build(deps): bump the npm-packages group across 1 directory with 7 updates

[dependabot]

Bumps the npm-packages group with 7 updates in the / directory:

Package	From	To
@uswds/uswds	3.10.0	3.11.0
markdown-it-attrs	4.3.0	4.3.1
@11ty/eleventy	2.0.1	3.0.0
@11ty/eleventy-img	5.0.0	6.0.0
@types/node	22.10.5	22.10.6
esbuild	0.24.0	0.24.2
postcss	8.4.49	8.5.0

Updates @uswds/uswds from 3.10.0 to 3.11.0

Release notes

Sourced from @​uswds/uswds's releases.

USWDS 3.11.0

What's new in USWDS 3.11.0

Features

Package	A11y	Breaking	Markup change	Description
usa-elements	-	-	-	Removed outdated browser normalization styles. This update drops normalize support for Internet Explorer. Thanks @​aduth! (#5555)
usa-form, usa-input-prefix-suffix, usa-input, uswds-core	-	-	-	Moved .usa-input--[width] and .usa-input-group--[width] classes out of the usa-form package. These classes are now generated in the usa-input and usa-input-prefix-suffix packages and can be used without the .usa-form parent element. Thanks @​aduth! (#6232)
usa-table	-	-	-	Updated table header styles to be consistent across all table elements. Now, all thead th, tbody th, and tfoot th cells will all have the same visual styles. Thanks @​ajanickiv! ✏️ Teams should confirm that their tables display as expected. (#5986)

Bug fixes

Package	A11y	Breaking	Markup change	Description
usa-button, usa-collection, usa-file-input, usa-icon-list, usa-icon, usa-input-prefix-suffix, usa-modal, usa-pagination	-	-	Yes	Replaced deprecated xlink:href references with href. ✏ Teams should update their markup to replace xlink:href references with href and pull in the updated loader.svg file. (#6165)
usa-file-input	Yes	-	-	Fixed a bug that prevented screen readers from announcing the invalid file type error message. (#6168) ✏ Teams who support additional languages should update the error message string to match the new copy.
usa-footer	Yes	-	-	Removed overflow: hidden from usa-footer to allow the full focus outline to show. This fix also improves horizontal alignment in the slim footer variant. Thanks @​6TELOIV! (#6237)

Markup changes

MDN warns that the deprecated xlink:href attribute can stop working at any time. When referencing SVG icon sprites, teams should use href instead of the deprecated xlink:href attribute.

<!-- usa-icon example -->
<svg class="usa-icon" aria-hidden="true" focusable="false" role="img">
- <use xlink:href="./img/sprite.svg#close"></use>
+ <use href="./img/sprite.svg#close"></use>
</svg>

Dependencies and security

Dependency name	Previous version	New version
@​babel/core	7.25.7	7.26.0
@​babel/preset-env	7.25.7	7.26.0
axe-core	4.10.0	4.10.2
cross-spawn	7.0.3	7.0.6
html-webpack-plugin	5.6.0	5.6.3
mocha	10.7.3	10.8.2
nwsapi (added via npm overrides)	--	2.2.13
postcss	8.4.47	8.4.49
prettier	3.3.3	3.4.2
sass	1.79.4	1.83.0
sass-embedded	1.79.4	1.83.0
snyk	1.1293.1	1.1294.3
stylelint	16.9.0	16.11.0
typescript	5.6.2	5.7.2
webpack	5.95.0	5.97.1

0 vulnerabilities in regular dependencies (dependencies for USWDS projects installed with npm install @uswds/uswds)

... (truncated)

Commits

• 44e464c Merge pull request #6264 from uswds/release-3.11.0
• 7a84ae1 Create uswds-3.11.0-zip-hash.txt
• eaae511 3.11.0
• 7ad47c1 Merge pull request #6263 from uswds/al-3.11.0-notifications
• 01456a4 Add 3.11.0 notifications
• da92186 Merge pull request #6257 from uswds/cm-update-prettier-3.4.2
• 2897fd9 Merge pull request #6255 from uswds/cb-poam-dec-24
• 8bf3d0d Merge branch 'develop' of https://github.com/uswds/uswds into cm-update-prett...
• d201ce2 Update package-lock.json
• d19cb9d Merge branch 'develop' of github.com:uswds/uswds into cb-poam-dec-24
• Additional commits viewable in compare view

Updates markdown-it-attrs from 4.3.0 to 4.3.1

Release notes

Sourced from markdown-it-attrs's releases.

v4.3.1

Generic error handling, catches tranforms that fails, prints an error and continues.

