Update dependency lighthouse to v6

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
lighthouse	dependencies	major	^3.2.1 -> ^6.0.0

By merging this PR, the issue #31 will be automatically resolved and closed:

Severity	CVSS Score	CVE
High	7.5	CVE-2022-25851
Medium	6.5	CVE-2021-21137
Medium	6.5	CVE-2021-21137
Medium	6.5	CVE-2022-4187
Medium	6.5	CVE-2022-4187
Medium	5.5	CVE-2020-8175

---

Release Notes

GoogleChrome/lighthouse (lighthouse)

v6.2.0

Compare Source

6.2.0 (2020-08-06)

Full Changelog

We expect this release to ship in the DevTools of Chrome 86, and to PageSpeed
Insights within 2 weeks.

New Contributors

Thanks to our new contributors 👽🐷🐰🐯🐻!

• Adam Raine @​adamraine
• Saavan Nanavati @​saavannanavati
• lemcardenas @​lemcardenas
• George Makunde Martin @​gMakunde
• David Gilman @​dgilman
• Emilio Garza @​emiliogarza
• LukasAuerMstage @​LukasAuerMstage
• Mustafa Aydemir @​mstfydmr
• Pramod Mali @​malipramod
• Robin Tom @​robintom
• Stacey Tay @​staceytay
• Wojciech Maj @​wojtekmaj
• moli @​phpmoli
• Муравьёв Семён @​Zulcom

New Audits

• move duplicated-javascript and legacy-javascript audits to default config (#​10881, #​11103)
• report animations not run on compositor (#​11138, #​11168, #​11105)
• add unsized-images audit (#​11188, #​11115, #​11217)
• add no-unload-listeners audit (#​11085)

Core

• uses-http2: convert into opportunity (#​10626)
• lantern: fallback to FCP in 0-weight SI situations (#​11174)
• stacks: timeout stack detection (#​11172)
• add FormElements gatherer (#​11062)
• cls: add back early shift events if they were ignored (#​11079)
• critical-request-chains: prune requests without an initiator (#​11151)
• error if chrome version does not support lcp metric (#​11016)
• font-display: dedupe warnings by font origin (#​11068)
• gather-runner: error on non-HTML (#​11042)
• hreflang: assert that the href is fully qualified (#​11022)
• image-elements: gather correct natural size for srcset (#​11101)
• is-on-https: add mixed-content resolution (#​10975)
• lantern: ignore circular initiators (#​11148)
• link-elements: add devtoolsNodePath (#​11061)
• link-text: removing inicio from blocklist resolves #​11026 (#​11073)
• page-functions: expose simulated throttling requestIdleCallback shim (#​11032)
• redirects: surface client-side redirects (#​11027)
• tracehouse: expose navigationStart only as timeOrigin (#​11034)
• add cap to amp stylesheet links for simulated throttling (#​11069)
• remove uses of deprecated extendedInfo field (#​10779)
• config: remove typo in a11y tables lists group (#​11099)

CLI

• clearTimeout for faster exit (#​11170)
• warn if Chrome died on its own instead of exit (#​11139)

Report

• correctly display CLS in budget table (#​11209)
• add full-page-screenshot to experimental config (#​10716)
• vertically center thumbnails (#​11220)
• truncate long attribute values in HTML snippets (#​10984)
• unused-javascript: update "learn more" link (#​10985)

Deps

• snyk: update script to prune <0.0.0 and update snapshot (#​11223)
• snyk: update snyk snapshot (#​11046)
• update dot-prop secondary dependency (#​11198)
• update jpeg-js to 0.4.x (#​11167)
• update third-party-web (#​11137)

I18n

• import strings (#​11082, #​11225)
• disallow invalid text outside complex ICU arguments (#​11135)
• update AMP Optimizer URLs (#​11088)
• log the percentage of translated messages (#​11149)

Docs

• configuration: updates and tweaks (#​11141)
• update architecture.md (#​11040, #​11089)
• readme: add Screpy to list of integrations (#​11126)
• readme: fix logging in programmatic use code example (#​11116)
• update devtools screenshot (#​11092)
• fix typo in viewer readme for loading json from url (#​11080)
• readme: update Foo integration (#​11050)

