Skip to content

[Snyk] Upgrade @uswds/uswds from 3.8.0 to 3.13.0#330

Open
sfrederick-gsa-gov wants to merge 1 commit intomainfrom
snyk-upgrade-7b7562bc76b115bd452d03d3dc6d658a
Open

[Snyk] Upgrade @uswds/uswds from 3.8.0 to 3.13.0#330
sfrederick-gsa-gov wants to merge 1 commit intomainfrom
snyk-upgrade-7b7562bc76b115bd452d03d3dc6d658a

Conversation

@sfrederick-gsa-gov
Copy link
Copy Markdown

@sfrederick-gsa-gov sfrederick-gsa-gov commented Mar 6, 2026

snyk-top-banner

Snyk has created this PR to upgrade @uswds/uswds from 3.8.0 to 3.13.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 7 versions ahead of your current version.

  • The recommended version was released 9 months ago.

Release notes
Package name: @uswds/uswds
  • 3.13.0 - 2025-05-23

    What's new in USWDS 3.13.0

    Features

    Package A11y Breaking Markup change Description
    usa-banner - - - Added a Web Component variant of banner. This release contains the first Web Component in USWDS. The addition of the usa-banner tag will make it easier for many teams to get up and running with USWDS, and we plan to add more Web Components in the future. Huge thanks to @ mejiaj who did much of the work on this component in the USWDS Elements repository (#6460)
    usa-range Yes - - Currently, the range slider has audible cues that aren't available for sighted users. This update adds a value to the slider so the current value is visible. (#6302) Thank you, @ aduth!
    uswds-core Yes - - Animated transitions now respect the system's reduced motion preference. A new transition utility handles default behavior for easing and disabling inessential animation. (#6268) Thank you, @ cathybaptista!

    Dependency updates

    Dependency name Previous version New version
    lit -- 3.2.1

    Note: While Lit is a new dependency, it's only necessary for the new Web Component banner variant. If you're using the compiled version of that component from dist, Lit's already included.

    Dev Dependency updates

    Dependency name Previous version New version
    @ rollup/plugin-commonjs -- 28.0.3
    @ spiriit/vite-plugin-svg-spritemap -- 4.0.0
    eslint-plugin-airbnb-base -- 0.0.1-security
    eslint-plugin-lit -- 2.0.0
    lit -- 3.2.1
    vite -- 6.3.5
    vite-plugin-svg-sprite -- 0.6.2
    undici 6.21.1 6.21.3

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    55 vulnerabilities (29 moderate, 26 high) in devDependencies (development dependencies)

    Release TGZ SHA-256 hash: 6eac004fb7785490eb640f388c6949c57951501876acb109ecdd4c8ead7518b6

  • 3.12.0 - 2025-03-07

    What's new in USWDS 3.12.0

    Features

    Package A11y Breaking Markup change Description
    usa-date-picker, usa-date-range-picker - - - Enabled native JavaScript translation for date picker calendar labels. The calendar now uses the Date.toLocaleString API to automatically build translated labels based on the document's lang attribute. Thanks @ deebloo! (#5679)
    usa-in-page-navigation - - - Added the data-minimum-heading-count property to the in-page navigation component. This property hides the component when the content region does not contain the minimum number of headings. By default, this attribute hides the in-page navigation component when there are fewer than two headings in the content region.

    ✏️ Teams should customize the value of this property based on their content needs. (#6205)
    usa-tooltip - - - Enabled tooltip functionality on non-button elements. Thanks @ anmazz! (#6035)

    Bug fixes

    Package A11y Breaking Markup change Description
    usa-checkbox, usa-radio - - - Updated checkbox and radio styles so that the interactive area now matches the width of the content. Previously, the interactive area extended the full width of its container. (#6192)
    usa-in-page-navigation - - - Fixed a bug that prevented in-page navigation from scrolling to nested headings. Now, the component can smooth scroll to headings within components like card and summary box.

