Martin Hochel

This commit **updates the public documentation site (v9)** to reflect the current support status for **Griffel raw styles**. It specifically modifies the support table within the documentation, ensuring that developers have accurate and up-to-date information regarding Griffel's capabilities. This **documentation update** improves the clarity and reliability of the project's public-facing resources, aiding users in understanding and utilizing Griffel effectively.

This commit **enforces** the `jsdoc/empty-tags` ESLint rule by updating the core ESLint configuration and fixing all existing violations. This **documentation cleanup** impacts a broad range of **Fluent UI packages**, including components, utilities, and styling modules, where JSDoc comments were adjusted for proper formatting. The **maintenance** work aims to significantly improve **code quality** and **documentation consistency** across the library. This ensures that JSDoc comments are always informative and correctly structured, leading to clearer API documentation and enhanced maintainability.

This commit delivers a **security fix** for the **`scripts/monorepo`** module, specifically addressing a **command injection vulnerability** within the `getAffectedPackages` helper. The `spawnSync` call in `scripts/monorepo/src/getAffectedPackages.js` has been refactored to prevent malicious command execution. This is achieved by separating arguments and explicitly disabling shell execution, thereby enhancing the security and robustness of monorepo script operations.

This commit **updates the minimum supported TypeScript version to 5.4** for the **`ts-minbar-test-react-components`** and **`ts-minbar-test-react`** test applications. This **maintenance update** involves adjusting the `tsVersion` constant in their `src/index.ts` files and updating their `README.md` documentation to reflect the new compatibility. Furthermore, the **`public-docsite-v9`** documentation is enhanced to clarify the TypeScript support policy and include **React 19** as a supported platform. This ensures the project's test infrastructure and public-facing documentation are aligned with current and upcoming platform versions.

This commit introduces a **refactoring** improvement to the project's **GitHub Actions CI workflows**. It **consolidates multiple `${{ }}` expression blocks** into single, more efficient expressions within the `if` conditions of several workflow files, including `.github/workflows/bundle-size-comment.yml`, `.github/workflows/pr-vrt-comment.yml`, and `.github/workflows/pr-website-deploy-comment.yml`. This **maintenance** task enhances the readability and conciseness of the **CI/CD pipeline configuration** by streamlining conditional logic. The change does not alter the functional behavior of the comment-posting actions, but rather optimizes their underlying structure.

This commit **refactors the project's Git commit hook infrastructure** by replacing the previous setup with **Husky** and **nano-staged**. It migrates existing `post-checkout` and `post-merge` hooks into the new `.husky` directory, while introducing a new `pre-commit` hook to automatically execute `nano-staged`. The `nano-staged.js` configuration is updated to enable **JavaScript formatting**, ensuring consistent code style before commits. This **maintenance chore** streamlines the developer workflow by standardizing and automating pre-commit checks for code quality and formatting.

This commit introduces **conditional execution** for the **bundle size comparison** within the **Continuous Integration (CI) pipeline**. The `monosize compare` step, defined in `.github/workflows/bundle-size.yml`, will now only run when a pull request targets the `master` branch. This **maintenance** change optimizes CI resource usage by preventing unnecessary bundle size checks on feature or development branches, while also providing a clear warning message when the comparison is skipped.

This commit performs a **dependency bump** across several **Fluent UI packages**, specifically affecting `@fluentui/chart-web-components`, `@fluentui/react-storybook-addon`, `@fluentui/react-storybook-addon-export-to-sandbox`, and `@fluentui/web-components`. This **maintenance** update is crucial for **mitigating known CVEs** by upgrading vulnerable dependencies within these components. The change improves the overall **security posture** and stability for consumers utilizing these Fluent UI libraries.

This commit delivers a **critical security fix** to the **`@fluentui-react-provider` package**, specifically addressing an **XSS vulnerability** that could occur during **Server-Side Rendering (SSR)**. To mitigate this, a new utility function, `escapeForStyleTag`, has been introduced to properly escape angle brackets within CSS theme values. This escaping logic is integrated into the `createCSSRuleFromTheme` utility, preventing malicious script injection through theme configurations. The **fix** ensures the integrity and safety of applications utilizing Fluent UI React components by safeguarding against Cross-Site Scripting attacks.

This commit delivers a **bug fix** for the **`workspace-plugin`'s `version-bump` generator**, addressing an issue where `beachballChangetypes` were not correctly removed when an `explicitVersion` argument was provided. The fix modifies the `runMigrationOnProject` function within `tools/workspace-plugin/src/generators/version-bump/index.ts` to extend the condition for removing these disallowed change types. Now, the removal logic applies consistently for both `nightly` releases and when an `explicitVersion` is specified, ensuring proper **version management workflow**. This prevents potential inconsistencies in release processes by correctly handling change types across different versioning strategies.