Tests

• istanbul ignore inpage function (#​11229)
• update chromestatus expecatations (#​11221)
• minification-est: add testcase with pre-minified bundle (#​11191)
• update to typescript 3.9.7 (#​11158)
• smoke: skip expectation with _chromeMajorVersion (#​10976)
• smoke: use caltrainschedule instead of polymer shop (#​11052)
• relax requestIdleCallback smoke expectation (#​11041)
• parallelize all the tests (#​11009)
• upgrade codecov to 3.7.0 (#​11039)
• update minor version of angular fixture redux (#​11192)
• run GitHub Actions on master and PRs (#​11035)
• run test-viewer in github actions (#​11195)
• add windows to GitHub actions CI (#​11087)
• use latest windows image on appveyor (#​11083)
• remove appveyor (#​11171)

Misc

• remove last extendedInfo in LH.Audit.Product (#​11067)
• add GCP collection scripts (#​11189)
• tighten RecursivePartial type (#​11175)
• release: tweaks (#​11021)
• compare-runs: fix error when no lh-flags arg passed (#​11015)
• annotate version-specific logic with COMPAT comments (#​11019)
• add tools to track issue response time (#​11020)
• tweak naming in element-screenshot renderer (#​11152)
• ignore coverage of page-functions (#​11136)

v6.1.1

Compare Source

6.1.1 (2020-07-07)

Full Changelog

This is a patch release to fix an issue that only occurred in 6.1.0 for Node environments. It will only be released to npm.

Core

• fetcher: ensure fetch doesn't cause unhandled promise (#​11036)

v6.1.0

Compare Source

6.1.0 (2020-06-25)

Full Changelog

We expect this release to ship to DevTools in Chrome 85 86, and to PageSpeed Insights within 2 weeks.

New Contributors

Thanks to our new contributors 👽🐷🐰🐯🐻!

• Loftie Ellis @​lpellis
• Marvin Frachet @​mfrachet
• Matt Hobbs @​Nooshu
• Peter Marshall @​psmarshall

Notable Changes

• If a page has publicly-accessible JavaScript source maps, Lighthouse will collect them to enhance the unused-javascript audit. In future versions of Lighthouse, source maps will be used for entirely new audits (#​10990).
• The report now uses KiB instead of KB. This is simply a label change; the value was and still is equal to 1024 bytes (#​10870).

New Audits

• long-tasks: a new performance diagnostic that shows the longest main-thread-blocking tasks during load (#​10736)
• crawlable-anchors: a new SEO audit that checks that anchors link to resolvable URLs (#​10662)

Core

• unused-javascript: increase threshold to 20KiB (#​10906)
• layout-shift-elements: surface CLS contribution per shifted element (#​10968)
• emulation: bump chrome versions (#​10787)
• image-size-responsive: quantize DPRs (#​10801)
• long-tasks: add startTime property (#​10942)
• improve resilience of nodeId-dependent gatherers (#​10877)
• median-run: add computeMedianRun to lib (#​10859)
• preload: ignore cross-frame requests (#​10847)
• new inspector issues gatherer for Audit.IssueAdded events (#​10664)
• subRow refactor, rename to subItem (#​10867, #​10978)

Experimental

Features hidden behind the --preset=experimental flag.

• legacy-javascript: reduce polyfills, fix core-js import in test (#​10937)
• legacy-javascript: use prescriptive language in title (#​10850)
• legacy-javascript: fix core-js 3 detection (#​10852)
• legacy-javascript: use third-party-web for scoring (#​10849)
• duplicated-javascript: display transfer size (#​10701)

Deps

• axe-core: upgrade to 3.5.5 (#​10986)
• upgrade [email protected] (#​10911)
• snyk: update snyk snapshot (#​10840, #​10940, #​10980, #​11010)
• remove bundlesize (#​10999)
• update to lhci 0.4.0 (#​10828)

Report

• metrics: use css grid so metrics are aligned (#​10789)
• don't dim disclaimer anchor links (#​10981)
• use acronyms and round metrics for shorter calc url (#​10954)
• update link for budgets audit (#​10944)
• add trailing slash to web.dev links (#​10967)
• fix the width of the 3-dots menu in topbar (#​10855)
• updated method signature typing to remove focusevent cast (#​10858)
• adjust LCP element description (#​11018)
• renderer: fix null Util.i18n in PSI renderer (#​10822)
• psi: show disclaimer and calclink (#​10936)

