From aa1e72846c7977a2823f8133eb0c37ece46ce0ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 10:07:53 +0100 Subject: [PATCH 01/10] Bump node-html-parser from 7.0.1 to 7.0.2 (#42659) Bumps [node-html-parser](https://github.com/taoqf/node-fast-html-parser) from 7.0.1 to 7.0.2. - [Release notes](https://github.com/taoqf/node-fast-html-parser/releases) - [Changelog](https://github.com/taoqf/node-html-parser/blob/main/CHANGELOG.md) - [Commits](https://github.com/taoqf/node-fast-html-parser/compare/v7.0.1...v7.0.2) --- updated-dependencies: - dependency-name: node-html-parser dependency-version: 7.0.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index e90979428f687e3..7624c845ebe94dd 100644 --- a/package-lock.json +++ b/package-lock.json @@ -37,7 +37,7 @@ "lefthook": "^2.0.13", "markdownlint-cli2": "0.20.0", "markdownlint-rule-search-replace": "1.2.0", - "node-html-parser": "^7.0.1", + "node-html-parser": "^7.0.2", "parse-diff": "^0.11.1", "prettier": "3.7.4", "tempy": "^3.1.0", @@ -7300,9 +7300,9 @@ } }, "node_modules/node-html-parser": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/node-html-parser/-/node-html-parser-7.0.1.tgz", - "integrity": "sha512-KGtmPY2kS0thCWGK0VuPyOS+pBKhhe8gXztzA2ilAOhbUbxa9homF1bOyKvhGzMLXUoRds9IOmr/v5lr/lqNmA==", + "version": "7.0.2", + "resolved": "https://registry.npmjs.org/node-html-parser/-/node-html-parser-7.0.2.tgz", + "integrity": "sha512-DxodLVh7a6JMkYzWyc8nBX9MaF4M0lLFYkJHlWOiu7+9/I6mwNK9u5TbAMC7qfqDJEPX9OIoWA2A9t4C2l1mUQ==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index abdccfa0c0f7905..c80eecd758c006f 100644 --- a/package.json +++ b/package.json @@ -72,7 +72,7 @@ "lefthook": "^2.0.13", "markdownlint-cli2": "0.20.0", "markdownlint-rule-search-replace": "1.2.0", - "node-html-parser": "^7.0.1", + "node-html-parser": "^7.0.2", "parse-diff": "^0.11.1", "prettier": "3.7.4", "tempy": "^3.1.0", From 4df3fe06e6b6fe7061d486d6cc760f29dbe1990b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 10:08:32 +0100 Subject: [PATCH 02/10] chore(deps): bump qs from 6.14.0 to 6.14.1 (#42598) Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1. - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](https://github.com/ljharb/qs/compare/v6.14.0...v6.14.1) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7624c845ebe94dd..34668bf60d5948c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8215,9 +8215,9 @@ } }, "node_modules/qs": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", - "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "version": "6.14.1", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz", + "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==", "license": "BSD-3-Clause", "dependencies": { "side-channel": "^1.1.0" From fe0a613afdb8d0399bd2af2c3e791061615167db Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 10:13:00 +0100 Subject: [PATCH 03/10] chore(deps): bump @mdn/fred from 1.9.7 to 2.0.0 (#42702) Bumps [@mdn/fred](https://github.com/mdn/fred) from 1.9.7 to 2.0.0. - [Release notes](https://github.com/mdn/fred/releases) - [Changelog](https://github.com/mdn/fred/blob/main/CHANGELOG.md) - [Commits](https://github.com/mdn/fred/compare/v1.9.7...v2.0.0) --- updated-dependencies: - dependency-name: "@mdn/fred" dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 10 +++++----- package.json | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 34668bf60d5948c..aaae1fb89e8d653 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,7 +10,7 @@ "license": "SEE LICENSE IN LICENSE.md", "dependencies": { "@apideck/better-ajv-errors": "^0.3.6", - "@mdn/fred": "1.9.7", + "@mdn/fred": "2.0.0", "@octokit/rest": "^22.0.1", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", @@ -1023,9 +1023,9 @@ "license": "MIT" }, "node_modules/@mdn/fred": { - "version": "1.9.7", - "resolved": "https://registry.npmjs.org/@mdn/fred/-/fred-1.9.7.tgz", - "integrity": "sha512-2qQs/cVQDfBf4lQxM3RqjcEI7Nha62ozBK8tROD4oZgtqvzoowu/K6RFjKrBZ8fyLaEjuZslrTl/VyWM7d+4mg==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@mdn/fred/-/fred-2.0.0.tgz", + "integrity": "sha512-rD+TQh/6cYNeY8g/+rbrFao3yYdriiF1wo8+ut+vyFmh4UJzQp2bFN/QEwo7XRUHGIqDQcgyVXAedspEBlRrcA==", "license": "MPL-2.0", "dependencies": { "@codemirror/lang-css": "^6.3.1", @@ -1062,7 +1062,7 @@ "fred-ssr": "build/ssr.js" }, "engines": { - "node": ">=22" + "node": ">=24" } }, "node_modules/@mdn/rari": { diff --git a/package.json b/package.json index c80eecd758c006f..61c2d39a6c6ad97 