Public Sans - POAM: April '24

[mahoneycm]

Summary

Updated vulerable and non-vulnerable dependencies. Added chromedriver devDependency to specify which version of chrome axe testing should use. This will allow us to maintain uniform tests across machines.

Current vulnerabilities:

5 moderate severity vulnerabilities

Vulnerabilities after fix:

4 moderate severity vulnerabilities

Related issue

Closes https://github.com/uswds/public-sans/security/dependabot/72

Testing instructions

1. Running start and serve run without error
2. Gulp commands run without error
3. npm run start
4. npm run serve
5. npm run test:a11y (while localhost is being served from the serve script)

Dependency updates

Dependency	Old version	New version
@uswds/swds	3.7.1	3.8.0
postcss	8.4.32	8.4.38
sass-embedded	1.69.5	1.74.1
@axe-core/cli (devDependency)	4.8.2	4.9.0
chromedriver (devDependency)	-	123.0.3

[mejiaj]

@mahoneycm based on deps updated I tested:

• SASS Compile via npm start.
• AXE testing via npm run test:a11y.

Compile works, but axe give this error:

Running axe-core 4.9.0 in chrome-headless
Error: session not created: This version of ChromeDriver only supports Chrome version 120
Current browser version is 123.0.6312.123 with binary path /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

Also, on running local site I got this info message:

A new release of RubyGems is available: 3.4.10 → 3.5.9!
Run `gem update --system 3.5.9` to update your installation.

[mahoneycm]

@mejiaj Ready for re-review! The new RubyGems version caused my Gemfile.lock to update after rebuilding the site. Mostly patch fixes.