Docs

• add note about git repo required for @​lhci/cli usage (#​11006)
• contributing: add tips for audit and gatherer PRs (#​10690)
• readme: update programmatic usage recipe (#​10878)
• readme: add new and updated integrations (#​10838, #​10901, #​10826, #​10818)

Tests

• move proto roundtrip json to .tmp/ (#​10995)
• add heading key tests (#​10746)
• run ToT and stable Chrome for smoke tests in github workflow (#​10989)
• legacy-javascript: exit code 1 on failure (#​10946)
• smoke: use --debug in github action (#​10919)
• smokehouse: do not assert on flaky node path (#​10827)

Misc

• rename subHeading to subItemsHeading (#​10979, #​10983)
• viewer: expose LHR as __LIGHTHOUSE_JSON__ (#​10879)
• use more inclusive and descriptive language (#​10949)
• update changelog for v6.0.0 (#​10821, #​10807)

v6.0.0

Compare Source

Raw commit changelog

We expect this release to ship in the DevTools of Chrome 84.

Notable changes

So many! See the Lighthouse 6.0: What's New blog post for an in-depth look.

🆕 New audits

• Largest Contentful Paint (LCP) is a new metric that measures the time from navigation until the largest content element in the viewport is rendered (#​9905, #​10213, #​10452, #​10529).
  • largest-contentful-paint-element is a companion audit that gives information about which element triggered the LCP (#​10517, #​10713).
• Cumulative Layout Shift (CLS) is a new metric that measures the amount of unexpected movement of content as a page loads (#​9037, #​10427, #​10495, #​10570, #​10728).
  • layout-shift-elements is another companion diagnostic that gives information about the elements that shifted as the page loaded (#​10702).
• unused-javascript is an audit that has been kicking around for some time but is only now turned on by default. It accounts for what JavaScript was loaded but never executed during page load and estimates the load time that could be saved via code splitting, dead code elimination, or judicious use of the delete key (#​9854).
• A PWA maskable-icon just looks better on your homescreen, so this new audit encourages you to have at least one available in your manifest (#​10370).
• timing-budget expands budget assertions to now be settable on all the performance metrics (#​9901, #​9925).
• The new charset audit ensures a proper character encoding for page content (#​10284, #​10389, #​10689).
• image-size-responsive checks that images have an aspect ratio and resolution that match well with how they are displayed on a page (#​10460).
• Updating to the latest version of axe-core has unlocked a number of new accessibility audits: aria-hidden-body, aria-hidden-focus, aria-input-field-name, aria-toggle-field-name, duplicate-id-active, duplicate-id-aria, form-field-multiple-labels, heading-order (#​9798).

⚗️ Experimental audits

These audits are not yet part of the default Lighthouse experience, but they will provide performance advice based on analysis of a page's JavaScript bundles. They can be tested today on the command line with the --preset=experimental flag.

• legacy-javascript rummages through your bundles looking for polyfills and bundler transforms that aren't necessary or are outdated (#​10303, #​10568, #​10564).
• duplicated-javascript also takes a dive through a page's JavaScript looking for code that has ended up duplicated within bundles or across multiple bundles (#​10314).
• unused-javascript now runs by default (as mentioned above), but when run under experimental, the audit can use source maps to show what original source code was never run and could be postponed or eliminated (#​10090).

New contributors!

Thanks to @​TGiles, @​roelfjan, @​chruxin, @​warrengm, @​alexgreencode, @​mikedijkstra, @​egsweeny, @​johnsampson, @​jazyan, @​b3none, @​mattjared, @​Malvoz, @​Beytoven, @​Munter, @​jayaddison, @​msomji, @​piotrzarycki, @​awdltd, @​mathiasbynens, @​Carr1005, @​staabm, @​SphinxKnight, @​sk-, @​AndreasKubasa, @​jantimon, @​kmanuel, @​Kikobeats, @​RolandBurrows, @​nxqamar, @​catalinred, and @​baseeee for their first contributions! So many!

