Update @testing-library/user-event 14.5.2 → 14.6.0 (minor)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​testing-library/user-event (14.5.2 → 14.6.0) · Repo · Changelog

Release Notes

14.6.0

14.6.0 (2025-01-15)

Features

• dispatch FocusEvent in hidden documents (#1252) (1ed8b15)

Bug Fixes

• clipboard: await DataTransferItem.getAsString() callback (#1251) (7b11b0e)
• event: assign pointer coords to MouseEvent (#1039) (8528972)
• pointer: check PointerCoords.x in isDifferentPointerPosition (#1216) (75edef5)
• pointer: check all fields of PointerCoords in isDifferentPointerPosition() (#1229) (5f3d28f)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

• fix(pointer): check all fields of `PointerCoords` in `isDifferentPointerPosition()` (#1229)
• fix(pointer): check `PointerCoords.x` in `isDifferentPointerPosition` (#1216)
• fix(event): assign pointer coords to MouseEvent (#1039)
• fix(clipboard): await `DataTransferItem.getAsString()` callback (#1251)
• feat: dispatch `FocusEvent` in hidden documents (#1252)
• docs: add remcovaes as a contributor for bug (#1250)
• test: reset DTL `asyncWrapper` before asserting `setTimeout` calls
• chore: add TODO to update `updateSelectionOnFocus`
• chore: add TODO to simulate `FocusEvent` in browsers
• test: convert flaky assertion on `<input type="file"/>` to TODO
• chore: upgrade testenv `react18`
• chore: print content of `console.error` calls
• test: get text nodes in wrapper per relative path
• test: `HTMLInputElement.focus()` in contenteditable changes selection in browser
• test: range on focused contenteditable is defined in browser
• test: exclude `select` events from screenshots
• test: work around race condition with event handler
• test: `Selection.setBaseAndExtent()` resets input selection in browser
• chore: add TODO to await `DataTransferItem.getAsString` callback
• test: expect `DataTransfer.types` to follow specs
• test: do not expect to report origin of `pointer-events: none` in browser
• test: `window.getComputedStyle()` returns resolved style in browser
• refactor: avoid declaring optional property per nullish coalescing assignment
• chore: upgrade TestingLib packages
• chore: update testenv `node`
• chore: update toolbox test script

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Summary by Sourcery

Update @testing-library/user-event to v14.6.0.

New Features:

• Adds the ability to dispatch FocusEvent in hidden documents.

Bug Fixes:

• Fixes issues with clipboard events, mouse event coordinates, and pointer position checks.

Description by Korbit AI

What change is being made?

Update @testing-library/user-event from version 14.5.2 to 14.6.0 in the package.json.

Why are these changes being made?

These changes are being made to incorporate the latest improvements and bug fixes available in the new minor version of @testing-library/user-event, ensuring our application stays up-to-date with testing utilities. No breaking changes are expected, offering a smooth upgrade path.

Is this description stale? Ask me to generate a new description by commenting /korbit-generate-pr-description

[code-genius-code-coverage]

The files' contents are under analysis for test generation.

[korbit-ai]

By default, I don't review pull requests opened by bots. If you would like me to review this pull request anyway, you can request a review via the /korbit-review command in a comment.

[secureflag-knowledge-base]

Race Condition

Play Labs on this vulnerability with SecureFlag!

Description

A Race Condition (also known as Time of Check to Time of Use) is a type of attack that exploits the order that an application carries out a task. Most commonly, the order in which a multi-threaded application performs a task. This allows an attacker to easily manipulate a shared resource to their gain.

Race Conditions are nearly always caused by poor atomic programming practices. A programmer has attempted to use threads, for example, to handle multiple inbound connections but has allowed them all to access one resource with no restrictions. However, not all race conditions cause harm; therefore, priority setting in finding and fixing problematic race conditions is crucial when correcting them.

While Race Conditions can appear in any programming language, some are much more resistant than others. An older programming language such as C, which gives full thread control and memory allocation to the programmer, is inherently more at risk due to minor mistakes having major complications. However, languages such as Go Lang come with built-in tools such as race detector, which natively support finding and fixing race conditions. These are much more resistant.

Race Conditions can be hard to find. However, many companies offer continuous bug bounties for them, as many are found once out in production where an attack could cause significant damage. Static analysis can be used internally to identify possible race conditions before pushing to production.

