chore(deps)(deps): bump @primer/react from 35.15.1 to 38.6.2

[dependabot]

Bumps @primer/react from 35.15.1 to 38.6.2.

Release notes

Sourced from @​primer/react's releases.

@​primer/react@​38.6.2

Patch Changes

• #7334 ea4789f Thanks @​mattcosta7! - perf(TreeView): Cache tree items in typeahead for better INP

  • Add useTreeItemCache hook to cache DOM queries for tree items
  • Update useRovingTabIndex and useTypeahead to use cached items
  • Add documentation for acceptable :has() selector usage

• #7347 72c7a7f Thanks @​owenniblock! - Only shows the aria-describedby id for loading when the component is in the loading state

@​primer/react@​38.6.1

Patch Changes

• #7307 5dcc87c Thanks @​mattcosta7! - reapplies PageLayout resizable enhancements without INP drop from expensive selectors

@​primer/react@​38.6.0

Minor Changes

• #7157 eddd934 Thanks @​joshblack! - Add feature flag to control whether Spinner animations are synchronized

• #7277 4a1c9a5 Thanks @​kendallgassner! - Added callback prop onActiveDescendantChanged to FilteredActionList

Patch Changes

• #7305 335e9e8 Thanks @​llastflowers! - Revert PR #7275

@​primer/react@​38.5.0

Minor Changes

• #7240 79a6df1 Thanks @​TylerJDev! - FilteredActionList: Adds new prop setInitialFocus which will prevent aria-activedescendant from being set until user action

• #7240 79a6df1 Thanks @​TylerJDev! - FilteredActionList: Add prop disableSelectOnHover which will disable the ability where hovering over an item sets it as the aria-activedescendant value

Patch Changes

• #7259 c32b964 Thanks @​TylerJDev! - AvatarStack: Border was incorrectly applying to elements that were not Avatar children.

• #7259 c32b964 Thanks @​TylerJDev! - AvatarStack: The square prop was not applying to individual Avatar components.

• #7275 822c3e7 Thanks @​mattcosta7! - Improve drag performance for PageLayout

• #7242 32faa80 Thanks @​pksjce! - useFocusTrap - Fix bug related to restoring focus on scrolling

@​primer/react@​38.4.0

Minor Changes

• #7258 8e66a2c Thanks @​kendallgassner! - Make MappedActionListItem a forwardRef component

• #7250 a193d30 Thanks @​siddharthkp! - Banner: Add flush prop for use within confined spaces, such as dialogs, tables, cards, or boxes where available space is limited.

... (truncated)