💥 Breaking changes

• Performance metric scores have been reweighted to better reflect a user's loading experience (#​9949).
• Metric score curves have been updated when running a desktop Lighthouse test to account for the faster connection and CPU (#​9911, #​10756).
• frameNavigated events are now used to track redirects, which means JS redirects are now accounted for when determining the run's finalUrl (#​10339).
• The emulated mobile device has moved from the Nexus 5x to the Moto G4 (but the existing DPR has been left unchanged) (#​10191, #​10749).
• The mixed-content preset has been removed as it was not widely used and takes too long to be added to the default Lighthouse experience (#​10159, #​10750).
• The full preset has been renamed experimental to signify that the code there may not be ready for running by default (#​9930, #​10311, #​10333, #​10585).
• The emulated Chrome UA string has been updated to Chrome 80 (#​9967).
• installable-manifest: icons in the Web app manifest must be fetchable to be considered installable (#​10168, #​10320)

🤖💥 Breaking changes for programmatic users

These changes are unlikely to affect end users, but may be important if you are writing custom configs, plugins, or processing the Lighthouse JSON output.

• LH.Audit.Context passed into audits is now treated as immutable. If code previously pushed to context.LighthouseRunWarnings to get a top-level warning, it should now pass that back in runWarnings on the audit's product (#​10555).
• Audit.computeLogNormalScore has been redefined to specify log-normal curves with median and p10 points (dropping the "point of diminishing returns"). Existing audits have been moved to this new definition so that no score changes should occur (#​10715).
• A loadFailureMode setting has been added to Config passes to control behavior in case of page load failure. Previously this was implicitly controlled (e.g. no offline page available did not cause an error) (#​9987)
• time-to-first-byte has been renamed server-response-time to better reflect what is being measured by the audit (#​10735).
• resource-summary: details.items.size has been renamed to transferSize for clarity (#​10700, #​10743).

🧱 Core

Improvements, bug fixes, clarifications

The following changes are considered to be bug fixes or updates to better match what was intended to be audited, but the changes may cause adjustments in audit scores or behavior.

• add top-level warning if Lighthouse hit a timeout before load was complete (#​10538)
• add top-level warning if tested URL was redirected (#​10157)
• FCP + 5 seconds is now included as a minimum time that must be reached before the test page is considered loaded (#​10505, #​10516)
• load simulation: add edges from initiatorRequest when there are duplicate records (#​10097)
• load simulation: keep first layout/paint/parse events regardless of duration (#​9922)
• load simulation: do not create self-dependencies via timers (#​10280)
• load simulation: remove min task duration on CPU nodes (#​9910)
• load simulation: use fixed times for data URLs since they've already been loaded (#​9932)
• load simulation: link layout nodes to root frame request (#​9727)
• tracehouse: improved attribution for XHRs + paint/layout/HTML (#​10001)
• offscreen-images: look outside three viewports for possible images to defer (#​10643)
• uses-responsive-images: include offscreen images larger than viewport (#​10506, #​10561)
• accessibility: include axe-core 'incomplete' results in artifact to include even partial a11y results (#​10072, #​10270)
• audio-caption: remove check that has been disabled by axe-core (#​10453)
• link-text: Add more keywords to blocklist (#​9986)
• font-size: don't allow a deleted node to fail gatherer (#​9928)
• installable-manifest: lower required icon size from 192px to 144px (#​10175)
• is-on-https: add filesystem to secure schemes (#​10073)
• offscreen-images: exclude lazy or eager loading images (#​10117)
• resource-summary: don't include favicon.ico in summary (#​10190)
• uses-rel-preconnect: warn if more than three preconnects found (#​9903, #​10293)
• third-party-summary: don't include main resource if origin in third-party list (#​10006)
• js-lib-detector: handle new fast lib detection entries, version heterogeneity (#​9888, #​10295, #​10176)
• is-on-https: update description to reference mixed content (#​10712)
• definition-list: mention <div> is allowed to group content in <dl> (#​10479)
• offline-start-url: improve failure messages (#​9982)
• update and fix links to docs in audit and stack-pack descriptions (#​9850, #​9863, #​10019, #​10069, #​10246, #​10496, #​10714)

