Merge branch 'develop' of https://github.com/public-ui/kolibri into fix/9699-table-in-accordion

Author: deleonio

.github/workflows/benchmark.baseline.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Create GitHub App Token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}

.github/workflows/benchmark.monitoring.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Create GitHub App Token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}

.github/workflows/cla.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Create GitHub app token'
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}

.github/workflows/draft-deploy.yml

@@ -51,12 +51,12 @@ jobs:
         run: pnpm i --no-frozen-lockfile --no-verify-store-integrity
 
       - name: Build
-        run: pnpm --filter @public-ui/sample-react... build
+        run: pnpm --filter @public-ui/presentation... build
 
-      - name: Attest sample react build
+      - name: Attest presentation build
         uses: actions/attest-build-provenance@v4
         with:
-          subject-path: packages/samples/react/dist
+          subject-path: packages/samples/presentation/dist
 
       - name: Netlify Deploy
         uses: netlify/actions/cli@master
@@ -65,7 +65,7 @@ jobs:
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
           NETLIFY_SITE_ID: ${{ vars.NETLIFY_SITE_ID }}
         with:
-          args: deploy --no-build --filter=@public-ui/sample-react -d packages/samples/react/dist
+          args: deploy --no-build --filter=@public-ui/presentation -d packages/samples/presentation/dist
 
       - name: Find comment
         uses: peter-evans/find-comment@v4

.github/workflows/publish.yml

@@ -43,7 +43,7 @@ jobs:
     if: github.repository == 'public-ui/kolibri'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}

.github/workflows/test-deploy.yml

@@ -52,12 +52,12 @@ jobs:
         run: pnpm i --no-frozen-lockfile --no-verify-store-integrity
 
       - name: Build
-        run: pnpm --filter @public-ui/sample-react... build
+        run: pnpm --filter @public-ui/presentation... build
 
-      - name: Attest sample react build
+      - name: Attest presentation build
         uses: actions/attest-build-provenance@v4
         with:
-          subject-path: packages/samples/react/dist
+          subject-path: packages/samples/presentation/dist
 
       - name: Netlify Deploy
         uses: netlify/actions/cli@master
@@ -66,4 +66,4 @@ jobs:
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
           NETLIFY_SITE_ID: ${{ vars.NETLIFY_SITE_ID }}
         with:
-          args: deploy --no-build --filter=@public-ui/sample-react -d packages/samples/react/dist --alias="$GITHUB_REF_NAME" # Netlify conveniently sanitizes the alias for us. E.g. `release/1.7` becomes `release-1-7`
+          args: deploy --no-build --filter=@public-ui/presentation -d packages/samples/presentation/dist --alias="$GITHUB_REF_NAME" # Netlify conveniently sanitizes the alias for us. E.g. `release/1.7` becomes `release-1-7`

.github/workflows/update-snapshots.yml

@@ -17,7 +17,7 @@ jobs:
   update-snapshots:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}
@@ -83,10 +83,14 @@ jobs:
       - name: Display git status (after test-update)
         run: git status
 
+      - name: Stage snapshot changes
+        run: |
+          shopt -s globstar
+          git add packages/**/__snapshots__/** packages/**/snapshots/**
+
       - name: Commit and push changes
         uses: stefanzweifel/git-auto-commit-action@v7
         with:
           commit_message: Update all snapshots
-          file_pattern: 'packages/**/__snapshots__/** packages/**/snapshots/**'
           commit_user_name: '${{ steps.app-token.outputs.app-slug }}[bot]'
           commit_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'

