[Snyk] Upgrade uswds from 2.13.3 to 2.14.0 #431

Closed


GaryGapinski (Contributor)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade uswds from 2.13.3 to 2.14.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 3 months ago, on 2023-04-07.
Release notes
Package name: uswds
  • 2.14.0 - 2023-04-07

    Long-term archive of Version 2

    As we noted when we released Version 3.0, we will support Version 2 through May 2023. As a part of our long-term archive support for Version 2.x, we're releasing USWDS 2.14.0. This release has no functional changes, but it strips all nonessential development dependencies from the codebase. This will allow both the design system and long-term users of 2.x to treat this and any subsequent 2.x release as a long-term archival release, with a limited security vulnerability footprint.

    If you use USWDS 2.13.3 and will not be upgrading to 3.0, consider updating to USWDS 2.14.0.

    Details

    This release removes all dependencies, except those required to build and release. There were no vulnerabilities in the standard dependencies, but there were critical vulnerabilities in a few development dependencies:

    • Component library
      • @frctl/fractal
      • @frctl/mandelbrot
      • @frctl/nunjucks
    • Testing
      • mocha
      • gulp-spawn-mocha
    • Compiling
      • nswatch: Legacy watch task, wasn't used.
      • gulp-svg-sprite: Added compiled SVG to repo.
      • handlebars and handlebars-helpers: Used in generating formatted tokens in SASS

    We removed all these dependencies and committed any necessary static assets to the package. We've committed an archival version of the Fractal site in GitHub, but it is not included in the package.

    Finally, we added an overrides field to package.json to handle the last remaining vulnerability in gulp.

    Security and dependencies

    • 37 total dependency changes
    • 19 dependencies removed
    Dependency name                Previous version  New version
    classlist-polyfill             1.0.3             1.2.0
    @babel/preset-env              7.15.8            7.20.2
    @frctl/fractal                 1.5.11            -
    @frctl/mandelbrot              1.10.1            -
    @frctl/nunjucks                2.0.13            -
    @types/node                    16.11.6           18.15.5
    ansi-colors                    4.1.1             4.1.3
    autoprefixer                   10.3.7            10.4.14
    axe-core                       4.3.4             -
    chrome-launcher                0.15.0            -
    chrome-remote-interface        0.31.0            -
    eslint                         8.4.1             8.36.0
    eslint-config-prettier         8.3.0             8.8.0
    eslint-plugin-import           2.52.2            2.27.5
    eslint-plugin-no-unsanitized   4.0.1             4.0.2
    glob-parent                    -                 6.0.2     (added via npm overrides; last updated 2 years ago)
    gulp-replace                   1.1.1             1.1.4
    gulp-spawn-mocha               6.0.0             -
    gulp-svg-sprite                1.5.0             -
    handlebars                     4.7.7             -
    handlebars-helpers             0.10.0            -
    jsdom                          19.0.0            -
    jsdom-global                   3.0.2             -
    mocha                          6.2.3             -
    node-notifier                  10.0.0            10.0.1
    nswatch                        0.2.0             -
    nyc                            15.1.0            -
    postcss                        8.3.11            8.4.21
    postcss-csso                   6.0.0             6.0.1
    prettier                       2.4.1             2.8.6
    resemblejs                     4.0.0             -
    sass                           1.43.4            1.59.3
    sass-true                      6.0.1             -
    sinon                          12.0.1            -
    snyk                           1.746.0           1.1123.0
    stylelint                      14.1.0            14.9.1
    typescript                     4.4.4             5.0.2
    yargs                          17.2.1            -

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install uswds) from npm audit

    Internal only: 0 vulnerabilities in devDependencies (development dependencies) from npm audit

    Release ZIP SHA-256 hash: 8fb2fc84bcb73f3e7155fcacd35b2f96ae3be872716a91118b69991c6e0bb44b

  • 2.14.0-beta.1 - 2021-07-09
  • 2.13.3 - 2022-04-11
from uswds GitHub release notes
Commit messages
Package name: uswds
  • 41fb7c8 Merge pull request #5221 from uswds/release-2.14.0
  • f54a1b3 Update uswds-2.14.0-zip-hash.txt
  • b6e7fd2 Publish from the v2-main branch
  • 5437030 Merge pull request #5220 from uswds/release-2.14.0
  • d25b704 Update uswds-2.14.0-zip-hash.txt
  • f7ba7b9 Update remaining 2.13.3 references
  • 8f12c07 Create uswds-2.14.0-zip-hash.txt
  • 2912c07 2.14.0
  • f791025 Update circle script name
  • 4615410 Use a tag that matches what we used for 1.x [see more...]
  • 5d955fd Tag with `v2` to prevent appearing as `latest`
  • 0eb9072 Update references to 2.14.0
  • fdb1225 Merge pull request #5191 from uswds/jm-v2-core-deps
  • 1ae98a8 Add override for gulp dependency, glob-parent
  • 4b2d7cc Revert "Remove site directory from npmignore"
  • 0ccbf40 Add support for more modern version management
  • 88a02f4 Remove site directory from npmignore
  • 2a02674 Remove unit test reference in lint task
  • dfbd7ce Include all fractal build assets
  • 09ee8e1 Update 2x note in README
  • f25439f Remove badges from README
  • df2df83 Remove coverage report from circle
  • 0772f3f Remove test overrides
  • 53cf934 Revert stylelint and override glob-parent


@GaryGapinski GaryGapinski requested a review from a team as a code owner June 27, 2023 17:17
@volpet2014 volpet2014 closed this Jul 5, 2023
@volpet2014 volpet2014 deleted the snyk-upgrade-fd38f136289c4824e6dc9cd27b4f9c6b branch July 5, 2023 19:34
3 participants