Changes:
1. Commit package-lock.json.
2. Use cache settings built into `actions/setup-node`, drop `actions/cache` - it
is simpler to maintain that way and it fixes Windows-specific issues.
3. Switch from `npm install` to `npm ci` in CI.
4. Update `actions/checkout` from v4.2.2 to v5.0.0.
Closes gh-2369
There was a typo in the test command for Edge on Windows - a double `--`. This
worked with npm included with Node.js 22.17.1, but started failing with 22.18.0.
Closes gh-2367
Changes:
* Checkboxradio: Change `.attr( "checked", true )` to
`.attr( "checked", "checked" )
* Selectmenu: Disable the `boolean-attributes` patch for one assertion where
it's impossible to avoid
Closes gh-2364
Prior to jQuery UI 1.14.1, hashes in anchor hrefs were used directly. In
gh-2307, that was changed - by decoding - to support more complex IDs, e.g.
containing emojis which are automatically encoded in `anchor.hash`.
Unfortunately, that broke cases where the panel ID is decoded as well.
It turns out the spec mandates checking both. In the "scrolling to a fragment"
section of the HTML spec[^1]. That uses a concept of document's indicated
part[^2]. Slightly below there's an algorithm to compute the indicated part[^3].
The interesting parts are steps 4 to 9:
4. Let potentialIndicatedElement be the result of finding a potential
indicated element given document and fragment.
5. If potentialIndicatedElement is not null, then return
potentialIndicatedElement.
6. Let fragmentBytes be the result of percent-decoding fragment.
7. Let decodedFragment be the result of running UTF-8 decode without BOM on
fragmentBytes.
8. Set potentialIndicatedElement to the result of finding a potential indicated
element given document and decodedFragment.
9. If potentialIndicatedElement is not null, then return
potentialIndicatedElement.
First, in steps 4-5, the algorithm tries the hash as-is, without decoding. Then,
if one is not found, the same is attempted with a decoded hash.
This change replicates this logic by first trying the hash as-is and then
decoding it.
Fixes gh-2344
Closes gh-2345
Ref gh-2307
[^1]: https://html.spec.whatwg.org/#scrolling-to-a-fragment
[^2]: https://html.spec.whatwg.org/#the-indicated-part-of-the-document
[^3]: https://html.spec.whatwg.org/#select-the-indicated-part
When credentials are provided directly in the URL, e.g.:
https://username:password@www.example.com/
`location.href` strips out the auth part, but anchor links contain them, making
our `isLocal` computation broken. This fixes it by only looking at `origin`,
`pathname` & `search`.
Fixes gh-2213
Closes gh-2345
As of gh-2338, if one has loaded the jQuery MouseWheel plugin, the `mousewheel`
handler would fire the `wheel` one, but the `wheel` one would also run in
response to the native `wheel` event, resulting in double the distance handled
by the spinner. To prevent the issue, only fire the `wheel` handler from inside
the `mousewheel` on if the event was triggered by jQuery - jQuery will not care
that the underlying event is `wheel` and will only fire handlers for
`mousewheel`.
Also, add an iframe test using jQuery MouseWheel to not affect all the other
tests.
Plus, migrate from `QUnit.reset` to `QUnit.done` (see qunitjs/qunit#354).
Closes gh-2342
Ref gh-2338
1. Listen to the native `wheel` event without depending on any wrapper plugins.
2. Keep listening to the `mousewheel` event for compatibility with projects
using the jQuery Mousewheel plugin but route it to the `wheel` handler.
Closes gh-2338
More recent UglifyJS versions have started converting regular functions to arrow
ones, making ES5 source file migrated to a ES2015+ minified one. We want to
avoid that even in 1.14.x as long as we keep the source file in ES5.
Closes gh-2335
Ref mishoo/UglifyJS#5967
Ref jquery/download.jqueryui.com#629
This is an edge case and it only affects code accepting untrusted input as
a widget name, but it's still technically correct to filter these out.
Closes gh-2310
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.
This should resolve one CodeQL alert.
Closes gh-2309
The previous private `_sanitizeSelector` API was not correctly escaping
backslashes and is now removed. The native API should always be correct.
Closes gh-2307
The ESLint config for `demos` extends the one for the `ui` directory. However,
the `ui` one used to not be a root one, making the `demos` one effectively not
depend on the `jquery` preset. Fix that and fix lots of lint violations in
`demos/search.js`.
Closes gh-2303
The transfer effect is deprecated and not present unless `$.uiBackCompat` is set
to `true`. In previous UI versions, the default was including the backwards
compat layer so these demos & tests worked; now they do not by default. Just
remove them.
Fixes gh-2278
Closes gh-2291
Implement a new option: `uiDialogTitleHeadingLevel`, allowing to change
the `span` wrapping the dialog title into a heading element (`h1`-`h6`).
Value `0` represents the `span`, values 1-6 - a heading at the specified
level.
Fixes gh-2271
Closes gh-2275
The "common widget" tests, checking if a widget doesn't overwrite some
core widget APIs wasn't running as it was incorrectly checking for
`$.uiBackCompat === false` instead of `$.uiBackCompat !== true` after the
default changed in gh-2250.
Fixing the check uncovered that the draggable & sortable modules do
overwrite the `_trigger` method. Add an exception in the test for that;
at this stage of the project we don't plan to change the implementation.
Closes gh-2286
Ref gh-2250
When the datepicker UI is shown and then destroyed programmatically:
```js
$( "#datepicker" ).datepicker( "destroy" );
```
hide the datepicker UI without the need for an explicit user action.
Previously, in 1.12 the UI would not disappear immediately but only after the
first `mousedown`. In later 1.13 versions, the UI would not disappear at all.
Fixes gh-2178
Closes gh-2268
Apart from updating jQuery Migrate, the setup is now changed so that exact
Migrate versions are only references when fetching npm packages; other than
that, they're represented as `jquery-migrate-1.x` & `jquery-migrate-3.x`. This
will allow smaller changes when updating jQuery Migrate in the future.
Closes gh-2273
The `jqueryui.com` demos build process deAMDifies HTML files, replacing required
JS files with direct script tags. On the other hand, when running demos locally
from the jQuery UI repository, RequireJS is used.
This used to work fine until we got a new `search.js` file introduced in
gh-2187. The deAMDifying process doesn't touch non-HTML files which made loading
autocomplete demos crash on "require is not a function"
To resolve the issues without a major rearchitecture of the build process,
the `search.js` file now detects AMD and uses `require`, falling back to relying
on the `jQuery` global in the other case.
Closes gh-2274
Ref gh-2187
Ref jquery/jqueryui.com#216
We have monthly automatic dependabot PRs for GitHub Actions. Unfortunately,
as of now we get a separate PR for every dependency which is a bit spammy
compared to regular commits updating source.
Thankfully, there's now a way to tell dependabot to submit a single PR per
a defined group. This change defines a single group to have a single dependabot
PR for all action updates.
Closes gh-2267
Ref jquery/jquery#5503
