
chore(deps)(deps): bump @primer/primitives from 11.4.0 to 11.5.1 #255

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/primer/primitives-11.5.1

@dependabot dependabot bot commented on behalf of github Mar 2, 2026

Bumps @primer/primitives from 11.4.0 to 11.5.1.

Release notes

Sourced from @​primer/primitives's releases.

v11.5.1

Patch Changes

v11.5.0

Minor Changes

  • #1319 dccf2af Thanks @​lukasoppermann! - Add z-index design tokens for managing stacking context. Introduces base z-index scale (0-600) and 8 semantic functional tokens: behind, default, sticky, dropdown, overlay, modal, popover, and skipLink. Includes LLM metadata with usage guidance and shadow-to-z-index alignment rules.

  • #1315 8bb3e76 Thanks @​lukasoppermann! - Add some missing tokens that confused the AI

  • #1320 6c1af22 Thanks @​lukasoppermann! - Add negative base size tokens (negative-2 through negative-48) for sizes 2–48

Patch Changes

  • #1301 423b6e1 Thanks @​lukasoppermann! - Convert duration tokens to w3c

  • #1318 4d0f257 Thanks @​lukasoppermann! - Fix dark mode contrast for controlTrack and controlKnob tokens. The track now recedes (darker) and the knob stands out (lighter) in all dark mode variants, fixing the inverted visual hierarchy in SegmentedControl and ToggleSwitch.

  • #1308 135dd9b Thanks @​lukasoppermann! - Update shadow tokens to use W3C DTCG object format for dimension values

    • Shadow token dimension properties (offsetX, offsetY, blur, spread) now use object format { value: number, unit: "px" } instead of legacy strings like "1px"
    • Updated shadowToCss transformer to handle W3C dimension objects
    • Updated ShadowTokenValue type to require DimensionTokenValue for dimension properties
    • Legacy string format for shadow dimensions is no longer supported
  • #1306 e4e355f Thanks @​lukasoppermann! - Adding metadata for:

    • shadow tokens
    • display tokens
    • ansi colors
    • syntax colors
  • #1305 305c559 Thanks @​lukasoppermann! - Change dimension tokens to W3C DTCG format (breaking change)

    • The transformers dimensionToRem, dimensionToRemPxArray, and dimensionToPixelUnitless now only accept W3C DTCG object-format dimension tokens. Legacy string-based dimension values are no longer supported and will throw errors.
    • In the W3C DTCG format, only px and rem units are supported. Support for em units has been removed.
  • #1302 d5a7908 Thanks @​lukasoppermann! - Improve context for agents

Commits
  • 74599a8 Version Packages (#1324)
  • 0dcf7b5 Fix Update snapshots workflow crash when no snapshot artifacts exist (#1323)
  • af16c12 Changing dark dimmed fgColor-default to previous value (#1322)
  • 5af30f5 Version Packages (#1304)
  • 4d0f257 fix: swap controlTrack/controlKnob dark mode values for correct contrast (#1318)
  • dccf2af Add z-index design tokens for stacking context management (#1319)
  • 6c1af22 Add negative base size tokens for sizes 2-48 (#1320)
  • 87dd04a add test for ms conversion (#1317)
  • b77f0fa Bump tar and storybook in /docs/storybook (#1316)
  • c873be2 Bump lodash from 4.17.21 to 4.17.23 in /docs/storybook (#1296)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@primer/primitives](https://github.com/primer/primitives) from 11.4.0 to 11.5.1.
- [Release notes](https://github.com/primer/primitives/releases)
- [Changelog](https://github.com/primer/primitives/blob/main/CHANGELOG.md)
- [Commits](primer/primitives@v11.4.0...v11.5.1)

---
updated-dependencies:
- dependency-name: "@primer/primitives"
  dependency-version: 11.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) label Mar 2, 2026

dependabot bot commented on behalf of github Mar 2, 2026

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions bot commented Mar 2, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| npm/@primer/primitives | 11.5.1 | 🟢 5.2 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 1 | Found 4/23 approved changesets -- score normalized to 1 |
| Maintained | 🟢 10 | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| SAST | 🟢 10 | SAST tool is run on all commits |

Scanned Files

  • package-lock.json

github-actions bot commented Mar 2, 2026

🔒 NPM Security Audit Results

Found 4 vulnerabilities:

  • Critical: 0
  • High: 0
  • Moderate: 4
  • Low: 0

🔧 Suggested Fixes

Run npm audit fix to automatically fix vulnerabilities that don't require breaking changes.

For vulnerabilities requiring manual review, run npm audit fix --force.

Preview of automatic fixes
change ajv 6.12.6 => 6.14.0

added 46 packages, changed 1 package, and audited 740 packages in 4s

194 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`


esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vite@7.3.1, which is a breaking change
node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react  2.0.0-alpha.0 - 4.3.3
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react

4 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

github-actions bot commented Mar 2, 2026

Coverage Report

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 57.24% | 316 / 552 |
| 🔵 | Statements | 57.24% | 316 / 552 |
| 🔵 | Functions | 86.36% | 38 / 44 |
| 🔵 | Branches | 85.18% | 69 / 81 |

File Coverage: No changed files found.
Generated in workflow #333 for commit bb7cdd7 by the Vitest Coverage Report Action
