Public-sans - POAM: September '24

[mahoneycm]

Summary

POAM updates for September 2024

Warning

We received deprecation warnings for dependencies that are no longer supported. They are coming from USWDS compile and will be resolved in uswds/uswds-compile#122.

Important

This PR caught a Federalist build issue. The issue appears unrelated to these changes but was caught due to generating a new gemfile.lock.

The federalist pages team is investigating. Additional details in this slack thread (🔒).

In the meantime I've downgraded ruby.

Related issue

uswds/uswds-team#390
Resolves https://github.com/uswds/public-sans/security/dependabot/84
Resolves https://github.com/uswds/public-sans/security/dependabot/83
Resolves https://github.com/uswds/public-sans/security/dependabot/74
Resolves https://github.com/uswds/public-sans/security/dependabot/81
Resolves https://github.com/uswds/public-sans/security/dependabot/82

Preview link

Preview link →

Major changes

• Ruby downgraded from 3.3.4 to 3.2.5 to resolve Cloud Pages build error
• Updated USWDS to 3.9.0

Dependency updates

Before:

11 vulnerabilities (6 moderate, 5 high)

After

found 0 vulnerabilities

Dependency updates

Node package updates

Dependency name	Old version	New version
@axe-core/cl	^4.9.1	^4.10.0
@uswds/uswds	3.8.1	3.8.2
gulp	^4.0.2	^5.0.0
postcss	^8.4.41	^8.4.45
sass-embedded	^1.77.8	^1.78.0

Gem updates:

Dependency name	Old version	New version
@uswds/uswds	3.8.2	3.9.0
concurrent-ruby	1.3.3	1.3.4
google-protobuf	4.28.0	4.28.2
i18n	1.14.5	1.14.6
jekyll	4.3.3	4.3.4
rexml	3.3.4	3.3.8
rouge	4.3.0	4.4.0
postcss	^8.4.45	^8.4.47
sass-embedded	1.78.0	1.79.4
strscan	3.1.0	—
unicode-display_width	2.5.0	2.6.0
webrick	1.8.1	1.8.2

Testing and review

Gulp commands run without error

1. npm run start
2. npm run serve
3. npm run test:a11y (while localhost is being served from the serve script)
4. Confirm no font regressions in Public Sans fonts due to Gulp update

[mejiaj]

@mahoneycm thanks for the notes in the description. Hope you don't mind, I've modified the Important alert to state the workaround (last sentence - In the meantime I've downgraded ruby.

I've been able to successfully switch to Ruby 3.25 and do a clean install of both Node & Ruby dependencies without issues.

Tested using npm run serve and npm start.

[mahoneycm]

October updates

Dependency updates

Dependency name	Old version	New version
@uswds/uswds	3.8.1	3.8.2
postcss	^8.4.41	^8.4.45
sass-embedded	^1.77.8	^1.78.0

Gem updates

Gem name	Old version	New version
google-protobuf	4.28.1	4.28.2
rexml	3.3.7	3.3.8
sass-embedded	1.78.0	1.79.4
webrick	1.8.1	1.8.2

[mahoneycm]

IMPORTANT
Converting to draft while we review compile POAM PR

Resuming review of this PR since we would have to wait for the next compile release to resolve

[mejiaj]

LGTM.

I've added a note about Gulp 5 and fonts/images, but didn't see any regressions at first glance.

[mejiaj]

Tip

This major Gulp update has caused issues with fonts and images. I tested npm run copy-webfonts and didn't see any issues.

[mahoneycm]

I took a look at your work in uswds/uswds-compile#96 to make sure the issue that was captured and resolved there wasn't going to be an issue here! I didn't find any issues either 👍

[thisisdano]

Added to address the issue fixed in uswds/uswds-compile#96 from a solution noted in gulpjs/gulp#2803

[thisisdano]

LGTM