@helixui/react@3.10.0

Patch Changes

• Updated dependencies [a6c7d38]
  • @helixui/library@3.10.0

@helixui/library@3.10.0

Minor Changes

• a6c7d38: WCAG 2.2 AAA — md interactive control target sizes + focus-appearance cert corrections.

  md-size interactive controls (hx-icon-button, hx-overflow-menu, hx-carousel
  nav buttons) now render at a genuine 44×44 target. Previously these painted at 40px
  with a min-block-size/min-inline-size clamp that satisfied the bounding box but
  not the visible hit area; they now size to 44px outright to meet WCAG 2.5.5 Target
  Size (Enhanced). Form-control md min-height fallbacks (the scoped native select
  and shared form-control surfaces) were likewise raised to 44px so a missing
  --hx-input-height-md override no longer collapses the control under the AAA target.

  Also corrects two AAA cert dimensions surfaced by the formal audit harness:

  • 2.4.13 Focus Appearance — the focus indicator is now measured by diffing the
    focused vs unfocused painted state (true focus-gain), rather than reading a static
    computed outline. The evidence prose is now precise about where the ring is painted
    and that it is gained on focus.
  • 2.4.13 — form-control focus ring is now a solid opaque indicator. The seven
    text-like form controls (hx-combobox, hx-date-picker, hx-number-input,
    hx-select, hx-text-input, hx-textarea, hx-time-picker) previously painted
    their focus ring as a 25%-alpha color-mix halo, which composites to ~1.45:1 against
    the field background and fails the WCAG 2.4.13 ≥3:1 floor. The ring is now a solid
    opaque box-shadow in the resolved focus color (--hx-focus-ring-color, #0f7078),
    matching the rest of the library (checkbox/switch/button/dialog already use opaque
    rings). Measured ring contrast is now 5.82:1 (was a translucent ~1.45:1). The same
    opaque treatment is applied to the error-state focus ring and to the scoped native
    form styles used by hx-form. This is a visible change: the focus ring is now a
    crisp solid line rather than a soft translucent glow. Theming is unchanged —
    --hx-<component>-focus-ring-color and --hx-focus-ring-color overrides still flow
    through. The --hx-focus-ring-opacity token remains defined for back-compat but no
    longer affects these rings.
  • 2.4.12 Focus Not Obscured (Enhanced) — overlay components (hx-dialog,
    hx-popover) are now audited in their open state via dedicated audit stories, so the
    criterion is evaluated against the surface a keyboard user actually focuses.

  As a measurement consequence of the refined audit harness, several components had their
  1.4.6 Contrast (Enhanced) verdict re-evaluated against the component's own painted
  surface. No component regressed: the full audit reports 0 Partially Supports and 0 Does
  Not Support across all 44 components × 11 criteria, and the full-DOM
  color-contrast-enhanced sweep remains at zero violations.

  Visible changes consumers should re-baseline

  • The seven text-like form controls render a solid opaque focus ring (≥3:1) instead
    of the prior soft 25%-alpha halo. Keyboard-focus screenshots will differ.
  • md icon-button / overflow-menu / carousel-nav default density grew 4px (40 → 44px
    per the WCAG 2.5.5 mandate). Visual icon glyph sizes are preserved; only the
    control's min target box grew.
  • Form-control md fallbacks render 4px taller when no --hx-input-height-md override
    is supplied.

  Consumers who pinned layouts to 40px control heights, or who screenshot-test these
  controls, should re-baseline. The --hx-input-height-md token default itself is
  unchanged — only component-level sizes and fallbacks moved.

  NOT a breaking change

  Component props, slots, events, CSS parts, and CSS custom property names are unchanged.
  The public API surface is stable; the Custom Elements Manifest is unaffected.

@helixui/tokens@3.9.4

Patch Changes

• c1067b7: deps: dependabot batch 2026-05 — major bumps for vitest (3→4), TypeScript (5→6), zod (3→4), eslint (9→10), commitlint (20→21), and react/react-dom alignment to 19.2 across admin, hx-react, and react-starter. CI tooling: actions/checkout v4→v6. The package surface area is unchanged — runtime dependencies are unaffected and no API has shifted — but the build/test/type toolchain has moved, so consumers running their own pipelines should expect the same toolchain bumps.