.github/workflows/visual-tests-base.yml

@@ -7,6 +7,10 @@ concurrency:
   group: 'workflow-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
   cancel-in-progress: true
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   visual-tests-snapshots:
     strategy:
@@ -88,3 +92,53 @@ jobs:
           name: base-snapshots-${{ matrix.package }}
           path: /tmp/snapshots/${{ matrix.package }}
           if-no-files-found: ignore
+
+      - name: Determine report path
+        id: report-path
+        if: always() && github.event.pull_request.head.repo.fork == false
+        run: |
+          PACKAGE="${{ matrix.package }}"
+          if [[ "${PACKAGE}" == 'test-tag-name-transformer' ]]; then
+            REPORT_DIR="packages/test-tag-name-transformer/playwright-report"
+          else
+            THEME_DIR="${PACKAGE#theme-}"
+            REPORT_DIR="packages/themes/${THEME_DIR}/playwright-report"
+          fi
+          echo "path=${REPORT_DIR}" >> $GITHUB_OUTPUT
+          if [ -d "${REPORT_DIR}" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Deploy report to GitHub Pages
+        if: always() && github.event.pull_request.head.repo.fork == false && steps.report-path.outputs.exists == 'true'
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          folder: ${{ steps.report-path.outputs.path }}
+          target-folder: pr-${{ github.event.pull_request.number }}/${{ matrix.package }}
+          branch: gh-pages
+          clean: false
+
+      - name: Find existing PR comment
+        if: always() && github.event.pull_request.head.repo.fork == false
+        uses: peter-evans/find-comment@v4
+        id: fc
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: '<!-- visual-test-report-${{ matrix.package }} -->'
+
+      - name: Post PR comment with report link
+        if: always() && github.event.pull_request.head.repo.fork == false
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            <!-- visual-test-report-${{ matrix.package }} -->
+            ## Visual Test Report — `${{ matrix.package }}`
+            [Open Playwright Report](https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/pr-${{ github.event.pull_request.number }}/${{ matrix.package }}/)
+
+            Run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/visual-tests-cleanup.yml

@@ -0,0 +1,31 @@
+name: Visual Tests Report Cleanup
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: write
+
+jobs:
+  cleanup:
+    if: github.event.pull_request.head.repo.fork == false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: gh-pages
+          persist-credentials: true
+
+      - name: Remove PR report directory
+        run: |
+          PR_DIR="pr-${{ github.event.pull_request.number }}"
+          if [ -d "$PR_DIR" ]; then
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git rm -rf "$PR_DIR"
+            git commit -m "chore: remove visual test report for PR #${{ github.event.pull_request.number }}"
+            git push
+          else
+            echo "No report directory found for PR #${{ github.event.pull_request.number }}, skipping."
+          fi