100644 --- a/package.json +++ b/package.json @@ -45,7 +45,7 @@ }, "dependencies": { "@apideck/better-ajv-errors": "^0.3.6", - "@mdn/fred": "1.9.7", + "@mdn/fred": "2.0.0", "@octokit/rest": "^22.0.1", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", From 17fe7cfd4967960c9ee8ec2c423aaf27c66575ba Mon Sep 17 00:00:00 2001 From: Estelle Weyl Date: Fri, 9 Jan 2026 12:49:16 +0100 Subject: [PATCH 04/10] Add description to background shorthand property (#42695) * Add description to background shorthand property * containment exception * containment exception * Apply suggestions from code review Co-authored-by: Chris Mills * comments * comments * Update files/en-us/web/css/reference/properties/background/index.md Co-authored-by: Chris Mills --------- Co-authored-by: Chris Mills --- .../reference/properties/background/index.md | 62 +++++++++++++------ 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/files/en-us/web/css/reference/properties/background/index.md b/files/en-us/web/css/reference/properties/background/index.md index 226ce057e0a5fc6..a884bb267d5ad6d 100644 --- a/files/en-us/web/css/reference/properties/background/index.md +++ b/files/en-us/web/css/reference/properties/background/index.md @@ -6,7 +6,7 @@ browser-compat: css.properties.background sidebar: cssref --- -The **`background`** [shorthand](/en-US/docs/Web/CSS/Guides/Cascade/Shorthand_properties) [CSS](/en-US/docs/Web/CSS) property sets all background style properties at once, such as color, image, origin and size, or repeat method. Component properties not set in the `background` shorthand property value declaration are set to their default values. +The **`background`** [shorthand](/en-US/docs/Web/CSS/Guides/Cascade/Shorthand_properties) [CSS](/en-US/docs/Web/CSS) property sets all background style properties at once, such as color, image, origin, size, and repeat method. {{InteractiveExample("CSS Demo: background")}} @@ -84,21 +84,6 @@ background: revert-layer; background: unset; ``` -The `background` property is specified as one or more background layers, separated by commas. - -The syntax of each layer is as follows: - -- Each layer may include zero or one occurrences of any of the following values: - - `` - - `` - - `` - - `` - - `` - -- The `` value may only be included immediately after ``, separated with the '/' character, like this: `center/80%`. -- The `` value may be included zero, one, or two times. If included once, it sets both {{cssxref("background-origin")}} and {{cssxref("background-clip")}}. If it is included twice, the first occurrence sets {{cssxref("background-origin")}}, and the second sets {{cssxref("background-clip")}}. -- The `<'background-color'>` value may only be included in the last layer specified. - ### Values - `` @@ -110,13 +95,42 @@ The syntax of each layer is as follows: - `` - : See {{Cssxref("background-image")}}. Default: `none`. - `` - - : See {{cssxref("background-position")}}. Default: 0% 0%. + - : See {{cssxref("background-position")}}. Default: `0% 0%`. - `` - : See {{cssxref("background-repeat")}}. Default: `repeat`. - `` - : See {{cssxref("background-size")}}. Default: `auto`. -The following three lines of CSS are equivalent: +## Description + +The `background` shorthand property enables you to declare all CSS background properties in a single declaration. The background lies underneath the content of an element. When you have multiple, comma-separated background values, each is a background layer that is painted on top of the previous layers. + +The `background` property is specified as one or more background layers, separated by commas. Each layer may include zero, one, or two `` components and zero or one ``, ``, ``, ``, and `` components. If two ``, ``, or `` components are specified, the first value is the horizontal value and the second value is the vertical value. If only a single value is set, that value is applied to both dimensions. + +The `<'background-color'>` component may only be included in the last background layer specified. + +Component properties not set in the `background` shorthand property value declaration are set to their default values. + +### Component property order + +Because some of the component properties share value types, the order of those component properties within the shorthand is important. + +The `` value may only be included immediately after ``, separated with the `/` character. For example: `10px 10px / 80% 80%` means the