Chore: Upgrade jest-environment-jsdom and auth0.js

[ankita10119]

Changes

This PR includes updates to dependencies and test configurations, targeting improved test reliability, security fixes, and compatibility enhancements.

Security Fixes

These changes are primarily aimed at resolving a security vulnerability reported in the transitive dependency form-data, which was pulled in via:

• auth0-js
• jsdom (used by jest-environment-jsdom)

By upgrading:

• auth0-js to v9.29.0
• jest-environment-jsdom to v30.2.0

, we eliminate the vulnerable versions and reduce exposure to known issues in the dependency graph.

Dependency & Environment Updates

• Upgraded auth0-js from v9.27.0 → v9.29.0
• Updated enzyme to v3.11.0 with an override for cheerio@0.22.0 to maintain compatibility.
• Updated jest-environment-jsdom to v30.2.0
• Added .npmrc file to enforce consistent registry resolution via npmjs.org
• Added overrides block in package.json to lock specific versions of nested dependencies.

Test Setup Enhancements

• Added setWindowLocation() utility using jsdom to mock window.location in tests.
• Refactored and improved tests for Auth0WebApi.setupClient() to:
  - Handle same-origin and cross-origin cases.
  - Simulate Cordova and Electron environments via window.cordova / window.electron.
  - Updated setup-tests.js to polyfill:
  - TextEncoder
  - TextDecoder

This ensures better compatibility with libraries relying on these globals (e.g., jsdom > 20).

Known Issues & Fix

Adding an override for jest-environment-jsdom introduced a version mismatch with jest-environment-jsdom-global, which was relying on an older version.

This mismatch caused tests to fail with global / window inconsistencies.

The issue was resolved by:

• Switching to explicit jsdom setup (via setWindowLocation).
• Using polyfills for environment stability.
• Avoiding reliance on automatic test environment globals.

No production logic was modified, all changes are test or config related.

Testing

Updated unit test cases to handle these changes.

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed
• All relevant assets have been compiled

[ankita10119]

@claude

[ankita10119]

@claude

[ankita10119]

@claude

[ankita10119]

@claude

[github-actions]

Claude finished @ankita10119's task —— View job

---

PR Review Complete

I've completed a comprehensive review of this PR. Here's my assessment:

Overall Assessment

❌ This PR is not ready to merge - Critical issues must be addressed:

Critical Issues (Must Fix)

1. Test Suite Broken - src/__tests__/core/index.test.js:49 has .only modifier, causing all other tests in the file to be skipped. This will hide test failures.

2. Runtime Error - src/__tests__/core/index.test.js:50 references undefined jsdom variable, which will cause ReferenceError when test runs.

Major Concerns (Should Fix)

3. Version Mismatch - Upgrading jest-environment-jsdom to v30 while keeping Jest at v29 creates a major version mismatch. The package-lock shows jest-environment-jsdom v30 requires Node.js 18+, but your project may target older versions.

4. Security Risk - Pinning cheerio@0.22.0 (from 2017) introduces known security vulnerabilities. This undermines the PR's security improvement goals.

5. Build Configuration Gap - babel.config.js has no explicit Node.js target, making transpilation unpredictable and dependent on browserslist defaults.

Positive Changes

• ✅ Security updates to auth0-js@9.29.0 address form-data vulnerability
• ✅ Good refactoring of test utilities with setWindowLocation helper
• ✅ Proper TextEncoder/TextDecoder polyfills for jsdom compatibility
• ✅ All CI checks passing

Recommendations

1. Immediate: Fix the .only and jsdom reference issues in index.test.js
2. Before merge: Document why cheerio@0.22.0 is required or upgrade it
3. Before merge: Either upgrade all Jest packages to v30 together, or stay on jest-environment-jsdom v29
4. Follow-up: Consider migrating from Enzyme to React Testing Library

Security Assessment

The PR achieves its primary goal of fixing the form-data vulnerability through dependency upgrades. However, the cheerio downgrade introduces new security concerns that offset some of these gains.

---

Detailed feedback provided in inline comments above.

---

Job Run | Branch: SEC-6434

[github-actions]

Security & Maintenance Risk: No explicit Node.js target specified

By only setting esmodules: false without specifying a concrete Node.js version target, the transpilation behavior becomes less predictable and depends on Babel's default browserslist configuration. This can lead to:

1. Security risk: No explicit lower bound means the code may not transpile newer syntax that could cause runtime errors on older environments
2. Inconsistent builds: Different developers/CI environments might produce different output depending on their browserslist database version

While I understand from the review comments that you're keeping this approach to maintain ES2017 compatibility for the es-check validation, I recommend:

1. Either add an explicit node: '8.0' target (as discussed in comments) OR
2. Update the project to drop Node 8 support and set a modern target like node: '14', then update the es-check script accordingly

The current configuration creates an implicit dependency on browserslist defaults which reduces build reproducibility.

[github-actions]

Pinning Cheerio Version: Why 0.22.0?

Cheerio 0.22.0 was released in 2017 and has known security vulnerabilities. Pinning to this specific old version raises concerns:

1. Security risk: Very old version likely contains unpatched vulnerabilities
2. Why this version?: The comment mentions "maintain compatibility" but doesn't specify what breaks with newer versions
3. Enzyme limitation: If this is required for enzyme@3.11.0 compatibility, it indicates enzyme itself may be outdated

Recommendation:

1. Document in a comment WHY this specific version is required
2. Investigate upgrading to React Testing Library instead of Enzyme (Enzyme is no longer actively maintained)
3. If keeping Enzyme, verify if newer cheerio versions work with enzyme 3.11.0

[github-actions]

Node.js Specific Import in Browser Test Environment

Importing TextEncoder and TextDecoder from Node.js's util module in a browser-focused test environment (jsdom) is a workaround for missing globals.

Concerns:

1. Semantic mismatch: You're polyfilling browser APIs with Node.js implementations
2. Behavior differences: Node.js TextEncoder/TextDecoder may have subtle behavioral differences from browser implementations
3. Better alternatives: Consider using a proper polyfill package like text-encoding or fast-text-encoding that provides browser-compliant implementations

Recommendation:

// Instead of Node.js util, use a proper polyfill:
import { TextEncoder, TextDecoder } from 'text-encoding';

However, if this is working in practice and jest-environment-jsdom 30.x requires it, this is acceptable with a comment explaining why.

[ankita10119]

Closing this PR as these changes are covered in another PR - #2690