Web-Components - POAM: October '24 #78

Merged
merged 2 commits into from
Oct 16, 2024

mahoneycm
Contributor

@mahoneycm mahoneycm commented Oct 10, 2024

Summary

POAM dependency updates for October 2024.

Related issues

USWDS-Team - POAM: October 2024
Resolves https://github.com/uswds/web-components/security/dependabot/12
Resolves https://github.com/uswds/web-components/security/dependabot/11
Resolves https://github.com/uswds/web-components/security/dependabot/14
Resolves https://github.com/uswds/web-components/security/dependabot/13
Resolves https://github.com/uswds/web-components/security/dependabot/10
Resolves https://github.com/uswds/web-components/security/dependabot/9
Resolves https://github.com/uswds/web-components/security/dependabot/7

Vulnerabilities

Before updates

8 vulnerabilities (1 low, 3 moderate, 4 high)

After updates

found 0 vulnerabilities

Dependency updates

| Dependency Name | Old Version | New Version |
| --- | --- | --- |
| @rollup/rollup-linux-x64-gnu | ^4.21.2 | ^4.24.0 |
| @storybook/addon-a11y | ^8.2.9 | ^8.3.5 |
| @storybook/addon-docs | ^8.2.9 | ^8.3.5 |
| @storybook/addon-essentials | ^8.2.9 | ^8.3.5 |
| @storybook/addon-links | ^8.2.9 | ^8.3.5 |
| @storybook/blocks | ^8.2.9 | ^8.3.5 |
| @storybook/manager-api | ^8.2.9 | ^8.3.5 |
| @storybook/test | ^8.2.9 | ^8.3.5 |
| @storybook/theming | ^8.2.9 | ^8.3.5 |
| @storybook/web-components | ^8.2.9 | ^8.3.5 |
| @storybook/web-components-vite | ^8.2.9 | ^8.3.5 |
| @uswds/uswds | ^3.8.2 | ^3.9.0 |
| axe-playwright | ^2.0.2 | ^2.0.3 |
| eslint | ^9.10.0 | ^9.12.0 |
| lit | ^3.2.0 | ^3.2.1 |
| sass | ^1.78.0 | ^1.79.4 |
| storybook | ^8.2.9 | ^8.3.5 |
| vite | ^5.4.3 | ^5.4.8 |

Testing instructions

  1. Run npm run start
  2. Confirm there are no build errors
  3. Confirm there are no visual regressions
  4. Run prettier and test scripts and confirm there are no issues.

Contributor Author

Running npm install on the develop branch moves the usa-link manifest to the bottom of the file

"concurrently": "^8.2.2",
"custom-elements-manifest": "^2.1.0",
"eslint": "^9.10.0",
"eslint": "^9.12.0",
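
Review bot: the `eslint` line moves the range floor from `^9.10.0` to `^9.12.0`, but a caret range in package.json does not fix which version is installed; the audited version is whatever the lockfile records. Suggest confirming that the lockfile update is part of the same commits and that the "found 0 vulnerabilities" result in the summary comes from `npm ci` followed by `npm audit` on this branch.
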
Contributor Author

eslint

We have an eslint dependency but not a script to use it.

Running npx eslint flags browser variables window and document as being undefined.

I found this was avoidable by installing a globals package and adding the global browser config to our eslint.config.js.

We have #31 which outlines adding the eslint lit plugin. I could add this requirement to this issue or create a new separate issue to track.

Alternatively, we can uninstall eslint if we decide to rely on prettier linting instead.

"sass": "^1.78.0"
"@uswds/uswds": "^3.9.0",
"lit": "^3.2.1",
"sass": "^1.79.4"
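
Review bot: the `sass` entry on the last line of this hunk uses a caret range, so `^1.79.4` resolves only to 1.x releases and cannot pull in Dart Sass 2.0.0, the release in which the deprecation warning quoted in this thread says the legacy JS API is removed. The warning will keep appearing on every build until the Vite `api` setting is switched, so it is worth stating in the PR summary that the new build output is known and tracked, so it is not read as a regression during the build check.
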
Contributor Author

Sass deprecation warning

This update brings on a new Sass deprecation warning.

Warning

DEPRECATION WARNING: The legacy JS API is deprecated and will be removed in Dart Sass 2.0.0.
More info →

In the bundlers section of the above guidance there are specific instructions for Vite.

Vite still defaults to the legacy API, but you can similarly switch it by setting api to "modern" or "modern-compiler". See Vite’s documentation

Currently, switching to the modern API causes an error. I think that this is due to USWDS using the deprecated Sass render() function.

I've created #77 to track. I’ll readdress after completing uswds/uswds#6103.

Collaborator

@mejiaj mejiaj left a comment

Looks good, I was able to confirm 0 vulns after your changes.

Collaborator

@heymatthenry heymatthenry left a comment

LGTM, thanks!

@heymatthenry heymatthenry merged commit 97056a5 into develop Oct 16, 2024
5 checks passed
@heymatthenry heymatthenry deleted the cm-POAM-oct-24 branch October 16, 2024 22:29