@sumansaurabh sumansaurabh commented May 13, 2025

User description


Snyk has created this PR to upgrade solid-js from 1.3.17 to 1.9.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 108 versions ahead of your current version.

  • The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

Issue                                                  Score   Exploit Maturity
medium severity  Cross-site Scripting (XSS)            576     Proof of Concept
                 SNYK-JS-SOLIDJS-8743940
Release notes
Package name: solid-js
  • 1.9.5 - 2025-02-21
    No content.
  • 1.9.4 - 2025-01-07
    No content.
  • 1.9.3 - 2024-10-22
    No content.
  • 1.9.2 - 2024-10-07
    No content.
  • 1.9.1 - 2024-09-25
  • 1.9.0 - 2024-09-24

    This release, like the last, is focusing on small quality-of-life improvements and adjustments that will help us move towards 2.0. So while not the most exciting release to everyone, it provides some really important features and fixes for some developers.

    And unlike many previous releases, the vast majority of the work and features came from PRs from the community. So really all I can say is Looks Good to Me!

    Better JSX Validation

    While still incomplete across templates, we've added JSDOM to the compiler to better detect invalid HTML at build time by comparing what we expect the template to be with what a browser would output. This now includes nested things we didn't detect before, like putting <a> inside other <a> tags, which leads the browser to "correct" it in less than intuitive ways.

    Improved Exports

    While each environment in solid-js/web has its own methods to be used by the compiler, we are now exporting the client methods from the server to prevent weird import errors. These methods will throw if used in that environment but shouldn't break your build.

    Additionally, we have seen some issues in bundlers that incorrectly feed our ESM exports back through the browser field. While this is a known issue, they all pointed at each other with no intention of fixing it. We have removed the browser field in this release, meaning some legacy packages may have issues resolving browser if they don't support export conditions.

    This is regrettable, but this blocked deployments on several platforms, and since this was the only fix at our disposal after two years of attempting to push this issue to the bundlers to no avail, we've moved forward with it.

    Custom Element improvements

    We have a few improvements to our custom element support in this release. First off, we now detect elements with the is attribute as custom elements, which means all the special behavior is afforded to them.

    We've also improved our event handler delegation retargeting to better handle shadow DOM events. There were cases where we skipped over part of the tree.

    Finally, we've added the bool: attribute namespace to handle explicitly setting certain attributes according to boolean attribute rules. While this isn't necessary for built-in booleans, we currently handle most attributes as properties and lacked a specific override. But now we have it:

    <my-element bool:enable={isEnabled()}></my-element>

    Support for handleEvent Syntax in Non-Delegated Events

    A little known thing is that events actually also support objects instead of functions (See: https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener)

    We (thanks @titoBouzout) realized we can use this mechanism to set advanced rules like passive or capture on this object, as a way to handle all current and future event attributes that browsers might add. This way we don't need specific mechanisms like oncapture: (which is now deprecated).

    Instead, using on: you can set the event properties you wish.

    <>
      <div on:click={{
        handleEvent(e) {
          console.log("clicked", e)
        },
        once: true
      }} />
      <div on:wheel={{
        handleEvent(e) {
          e.preventDefault() // only works on non-passive events
          e.stopPropagation()
          console.log("wheel stopped?")
        },
        passive: false
      }} />
    </>

    Other Updates

    We've fixed an issue with lazy images. Apparently, cloneNode doesn't handle them properly so we've updated our heuristic to treat templates with lazy images to be handled with importNode.

    We've improved our Hydration Mismatch Error to output the template that it can't find the matching ID for. This should make it easier to track down where the hydration errors are occurring. There have been several hydration improvements over the later 1.8 releases, so upgrading will likely improve the situation for those who have been facing issues.

    Finally, we've improved some of the types in the JSX and Signal Setter in this release.


    Big thanks to those who contributed to this release: @wkelly17, @olivercoad, @titoBouzout, @trusktr, @Huliiiiii. And thanks to all of you who gave feedback on the Metadata/Head Tag RFC. While it didn't make it in this time around, you've definitely given us stuff to consider for its future design.

    Best,
    @ryansolid

  • 1.8.23 - 2024-09-23
    No content.
  • 1.8.22 - 2024-08-27
    No content.
  • 1.8.21 - 2024-08-13
  • 1.8.20 - 2024-08-08
  • 1.8.19 - 2024-07-24
  • 1.8.18 - 2024-06-28
  • 1.8.17 - 2024-04-22
  • 1.8.16 - 2024-03-19
  • 1.8.15 - 2024-02-14
  • 1.8.14 - 2024-02-05
  • 1.8.13 - 2024-02-05
  • 1.8.12 - 2024-01-23
  • 1.8.11 - 2024-01-12
  • 1.8.10 - 2024-01-09
  • 1.8.9 - 2024-01-08
  • 1.8.8 - 2024-01-03
  • 1.8.7 - 2023-12-01
  • 1.8.6 - 2023-11-22
  • 1.8.5 - 2023-10-30
  • 1.8.4 - 2023-10-26
  • 1.8.3 - 2023-10-18
  • 1.8.2 - 2023-10-18
  • 1.8.1 - 2023-10-10
  • 1.8.0 - 2023-10-09
  • 1.8.0-beta.2 - 2023-10-09
  • 1.8.0-beta.1 - 2023-10-04
  • 1.8.0-beta.0 - 2023-09-28
  • 1.7.12 - 2023-09-18
  • 1.7.11 - 2023-08-10
  • 1.7.10 - 2023-08-09
  • 1.7.9 - 2023-08-04
  • 1.7.8 - 2023-07-11
  • 1.7.7 - 2023-06-26
  • 1.7.6 - 2023-05-31
  • 1.7.5 - 2023-05-06
  • 1.7.4 - 2023-05-01
  • 1.7.3 - 2023-04-07
  • 1.7.2 - 2023-04-04
  • 1.7.1 - 2023-04-02
  • 1.7.0 - 2023-03-30
  • 1.7.0-beta.5 - 2023-03-27
  • 1.7.0-beta.4 - 2023-03-23
  • 1.7.0-beta.3 - 2023-03-21
  • 1.7.0-beta.2 - 2023-03-20
  • 1.7.0-beta.1 - 2023-03-17
  • 1.7.0-beta.0 - 2023-02-17
  • 1.6.16 - 2023-03-27
  • 1.6.15 - 2023-03-16
  • 1.6.14 - 2023-03-11
  • 1.6.13 - 2023-03-09
  • 1.6.12 - 2023-03-06
  • 1.6.11 - 2023-02-14
  • 1.6.10 - 2023-01-31
  • 1.6.9 - 2023-01-13
  • 1.6.8 - 2023-01-05
  • 1.6.7 - 2023-01-04
  • 1.6.6 - 2022-12-21
  • 1.6.5 - 2022-12-13
  • 1.6.4 - 2022-12-09
  • 1.6.3 - 2022-12-07
  • 1.6.2 - 2022-11-11
  • 1.6.1 - 2022-10-30
  • 1.6.0 - 2022-10-20
  • 1.6.0-beta.4 - 2022-10-19
  • 1.6.0-beta.3 - 2022-10-18
  • 1.6.0-beta.2 - 2022-10-17
  • 1.6.0-beta.1 - 2022-10-17
  • 1.6.0-beta.0 - 2022-10-16
  • 1.5.9 - 2022-10-17
  • 1.5.8 - 2022-10-17
  • 1.5.7 - 2022-09-29
  • 1.5.6 - 2022-09-22
  • 1.5.5 - 2022-09-15
  • 1.5.4 - 2022-09-02
  • 1.5.3 - 2022-08-31
  • 1.5.2 - 2022-08-29
  • 1.5.1 - 2022-08-26
  • 1.5.0 - 2022-08-26
  • 1.5.0-beta.7 - 2022-08-25
  • 1.5.0-beta.6 - 2022-08-24
  • 1.5.0-beta.5 - 2022-08-19
  • 1.5.0-beta.4 - 2022-08-15
  • 1.5.0-beta.3 - 2022-08-09
  • 1.5.0-beta.2 - 2022-08-02
  • 1.5.0-beta.1 - 2022-07-21
  • 1.5.0-beta.0 - 2022-07-17
  • 1.4.8 - 2022-07-24
  • 1.4.7 - 2022-07-07
  • 1.4.6 - 2022-07-03
  • 1.4.5 - 2022-06-28
  • 1.4.4 - 2022-06-10
  • 1.4.3 - 2022-05-26
  • 1.4.2 - 2022-05-19
  • 1.4.1 - 2022-05-14
  • 1.4.0 - 2022-05-12
  • 1.4.0-beta.6 - 2022-05-11
  • 1.4.0-beta.5 - 2022-05-09
  • 1.4.0-beta.4 - 2022-05-09
  • 1.4.0-beta.3 - 2022-05-08
  • 1.4.0-beta.2 - 2022-05-07
  • 1.4.0-beta.1 - 2022-05-03
  • 1.4.0-beta.0 - 2022-05-02
  • 1.3.17 - 2022-04-25
from solid-js GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:


Description

  • Upgraded solid-js to version 1.9.5 to improve security and performance.
  • Added new dependencies csstype and seroval to support the latest features.
  • This upgrade addresses vulnerabilities and keeps the project up-to-date with the latest releases.

Changes walkthrough 📝

Relevant files

Enhancement

package-lock.json: Upgrade solid-js and add new dependencies
frameworks/hello-world-solidjs/webview-ui/package-lock.json
  • Upgraded solid-js from version 1.3.17 to 1.9.5.
  • Added new dependencies: csstype and seroval with their respective versions.
  • Updated integrity hashes for the solid-js package.
  +61/-7

package.json: Update solid-js version in package.json
frameworks/hello-world-solidjs/webview-ui/package.json
  • Updated solid-js dependency version from ^1.3.13 to ^1.9.5.
  +1/-1

    💡 Penify usage:
    Comment /help on the PR to get a list of all available Penify tools and their descriptions

See this package in npm: solid-js

See this project in Snyk: https://app.snyk.io/org/sumansaurabh/project/766d9dae-6d24-4e8f-ba25-cee0c22f16e3?utm_source=github&utm_medium=referral&page=upgrade-pr
    penify-dev bot added the labels "enhancement" (New feature or request) and "Review effort [1-5]: 2" on May 13, 2025

    penify-dev bot commented May 13, 2025

    PR Review 🔍

    ⏱️ Estimated effort to review [1-5]

    2, because the changes are primarily version upgrades in package files, which are straightforward to review.

    🧪 Relevant tests

    No

    ⚡ Possible issues

    No

    🔒 Security concerns

    No


    penify-dev bot commented May 13, 2025

    PR Code Suggestions ✨

    Category | Suggestion | Score
    Security
    Validate the integrity hashes of new packages for security

    Check the integrity hashes of the new packages to ensure they have not been tampered with.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [2425]

    -"integrity": "sha512-F+T9EQPdLzgdewgxnBh4mSc+vde+EOkU6dC9BDuu/bfGb+UyUlqM6t8znFCTPQSuai/ZcfFg0gu79h+bVW2O0w=="
    +// Verify integrity hash
     
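    Review bot: applying this suggestion as written would delete the `integrity` field for seroval and put a `//` comment in its place, which package-lock.json (plain JSON) does not allow, so the lockfile would no longer parse. Keep the line exactly as the diff records it and verify the value out of band instead: fetch seroval-1.3.1.tgz from the `resolved` URL in the same lock entry, compute its SHA-512, base64-encode it and compare with the text after `sha512-`; npm performs that same comparison when it installs the tarball, so a mismatch would also surface as an install failure.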
    Suggestion importance[1-10]: 7

    Why: Validating integrity hashes is a good security practice, and this suggestion highlights an important aspect of package management, although it could be more specific about how to perform this check.

    7
    Maintainability
    Confirm the necessity of newly added dependencies

    Verify that the new dependencies added (seroval and seroval-plugins) are necessary and do
    not introduce any unused packages.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [2422-2425]

    -"seroval": {
    -  "version": "1.3.1",
    -  "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.3.1.tgz",
    -  "integrity": "sha512-F+T9EQPdLzgdewgxnBh4mSc+vde+EOkU6dC9BDuu/bfGb+UyUlqM6t8znFCTPQSuai/ZcfFg0gu79h+bVW2O0w=="
    -},
    +// Verify necessity of `seroval` and `seroval-plugins`
     
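    Review bot: this suggestion deletes the whole `seroval` lock entry and replaces it with a `//` comment, which both breaks the JSON and leaves the PR's upgraded solid-js without a locked resolution for a package the PR adds; it also names `seroval-plugins`, which does not appear in the quoted lines. Leave the entry intact and answer the necessity question with `npm ls seroval` in frameworks/hello-world-solidjs/webview-ui, which prints which package requires it; only if nothing requires it is there something to remove.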
    Suggestion importance[1-10]: 6

    Why: This suggestion addresses maintainability by questioning the necessity of new dependencies, which is a valid concern, but it lacks specific guidance on how to verify their necessity.

    6
    Compatibility
    Check for compatibility of the new version with existing dependencies

    Ensure that the version of solid-js is compatible with other dependencies in the project
    to avoid potential conflicts.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [12]

    -"solid-js": "^1.9.5"
    +"solid-js": "^1.9.5" // Ensure compatibility
     
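    Review bot: `"solid-js": "^1.9.5" // Ensure compatibility` is not valid JSON, so this cannot be applied to package-lock.json. The compatibility check the suggestion asks for belongs in CI, not in the lockfile: install from this lockfile and run the project's build with the other listed dependency, @vscode/webview-ui-toolkit ^1.2.2 (line 11 of the same file). Given that the 1.3 to 1.9 release notes above mention a removed `browser` field and changed solid-js/web exports, the build and bundling step is where an incompatibility would most likely show up.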
    Suggestion importance[1-10]: 5

    Why: While ensuring compatibility is important, the suggestion does not provide actionable steps to verify compatibility, making it more of a general reminder than a concrete improvement.

    5
    Enhancement
    Evaluate the possibility of updating existing dependencies for improvements

    Consider updating the version of @vscode/webview-ui-toolkit if there are newer versions
    available that may provide enhancements or bug fixes.

    frameworks/hello-world-solidjs/webview-ui/package-lock.json [11]

    -"@vscode/webview-ui-toolkit": "^1.2.2"
    +"@vscode/webview-ui-toolkit": "^1.2.2" // Consider updating
     
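    Review bot: same problem as the previous suggestion, a trailing `// Consider updating` comment breaks the JSON. Beyond that, bumping @vscode/webview-ui-toolkit is unrelated to the change this automated PR performs (solid-js 1.3.17 to 1.9.5 to fix SNYK-JS-SOLIDJS-8743940); keep the PR to the one dependency so the fix can land, and open a separate PR if the toolkit needs updating.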
    Suggestion importance[1-10]: 4

    Why: While updating dependencies can be beneficial, this suggestion is vague and does not address any immediate issues or improvements related to the current PR changes.

    4