    ✏ Teams that use data-scroll-offset should check to make sure this change does not cause regressions in scroll behaviors. Thanks @ jhancock532! (#5878)
    uswds-core - - - Resolved Sass deprecation warnings related to the color function. This change ensures compatibility with Dart Sass 2.0.0 and eliminates the use of deprecated color functions. (#6270)
    uswds-core - - - Replaced resolve-id-refs dependency with custom JavaScript. (#6308)

    Dependencies and security

    Dependency updates

    Dependency name Previous version New version
    resolve-id-refs 0.1.0 --

    Dev dependency updates

    Dependency name Previous version New version
    @ babel/core 7.26.0 7.26.8
    @ babel/preset-env 7.26.0 7.26.8
    gulp-sass 5.1.0 6.0.0
    postcss 8.4.49 8.5.2
    sass 1.83.1 1.84.0
    sass-embedded 1.83.1 1.83.4
    sass-loader 13.3.2 16.0.4
    snyk 1.1295.0 1.1295.3
    stylelint 16.11.0 16.12.0
    typescript 5.7.2 5.7.3
    webpack 5.97.1 5.98.0

    Additional updates

    Important

    USWDS now requires a verified signature on all commits to this repository. Learn more about how to set up signature verification in our CONTRIBUTING.md file.

    Additional contributions

    • Thanks to @ aduth for making our prettier configuration more explicit. (#6269)
    • Thanks to @ szepeviktor for fixing typos. (#6251)
    • Thanks to @ jcklpe for updating broken links in the USWDS README. (#6239)
    • Thanks to @ aduth for improving the JavaScript examples in our README (#5928)
    • Thanks to @ aduth for improving our automated unit test scans (#6171)

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    30 moderate, 26 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: 8a562ec0c24d93b7eeaeaa9056f54050054344331dd34ca96d5be161442f09cd

  • 3.11.0 - 2024-12-18

    What's new in USWDS 3.11.0

    Features

    Package A11y Breaking Markup change Description
    usa-elements - - - Removed outdated browser normalization styles. This update drops normalize support for Internet Explorer. Thanks @ aduth! (#5555)
    usa-form, usa-input-prefix-suffix, usa-input, uswds-core - - - Moved .usa-input--[width] and .usa-input-group--[width] classes out of the usa-form package. These classes are now generated in the usa-input and usa-input-prefix-suffix packages and can be used without the .usa-form parent element. Thanks @ aduth! (#6232)
    usa-table - - - Updated table header styles to be consistent across all table elements. Now, all thead th, tbody th, and tfoot th cells will all have the same visual styles. Thanks @ ajanickiv!

    ✏️ Teams should confirm that their tables display as expected. (#5986)

    Bug fixes

    Package A11y Breaking Markup change Description
    usa-button, usa-collection, usa-file-input, usa-icon-list, usa-icon, usa-input-prefix-suffix, usa-modal, usa-pagination - - Yes Replaced deprecated xlink:href references with href.

    ✏ Teams should update their markup to replace xlink:href references with href and pull in the updated loader.svg file. (#6165)
    usa-file-input Yes - - Fixed a bug that prevented screen readers from announcing the invalid file type error message. (#6168)

    ✏ Teams who support additional languages should update the error message string to match the new copy.
    usa-footer Yes - - Removed overflow: hidden from usa-footer to allow the full focus outline to show. This fix also improves horizontal alignment in the slim footer variant. Thanks @ 6TELOIV! (#6237)

    Markup changes

    MDN warns that the deprecated xlink:href attribute can stop working at any time. When referencing SVG icon sprites, teams should use href instead of the deprecated xlink:href attribute.

    <!-- usa-icon example -->
<svg class="usa-icon" aria-hidden="true" focusable="false" role="img">
- <use xlink:href="./img/sprite.svg#close"></use>
+ <use href="./img/sprite.svg#close"></use>
</svg>

    Dependencies and security

    Dependency name Previous version New version
    @ babel/core 7.25.7 7.26.0
    @ babel/preset-env 7.25.7 7.26.0
    axe-core 4.10.0 4.10.2
    cross-spawn 7.0.3 7.0.6
    html-webpack-plugin 5.6.0 5.6.3
    mocha 10.7.3 10.8.2
    nwsapi (added via npm overrides) -- 2.2.13
    postcss 8.4.47 8.4.49
    prettier 3.3.3 3.4.2
    sass 1.79.4 1.83.0
    sass-embedded 1.79.4 1.83.0
    snyk 1.1293.1 1.1294.3
    stylelint 16.9.0 16.11.0
    typescript 5.6.2 5.7.2
    webpack 5.95.0 5.97.1