While not always prominent, race conditions have been around since the first multi-threaded applications, and as computer CPUs get more and more multi-threaded and, therefore, more of these applications, race conditions will not be going anywhere.

Read more

Impact

Race conditions can wreak internal havoc without even needing a malicious actor present. One of the worst bugs to directly affect human life was the Therac-25 radiotherapy machines. The company produced the software internally without much in the way of checks. After at least three people had died and many more were injured, it was discovered that a race condition was leading the machines to deliver over 100x the correct dose.

Other examples without a malicious actor can be as simple as auto deployment and CI pipelines where a simple race condition there can incorrectly configure and deploy server tools which can interrupt the availability of the pipeline.

Malicious users can use Race Conditions for personal gain, a bug on DropBox allowed users to redeem one 5GB voucher multiple times, resulting in a much larger amount given away. While not disastrous for DropBox, if this was financial or gift card related, such as this Reverb attack, it could cause much larger damage affecting the integrity of the storing database.

Scenarios

The simplest race condition is where a call is made to a method, and then another method edits a variable halfway through. For example, a method to subtract 5 from a number such as x:

def minus_five(x):
  if x > 5: # Some arbitrary check
    y = x - 5

If between x > 5 and y = x - 5, another method comes along and modifies the value of x to below five, it would allow the application to enter an "illegal" state.

The use of locks here could fix this issue by:

# Locking here
def minus_five(x):
  if x > 5: # Some arbitrary check
    y = x - 5
# Unlocking here once complete

Prevention

Prevention of Race Conditions is entirely down to developers. Correct use of atomic programming and locks when required can completely mitigate the possibility of this type of attack.

Shared synchronous variables are another way to check to see if the method is already running using a global variable that, if set, calls a wait until unset by the initial method.

Testing

Most testing of race conditions comes down to built-in tools or community-built plugins to analyze the code and attempt to find them. As mentioned above, static analysis is also valuable for finding possible race conditions.

• OWASP ASVS: 1.11.3, 11.1.6
• OWASP Testing Guide: 4.4.10 - Testing for Race Conditions

View this in the SecureFlag Knowledge Base

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR updates the @testing-library/user-event package from version 14.5.2 to 14.6.0. This is a minor update that includes bug fixes and a new feature to dispatch FocusEvent in hidden documents. Notably, fixes were applied to clipboard handling, pointer event coordinates, and pointer position checks. Additionally, the update addresses an issue with awaiting DataTransferItem.getAsString callbacks.

Sequence diagram for updated clipboard handling in @testing-library/user-event

sequenceDiagram
    participant Test as Test Code
    participant UE as user-event
    participant DT as DataTransfer

    Test->>UE: Trigger clipboard operation
    UE->>DT: getAsString()
    Note over UE,DT: Now properly awaits callback
    DT-->>UE: Callback with string data
    UE-->>Test: Operation complete

Loading

Sequence diagram for FocusEvent dispatch in hidden documents

sequenceDiagram
    participant Test as Test Code
    participant UE as user-event
    participant Doc as Hidden Document

    Test->>UE: Trigger focus event
    Note over UE: New feature
    UE->>Doc: Dispatch FocusEvent
    Doc-->>UE: Event handled
    UE-->>Test: Operation complete

Loading

Class diagram for updated pointer coordinate handling

classDiagram
    class PointerCoords {
        +number x
        +number y
        +isDifferentPointerPosition()
    }

    class MouseEvent {
        +number clientX
        +number clientY
        +number pageX
        +number pageY
    }

    note for PointerCoords "Now checks all coordinate fields"
    note for MouseEvent "Now correctly assigns pointer coordinates"

Loading

File-Level Changes

Change	Details	Files
Updated the @testing-library/user-event dependency	Incremented the version of @testing-library/user-event from 14.5.2 to 14.6.0 in package.json Updated the package-lock.json file to reflect the changes in package.json	package.json package-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, depfu[bot]!). We assume it knows what it's doing!

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

@depfu merge

[github-actions]

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs

9:42PM INF scanning for exposed secrets...
9:42PM INF 451 commits scanned.
9:42PM INF scan completed in 1.12s
9:42PM INF no leaks found

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud