Update dependencies to latest semver-safe versions

Resolves 5 security vulnerabilities (ReDoS in markdown-it, ajv,
minimatch; prototype pollution in flatted; path traversal in h3).
Prettier 3.8.1 reformatted four SKILL.md files. Also fixes .gitignore
to properly ignore Playwright test-results directory.

Author: mattobee

.agents/skills/estimating-accessibility-effort/SKILL.md

@@ -32,24 +32,24 @@ Effort estimates based only on the issue description are unreliable. Before esti
 
 For each issue, produce:
 
-| Field | Description |
-|-------|-------------|
-| **Issue** | One-sentence description of the problem |
-| **WCAG** | Success criterion reference (e.g., 2.1.1 Keyboard) |
-| **Severity** | Critical (A violation, blocker), Serious (AA violation), Moderate (best practice) |
-| **Scope** | How many files, components, or pages are affected |
-| **Effort** | T-shirt size: XS, S, M, L, XL (see definitions below) |
-| **Rationale** | Brief explanation of what the fix involves and why it takes this much effort |
-| **Dependencies** | Other issues or changes this fix depends on or enables |
+| Field            | Description                                                                       |
+| ---------------- | --------------------------------------------------------------------------------- |
+| **Issue**        | One-sentence description of the problem                                           |
+| **WCAG**         | Success criterion reference (e.g., 2.1.1 Keyboard)                                |
+| **Severity**     | Critical (A violation, blocker), Serious (AA violation), Moderate (best practice) |
+| **Scope**        | How many files, components, or pages are affected                                 |
+| **Effort**       | T-shirt size: XS, S, M, L, XL (see definitions below)                             |
+| **Rationale**    | Brief explanation of what the fix involves and why it takes this much effort      |
+| **Dependencies** | Other issues or changes this fix depends on or enables                            |
 
 ### Effort definitions
 
-| Size | Typical scope | Examples |
-|------|--------------|---------|
-| **XS** | Single attribute or property change. One file, no logic changes. | Add missing `alt` text, add `aria-label` to a button, add `autocomplete` attribute, add `lang` attribute |
-| **S** | Localised change within one component. May involve a few attributes and minor template restructuring. | Associate error messages with fields via `aria-describedby`, add visible labels to replace placeholder-only labels, add `aria-live` to a status region |
-| **M** | Changes to one component plus its consumers, or changes spanning 2-5 files. May require new state management. | Implement keyboard navigation for a custom widget, add focus management to a modal (trap + return), make a data table sortable by keyboard, add skip link |
-| **L** | Structural changes affecting multiple components or a shared layout. May require new components, hooks, or utility functions. | Redesign a drag-and-drop interface to have a keyboard alternative, retrofit focus management across all route changes, build an accessible combobox to replace a custom dropdown |
+| Size   | Typical scope                                                                                                                            | Examples                                                                                                                                                                                                |
+| ------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **XS** | Single attribute or property change. One file, no logic changes.                                                                         | Add missing `alt` text, add `aria-label` to a button, add `autocomplete` attribute, add `lang` attribute                                                                                                |
+| **S**  | Localised change within one component. May involve a few attributes and minor template restructuring.                                    | Associate error messages with fields via `aria-describedby`, add visible labels to replace placeholder-only labels, add `aria-live` to a status region                                                  |
+| **M**  | Changes to one component plus its consumers, or changes spanning 2-5 files. May require new state management.                            | Implement keyboard navigation for a custom widget, add focus management to a modal (trap + return), make a data table sortable by keyboard, add skip link                                               |
+| **L**  | Structural changes affecting multiple components or a shared layout. May require new components, hooks, or utility functions.            | Redesign a drag-and-drop interface to have a keyboard alternative, retrofit focus management across all route changes, build an accessible combobox to replace a custom dropdown                        |
 | **XL** | Architectural changes. Affects the application's structure, routing, state management, or component library. Usually a multi-day effort. | Replace a custom component system with an accessible component library, restructure page layouts for correct landmark hierarchy across all routes, implement a comprehensive form error handling system |
 
 ### Factors that increase effort
@@ -74,12 +74,12 @@ When estimating a set of issues (e.g., a full audit report), also provide:
 ### Summary table
 
 | Effort | Count | Examples |
-|--------|-------|---------|
-| XS | n | ... |
-| S | n | ... |
-| M | n | ... |
-| L | n | ... |
-| XL | n | ... |
+| ------ | ----- | -------- |
+| XS     | n     | ...      |
+| S      | n     | ...      |
+| M      | n     | ...      |
+| L      | n     | ...      |
+| XL     | n     | ...      |
 
 ### Dependency graph
 
@@ -101,18 +101,18 @@ Highlight issues that are XS or S effort with Critical or Serious severity. Thes
 ### Individual Estimates
 
 | Issue | WCAG | Severity | Scope | Effort | Rationale |
-|-------|------|----------|-------|--------|-----------|
-| ... | ... | ... | ... | ... | ... |
+| ----- | ---- | -------- | ----- | ------ | --------- |
+| ...   | ...  | ...      | ...   | ...    | ...       |
 
 ### Summary
 
 | Effort | Count |
-|--------|-------|
-| XS | n |
-| S | n |
-| M | n |
-| L | n |
-| XL | n |
+| ------ | ----- |
+| XS     | n     |
+| S      | n     |
+| M      | n     |
+| L      | n     |
+| XL     | n     |
 
 ### Dependencies
 

.agents/skills/predicting-accessibility-risks/SKILL.md

@@ -22,16 +22,17 @@ Before assessing risks, understand what is being proposed:
 
 For each risk identified, produce:
 
-| Field | Description |
-|-------|-------------|
-| **Risk** | One-sentence description of what could go wrong |
-| **Affected users** | Which disability groups are affected and how (screen reader users, keyboard-only users, low vision, cognitive, motor) |
-| **WCAG criteria** | The success criteria at stake (e.g., 2.1.1 Keyboard, 1.3.1 Info and Relationships) |
-| **Likelihood** | How likely is this to occur without explicit attention? High (almost certain without mitigation), Medium (depends on implementation choices), Low (only if a specific mistake is made) |
-| **Cost to fix later** | How expensive is this to retrofit if caught after implementation? High (requires architectural changes), Medium (requires rework of multiple components), Low (localised fix) |
-| **Mitigation** | Specific, actionable recommendation to avoid the risk |
+| Field                 | Description                                                                                                                                                                            |
+| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Risk**              | One-sentence description of what could go wrong                                                                                                                                        |
+| **Affected users**    | Which disability groups are affected and how (screen reader users, keyboard-only users, low vision, cognitive, motor)                                                                  |
+| **WCAG criteria**     | The success criteria at stake (e.g., 2.1.1 Keyboard, 1.3.1 Info and Relationships)                                                                                                     |
+| **Likelihood**        | How likely is this to occur without explicit attention? High (almost certain without mitigation), Medium (depends on implementation choices), Low (only if a specific mistake is made) |
+| **Cost to fix later** | How expensive is this to retrofit if caught after implementation? High (requires architectural changes), Medium (requires rework of multiple components), Low (localised fix)          |
+| **Mitigation**        | Specific, actionable recommendation to avoid the risk                                                                                                                                  |
 
 Focus on risks that meet at least one of these criteria:
+
 - High cost to fix later (structural or architectural)
 - High likelihood (the default implementation path would miss it)
 - Affects a fundamental interaction (navigation, form submission, content access)
@@ -110,20 +111,20 @@ These are common risk areas, not exhaustive checklists. Use them as prompts to i
 ### High Risk
 
 | Risk | Affected users | WCAG | Likelihood | Fix cost | Mitigation |
-|------|---------------|------|------------|----------|------------|
-| ... | ... | ... | ... | ... | ... |
+| ---- | -------------- | ---- | ---------- | -------- | ---------- |
+| ...  | ...            | ...  | ...        | ...      | ...        |
 
 ### Medium Risk
 
 | Risk | Affected users | WCAG | Likelihood | Fix cost | Mitigation |
-|------|---------------|------|------------|----------|------------|
-| ... | ... | ... | ... | ... | ... |
+| ---- | -------------- | ---- | ---------- | -------- | ---------- |
+| ...  | ...            | ...  | ...        | ...      | ...        |
 
 ### Low Risk
 
 | Risk | Affected users | WCAG | Likelihood | Fix cost | Mitigation |
-|------|---------------|------|------------|----------|------------|
-| ... | ... | ... | ... | ... | ... |
+| ---- | -------------- | ---- | ---------- | -------- | ---------- |
+| ...  | ...            | ...  | ...        | ...      | ...        |
 
 ### Recommendations
 

.agents/skills/prioritising-accessibility-fixes/SKILL.md

@@ -26,12 +26,12 @@ If effort estimates are missing, read the affected code and estimate before prio
 
 If issues arrive without effort estimates and `estimating-accessibility-effort` is not available, use this scale:
 
-| Size | Typical scope |
-|------|--------------|
-| **XS** | Single attribute or property change, one file |
-| **S** | Localised change within one component, a few attributes |
-| **M** | Changes to one component plus its consumers, or 2-5 files |
-| **L** | Structural changes affecting multiple components or a shared layout |
+| Size   | Typical scope                                                                   |
+| ------ | ------------------------------------------------------------------------------- |
+| **XS** | Single attribute or property change, one file                                   |
+| **S**  | Localised change within one component, a few attributes                         |
+| **M**  | Changes to one component plus its consumers, or 2-5 files                       |
+| **L**  | Structural changes affecting multiple components or a shared layout             |
 | **XL** | Architectural changes affecting routing, state management, or component library |
 
 ## Scoring model
@@ -40,31 +40,31 @@ Each issue is scored on three dimensions. The priority score determines the reme
 
 ### Severity (WCAG compliance level)
 
-| Rating | Definition | Score |
-|--------|-----------|-------|
-| Critical | WCAG Level A violation. The feature is unusable for some disability group. | 3 |
-| Serious | WCAG Level AA violation. The feature is degraded but partially usable. | 2 |
-| Moderate | Best practice or WCAG AAA. Usability improvement, not a compliance failure. | 1 |
+| Rating   | Definition                                                                  | Score |
+| -------- | --------------------------------------------------------------------------- | ----- |
+| Critical | WCAG Level A violation. The feature is unusable for some disability group.  | 3     |
+| Serious  | WCAG Level AA violation. The feature is degraded but partially usable.      | 2     |
+| Moderate | Best practice or WCAG AAA. Usability improvement, not a compliance failure. | 1     |
 
 ### User impact
 
 User impact measures how many people are affected and how severely their experience is degraded. This is distinct from WCAG severity — a Serious (AA) issue that affects every keyboard user on every page has higher user impact than a Critical (A) issue on a rarely visited admin screen.
 
-| Rating | Definition | Score |
-|--------|-----------|-------|
-| High | Affects a core user flow (navigation, auth, primary actions) or affects users across many pages. Multiple disability groups impacted. | 3 |
-| Medium | Affects a secondary flow or a specific page. One disability group primarily impacted. | 2 |
-| Low | Affects an edge case, a rarely used feature, or a minor inconvenience rather than a barrier. | 1 |
+| Rating | Definition                                                                                                                            | Score |
+| ------ | ------------------------------------------------------------------------------------------------------------------------------------- | ----- |
+| High   | Affects a core user flow (navigation, auth, primary actions) or affects users across many pages. Multiple disability groups impacted. | 3     |
+| Medium | Affects a secondary flow or a specific page. One disability group primarily impacted.                                                 | 2     |
+| Low    | Affects an edge case, a rarely used feature, or a minor inconvenience rather than a barrier.                                          | 1     |
 
 ### Effort (inverse — lower effort scores higher)
 
 Lower effort means faster delivery of accessibility improvement. All else being equal, fix the easy things first.
 
-| Rating | Effort sizes | Score |
-|--------|-------------|-------|
-| Low effort | XS, S | 3 |
-| Medium effort | M | 2 |
-| High effort | L, XL | 1 |
+| Rating        | Effort sizes | Score |
+| ------------- | ------------ | ----- |
+| Low effort    | XS, S        | 3     |
+| Medium effort | M            | 2     |
+| High effort   | L, XL        | 1     |
 
 ### Priority score
 
@@ -121,21 +121,21 @@ Present batches as grouped items with a combined effort estimate and a note on w
 
 ### Tier 1 - Fix Immediately
 
-| # | Issue | WCAG | Severity | Impact | Effort | Score |
-|---|-------|------|----------|--------|--------|-------|
-| 1 | ... | ... | ... | ... | ... | ... |
+| #   | Issue | WCAG | Severity | Impact | Effort | Score |
+| --- | ----- | ---- | -------- | ------ | ------ | ----- |
+| 1   | ...   | ...  | ...      | ...    | ...    | ...   |
 
 ### Tier 2 - Plan for Next Sprint
 
-| # | Issue | WCAG | Severity | Impact | Effort | Score |
-|---|-------|------|----------|--------|--------|-------|
-| 1 | ... | ... | ... | ... | ... | ... |
+| #   | Issue | WCAG | Severity | Impact | Effort | Score |
+| --- | ----- | ---- | -------- | ------ | ------ | ----- |
+| 1   | ...   | ...  | ...      | ...    | ...    | ...   |
 