New things for programmatic users

• audit results now have a numericUnit property to specify the units for their numericResult (#​9979)
• ImageElements: add usesPixelArtScaling and usesSrcSetDensityDescriptor properties (#​10481)
• MetaElements: include property attribute (#​9978)
• add new base artifact HostFormFactor (#​9923)
• refactor to share unused-javascript-summary as a computed artifact (#​10387, #​10634)
• add new source-map computed artifact, js-bundles (#​10078)
• refactor to share unused-css as a computed artifact (#​10160)
• refactor to share metric timing as a computed artifact (#​9814)
• budgets: add support for CLS and LCP budgets (#​10579, #​10625)
• budgets: add firstPartyHostnames to the API (#​10105, #​10324)
• budgets: remove unused tolerance property from API (#​9770)

Internal refactors and improvements

• ensure axe-core errors are properly serialized (#​10646)
• cleanup of audit-details type names (#​10603)
• include finished state on hidden network-requests audit (#​10530)
• fetch source maps outside of test page so not blocked by CORS (#​9459)
• driver: dead code cleanup (#​10491, #​10571)
• add internal-only __internalOptionalArtifacts for experimental artifacts (#​10355)
• font-size: use DOMSnapshot.captureSnapshot for better performance (#​10200)
• use isolated evaluateAsync when fetching content from the test page (#​10130)
• budgets: centralize path-matching logic (#​9895)
• script-elements: fetch script content in parallel (#​9713)
• include GatherRunner.runPass in internal perf timing numbers (#​10205)
• rename GatherRunner.isPerfPass for clarity (#​9896)
• migrate to flattened Chrome DevTools Protocol (#​9783)

💻 CLI

• add support for multiple --chrome-flags (#​10607)
• allow comma-separated values for --output (#​10188)
• add --chrome-ignore-default-flags (#​10184)
• allow --extra-headers as object (#​9962)

📔 Report

• add "Trust and Safety" group in the Best Practices category (#​10623)
• add link to score calculator populated with current metric scores (#​10754, #​10763, #​10773, #​10767)
• improve display of top-level warnings (#​10636, #​10765)
• external-anchors-use-rel-noopener: use node audit details type (#​10242)
• is-crawlable: include robots.txt line number that blocks crawling (#​10154)
• temporary test of css grid for metrics (#​10695, #​10778)
• define monospace font-size relative to report-font-size (#​10761)
• link to updated scoring documentation (#​10725)
• add non-null jsdoc type annotations for internal linter (#​10454)
• clarify "size" as either transfer or resource size (#​10420)
• update table and inline code formatting (#​10437)
• fix link contrast in dark mode (#​10364)
• add channel to runtime settings (#​10099)
• align audit warnings (#​10232)
• close drop-down menu when focus is lost (#​10208)
• hide drop-down menu when printing (#​10216)
• move Util.UIStrings to Util.i18n (#​10153)
• add initial support for subrows within a table (#​10084)
• adjust score gauge's arc length to account for rounded linecap (#​9913)
• fix header-shifting flicker during scrolling (#​9955)
• add source-location details for linking to source code (#​9354)
• CSV report: add tested URLs to entries (#​10656, #​10675)
• viewer: add option for loading JSON from any URL (#​10608)
• viewer: mention other lighthouse channels (#​10384)
• viewer: add page and cursor styling to signal loading (#​10305, #​10348)
• viewer: use new logo (#​9991, #​9999, #​10002)

👥 Clients

• retire extension; replace with PSI launcher (#​9193, #​9988, #​9989)
• extension: add firefox support (#​10332)
• extension: remove content security policy (#​10380)
• devtools: share desktop throttling settings with lightrider (#​10322)
• devtools: split up runLighthouseInWorker and expose to worker (#​10005)
• devtools: add settings.internalDisableDeviceScreenEmulation (#​9377)
• devtools: include lighthouse-plugin-publisher-ads in bundle (#​9924, #​10583, #​10682)
• devtools: update roll-to-devtools and track upstream changes (#​9942, #​10310, #​10036, #​10758, #​10762)

🌍 i18n

• new strings: audits, stack packs, headings, and corrections (#​9940, #​10244, #​10245, #​10645)
• localize runtime settings and tools in report (#​9166)
• don't give unused arguments for localized protocol errors (#​9935)
• use log.verbose() for outdated-strings warning (#​9931)
• centralize strings for metric names (#​9871)

