Fix security vulnerabilities 311 (#312)

* fix: update @mll-lab/js-utils to fix lodash vulnerabilities

Updates @mll-lab/js-utils from 2.36.1 to 2.41.0, which includes
lodash 4.17.21 instead of the vulnerable 4.17.15.

Fixes 3 HIGH severity vulnerabilities:
- Command Injection (GHSA-35jh-r3h4-6jhm)
- Prototype Pollution (GHSA-p6mc-m468-83gw)
- ReDoS (GHSA-29mw-wpgm-hmr9)

Part of issue #311 - Chunk 1 of 5

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: update jest-environment-jsdom to fix form-data vulnerability

Updates jest-environment-jsdom from 29.7.0 to 30.2.0, which includes
jsdom 26.x with patched dependencies.

Fixes 1 CRITICAL severity vulnerability:
- form-data unsafe random function (GHSA-fjxv-7rqg-78g4)

Also fixes ws vulnerability in jsdom (moved to Storybook, will fix in next chunk).

Tests pass with some expected jsdom warnings about window.getComputedStyle
(known jsdom limitation, not a breaking issue).

Part of issue #311 - Chunk 2 of 5

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: update Storybook packages to v8.6.14

Updated Storybook packages from ^8.0.0 to ^8.2.10 (resolved to 8.6.14):
- @storybook/addon-essentials
- @storybook/react
- @storybook/react-webpack5
- storybook

Also removed deprecated @storybook/addons package.

Note: ws (HIGH) vulnerability persists via @storybook/core@8.6.14 → ws@8.14.2.
The vulnerability requires ws@8.17.1+, but Storybook 8.6.14 uses ws@8.14.2.
Further action needed to resolve this.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: replace storybook-deployer with GitHub Pages Actions

Replaced deprecated @storybook/storybook-deployer with GitHub's native
Pages deployment actions. This removes the CRITICAL parse-url vulnerability
(CVE-2024-XXXXX via git-url-parse → git-up → parse-url).

Changes:
- Updated .github/workflows/show.yml to use GitHub Pages Actions:
  - actions/configure-pages@v4
  - actions/upload-pages-artifact@v3
  - actions/deploy-pages@v4
- Removed @storybook/storybook-deployer from devDependencies
- Added required permissions and concurrency controls
- Added workflow_dispatch for manual triggers

BREAKING CHANGE: Requires one-time manual setup in GitHub Pages settings.
After merging, change Pages source from "Deploy from a branch" to
"GitHub Actions" at: Settings → Pages → Build and deployment → Source

Security impact:
- Eliminates 1 CRITICAL vulnerability (parse-url SSRF)
- Reduces total vulnerabilities from 25 to ~16

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* simplify show

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: spawnia

.github/workflows/show.yml

@@ -3,9 +3,22 @@ on:
   push:
     branches:
       - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
 
 jobs:
   storybook:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -14,6 +27,10 @@ jobs:
           node-version: 22
       - run: corepack enable
       - run: yarn install
-      - run: yarn run storybook-to-ghpages --ci --script=storybook:build
-        env:
-          GH_TOKEN: ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}
+      - run: yarn storybook:build
+      - uses: actions/configure-pages@v4
+      - uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./storybook-static
+      - uses: actions/deploy-pages@v4
+        id: deployment

package.json

@@ -56,7 +56,7 @@
   "dependencies": {
     "@ant-design/icons": "^5.0.1",
     "@dnd-kit/core": "^6.0.8",
-    "@mll-lab/js-utils": "^2.36.1",
+    "@mll-lab/js-utils": "^2.41.0",
     "antd": "4.20.5",
     "date-fns": "^2.29.3",
     "lodash": "^4.17.21",
@@ -79,11 +79,9 @@
     "@rollup/plugin-typescript": "^11.1.6",
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",
-    "@storybook/addon-essentials": "^8.0.0",
-    "@storybook/addons": "^7.6.17",
-    "@storybook/react": "^8.0.0",
-    "@storybook/react-webpack5": "^8.0.0",
-    "@storybook/storybook-deployer": "^2.8.16",
+    "@storybook/addon-essentials": "^8.2.10",
+    "@storybook/react": "^8.2.10",
+    "@storybook/react-webpack5": "^8.2.10",
     "@testing-library/dom": "^9.3.3",
     "@testing-library/jest-dom": "^6.6.4",
     "@testing-library/react": "^14.1.2",
@@ -109,7 +107,7 @@
     "eslint-plugin-testing-library": "^6.2.2",
     "identity-obj-proxy": "^3.0.0",
     "jest": "^29.7.0",
-    "jest-environment-jsdom": "^29.7.0",
+    "jest-environment-jsdom": "^30.2.0",
     "less": "^4.2.0",
     "less-loader": "^11.1.3",
     "prettier": "^3.1.0",
@@ -124,7 +122,7 @@
     "rollup-plugin-peer-deps-external": "^2.2.4",
     "rollup-plugin-styles": "^4.0.0",
     "semantic-release": "^25.0.1",
-    "storybook": "^8.0.0",
+    "storybook": "^8.2.10",
     "style-loader": "^3.3.3",
     "styled-components": "^6.1.1",
     "ts-jest": "^29.1.1",