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    29 moderate, 26 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: 1c10cd70a3c627fd14d9ee74a4071e67c4e5ba4bf14ca1c50c19c2fe5885e70a

  • 3.10.0 - 2024-11-13

    What's new in USWDS 3.10.0

    Features

    Package A11y Breaking Markup change Description
    usa-combo-box - - - Updated the order of combo box search results. The component now displays options that start with the query at the top of the list, followed by options that contain the query. This behavior more closely aligns with user expectation. (#6122)

    Bug fixes

    Package A11y Breaking Markup change Description
    usa-checkbox - - - Removed inline style tags from indeterminate checkbox SVGs. These style tags were unnecessary and caused a conflict with Cypress automated testing. (#6162)

    ✏️ Teams should update the checkbox-indeterminate.svg and checkbox-indeterminate-alt.svg files in their projects.
    usa-file-input - - - Fixed a bug that caused file input image previews to break when a Content Security Policy is enabled. The component now uses event listeners in place of inline JavaScript to handle error states. Thanks @ jeffpw-goog! (#5997)
    usa-model - - - Fixed a bug that prevented the modal package from bundling with a custom prefix. The component no longer uses hard-coded class names in its JavaScript. Thanks @ sanason! (#6026)
    usa-step-indicator Yes - Yes Removed the aria-label from the wrapper of the step indicator component. This resolves an automated testing error related to having an invalid attribute on a div element. (#6146)

    ✏️ Teams should remove the the aria-label from the .usa-step-indicator element in their step indicator markup.
    usa-time-picker Yes - Yes Updated the time picker hint text to improve clarity. This update allows the component to meet the success criteria in WCAG 3.3.2. (#6147)

    ✏️ Teams should replace the words "hh:mm" in the time picker hint text with "Select a time from the dropdown. Type into the input to filter options."

    Markup changes

    Step indicator

    To remove automated testing errors, teams should update the step indicator markup to remove the aria-label on the usa-step-indicator element:

    - <div class="usa-step-indicator" aria-label="progress">
+ <div class="usa-step-indicator">

    Time picker

    If teams are using "hh:mm" in their time picker hint text, they should update the text to "Select a time from the dropdown. Type into the input to filter options.":

    - <div class="usa-hint">hh:mm</div>
+ <div class="usa-hint">Select a time from the dropdown. Type into the input to filter options.</div>

    Dependencies and security

    Dependency updates

    Dependency name Previous version Updated version
    object-assign 4.1.1 --

    Dev Dependency updates

    Dependency name Previous version Updated version
    @ babel/core 7.25.2 7.25.7
    @ babel/preset-env 7.25.4 7.25.7
    browserify 17.0.0 17.0.1
    eslint-plugin-import 2.30.0 2.31.0
    eslint-plugin-no-unsanitized 4.1.0 4.1.2
    postcss 8.4.45 8.4.47
    sass 1.78.0 1.79.4
    sass-embedded 1.78.0 1.79.4
    snyk 1.1293.0 1.1293.1
    twig-html-loader 0.1.9 --
    webpack 5.94.0 5.95.0

    Thanks @ aduth and @ anselmbradford for contributing to our dependency updates!

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    29 moderate, 26 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: fdd1f9fc4cbfeb0fca7feeba1c94b205ba4ee22d03f63bb916c8750982715fb7

  • 3.9.0 - 2024-10-04

    What's new in USWDS 3.9.0

    Features

    Package A11y Breaking Markup change Description
    usa-character-count - - - Enhanced the visual cue when maxlength is exceeded in the character count component. Now, the component uses standard USWDS error styles to visually enhance the error state. (#5908)
    usa-date-picker, usa-date-range-picker Yes - - Added aria-disabled to the list of expected attributes in the date picker and date range picker components. Now, the component will disable toggle when the aria-disabled attribute is present. (#6013)
    uswds-core, usa-layout-grid - - - Added new $theme-utility-breakpoints-custom setting. This setting generates responsive variants of USWDS utilities at custom breakpoints. Values must be set with px values inside a Sass map. Thanks @ jamigibbs! (#6048)

