chore(deps)(deps): bump @primer/react from 35.15.1 to 38.7.0

[dependabot]

Bumps @primer/react from 35.15.1 to 38.7.0.

Release notes

Sourced from @​primer/react's releases.

@​primer/react@​38.7.0

Minor Changes

• #7293 d418509 Thanks @​lindseywild! - Adds character counts to TextInput and TextArea components

Patch Changes

• #7354 efbebdf Thanks @​llastflowers! - update SelectPanel Multi Select Modal story

• #7426 094be60 Thanks @​kelsey-myers! - Add focusPrependedElements prop to useFocusZone, FilteredActionList, and SelectPanel

• #7349 713d5a5 Thanks @​mattcosta7! - PageLayout: Optimize drag/resize performance with inline styles and new optimizations

  Refactored:

  • Use direct attribute selectors (.Pane[data-dragging='true']) instead of descendant selectors for CSS containment (O(1) vs O(n) selector matching)
  • Extract optimization utilities to paneUtils.ts
  • Apply drag handle visual feedback via inline styles and CSS variables

  Added:

  • content-visibility: auto during drag/resize to skip off-screen content rendering
  • rAF throttle for drag updates (one update per frame, latest position wins)
  • Containment during window resize (parity with drag)

  These changes improve style recalculation performance on large DOMs (100k+ nodes) by eliminating descendant selector traversal.

• #7337 de970d6 Thanks @​mattcosta7! - perf(Autocomplete): Split context to reduce unnecessary re-renders

  Split AutocompleteContext into separate contexts for static values, setters, and dynamic state. Components now subscribe only to the context slices they need, reducing re-renders.

• #7325 cc7e10e Thanks @​mattcosta7! - perf(BaseStyles): Remove expensive :has([data-color-mode]) selectors

  Remove :has([data-color-mode]) selectors that scanned the entire DOM on every style recalculation. Input color-scheme is already handled by global selectors in the codebase.

• #7329 501a41f Thanks @​mattcosta7! - perf(Dialog): Add feature flag for CSS :has() selector performance optimization

  • Add primer_react_css_has_selector_perf feature flag (default: false)
  • When flag is OFF: uses legacy body:has(.Dialog.DisableScroll) selector
  • When flag is ON: uses optimized direct body[data-dialog-scroll-disabled] data attribute with ref counting
  • Enables gradual rollout and easy rollback of performance optimization

• #7342 a8b42b2 Thanks @​mattcosta7! - perf(hasInteractiveNodes): Optimize with combined selector and early attribute checks

  • Use combined querySelectorAll selector instead of recursive traversal
  • Check attribute-based states (disabled, hidden, inert) before getComputedStyle
  • Only call getComputedStyle when CSS-based visibility check is needed

... (truncated)