  Two dependabot PRs are intentionally NOT in this batch:

  • #1628 vite 6→8 (with vite-plugin-dts 4→5 and @vitejs/plugin-react 4→6). Bisecting the a11y CI regression on this PR pinned the cause to the vite 8 upgrade: under vite 8's bundle output, axe-core surfaces three previously-hidden AAA violations on Components/Breadcrumb and Components/OverflowMenu (two aria-required-parent critical findings, one color-contrast-enhanced serious). Both issues are real latent ARIA defects exposed by vite 8's transpile/bundle output; they need component-level fixes (light-DOM role placement, story-level color override) before vite 8 can ship.
  • #1608 playwright 1.50→1.60. Same shape — newer vendored Chromium surfaces ARIA issues that axe couldn't see before. Held until the breadcrumb-item/overflow-menu work lands.

  Also included: small AAA-compliant fix to the overflow-menu Delete story's inline color (#A21312 → #7a0e0e, the prior value hit 6.92:1 on the panel's #efefef background which is below the AAA 7:1 threshold) and a host-role fix on hx-breadcrumb-item that moves role="listitem" from the inner span to the host element so axe's parent search resolves in the light tree without crossing the shadow boundary.

@helixui/react@3.9.4

Patch Changes

• c1067b7: deps: dependabot batch 2026-05 — major bumps for vitest (3→4), TypeScript (5→6), zod (3→4), eslint (9→10), commitlint (20→21), and react/react-dom alignment to 19.2 across admin, hx-react, and react-starter. CI tooling: actions/checkout v4→v6. The package surface area is unchanged — runtime dependencies are unaffected and no API has shifted — but the build/test/type toolchain has moved, so consumers running their own pipelines should expect the same toolchain bumps.

  Two dependabot PRs are intentionally NOT in this batch:

  • #1628 vite 6→8 (with vite-plugin-dts 4→5 and @vitejs/plugin-react 4→6). Bisecting the a11y CI regression on this PR pinned the cause to the vite 8 upgrade: under vite 8's bundle output, axe-core surfaces three previously-hidden AAA violations on Components/Breadcrumb and Components/OverflowMenu (two aria-required-parent critical findings, one color-contrast-enhanced serious). Both issues are real latent ARIA defects exposed by vite 8's transpile/bundle output; they need component-level fixes (light-DOM role placement, story-level color override) before vite 8 can ship.
  • #1608 playwright 1.50→1.60. Same shape — newer vendored Chromium surfaces ARIA issues that axe couldn't see before. Held until the breadcrumb-item/overflow-menu work lands.

  Also included: small AAA-compliant fix to the overflow-menu Delete story's inline color (#A21312 → #7a0e0e, the prior value hit 6.92:1 on the panel's #efefef background which is below the AAA 7:1 threshold) and a host-role fix on hx-breadcrumb-item that moves role="listitem" from the inner span to the host element so axe's parent search resolves in the light tree without crossing the shadow boundary.

• Updated dependencies [c1067b7]

  • @helixui/library@3.9.4

@helixui/library@3.9.4

Patch Changes

• c1067b7: deps: dependabot batch 2026-05 — major bumps for vitest (3→4), TypeScript (5→6), zod (3→4), eslint (9→10), commitlint (20→21), and react/react-dom alignment to 19.2 across admin, hx-react, and react-starter. CI tooling: actions/checkout v4→v6. The package surface area is unchanged — runtime dependencies are unaffected and no API has shifted — but the build/test/type toolchain has moved, so consumers running their own pipelines should expect the same toolchain bumps.

  Two dependabot PRs are intentionally NOT in this batch:

  • #1628 vite 6→8 (with vite-plugin-dts 4→5 and @vitejs/plugin-react 4→6). Bisecting the a11y CI regression on this PR pinned the cause to the vite 8 upgrade: under vite 8's bundle output, axe-core surfaces three previously-hidden AAA violations on Components/Breadcrumb and Components/OverflowMenu (two aria-required-parent critical findings, one color-contrast-enhanced serious). Both issues are real latent ARIA defects exposed by vite 8's transpile/bundle output; they need component-level fixes (light-DOM role placement, story-level color override) before vite 8 can ship.
  • #1608 playwright 1.50→1.60. Same shape — newer vendored Chromium surfaces ARIA issues that axe couldn't see before. Held until the breadcrumb-item/overflow-menu work lands.

  Also included: small AAA-compliant fix to the overflow-menu Delete story's inline color (#A21312 → #7a0e0e, the prior value hit 6.92:1 on the panel's #efefef background which is below the AAA 7:1 threshold) and a host-role fix on hx-breadcrumb-item that moves role="listitem" from the inner span to the host element so axe's parent search resolves in the light tree without crossing the shadow boundary.