Full Changelog: arve0/markdown-it-attrs@v4.3.0...v4.3.1

Commits

• 0cd968f 4.3.1
• 501eec1 generic error handling if transform fails
• See full diff in compare view

Updates @11ty/eleventy from 2.0.1 to 3.0.0

Release notes

Sourced from @​11ty/eleventy's releases.

Eleventy v3.0.0: Possums ❤️ ESM

We did it. After 22 pre-releases and over a year of work, Eleventy 3.0.0 is now available. You can try it out now on your project using:

npm install @11ty/eleventy@latest

If you’re upgrading from a previous version of Eleventy, use the Upgrade Help plugin for automated checks and help with your upgrade!

Why should you use Eleventy? Eleventy is a flexible and production-ready site generator known for its zero-client JavaScript footprint, speedy sites, speedy builds, and full control over the output.

A few numbers on the best version of Eleventy yet:

Stats	v2.0.1	v3.0.0
20% smaller	35.2 MB	28.1 MB
11% fewer dependencies	213	189
9% faster npm install	4.511s*	4.103s*

*fastest time of 3 runs (bypassing local cache)

Flagship 3.0 features

1. Eleventy is now written in ESM with full support for ESM in your projects: configuration, data files, 11ty.js templates, etc. For many projects this won’t be a breaking change and we’ll continue to support CommonJS too. Every example on the docs now includes both a CommonJS and ESM version. Docs: https://v3.11ty.dev/docs/cjs-esm/

// ESM
export default function(eleventyConfig) {}
// We’ll keep supporting CommonJS:
module.exports = function(eleventyConfig) {}

2. Supporting more package managers and runtimes: pnpm, yarn, Deno. More examples on the docs! https://v3.11ty.dev/docs/
3. Asynchronous configuration #614 Docs: https://v3.11ty.dev/docs/config/

// ESM
export default async function(eleventyConfig) {}
// CommonJS
module.exports = async function(eleventyConfig) {}

4. For-free performance improvement to built-in slugify, inputPathToUrl universal filters (via memoization) #840 Docs: https://v3.11ty.dev/docs/memoize/
5. Named config export improves consistency for plugins #3246 and set*Directory configuration API methods #1503 Docs: https://v3.11ty.dev/docs/config-shapes/#optional-export-config-object and https://v3.11ty.dev/docs/config/#configuration-options

export default function(eleventyConfig) {
  eleventyConfig.setInputDirectory(".");
</tr></table> 

... (truncated)

Commits

• 8675d68 v3.0.0
• 5960a86 Update deps
• 1b9b80e Fixes #3468 by adding resetConfig option to addWatchTarget
• dd28e89 Add _headers to extensionless allowlist #3399 https://github.com/11ty/elevent...
• 0142b7c Use v3 subdomain for links from v3 codebase
• eade9a7 Cleanup for #3399
• 6fe3645 Add allow-list for #3399, update URL
• 3840870 v3.0.0-beta.2
• 399a0f3 Bump eslint from 9.10.0 to 9.11.1 (#3466)
• dae40c4 Bump sass from 1.79.3 to 1.79.4 (#3465)
• Additional commits viewable in compare view

Updates @11ty/eleventy-img from 5.0.0 to 6.0.0

Release notes

Sourced from @​11ty/eleventy-img's releases.

Eleventy Image v6.0.0

Notably, for maximum compatibility this package is still CommonJS (not yet ESM). Node minimum is still 18+ (unchanged from Eleventy Image v4).

Breaking Changes

• useCacheValidityInHash option has been removed #146
• Transform method will reuse existing <img width> attribute (if single integer) as eleventy:widths value #234

The following changes likely require no action on your part (but are nonetheless breaking):

• Better color support (P3, AdobeRGB, et al): images retain ICC profiles by default #244
• Dependency major upgrade: @11ty/eleventy-fetch from v4 to v5
• Dependency major upgrade @11ty/eleventy-utils from v1 to v2
• Default metadata object returned will no longer include empty format arrays { jpeg: [] } #242