Commits

• 428469d Release tracking (#7365)
• 027562e Revert "ToggleSwitch: Add overflow: hidden to .StatusTextItem" (#7428)
• 094be60 Add focusPrependedElements prop to useFocusZone, FilteredActionList, and Sele...
• d418509 Adds character counts to TextArea and TextInput components (#7293)
• cb0e5a5 chore(deps): bump zod from 4.1.13 to 4.3.5 (#7423)
• 7a682d0 ActionBar: Add ability to change focus target on menu close (#7400)
• 713d5a5 refactor(PageLayout): drag/resize performance with inline styles and O(1) CSS...
• 06c8320 ToggleSwitch: Add overflow: hidden to .StatusTextItem (#7399)
• 501a41f perf(Dialog): Replace body:has() with direct class and scope footer selector ...
• cc7e10e perf(BaseStyles): Remove expensive :has([data-color-mode]) selectors (#7325)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​primer/react since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@github/mini-throttle	2.1.1	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 5/7 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2
npm/@github/relative-time-element	4.5.1	Unknown	Unknown
npm/@github/tab-container-element	4.8.2	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 5 SAST tool is not run on all commits -- score normalized to 5
npm/@lit-labs/react	1.2.1	🟢 6	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@lit-labs/ssr-dom-shim	1.5.1	🟢 6	Details Check Score Reason Code-Review 🟢 10 all last 30 commits are reviewed through GitHub Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Dependency-Update-Tool 🟢 10 update tool detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed
npm/@oddbird/popover-polyfill	0.5.2	Unknown	Unknown
npm/@primer/behaviors	1.10.0	Unknown	Unknown
npm/@primer/live-region-element	0.7.2	Unknown	Unknown
npm/@primer/octicons-react	19.21.2	🟢 5.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 18 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 16/17 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 42 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits
npm/@primer/react	38.7.0	Unknown	Unknown
npm/@styled-system/background	5.1.2	Unknown	Unknown
npm/@styled-system/border	5.1.5	Unknown	Unknown
npm/@styled-system/color	5.1.2	Unknown	Unknown
npm/@styled-system/core	5.1.2	Unknown	Unknown
npm/@styled-system/css	5.1.5	Unknown	Unknown
npm/@styled-system/flexbox	5.1.2	Unknown	Unknown
npm/@styled-system/grid	5.1.2	Unknown	Unknown
npm/@styled-system/layout	5.1.2	Unknown	Unknown
npm/@styled-system/position	5.1.2	Unknown	Unknown
npm/@styled-system/props	5.1.5	Unknown	Unknown
npm/@styled-system/shadow	5.1.2	Unknown	Unknown
npm/@styled-system/space	5.1.2	Unknown	Unknown
npm/@styled-system/typography	5.1.2	Unknown	Unknown
npm/@styled-system/variant	5.1.5	Unknown	Unknown
npm/@types/react-dom	18.0.9	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 9 license file detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/clsx	2.1.1	🟢 3.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/color2k	2.0.3	🟢 3.9	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/hsluv	1.0.1	🟢 3.6	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 1/16 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/lodash.isempty	4.4.0	🟢 6.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 6 13 out of 19 merged PRs checked by a CI test -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 6 Found 19/30 approved changesets -- score normalized to 6 Contributors 🟢 10 project has 88 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 19 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 75 existing vulnerabilities detected
npm/lodash.isobject	3.0.2	🟢 6.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 6 13 out of 19 merged PRs checked by a CI test -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 6 Found 19/30 approved changesets -- score normalized to 6 Contributors 🟢 10 project has 88 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Maintained 🟢 10 19 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST 🟢 8 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities ⚠️ 0 75 existing vulnerabilities detected
npm/object-assign	4.1.1	🟢 4.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 8/29 approved changesets -- score normalized to 2 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/react-compiler-runtime	1.0.0	🟢 5.7	Details Check Score Reason Code-Review 🟢 7 Found 22/30 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 License 🟢 10 license file detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 238 existing vulnerabilities detected
npm/react-intersection-observer	9.16.0	🟢 4.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 1 Found 2/11 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/styled-system	5.1.5	Unknown	Unknown
npm/tslib	2.8.1	🟢 5.5	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 0 Code-Review 🟢 7 GitHub code reviews found for 23 commits out of the last 30 -- score normalized to 7 CII-Best-Practices ⚠️ 0 no badge detected Vulnerabilities 🟢 10 no vulnerabilities detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 no published package detected Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Dependency-Update-Tool ⚠️ 0 no update tool detected Fuzzing ⚠️ -1 internal error: internal error: Client.Search.Code: Search.Code: GET https://api.github.com/search/code?q=github.com+microsoft+tslib+repo%3Agoogle%2Foss-fuzz+in%3Afile+filename%3Aproject.yaml: 400 []

Scanned Files

• package-lock.json

[github-actions]

🔒 NPM Security Audit Results

Found 9 vulnerabilities:

• Critical: 0
• High: 5
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 741 packages in 5s

195 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  <=3.0.9
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

@remix-run/router  <=1.23.1
Severity: high
React Router vulnerable to XSS via Open Redirects - https://github.com/advisories/GHSA-2w69-qvjg-hvjx
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/@remix-run/router
  react-router  6.0.0 - 6.30.2
  Depends on vulnerable versions of @remix-run/router
  node_modules/react-router
    react-router-dom  6.0.0-alpha.0 - 6.30.2
    Depends on vulnerable versions of @remix-run/router
    Depends on vulnerable versions of react-router
    node_modules/react-router-dom

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs


9 vulnerabilities (4 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[github-actions]

🔒 NPM Security Audit Results

Found 6 vulnerabilities:

• Critical: 0
• High: 2
• Moderate: 4
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 742 packages in 5s

196 packages are looking for funding
  run `npm fund` for details

# npm audit report

@cypress/request  <=3.0.9
Severity: high
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/qs

6 vulnerabilities (4 moderate, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔒 NPM Security Audit Results

Found 3 vulnerabilities:

• Critical: 0
• High: 0
• Moderate: 3
• Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes

add fsevents 2.3.3
add @rollup/rollup-win32-x64-msvc 4.39.0
add @rollup/rollup-win32-ia32-msvc 4.39.0
add @rollup/rollup-win32-arm64-msvc 4.39.0
add @rollup/rollup-linux-s390x-gnu 4.39.0
add @rollup/rollup-linux-riscv64-musl 4.39.0
add @rollup/rollup-linux-riscv64-gnu 4.39.0
add @rollup/rollup-linux-powerpc64le-gnu 4.39.0
add @rollup/rollup-linux-loongarch64-gnu 4.39.0
add @rollup/rollup-linux-arm64-musl 4.39.0
add @rollup/rollup-linux-arm64-gnu 4.39.0
add @rollup/rollup-linux-arm-musleabihf 4.39.0
add @rollup/rollup-linux-arm-gnueabihf 4.39.0
add @rollup/rollup-freebsd-x64 4.39.0
add @rollup/rollup-freebsd-arm64 4.39.0
add @rollup/rollup-darwin-x64 4.39.0
add @rollup/rollup-darwin-arm64 4.39.0
add @rollup/rollup-android-arm64 4.39.0
add @rollup/rollup-android-arm-eabi 4.39.0
add @esbuild/win32-x64 0.21.5
add @esbuild/win32-ia32 0.21.5
add @esbuild/win32-arm64 0.21.5
add @esbuild/sunos-x64 0.21.5
add @esbuild/openbsd-x64 0.21.5
add @esbuild/netbsd-x64 0.21.5
add @esbuild/linux-s390x 0.21.5
add @esbuild/linux-riscv64 0.21.5
add @esbuild/linux-ppc64 0.21.5
add @esbuild/linux-mips64el 0.21.5
add @esbuild/linux-loong64 0.21.5
add @esbuild/linux-ia32 0.21.5
add @esbuild/linux-arm64 0.21.5
add @esbuild/linux-arm 0.21.5
add @esbuild/freebsd-x64 0.21.5
add @esbuild/freebsd-arm64 0.21.5
add @esbuild/darwin-x64 0.21.5
add @esbuild/darwin-arm64 0.21.5
add @esbuild/android-x64 0.21.5
add @esbuild/android-arm64 0.21.5
add @esbuild/android-arm 0.21.5
add @esbuild/aix-ppc64 0.21.5

added 41 packages, and audited 743 packages in 4s

198 packages are looking for funding
  run `npm fund` for details

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[github-actions]

🔍 Code Quality Check Results

Check	Status
ESLint	✅ Passed
Prettier	✅ Passed
TypeScript	❌ Failed

TypeScript Issues

Click to expand

> [email protected] typecheck
> tsc --noEmit

src/components/OctoCollection.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(1,10): error TS2305: Module '"@primer/react"' has no exported member 'Box'.
src/components/OctocatBox.tsx(4,20): error TS7016: Could not find a declaration file for module 'styled-components'. '/home/runner/work/github-actions-workflow/github-actions-workflow/node_modules/styled-components/dist/styled-components.cjs.js' implicitly has an 'any' type.
  Try `npm i --save-dev @types/styled-components` if it exists or add a new declaration (.d.ts) file containing `declare module 'styled-components';`
src/components/OctocatBox.tsx(21,5): error TS2769: No overload matches this call.
  Overload 1 of 2, '(props: Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>): ReactElement<any, string | JSXElementConstructor<any>> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not assignable to type 'IntrinsicAttributes & (Merge<JSX.IntrinsicElements, IconButtonProps & { as: "button"; }> | Merge<JSX.IntrinsicElements, IconButtonProps & { as: "a"; }>)'.
      Property ''aria-labelledby'' is missing in type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' but required in type '{ 'aria-label'?: undefined; 'aria-labelledby': string; }'.
  Overload 2 of 2, '(props: Merge<(Pick<DetailedHTMLProps<ButtonHTMLAttributes<HTMLButtonElement>, HTMLButtonElement>, keyof ButtonHTMLAttributes<...> | "key"> & { ...; }) | (Pick<...> & { ...; }), IconButtonProps & { ...; }>): ReactElement<...> | null', gave the following error.
    Type '{ "aria-label": string; size: "large"; sx: { ml: number; }; variant: "danger"; icon: Icon; onClick: () => void; }' is not as

[Copilot]

Pull request overview

This PR updates @primer/react from version 35.15.1 to 38.7.0, a major version bump spanning three major versions. The update includes significant dependency changes, performance improvements, and new features such as character counts for TextInput/TextArea components and optimizations for PageLayout, Autocomplete, and Dialog components.

Changes:

• Updated @primer/react from 35.15.1 to 38.7.0
• Updated transitive dependencies including new packages (@lit-labs/react, @oddbird/popover-polyfill, @primer/live-region-element) and removed packages (@github/combobox-nav, @styled-system/theme-get, etc.)
• Changed peer dependency requirements for React (now requires 18.x || 19.x instead of ^17.0.0 || ^18.0.0)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
package.json	Updated @primer/react version from 35.15.1 to 38.7.0
package-lock.json	Updated lockfile with new transitive dependencies, including new packages for performance optimizations and removed styled-system peer dependencies

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.