docs/CVE_OVERVIEW.md

@@ -30,9 +30,9 @@
 
 | Severity |  v4 |  v3 |  v2 |  v1 |
 | -------- | --: | --: | --: | --: |
-| critical |   3 |   3 |   3 |   1 |
-| high     |  18 |  18 |  28 |  21 |
-| moderate |   2 |   2 |  14 |   1 |
+| critical |   4 |   4 |   4 |   2 |
+| high     |  25 |  24 |  35 |  23 |
+| moderate |   7 |   7 |  19 |   1 |
 | low      |   3 |   3 |   8 |   0 |
 | info     |   0 |   0 |   0 |   0 |
 | unknown  |   0 |   0 |   0 |   0 |
@@ -44,17 +44,21 @@
 | basic-ftp            | critical | CVE-2026-27699      | v4, v3, v2        | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method          |
 | fast-xml-parser      | critical | CVE-2026-25896      | v4, v3, v2        | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE ent  |
 | locutus              | critical | CVE-2026-25521      | v4, v3, v2, v1    | locutus is vulnerable to Prototype Pollution                                      |
+| locutus              | critical | CVE-2026-32304      | v4, v3, v2, v1    | Locutus vulnerable to RCE via unsanitized input in create_function()              |
 | @angular/common      | high     | CVE-2025-66035      | v1                | Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angula  |
 | @angular/compiler    | high     | CVE-2025-66412      | v1                | Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attribute  |
 | @angular/compiler    | high     | CVE-2026-22610      | v1                | Angular has XSS Vulnerability via Unsanitized SVG Script Attributes               |
+| @angular/compiler    | high     | CVE-2026-32635      | v1                | Angular vulnerable to XSS in i18n attribute bindings                              |
 | @angular/core        | high     | CVE-2026-22610      | v1                | Angular has XSS Vulnerability via Unsanitized SVG Script Attributes               |
 | @angular/core        | high     | CVE-2026-27970      | v1                | Angular i18n vulnerable to Cross-Site Scripting                                   |
+| @angular/core        | high     | CVE-2026-32635      | v1                | Angular vulnerable to XSS in i18n attribute bindings                              |
 | @hono/node-server    | high     | CVE-2026-29087      | v2                | @hono/node-server has authorization bypass for protected static paths via encode  |
 | axios                | high     | CVE-2026-25639      | v3, v2            | Axios is Vulnerable to Denial of Service via **proto** Key in mergeConfig         |
 | braces               | high     | CVE-2024-4068       | v4, v3, v2, v1    | Uncontrolled resource consumption in braces                                       |
 | express-rate-limit   | high     | CVE-2026-30827      | v2                | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting o  |
 | fast-xml-parser      | high     | CVE-2026-25128      | v4, v3, v2        | fast-xml-parser has RangeError DoS Numeric Entities Bug                           |
 | fast-xml-parser      | high     | CVE-2026-26278      | v4, v3, v2        | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansio  |
+| flatted              | high     | CVE-2026-32141      | v4, v3, v2        | flatted vulnerable to unbounded recursion DoS in parse() revive phase             |
 | hono                 | high     | CVE-2026-29045      | v2                | Hono vulnerable to arbitrary file access via serveStatic vulnerability            |
 | immutable            | high     | CVE-2026-29063      | v2                | Immutable is vulnerable to Prototype Pollution                                    |
 | locutus              | high     | CVE-2026-29091      | v4, v3, v2, v1    | locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Co  |
@@ -66,12 +70,15 @@
 | semver               | high     | CVE-2022-25883      | v2                | semver vulnerable to Regular Expression Denial of Service                         |
 | serialize-javascript | high     | GHSA-5c6j-r48x-rmvq | v4, v3, v2, v1    | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.to  |
 | svgo                 | high     | CVE-2026-29074      | v4, v3, v2, v1    | SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)                     |
-| tar                  | high     | CVE-2026-23950      | v1                | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on   |
 | tar                  | high     | CVE-2026-24842      | v1                | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Trave  |
 | tar                  | high     | CVE-2026-23745      | v1                | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Ins  |
-| tar                  | high     | CVE-2026-26960      | v4, v3, v1        | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no  |
+| tar                  | high     | CVE-2026-26960      | v4, v1            | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no  |
 | tar                  | high     | CVE-2026-29786      | v4, v3, v2, v1    | tar has Hardlink Path Traversal via Drive-Relative Linkpath                       |
 | tar                  | high     | CVE-2026-31802      | v4, v3, v2, v1    | node-tar Symlink Path Traversal via Drive-Relative Linkpath                       |
+| tar                  | high     | CVE-2026-23950      | v1                | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on   |
+| undici               | high     | CVE-2026-1528       | v4, v3, v2        | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien  |
+| undici               | high     | CVE-2026-1526       | v4, v3, v2        | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompre  |
+| undici               | high     | CVE-2026-2229       | v4, v3, v2        | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_win  |
 | ajv                  | moderate | CVE-2025-69873      | v3, v2            | ajv has ReDoS when using `$data` option                                           |
 | ejs                  | moderate | CVE-2024-33883      | v2                | ejs lacks certain pollution protection                                            |
 | esbuild              | moderate | GHSA-67mh-4wv8-2f99 | v2                | esbuild enables any website to send any requests to the development server and r  |
@@ -84,6 +91,9 @@
 | nanoid               | moderate | CVE-2024-55565      | v2                | Predictable results in nanoid generation when given non-integer values            |
 | qs                   | moderate | CVE-2025-15284      | v2                | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion   |
 | serialize-javascript | moderate | CVE-2024-11831      | v2                | Cross-site Scripting (XSS) in serialize-javascript                                |
+| undici               | moderate | CVE-2026-1525       | v4, v3, v2        | Undici has an HTTP Request/Response Smuggling issue                               |
+| undici               | moderate | CVE-2026-1527       | v4, v3, v2        | Undici has CRLF Injection in undici via `upgrade` option                          |
+| undici               | moderate | CVE-2026-2581       | v4, v3, v2        | Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response  |
 | webpack              | moderate | CVE-2024-43788      | v2                | Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to   |
 | webpack-dev-server   | moderate | CVE-2025-30360      | v2                | webpack-dev-server users' source code may be stolen when they access a malicious  |
 | webpack-dev-server   | moderate | CVE-2025-30359      | v2                | webpack-dev-server users' source code may be stolen when they access a malicious  |