background image is `80%` as tall and as wide as the element, and will be positioned `10px` from the top and `10px` from the left of the element's top-left corner. Within the ``, if both values are lengths, or one is a length and the other is `center`, the first value refers to the horizontal position and the second value refers to the vertical position. + +Each background layer can include zero, one, or two [``](/en-US/docs/Web/CSS/Reference/Values/box-edge#visual-box) values. If only one value is included, it sets both {{cssxref("background-origin")}} and {{cssxref("background-clip")}}. If two values are present, the first occurrence specifies the `background-origin` and the second specifies the `background-clip` value. If no `` values are present, the `background-origin` defaults to `border-box` and the `background-clip` defaults to `padding-box`. + +While there is no order requirement for the other background properties, the following order is recommended for consistency and legibility; remember that none of the values are required: + +` / <'background-color'>` + +The following `background` explicitly sets all the default values in this order: + +```css +background: none 0% 0% / auto auto repeat scroll border-box padding-box + transparent; +``` + +The following three lines of CSS are equivalent to the above, even if the order differs: ```css background: none; @@ -124,6 +138,18 @@ background: transparent; background: repeat scroll 0% 0% / auto padding-box border-box none transparent; ``` +### Image painting order + +If multiple comma-separated backgrounds are included, they create multiple background layers on top of one another. The first background in the list creates the top layer. If the top layer contains no transparent areas, this is the only layer that will be visible. + +The last layer is the bottom layer. The background color is always included in this layer. + +### Body background applied to the entire document + +If the document {{htmlelement("html")}} `:root` element's computed `background-image` value is `none` and its `background-color` is `transparent`, the browser will transfer the `background` styles set on the {{htmlelement("body")}} element onto the `:root` and treat the `` as if `background: initial` were set. In other words, the `` element gets all the `background` styles set on the `` element, and the `` element's background properties are set to their initial values. + +Because of this behavior, the specification authors recommend setting your document's background styles in your `body` style block rather than your `html` style block. However, it's important to note that using containment disables this behavior. When the {{cssxref("contain")}} property is set to anything other than `none` on either the `` or `` element, the `background` property and any longhand components do not propagate from the `` element to the root `` element. + ## Formal definition {{cssinfo}} From f3bff6f28c3f117b1a725d42971657f423136562 Mon Sep 17 00:00:00 2001 From: MUSKAN NISHAD Date: Fri, 9 Jan 2026 17:23:50 +0530 Subject: [PATCH 05/10] Explain value repetition when fewer background values are specified (#42627) * Explain value repetition for multiple CSS backgrounds * Fix formatting for value repetition section * Update files/en-us/web/css/guides/backgrounds_and_borders/using_multiple_backgrounds/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: Estelle Weyl Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../using_multiple_backgrounds/index.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/files/en-us/web/css/guides/backgrounds_and_borders/using_multiple_backgrounds/index.md b/files/en-us/web/css/guides/backgrounds_and_borders/using_multiple_backgrounds/index.md index 4c66ec89359ce56..d4c65ba63e1dc90 100644 --- a/files/en-us/web/css/guides/backgrounds_and_borders/using_multiple_backgrounds/index.md +++ b/files/en-us/web/css/guides/backgrounds_and_borders/using_multiple_backgrounds/index.md @@ -42,6 +42,31 @@ In this example, three backgrounds are stacked: the Firefox logo, an image of bu As you can see here, the Firefox logo (listed first within {{ cssxref("background-image") }}) is on top, directly above the bubbles graphic, followed by the gradient (listed last) sitting underneath all previous 'images'. Each subsequent sub-property ({{ cssxref("background-repeat") }} and {{ cssxref("background-position") }}) applies to the corresponding backgrounds. So the