelog.

28.0.0

• Overhauled resource loading customization. See the new README for details on the new API.
• Added MIME type sniffing to <iframe> and <frame> loads.
• Regression: WebSockets are no longer correctly throttled to one connection per origin. This is a result of the bug at nodejs/undici#4743.
• Fixed decoding of the query components of <a> and <area> elements in non-UTF-8 documents.
• Fixed XMLHttpRequest fetches and WebSocket upgrade requests to be interceptable by the new customizable resource loading. (Except synchronous XMLHttpRequests.)
• Fixed the referrer of a document to be set correctly when redirects are involved; it is now the initiating page, not the last hop in the redirect chain.
• Fixed correctness bugs when passing ArrayBuffers or typed arrays to various APIs, where they would not correctly snapshot the data.
• Fixed require("url").parse() deprecation warning when using WebSockets.
• Fixed <iframe>, <frame>, and <img> (when canvas is installed) to fire load events, not error events, on non-OK HTTP responses.
• Fixed many small issues in XMLHttpRequest.

Commits

• 20f614d Version 28.0.0
• 2b65c6a Replace the resource loader API
• 638bd68 Decode <a> and <area> query strings using document's encoding
• 457bd4b Add AGENTS.md (and CLAUDE.md)
• bf1dc15 Mark header-values tests as fail-slow due to Node.js bug
• 92f269e Update dependencies and dev dependencies
• 7d6e667 Improve spec alignment of Headers and header type tests
• 2c29aed Fix Windows-specific task kill timeouts
• d941216 Add failing regression test for animation-name case-sensitivity
• 56a833d Update style benchmark
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Upgrade jsdom from 27.4.0 to 28.0.0 to adopt the new subresource loading API and recent spec fixes in our test environment.

• Dependencies

  • jsdom: ^28.0.0
  • Notable transitive updates: whatwg-url 16, whatwg-mimetype 5, data-urls 7, undici 7

• Migration

  • Requires Node >= 20.19 (or 22.12+/24). Update local and CI Node versions.
  • If you use jsdom’s custom resource loading/RequestManager, migrate to the new API.
  • Be aware of an upstream WebSocket throttling regression (per-origin limit not enforced). Adjust tests if they assume throttling.

^{Written for commit 1eb4943. Summary will update on new commits.}

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
continuum	Ready	Preview, Comment	Feb 5, 2026 4:44am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files