Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Public-sans - POAM: September '24 #315

Merged
merged 8 commits into from
Oct 28, 2024
Merged

Conversation

mahoneycm
Copy link
Contributor

@mahoneycm mahoneycm commented Sep 10, 2024

Summary

POAM updates for September 2024

Warning

We received deprecation warnings for dependencies that are no longer supported. They are coming from USWDS compile and will be resolved in uswds/uswds-compile#122.

Important

This PR caught a Federalist build issue. The issue appears unrelated to these changes but was caught due to generating a new gemfile.lock.

The federalist pages team is investigating. Additional details in this slack thread (🔒).

In the meantime I've downgraded ruby.

Related issue

uswds/uswds-team#390
Resolves https://github.com/uswds/public-sans/security/dependabot/84
Resolves https://github.com/uswds/public-sans/security/dependabot/83
Resolves https://github.com/uswds/public-sans/security/dependabot/74
Resolves https://github.com/uswds/public-sans/security/dependabot/81
Resolves https://github.com/uswds/public-sans/security/dependabot/82

Preview link

Preview link →

Major changes

  • Ruby downgraded from 3.3.4 to 3.2.5 to resolve Cloud Pages build error
  • Updated USWDS to 3.9.0

Dependency updates

Before:

11 vulnerabilities (6 moderate, 5 high)

After

found 0 vulnerabilities

Dependency updates

Node package updates

Dependency name Old version New version
@axe-core/cl ^4.9.1 ^4.10.0
@uswds/uswds 3.8.1 3.8.2
gulp ^4.0.2 ^5.0.0
postcss ^8.4.41 ^8.4.45
sass-embedded ^1.77.8 ^1.78.0

Gem updates:

Dependency name Old version New version
@uswds/uswds 3.8.2 3.9.0
concurrent-ruby 1.3.3 1.3.4
google-protobuf 4.28.0 4.28.2
i18n 1.14.5 1.14.6
jekyll 4.3.3 4.3.4
rexml 3.3.4 3.3.8
rouge 4.3.0 4.4.0
postcss ^8.4.45 ^8.4.47
sass-embedded 1.78.0 1.79.4
strscan 3.1.0
unicode-display_width 2.5.0 2.6.0
webrick 1.8.1 1.8.2

Testing and review

Gulp commands run without error

  1. npm run start
  2. npm run serve
  3. npm run test:a11y (while localhost is being served from the serve script)
  4. Confirm no font regressions in Public Sans fonts due to Gulp update

@mahoneycm mahoneycm assigned mahoneycm and unassigned mahoneycm Sep 10, 2024
@mahoneycm mahoneycm marked this pull request as draft September 10, 2024 16:17
@mahoneycm mahoneycm changed the title Cm poam september 2024 Public-sans - POAM: September '24 Sep 10, 2024
@mahoneycm mahoneycm marked this pull request as ready for review September 17, 2024 21:04
Copy link
Contributor

@mejiaj mejiaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mahoneycm thanks for the notes in the description. Hope you don't mind, I've modified the Important alert to state the workaround (last sentence - In the meantime I've downgraded ruby.

I've been able to successfully switch to Ruby 3.25 and do a clean install of both Node & Ruby dependencies without issues.

Tested using npm run serve and npm start.

@mejiaj mejiaj requested review from thisisdano and removed request for amyleadem September 18, 2024 14:02
@mahoneycm
Copy link
Contributor Author

October updates

Dependency updates

Dependency name Old version New version
@uswds/uswds 3.8.1 3.8.2
postcss ^8.4.41 ^8.4.45
sass-embedded ^1.77.8 ^1.78.0

Gem updates

Gem name Old version New version
google-protobuf 4.28.1 4.28.2
rexml 3.3.7 3.3.8
sass-embedded 1.78.0 1.79.4
webrick 1.8.1 1.8.2

@mahoneycm mahoneycm marked this pull request as draft October 9, 2024 20:36
@mahoneycm
Copy link
Contributor Author

mahoneycm commented Oct 9, 2024

IMPORTANT
Converting to draft while we review compile POAM PR

Resuming review of this PR since we would have to wait for the next compile release to resolve

@mahoneycm mahoneycm marked this pull request as ready for review October 10, 2024 18:16
@mahoneycm mahoneycm mentioned this pull request Oct 10, 2024
7 tasks
@mahoneycm mahoneycm requested a review from mejiaj October 10, 2024 18:20
Copy link
Contributor

@mejiaj mejiaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I've added a note about Gulp 5 and fonts/images, but didn't see any regressions at first glance.

"@uswds/uswds": "3.8.1",
"gulp": "^4.0.2",
"@uswds/uswds": "3.9.0",
"gulp": "^5.0.0",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tip

This major Gulp update has caused issues with fonts and images. I tested npm run copy-webfonts and didn't see any issues.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a look at your work in uswds/uswds-compile#96 to make sure the issue that was captured and resolved there wasn't going to be an issue here! I didn't find any issues either 👍

Comment on lines +16 to +18
return src(`${WEBFONTS_SRC}/**/**`, {
encoding: false,
}).pipe(dest(WEBFONTS_DEST));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added to address the issue fixed in uswds/uswds-compile#96 from a solution noted in gulpjs/gulp#2803

Copy link
Member

@thisisdano thisisdano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thisisdano thisisdano merged commit 11a9e1d into develop Oct 28, 2024
4 checks passed
@thisisdano thisisdano deleted the cm-POAM-september-2024 branch October 28, 2024 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

3 participants