first listed value for {{ cssxref("background-repeat") }} applies to the first (frontmost) background, and so forth. +## Value repetition for multiple backgrounds + +When using multiple backgrounds, if a background-related property is given fewer comma-separated values than the number of background layers, the user agent repeats the list of values until there are enough values for all layers. + +For example: + +```css +.element { + background-image: url(a.png), url(b.png), url(c.png); + background-position: left top; +} +``` + + +This is equivalent to: + +```css +.element { + background-position: + left top, + left top, + left top; +} +``` + ## See also - [CSS backgrounds and borders](/en-US/docs/Web/CSS/Guides/Backgrounds_and_borders) module From 8e63458cb0b618a8a8a43bd318ba255ff5fef285 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 13:15:02 +0100 Subject: [PATCH 06/10] ci(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#42403) Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7.0.11 to 8.0.0. - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/22a9089034f40e5a961c8808d113e2c98fb63676...98357b18bf14b5342f975ff684046ec3b2a07725) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/auto-cleanup-bot.yml | 4 ++-- .github/workflows/interfacedata-updater.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/auto-cleanup-bot.yml b/.github/workflows/auto-cleanup-bot.yml index 888970356b7c16e..b5d6c9d9a69b4bd 100644 --- a/.github/workflows/auto-cleanup-bot.yml +++ b/.github/workflows/auto-cleanup-bot.yml @@ -44,7 +44,7 @@ jobs: - name: Create PR with only fixable issues if: success() - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 + uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 with: commit-message: "chore: auto-fix Markdownlint, Prettier, and front-matter issues" branch: markdownlint-auto-cleanup @@ -61,7 +61,7 @@ jobs: - name: Create PR with notice on unfixed issues if: failure() - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 + uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 with: commit-message: "chore: auto-fix Markdownlint, Prettier, and front-matter issues" branch: markdownlint-auto-cleanup diff --git a/.github/workflows/interfacedata-updater.yml b/.github/workflows/interfacedata-updater.yml index b19f06819404791..2a28809a749bfec 100644 --- a/.github/workflows/interfacedata-updater.yml +++ b/.github/workflows/interfacedata-updater.yml @@ -41,7 +41,7 @@ jobs: run: node scripts/update-interface-data.js ../webref/ - name: Create pull request - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 + uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0 with: path: mdn-content token: ${{ secrets.AUTOMERGE_TOKEN }} From 88685f35fe351e8fc0d90a695ab1037c99fde5ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 13:15:40 +0100 Subject: [PATCH 07/10] ci(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#42402) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/330a01c490aca151604b8cf639adc76d48f6c5d4...b7c566a772e6b6bfb58ed0dc250532a479d7789f) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pr-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 467d7229a3e639c..e2155aadeeb2bbb 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -157,7 +157,7 @@ jobs: if: steps.check.outputs.HAS_MD_FILES == 'true' run: du -sh $BUILD_OUT_ROOT - - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 if: steps.check.outputs.HAS_MD_FILES == 'true' with: name: build From cbe3015cee8afa87b9666c186afc8e3ba4d33e6b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 13:15:50 +0100 Subject: [PATCH 08/10] ci(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 (#42404) Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6.0.0 to 7.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53...37930b1c2abaa49bbe596cd826c3c89aef350131) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pr-review-companion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-review-companion.yml b/.github/workflows/pr-review-companion.yml index 6bb957de5fd487b..1d45ad5b1b64e61 100644 --- a/.github/workflows/pr-review-companion.yml +++ b/.github/workflows/pr-review-companion.yml @@ -39,7 +39,7 @@ jobs: STATUS_TARGET: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} steps: - name: Download artifact - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: pattern: build path: build From a8fd1f407fafb093ec7805f61ccf7e410ca60686 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 