Docs

• plugins: update recipe and docs to use NODE_PATH (#​9997, #​10028)
• plugins: update example list (#​9917)
• scoring: update for v6, defer to web.dev for performance (#​10223, #​10633, #​10676)
• lantern: add deep-dive video (#​10546)
• new-audits: emphasize what makes a good audit (#​10376)
• hacking-tips: link to gist on using audit results directly (#​10480)
• variability: expand on hardware recommendations (#​10483)
• throttling: add devtools-throttling deprecation notice (#​9933)
• auth: use --disable-storage-reset in recipe (#​10189)
• tweak authenticated-pages and puppeteer docs (#​10277)
• add integration-test recipe for using Lighthouse and Jest (#​9722)
• add performance-budgets doc (#​10542)
• add recipe for using puppeteer in a custom gatherer (#​10253, #​10447)
• add readme for build/ directory (#​10004)
• readme: add variability and throttling to FAQ (#​10631)
• readme: add a table of contents (#​10283)
• readme: add note about yarn test-docs (#​10263)
• readme: fix typos (#​10179, #​10694)
• readme: add protobuf install directions (#​10250)
• readme: separate free and paid integrations (#​10027)
• readme: add new and updated integrations (#​9954, #​9984, #​10018, #​9985, #​10156, #​9836, #​10385, #​10466, #​10475, #​10609, #​10745)

Tests

• remove protobuf roundtrip check (and local protobuf dev requirement) from yarn update:sample-json (#​10557, #​10661)
• run CI tests on new github action (#​10418, #​10551, #​10620, #​10622, #​10627)
• report to buildtracker on commit via CI github action (#​10550, #​10718)
• lantern: update golden trace collection script and recollect them (#​9662, #​10129, #​10209, #​10279, #​10663)
• smokehouse: refactor to be able to integration test all lighthouse clients (#​9843, #​10158)
• smokehouse: add bundle.js runner for driving bundled lighthouse tests (#​9943)
• bundle smokehouse + bundle.js runner + bundled lighthouse for integration testing in a browser (#​9873, #​10727)
• smokehouse: use ranges for some expectations to work in varying environments (#​10227, #​10473)
• smokehouse: add static-server hook to modify response body (#​9872)
• smokehouse: adjust expectation handling and logging for compatibility (#​10361)
• smokehouse: commit copy of pwa.rocks for testing (#​10648)
• add type checking to driver-test (#​10135, #​10123)
• add type checking to gather-runner-test (#​10136, #​10215, #​10230)
• fix i18n-test.js bugs in Node 13 (#​10595)
• i18n: add check of locale files for strings that are probably wrong (#​9847)
• use assert in strict assertion mode (#​10606, #​10733)
• report-ui-features: add tests and remove interdependencies (#​10199, #​10201)
• update coveragePathIgnore jest configuration (#​10448)
• speedline: remove flaky test (#​10181)
• remove global.URL for jsdom tests (#​10186)
• viewer-test: don't override puppeteer's chromium (#​9877)
• fix appveyor cache failures (#​10281)
• use lighthouse tarball for recipe tests (#​10254)
• stage viewer per PR with yarn now-build (#​10151)

Misc

• update license headers to credit Lighthouse Authors (#​10469)
• add timings-data/ to .npmignore (#​10584)
• update commitlint config to latest, loosen subject-case (#​10371)
• tweak CODEOWNERS for codereview assignment (#​10265, #​10274, #​10282)
• release script push tag (#​10193)
• add a bump-versions.js release script (#​9998)
• add comment about minimum chrome version for LCP (#​9889)
• update changelog order and add chrome note placeholder (#​9859)
• add .mailmap file (#​10766)
• add chrome version field to bug report template (#​9866)
• upgrade Lighthouse CI dogfood script (#​9879, #​9951, #​9972, #​10482)
• updates and new features for internal compare-runs script (#​10296, #​10519, #​10526, #​10652)
• add git3po scripts for managing Github issues and PRs (#​10231, #​10266, #​10255, #​10271, #​10338, #​10256, #​10304, #​10658, #​10257)

Deps

• lighthouse-plugin-publisher-ads: upgrade to 1.1.0-beta.0 (#​10544, #​10776)
• chrome-launcher: upgrade to 0.13.2 (#​9904, #​10535, #​10724)
• yargs-parser: upgrade to 18.1.3 (#​10723)
• third-party-web: upgrade to 0.11.1 (#​10711)
• axe-core: upgrade to 3.5.3 (#​10056, #​10344, #​10637)
• `