    Bug fixes

    Package A11y Breaking Markup change Description
    usa-alert, usa-site-alert - Yes - Fixed a bug that caused $theme-site-margins-width to unexpectedly adjust the alignment inside the alert and site alert components. Alignment on the alert and site alert components will likely shift from this change. Confirm that your implementation of the component aligns as expected. (#5636)

    ⚠️ Considered breaking because the alignment and display of the alert may shift.
    usa-button - Yes - Updated the width of unstyled buttons at narrow screen widths. Now, unstyled buttons receive a width of auto to better match USWDS link styles. Users should confirm that the variant visually displays as expected in their projects. Thanks @ aduth! (#5631)

    ⚠️ Considered breaking because the display of unstyled buttons will change at narrow screen widths. Check your codebase for any instances of @ include button-unstyled in your custom styles. These items may be affected by this change.
    usa-card - Yes - Fixed a bug that caused the component to ignore the $theme-card-font-family setting. Confirm that your implementation of the card component displays with the expected font family. (#5974)

    ⚠️ Considered breaking because fonts in cards may change if you've set $theme-card-font-family.
    usa-combo-box Yes - - Removed custom screen reader instructions in the combo box component. Combo box now relies on the default instructions provided by screen readers. (#6022)
    usa-date-picker, usa-date-range-picker Yes - - Fixed a bug that caused mouseover events to prevent keyboard navigation. Now when you hover your mouse over the date picker buttons, only the hover state will be triggered. (#5774)
    usa-header Yes Yes - Removed the CSS order property from the mobile view in standard variants of the header component. Now, the visual order of the component matches the tab order. If you would like to visually keep the search bar at the top of the menu, you will need to reorder your markup in the mobile view. (#6037)

    ⚠️ Considered breaking because the position of the search bar will change in the mobile menu.
    usa-footer, templates Yes - Yes Added the autocomplete="email" attribute to the big footer variant and the "Create an account" template. This attribute allows the components to meet the standards outlined in WCAG 1.3.5. (#6002)

    ✏️ Teams should update their markup if they use an email field in their big footer.
    usa-identifier - - Yes Updated the USA.gov link in Spanish versions of the identifier. The link text now reads "Visite USAGov en Español" and the link url is now "https://www.usa.gov/es/". (#5892)

    ✏️ Teams should update this text if they use the Spanish-language identifier.
    usa-memorable-date Yes - Yes Removed numeric representation of months in the memorable date component. Recent usability testing indicated that having both numbers and names to represent months was confusing for screen reader users. (#6028)

    ✏️ Teams should update their memorable date component to remove the leading numbers.
    usa-pagination Yes - - Added text underline styles to pagination links. Pagination links are now visually consistent with other USWDS text links. (#5970)

    Dependencies and security

    Dependency name Previous version Updated version
    @ 18f/identity-stylelint-config 4.0.0 4.1.0
    @ babel/core 7.24.5 7.25.2
    @ babel/preset-env 7.24.5 7.25.4
    @ types/node 20.12.11 20.14.10
    autoprefixer 10.4.19 10.4.20
    axe-core 4.9.1 4.10.0
    babel-loader 9.1.3 --
    eslint-plugin-import 2.29.1 2.30.0
    eslint-plugin-no-unsanitized 4.0.2 4.1.0
    gulp-changed 4.0.3 --
    gulp-clean 0.4.0 --
    gulp-cli 2.3.0 --
    mocha 10.4.0 10.7.3
    normalize.css 8.0.1 --
    path 0.12.7 --
    postcss 8.4.38 8.4.45
    postcss-preset-env 9.5.11 9.6.0
    prettier 3.2.5 3.3.3
    sass 1.77.0 1.78.0
    sass-embedded 1.77.0 1.78.0
    snyk 1.1291.0 1.1293.0
    stylelint 16.5.0 16.9.0
    typescript 5.4.5 5.6.2
    webpack 5.91.0 5.94.0

    Thanks @ aduth for contributing to our dependency updates and @ skyf0l for fixing a typo in our package.json!