• Updated dependencies [c1067b7]

  • @helixui/tokens@3.9.4
  • @helixui/icons@1.0.4

@helixui/icons@1.0.4

Patch Changes

• c1067b7: deps: dependabot batch 2026-05 — major bumps for vitest (3→4), TypeScript (5→6), zod (3→4), eslint (9→10), commitlint (20→21), and react/react-dom alignment to 19.2 across admin, hx-react, and react-starter. CI tooling: actions/checkout v4→v6. The package surface area is unchanged — runtime dependencies are unaffected and no API has shifted — but the build/test/type toolchain has moved, so consumers running their own pipelines should expect the same toolchain bumps.

  Two dependabot PRs are intentionally NOT in this batch:

  • #1628 vite 6→8 (with vite-plugin-dts 4→5 and @vitejs/plugin-react 4→6). Bisecting the a11y CI regression on this PR pinned the cause to the vite 8 upgrade: under vite 8's bundle output, axe-core surfaces three previously-hidden AAA violations on Components/Breadcrumb and Components/OverflowMenu (two aria-required-parent critical findings, one color-contrast-enhanced serious). Both issues are real latent ARIA defects exposed by vite 8's transpile/bundle output; they need component-level fixes (light-DOM role placement, story-level color override) before vite 8 can ship.
  • #1608 playwright 1.50→1.60. Same shape — newer vendored Chromium surfaces ARIA issues that axe couldn't see before. Held until the breadcrumb-item/overflow-menu work lands.

  Also included: small AAA-compliant fix to the overflow-menu Delete story's inline color (#A21312 → #7a0e0e, the prior value hit 6.92:1 on the panel's #efefef background which is below the AAA 7:1 threshold) and a host-role fix on hx-breadcrumb-item that moves role="listitem" from the inner span to the host element so axe's parent search resolves in the light tree without crossing the shadow boundary.

@helixui/react@3.9.3

Patch Changes

• @helixui/library@3.9.3

@helixui/library@3.9.3

Patch Changes

• Updated dependencies [9c5f0ac]
  • @helixui/icons@1.0.3

@helixui/icons@1.0.3

Patch Changes

• 9c5f0ac: chore: pin npm 11.5.1 in publish job for OIDC trusted publishing

  The publish job authenticates to npm via GitHub Actions OIDC token federation
  (Trusted Publishing), but changeset publish delegates the registry PUT to the
  global npm binary. Node 22 bundles npm 10.x, which signs provenance but lacks
  trusted-publishing OIDC auth, so the PUT went out unauthenticated and the
  registry returned a misleading E404 ... is not in this registry. Pinning npm
  to 11.5.1 before publish gives changeset publish a TP-capable npm. This is an
  infrastructure-only change with no consumer-facing API impact.

@helixui/tokens@3.9.1

Patch Changes

• c4208b2: Docs deep fact-check audit — every package README + the Starlight docs
  site + the Storybook MDX surface validated against source-of-truth, with new
  preflight enforcement.

  Per-package README accuracy fixes (@helixui/library, @helixui/tokens,
  @helixui/icons, @helixui/react, @helixui/drupal-behaviors,
  @helixui/drupal-starter):

  • Install snippets, CDN URLs, and import maps now pin to verified current
    versions (@helixui/library@3.9.0, @helixui/tokens@3.9.0,
    @helixui/icons@1.0.0) — stale ^1.0.0 / ^0.3.0 / older pins removed.
  • Component API claims (events, slots, attributes) reconciled with the
    Custom Elements Manifest. Fabricated tags, events, and CSS parts removed.
  • Drupal behaviors README re-aligned to the actual hxDrawer /
    hxMenu / hxTabs source (real data-direction / data-size /
    data-active-tab attribute names; real hx-change.detail.value event
    contract).
  • @helixui/drupal-starter/theme/README.md rewritten to use raw
    CSSStyleSheet + adoptedStyleSheets primitives — the previous draft
    referenced a fictional @helixui/adopted-stylesheets npm package.

  New preflight gates (release-critical infrastructure, no consumer-facing
  shape change for these packages):

  • Gate 11 (docs version drift, scripts/check-version-drift.mjs) — extended
    to scan packages/**/README.md (was apps-only), so future patch releases
    cannot ship stale CDN URLs in package READMEs without tripping preflight.
  • Gate 12 (docs claims fact-check, scripts/check-docs-claims.mjs) — new
    blocking gate that validates <hx-*> tags against the CEM, --hx-* token
    prefixes against @helixui/tokens, @helixui/* package references against
    the workspace + npm, internal /<slug>/ links, stale repo references, and
    outdated WCAG conformance claims.

  No public API changes. Patch-only release.