This commit addresses a **CI/CD issue** within the **Azure DevOps pipeline** for **experimental releases**. It modifies the `azure-pipelines.release-vnext-experimental.yml` script to correctly extract and utilize the full branch path. This ensures that `beachball publish` and `git reset` commands accurately reference the intended branch, preventing errors and improving the reliability of the **experimental release process**.

This commit **updates the Azure DevOps CI/CD pipeline** for **experimental releases** (`vnext-experimental`), specifically modifying the **package publishing process**. It now directly invokes the `beachball` tool with explicit arguments for access and confirmation, rather than relying on an indirect call. This **maintenance change** effectively **resolves issues with branch setting clashes** that previously impacted experimental releases. The update ensures a more **reliable and controlled release mechanism** for `vnext-experimental` packages, preventing publishing conflicts.

This commit **fixes test target dependencies** for the **`react-link`** package, ensuring its test suite runs correctly. It updates the `project.json` configuration to explicitly add the **`a11y-testing`** package as a required dependency for `react-link`'s test target. This **chore** resolves an issue where accessibility tests might not have had the necessary tooling available, thereby improving the reliability and coverage of `react-link`'s accessibility testing. Additionally, the `a11y-testing` README is updated to reflect its usage by `react-link`.

This commit **refactors** the **CI/CD pipeline configuration** to normalize `dryRun` usage and status reporting across various build processes. It introduces a `dryRun` parameter to the shared `tools.yml` template, which is then utilized by the dry run status script for consistent reporting. Multiple `azure-pipelines.*.yml` files are updated to pass this parameter, standardizing how dry run behavior is controlled across different **release and deployment pipelines**. Notably, `azure-pipelines.release-vnext-nightly.yml` now conditionally executes its publish step based on this `dryRun` status, providing more granular control over nightly builds. This **maintenance** effort enhances consistency and control over pipeline execution, particularly for publishing artifacts.

This commit **fixes a naming conflict** within the **`workspace-plugin`'s `version-bump` generator** by renaming the `version` option to `explicitVersion`. This **refactoring** prevents clashes with the `nx cli`'s built-in `--version` flag, ensuring proper functionality when specifying an explicit version for bumping. The change impacts the generator's `schema.json`, `schema.ts`, and internal logic (`index.ts`), along with its test suite (`index.spec.ts`). Additionally, the `azure-pipelines.release-vnext-experimental.yml` CI configuration is updated to reflect this new argument. Users of the `version-bump` generator must now use `--explicitVersion` to specify the desired version.

This commit performs **maintenance** on the project's **Continuous Integration (CI) system** by **removing unused workflows** associated with **Visual Regression Testing (VRT)**. These obsolete configurations are no longer necessary, and their removal streamlines the CI pipeline. The **cleanup** effort improves the efficiency and clarity of the automated testing infrastructure, ensuring only active processes are maintained.

This commit **establishes the official experimental release process for v9**, introducing new CI/CD infrastructure and enhancing internal tooling. It adds a **GitHub Actions workflow** for experimental branch creation and an **Azure Pipeline** to build and publish experimental v9 releases to NPM. The **`version-bump` workspace plugin** is also enhanced to support explicit version setting, bypassing standard bump logic. Finally, comprehensive **documentation** is added for both stable and experimental v9 release processes, providing a clear framework for feature development and testing.

This commit implements a crucial **security fix** to prevent **DOM-based XSS vulnerabilities** within the **PR Deploy Site** application. It refactors `apps/pr-deploy-site/pr-deploy-site.js` to safely render user-controlled data by utilizing `textContent` and `createElement` instead of `innerHTML`, thereby mitigating potential script injection. Concurrently, `apps/pr-deploy-site/just.config.ts` is updated to align its package list injection logic with these new XSS prevention measures. This change significantly enhances the **security** of the site by ensuring user-controlled content is rendered safely, preventing malicious script execution.

This commit performs a **maintenance chore** to fix **test target dependencies** for the **`react-button`** package. It updates `packages/react-components/react-button/library/project.json` to explicitly add a dependency on the **`a11y-testing`** package for the `test` target, ensuring that accessibility checks are correctly integrated into the button component's test suite. This change improves the robustness and completeness of the **`react-button`** testing infrastructure, helping to prevent future accessibility regressions. Additionally, a minor documentation update clarifies the primary use case of the `a11y-testing` package in its `README.md`.

This commit performs **test maintenance** by **updating a snapshot** in the **`scripts/monorepo`** module. The snapshot in `getDependencies.spec.js` required an update to reflect changes in dependency ordering and properties, specifically for `devDependencies`. This re-ordering and modification, including the `isTopLevel` property for `eslint-plugin`, resulted from a recent switch to `nx graph resolution` for dependency management. The update ensures that the tests accurately validate the new expected output of the dependency resolution logic.