Commits

• 6409504 Release tracking (#7352)
• ea4789f perf(TreeView): Cache tree items in typeahead for better INP (#7334)
• 72c7a7f Only add the loading id when loading is shown (#7347)
• e732a02 chore: add className testing util (#7231)
• 28f9c35 Add primer primitives extension to recommended VSCode extensions (#7301)
• 606d2fe chore(deps): bump actions/cache from 4 to 5 (#7315)
• a3260b9 chore(deps): bump next from 16.0.7 to 16.0.10 (#7320)
• 264109e Update turbo to 2.6.3 (#7295)
• 5d3cb72 chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 (#7314)
• e8096b6 chore(deps-dev): bump the eslint group with 4 updates (#7317)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​primer/react since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@github/mini-throttle	2.1.1	🟢 6.1	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 7 Found 5/7 approved changesets -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2
npm/@github/relative-time-element	4.5.1	Unknown	Unknown
npm/@github/tab-container-element	4.8.2	🟢 6.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
npm/@lit-labs/react	1.2.1	🟢 6	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@lit-labs/ssr-dom-shim	1.5.0	🟢 6	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@oddbird/popover-polyfill	0.5.2	Unknown	Unknown
npm/@primer/behaviors	1.9.0	Unknown	Unknown
npm/@primer/live-region-element	0.7.2	Unknown	Unknown
npm/@primer/react	38.6.2	Unknown	Unknown
npm/@styled-system/background	5.1.2	Unknown	Unknown
npm/@styled-system/border	5.1.5	Unknown	Unknown
npm/@styled-system/color	5.1.2	Unknown	Unknown
npm/@styled-system/core	5.1.2	Unknown	Unknown
npm/@styled-system/css	5.1.5	Unknown	Unknown
npm/@styled-system/flexbox	5.1.2	Unknown	Unknown
npm/@styled-system/grid	5.1.2	Unknown	Unknown
npm/@styled-system/layout	5.1.2	Unknown	Unknown
npm/@styled-system/position	5.1.2	Unknown	Unknown
npm/@styled-system/props	5.1.5	Unknown	Unknown
npm/@styled-system/shadow	5.1.2	Unknown	Unknown
npm/@styled-system/space	5.1.2	Unknown	Unknown
npm/@styled-system/typography	5.1.2	Unknown	Unknown
npm/@styled-system/variant	5.1.5	Unknown	Unknown
npm/@types/react-dom	18.0.9	🟢 7	Details Check Score Reason Code-Review 🟢 9 Found 28/30 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/clsx	2.1.1	🟢 3.6	Details Check Score Reason Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/color2k	2.0.3	🟢 3.8	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected
npm/hsluv	1.0.1	🟢 3.6	Details Check Score Reason Code-Review ⚠️ 0 Found 1/16 approved changesets -- score normalized to 0 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/lodash.isempty	4.4.0	🟢 6.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 6 13 out of 19 merged PRs checked by a CI test -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 6 Found 19/30 approved changesets -- score normalized to 6 Contributors 🟢 10 project has 88 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 19 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 74 existing vulnerabilities detected
npm/lodash.isobject	3.0.2	🟢 6.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 6 13 out of 19 merged PRs checked by a CI test -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 6 Found 19/30 approved changesets -- score normalized to 6 Contributors 🟢 10 project has 88 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 19 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 74 existing vulnerabilities detected
npm/object-assign	4.1.1	🟢 4.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 8/29 approved changesets -- score normalized to 2 Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/react-compiler-runtime	1.0.0	🟢 5.8	Details Check Score Reason Code-Review 🟢 8 Found 24/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 236 existing vulnerabilities detected
npm/react-intersection-observer	9.16.0	🟢 4.7	Details Check Score Reason Code-Review ⚠️ 1 Found 2/11 approved changesets -- score normalized to 1 Maintained 🟢 5 5 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 6 4 existing vulnerabilities detected
npm/styled-system	5.1.5	Unknown	Unknown
npm/tslib	2.8.1	🟢 5.5	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 0 Code-Review 🟢 7 GitHub code reviews found for 23 commits out of the last 30 -- score normalized to 7 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ -1 internal error: internal error: Client.Search.Code: Search.Code: GET https://api.github.com/search/code?q=github.com+microsoft+tslib+repo%3Agoogle%2Foss-fuzz+in%3Afile+filename%3Aproject.yaml: 400 []

Scanned Files

• package-lock.json

[github-actions]

🔒 NPM Security Audit Results

Found 6 vulnerabilities:

• Critical: 0
• High: 2
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 740 packages in 4s

194 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  *
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

6 vulnerabilities (4 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[github-actions]

🔒 NPM Security Audit Results

Found 6 vulnerabilities:

• Critical: 0
• High: 2
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 740 packages in 3s

195 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  *
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

6 vulnerabilities (4 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[github-actions]

🔒 NPM Security Audit Results

Found 6 vulnerabilities:

• Critical: 0
• High: 2
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 740 packages in 4s

195 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  *
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

6 vulnerabilities (4 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[github-actions]

🔒 NPM Security Audit Results

Found 6 vulnerabilities:

• Critical: 0
• High: 2
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 740 packages in 4s

195 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  *
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

6 vulnerabilities (4 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.