
chore: fix vulnerabilities and Windows unit tests#264

Merged: Blackbaud-TrevorBurch merged 2 commits into master from vuln-5-8-26 on May 8, 2026

Conversation

@Blackbaud-TrevorBurch (Member) commented May 8, 2026

Summary by CodeRabbit

  • Chores
    • Updated several development dependencies and build tools to newer versions for improved stability and performance.
  • Refactor
    • Improved project-scaffolding script to handle filesystem paths more robustly when generating example projects.
  • Tests
    • Tightened test assertions to use cross-platform pattern matching for more consistent verification across operating systems.

@coderabbitai (Bot) commented May 8, 2026

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Enterprise

Run ID: 455e8179-fed4-4286-9b1e-511805918f6f

📥 Commits

Reviewing files that changed from the base of the PR and between 1c90336 and e341bca.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

📝 Walkthrough

This PR modernizes the StackBlitz link creation script by correcting __dirname derivation for cross-platform ESM compatibility, updating test assertions to use regex-based path matching for cross-platform file operation verification, and bumping three dev dependencies to newer releases.

Changes

StackBlitz Link Creation Script Update

  • Path Handling Implementation (scripts/create-stackblitz-link.mjs): __dirname computation is updated to use fileURLToPath(import.meta.url) instead of URL pathname manipulation for correct cross-platform path decoding.
  • Test Assertion Updates (scripts/create-stackblitz-link.test.js): file operation path checks (rm, cp -R, fs.readFileSync, fs.writeFileSync) are updated from substring matching to regex-based matching to handle cross-platform path separators.
  • Dev Dependency Versions (package.json): @skyux/dev-infra-private bumped to 12.0.0-alpha.23, @xmldom/xmldom to 0.9.10, and glob to 13.0.6.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A script that builds on every shore,
Now finds its path the proper way,
With tests that match both slash and door,
Regex brings cross-platform day! 🌍✨

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: vulnerability fixes via dependency updates and Windows unit test fixes via cross-platform path handling improvements.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
scripts/create-stackblitz-link.mjs (1)

6-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix Windows-fragile direct-execution check using pathToFileURL.

Line 9 constructs a file URL via string interpolation, which is unreliable on Windows and symlinked scenarios. import.meta.url is a proper file: URL (e.g., file:///C:/path/script.mjs), while process.argv[1] is a filesystem path string. Direct comparison fails due to format mismatches, incorrect escaping, and symlink differences.

Use pathToFileURL(path.resolve(process.argv[1])).href to reliably normalize the filesystem path to a canonical file URL before comparing:

Proposed fix
-import { fileURLToPath } from 'node:url';
+import { fileURLToPath, pathToFileURL } from 'node:url';

 const __dirname = path.dirname(fileURLToPath(import.meta.url));

 /* c8 ignore start */
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (
+  process.argv[1] &&
+  import.meta.url === pathToFileURL(path.resolve(process.argv[1])).href
+) {
   createStackblitzLink();
 }
 /* c8 ignore stop */
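Review bot: path.resolve in the proposed condition only makes the argument absolute and normalizes separators; it does not resolve symlinks, so the "symlinked scenarios" named in the comment are still not covered when the script is invoked through a symlink. To compare through a symlink, run fs.realpathSync over both fileURLToPath(import.meta.url) and process.argv[1] before turning them back into URLs. The added `process.argv[1] &&` guard is worth keeping, since argv[1] is undefined under `node -e` and pathToFileURL would otherwise throw.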
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/create-stackblitz-link.mjs` around lines 6 - 10, The direct-execution
check comparing import.meta.url to a string-built file URL from process.argv[1]
is fragile on Windows/symlinks; update the check in the createStackblitzLink
invocation to normalize process.argv[1] into a canonical file: URL before
comparing by using pathToFileURL(path.resolve(process.argv[1])).href and compare
that to import.meta.url (keep symbols: createStackblitzLink, import.meta.url,
process.argv[1], pathToFileURL, path.resolve).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Enterprise

Run ID: 9f1935e4-1c44-4729-a4c5-6b9447d6c4a8

📥 Commits

Reviewing files that changed from the base of the PR and between f0e842b and 1c90336.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • package.json
  • scripts/create-stackblitz-link.mjs
  • scripts/create-stackblitz-link.test.js

@blackbaud-sky-build-user (Collaborator)

Blackbaud-TrevorBurch enabled auto-merge (squash) May 8, 2026 14:29
Comment thread on package.json (outdated)
Blackbaud-TrevorBurch merged commit b491c53 into master May 8, 2026
7 checks passed
Blackbaud-TrevorBurch deleted the vuln-5-8-26 branch May 8, 2026 15:33