Public-sans - POAM: September '24

[mahoneycm]

Summary

POAM updates for September 2024

Important

This PR caught a Federalist build issue. The issue appears unrelated to these changes but was caught due to generating a new gemfile.lock.

The federalist pages team is investigating. Additional details in this slack thread (🔒).

In the meantime I've downgraded ruby.

Related issue

uswds/uswds-team#390
https://github.com/uswds/public-sans/security/dependabot/74
https://github.com/uswds/public-sans/security/dependabot/81
https://github.com/uswds/public-sans/security/dependabot/82

Preview link

Preview link →

Major changes

• Ruby downgraded from 3.3.4 to 3.2.5 to resolve Cloud Pages build error

Dependency updates

Before:

11 vulnerabilities (6 moderate, 5 high)

After

found 0 vulnerabilities

Dependency updates

Node package updates

Dependency name	Old version	New version
@axe-core/cl	^4.9.1	^4.10.0
@uswds/uswds	3.8.1	3.8.2
gulp	^4.0.2	^5.0.0
postcss	^8.4.41	^8.4.45
sass-embedded	^1.77.8	^1.78.0

Gem updates:

Dependency name	Old version	New version
concurrent-ruby	1.3.3	1.3.4
google-protobuf	4.28.0	4.28.1
i18n	1.14.5	1.14.6
jekyll	4.3.3	4.3.4
rexml	3.3.4	3.3.7
rouge	4.3.0	4.4.0
sass-embedded	1.77.8	1.78.0
strscan	3.1.0	—
unicode-display_width	2.5.0	2.6.0

Testing and review

Gulp commands run without error

1. npm run start
2. npm run serve
3. npm run test:a11y (while localhost is being served from the serve script)
4. Confirm no font regressions in Public Sans fonts due to Gulp update

[mejiaj]

@mahoneycm thanks for the notes in the description. Hope you don't mind, I've modified the Important alert to state the workaround (last sentence - In the meantime I've downgraded ruby.

I've been able to successfully switch to Ruby 3.25 and do a clean install of both Node & Ruby dependencies without issues.

Tested using npm run serve and npm start.