Features

• Uses native fetch() (no more node-fetch, via eleventy-fetch upgrade) and works better with caching on remote urls, consistency on file names with sync methods #252 #262 #146
• returnType: "html" option will return the generated HTML directly instead of the metadata object #267
  • htmlOptions: {} are options passed to the generateHTML function
• Output format filtering (opt-out with formatFiltering option). Filters out output formats that do not support animation or transparency automatically.
  • Animation friendly formats #260
  • Transparency friendly formats #105
• Adds failOnError: true option to avoid throwing an error when image processing fails (and failing your build) #225 See also the eleventy:optional attribute below.
• Adds new transform hook for running your own sharp customizations 11ty/eleventy-img#52 (can be used to add custom cropping!)
• Improved error messaging when incorrectly using the default export with eleventyConfig.addPlugin #263
• Concurrency auto-scales per machine resources (between 8 min and 16 max) #258
• Support full URLs in urlPath option #239
• generateHTML: Missing sizes error relaxed when using loading="lazy" HTML, swap to use sizes="auto" instead #207
• New generateHTML option (also available via htmlOptions) forfallback: "smallest" to choose smallest image for <img> fallback and width/height dimensions #265 #129

Transform Method

• Reuse existing <img width> attribute (if single integer) as eleventy:widths value #234
• Adds eleventy:optional HTML attribute so that errors in image processing will not fail the build (in different ways) #259
  1. Remove src attribute
  2. Leave as-is eleventy:optional="keep"
  3. Replace with a transparent Data URI eleventy:optional="placeholder"
• Decode file name paths #253
• Support transforming <picture> nodes #214
• Preserve attributes on img and picture elements 11ty/eleventy-img#214 #241 #243 #251
• Fix for relative references when using permalinks with non-index.html file names #236

Full Milestone (×26 issues closed): https://github.com/11ty/eleventy-img/milestone/22?closed=1 Full Changelog (×75 commits, +2,347/-992): 11ty/eleventy-img@v5.0.0...v6.0.0

Prerelease: Eleventy Image v6.0.0-beta.5

• Fix for resize/cropping in transform callbacks #52 reported by @​jens-struct on https://indieweb.social/@​djenz/113789802133432912

Full v6 Milestone: https://github.com/11ty/eleventy-img/milestone/22?closed=1

... (truncated)

Commits

• d262378 v6.0.0
• 90cc896 v6.0.0-beta.5
• dd22b9e Support manual resize in transform callback hook #52 Important for crops.
• 0dd20c1 v6.0.0-beta.4
• 2b5d6fe Upgrade deps, fixes #262 fixes #270
• 6d7466a v6.0.0-beta.3
• 43dba7e Rename return option to returnType to match Fetch API
• 0216380 Add support for htmlOptions.imgAttributes and `htmlOptions.pictureAttribute...
• a051188 v6.0.0-beta.2
• a40fd6c Fix bug with \<picture>\<img eleventy:ignore> #214
• Additional commits viewable in compare view

Updates @types/node from 22.10.5 to 22.10.6

Commits

• See full diff in compare view

Updates esbuild from 0.24.0 to 0.24.2

Release notes

Sourced from esbuild's releases.

v0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },

... (truncated)

Commits

• 745abd9 publish 0.24.2 to npm
• 79fd0b0 skip nulls in source map finalization (#4011)
• 4b9322f source map: avoid null entry for 0-length parts
• 199a0d3 close #4013: credit to @​sapphi-red for the fix
• 947f99f fix #4010, fix #4012: import.meta regression
• de9598f publish 0.24.1 to npm
• 15d56ca emit null source mappings for empty chunk content
• 8d98f6f fix #3985: entryPoint metadata for copy loader
• 0db1b82 fix #3998: avoid outbase in identifier names
• 7236472 close #3974: add support for netbsd on arm64
• Additional commits viewable in compare view

Updates postcss from 8.4.49 to 8.5.0

Release notes

Sourced from postcss's releases.

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

• Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
• Direct donations at GitHub Sponsors or Open Collective.

Changelog

Sourced from postcss's changelog.

Change Log

This project adheres to Semantic Versioning.

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

Commits

• 6873270 Release 8.5 version
• 4223bb9 Fix 80 columns limit
• 80e2401 Add Input#document (#1996)
• 6f86879 Update dependencies
• 85cbbec Fix pnpm version on CI
• 76caa57 Update dependencies
• 46ff246 Move to pnpm 10
• 99da2f2 Fix the documentation for RuleRaws.ownSemicolon (#1994)
• 4493eed Pins nanoid to ^3.3.8 (#1992)
• 2acd7c7 Bump nanoid from 3.3.7 to 3.3.8 (#1989)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Dependabot couldn't access the repository. Because of this, Dependabot cannot update this pull request.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.