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    29 moderate, 26 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: 140cb2162e6c60a6a6ecbc71d8d047819d4ec26f9dd6c7056bd4bd8a266af2ab

  • 3.8.2 - 2024-08-09

    What's new in USWDS 3.8.2

    Dependencies and security

    Removed the classlist-polyfill dependency. This update resolves a Denial of Service (DoS) vulnerability related to the classlist-polyfill dependency that we do not consider exploitable on the front end of applications. (#6012)

    Important

    This release may affect some functionality in Internet Explorer 11 (IE11). This update removes the polyfill that added full classList support to IE11. USWDS no longer supports IE11, but if your project does, test if this update negatively affects your users and add additional support for classList if it does.

    Dependency name Previous version New version
    classlist-polyfill 1.2.0 --

    Thanks @ aduth for the initial work on removing this dependency.

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    5 low, 11 moderate, 44 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: 94049e150c2a67dfdb75f140fc664d2e936ef652480a2f88dfdd96922e0a940c

  • 3.8.1 - 2024-05-31

    What's new in USWDS 3.8.1

    Bug fixes

    Package A11Y Breaking Markup change Description
    usa-button-group Improved styles for nested button groups. Now, nested button groups should match the height of their parents. (#5885)
    usa-footer Restored the usa-layout-grid dependency in the footer package and removed layout grid styles from the footer stylesheet. This update prevents visual regressions in footer and other components with layout grid utility classes in their markup. (#5930)
    usa-identifier Yes Fixed a bug that added the English word "An" to Spanish variants of the identifier component. This was accidentally added to our component preview templates because of a data error. (#5857)
    usa-in-page-navigation Updated an outdated reference to the data-header-selector attribute in an in-page navigation JavaScript error message. The error message now correctly references the data-heading-elements attribute. (#5856)
    usa-input-mask Fixed a bug that caused input mask to break when it is not a direct child of a form. Nested input masks will now initialize and work properly. Thanks @ chrislarrycarl! (#5518)
    usa-tooltip Yes Updated the behavior of the tooltip component to allow users to hover over tooltip content. This allows the component to meet the "hoverable" standard outlined in WCAG 1.4.13. (#5919)
    usa-tooltip Yes Updated tooltip component behavior to close active tooltips when the escape key is pressed. This allows the component to meet the "dismissible" standard outlined in WCAG 1.4.13. (#5909)
    usa-validation Yes Fixed a bug that caused non-interactive checklist items in the validation component to receive focus. Now, only the interactive input will receive focus. (#5835)
    uswds-utilities Updated the code comments on utility Sass partials. These comments now reflect the correct utility class names and values. Thanks @ aduth! (#5859)

    Dependencies and security

    Dependency name Previous version New version
    @ 18f/identity-stylelint-config 2.0.0 4.0.0
    @ babel/core 7.23.6 7.24.5
    @ babel/preset-env 7.23.6 7.24.5
    @ types/node 20.10.4 20.12.11
    autoprefixer 10.4.16 10.4.19
    axe-core 4.8.2 4.9.1
    eslint 8.55.0 8.56.0
    eslint-plugin-import 2.29.0 2.29.1
    html-webpack-plugin 5.5.4 5.6.0
    mocha 10.2.0 10.4.0
    postcss 8.4.32 8.4.38
    postcss-discard-comments 6.0.0 6.0.2
    postcss-preset-env 9.3.0 9.5.11
    prettier 2.8.8 3.2.5
    sass 1.69.5 1.77.0
    sass-embedded 1.69.5 1.77.0
    snyk 1.1262.0 1.1291.0
    stylelint 15.11.0 16.5.0
    svgo 3.1.0 3.3.2
    typescript 5.3.3 5.4.5
    webpack 5.89.0 5.91.0

    Thanks @ anselmbradford for the dependency updates!

    0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @ uswds/uswds)
    13 moderate, 28 high vulnerabilities in devDependencies (development dependencies).

    Release TGZ SHA-256 hash: a86fa133b842ce28d1eed2226216c478debf31bf6c16ffcd96fecf061fdf4583

  • 3.8.0 - 2024-03-11<...

@snyk-bot
fix: upgrade @uswds/uswds from 3.8.0 to 3.13.0
b7454c4 
Snyk has created this PR to upgrade @uswds/uswds from 3.8.0 to 3.13.0.

See this package in npm:
@uswds/uswds

See this project in Snyk:
https://app.snyk.io/org/gsa-pages/project/3f1ed618-0f12-4948-866b-e07354fe94c4?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sfrederick-gsa-gov @snyk-bot