13:17:52 +0100 Subject: [PATCH 09/10] chore(deps-dev): bump fs-extra from 11.3.2 to 11.3.3 (#42468) Bumps [fs-extra](https://github.com/jprichardson/node-fs-extra) from 11.3.2 to 11.3.3. - [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md) - [Commits](https://github.com/jprichardson/node-fs-extra/compare/11.3.2...11.3.3) --- updated-dependencies: - dependency-name: fs-extra dependency-version: 11.3.3 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 8 ++++---- package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index aaae1fb89e8d653..43bd35d32789f9a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -27,7 +27,7 @@ "cspell": "9.4.0", "cspell-group-by-file-reporter": "^1.0.1", "file-type": "^21.3.0", - "fs-extra": "^11.3.2", + "fs-extra": "^11.3.3", "imagemin": "^9.0.1", "imagemin-gifsicle": "^7.0.0", "imagemin-mozjpeg": "^10.0.0", @@ -4378,9 +4378,9 @@ "license": "MIT" }, "node_modules/fs-extra": { - "version": "11.3.2", - "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.2.tgz", - "integrity": "sha512-Xr9F6z6up6Ws+NjzMCZc6WXg2YFRlrLP9NQDO3VQrWrfiojdhS56TzueT88ze0uBdCTwEIhQ3ptnmKeWGFAe0A==", + "version": "11.3.3", + "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.3.tgz", + "integrity": "sha512-VWSRii4t0AFm6ixFFmLLx1t7wS1gh+ckoa84aOeapGum0h+EZd1EhEumSB+ZdDLnEPuucsVB9oB7cxJHap6Afg==", "dev": true, "license": "MIT", "dependencies": { diff --git a/package.json b/package.json index 61c2d39a6c6ad97..6cda6a12ed9ea21 100644 --- a/package.json +++ b/package.json @@ -62,7 +62,7 @@ "cspell": "9.4.0", "cspell-group-by-file-reporter": "^1.0.1", "file-type": "^21.3.0", - "fs-extra": "^11.3.2", + "fs-extra": "^11.3.3", "imagemin": "^9.0.1", "imagemin-gifsicle": "^7.0.0", "imagemin-mozjpeg": "^10.0.0", From ca28b2bcdde45055e29c568c981fcde0684fba3b Mon Sep 17 00:00:00 2001 From: misha <162063292+addsoupbase@users.noreply.github.com> Date: Fri, 9 Jan 2026 08:06:36 -0500 Subject: [PATCH 10/10] Update warnings about event handler attributes (#42347) * Update warnings about event handler attributes Added the implicit `with` statement wrapping that event handler attributes do, and the issues that come with it * Apply suggestions from code review Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: Vadim Makeev Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../web/html/reference/attributes/index.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/files/en-us/web/html/reference/attributes/index.md b/files/en-us/web/html/reference/attributes/index.md index 3bca961798adc03..a55910abd2ed856 100644 --- a/files/en-us/web/html/reference/attributes/index.md +++ b/files/en-us/web/html/reference/attributes/index.md @@ -1432,6 +1432,26 @@ To be clear, the values `"true"` and `"false"` are not allowed on boolean attrib > [!WARNING] > The use of event handler content attributes is discouraged. The mix of HTML and JavaScript often produces unmaintainable code, and the execution of event handler attributes may also be blocked by content security policies. +> [!WARNING] +> While not visible by calling the `Function.prototype.toString()` method on the handler, event handler attributes will implicitly wrap code inside of 2 `with` statements, and may produce unexpected results. For example: +> +> ```html +>
Bad Example
+> ``` +> +> Essentially becomes: +> +> ```js example-bad +> function onclick(event) { +> with (this.ownerDocument) { +> with (this) { +> console.log(new URL(location)); // 'URL' now resolves to document.URL instead of window.URL +> // TypeError: URL is not a constructor +> } +> } +> } +> ``` + In addition to the attributes listed in the table above, global [event handlers](/en-US/docs/Web/API/Document_Object_Model/Events#using_onevent_properties) — such as [`onclick`](/en-US/docs/Web/API/Element/click_event) — can also be specified as [content attributes](#content_versus_idl_attributes) on all elements. All event handler attributes accept a string. The string will be used to synthesize a [JavaScript function](/en-US/docs/Web/JavaScript/Reference/Functions) like `function name(/*args*/) {body}`, where `name` is the attribute's name, and `body` is the attribute's value. The handler receives the same parameters as its JavaScript event handler counterpart — most handlers receive only one `event` parameter, while `onerror` receives five: `event`, `source`, `lineno`, `colno`, `error`. This means you can, in general, use the `event` variable within the attribute.