 ### Tier 3 - Schedule When Capacity Allows
 
-| # | Issue | WCAG | Severity | Impact | Effort | Score |
-|---|-------|------|----------|--------|--------|-------|
-| 1 | ... | ... | ... | ... | ... | ... |
+| #   | Issue | WCAG | Severity | Impact | Effort | Score |
+| --- | ----- | ---- | -------- | ------ | ------ | ----- |
+| 1   | ...   | ...  | ...      | ...    | ...    | ...   |
 
 ### Batches
 

.agents/skills/writing-accessibility-tests/SKILL.md

@@ -98,7 +98,11 @@ export const test = base.extend<A11yFixtures>({
   makeAxeBuilder: async ({ page }, use) => {
     await use(() =>
       new AxeBuilder({ page }).withTags([
-        'wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa', 'wcag22aa',
+        'wcag2a',
+        'wcag2aa',
+        'wcag21a',
+        'wcag21aa',
+        'wcag22aa',
       ])
     );
   },
@@ -120,7 +124,9 @@ Tests then use:
 ```typescript
 import { test } from './fixtures/base';
 
-test('page has no accessibility violations', async ({ expectNoAxeViolations }) => {
+test('page has no accessibility violations', async ({
+  expectNoAxeViolations,
+}) => {
   await expectNoAxeViolations();
 });
 ```
@@ -180,9 +186,9 @@ await page.waitForSelector('#event-list');
 ### Accessible names
 
 ```typescript
-await expect(
-  page.getByRole('textbox', { name: 'Email' })
-).toHaveAccessibleName('Email');
+await expect(page.getByRole('textbox', { name: 'Email' })).toHaveAccessibleName(
+  'Email'
+);
 
 await expect(
   page.getByRole('button', { name: 'Save profile' })
@@ -233,8 +239,14 @@ expect(h1Count).toBe(1);
 ### Live regions
 
 ```typescript
-await expect(page.locator('.filter-count')).toHaveAttribute('aria-live', 'polite');
-await expect(page.locator('.filter-count')).toHaveAttribute('aria-atomic', 'true');
+await expect(page.locator('.filter-count')).toHaveAttribute(
+  'aria-live',
+  'polite'
+);
+await expect(page.locator('.filter-count')).toHaveAttribute(
+  'aria-atomic',
+  'true'
+);
 ```
 
 ### Dialog accessibility
@@ -306,9 +318,14 @@ axe cannot evaluate contrast for elements styled with CSS custom property chains
 
 ```typescript
 const fgColor = await element.evaluate((el) => getComputedStyle(el).color);
-const bgColor = await container.evaluate((el) => getComputedStyle(el).backgroundColor);
+const bgColor = await container.evaluate(
+  (el) => getComputedStyle(el).backgroundColor
+);
 const ratio = contrastRatio(fgColor, bgColor);
-expect(ratio, `Contrast ratio is ${ratio.toFixed(2)}:1, expected at least 4.5:1`).toBeGreaterThanOrEqual(4.5);
+expect(
+  ratio,
+  `Contrast ratio is ${ratio.toFixed(2)}:1, expected at least 4.5:1`
+).toBeGreaterThanOrEqual(4.5);
 ```
 
 ## Shadow DOM patterns
@@ -320,10 +337,16 @@ Playwright's `toHaveAccessibleName()` cannot pierce shadow DOM. For web componen
 await expect(page.locator('#my-button')).toContainText('Button Label');
 
 // Icon-only button — check the icon's label attribute
-await expect(page.locator('#my-button icon-element')).toHaveAttribute('label', /.+/);
+await expect(page.locator('#my-button icon-element')).toHaveAttribute(
+  'label',
+  /.+/
+);
 
 // Dialog/drawer — check the label attribute on the host
-await expect(page.locator('#my-dialog')).toHaveAttribute('label', 'Dialog Name');
+await expect(page.locator('#my-dialog')).toHaveAttribute(
+  'label',
+  'Dialog Name'
+);
 
 // Switch/select — check label attribute
 await expect(page.locator('#my-switch')).toHaveAttribute('label', /.+/);

.gitignore

@@ -68,4 +68,4 @@ dist
 .netlify
 
 # Ignore Playwright test run metadata
-.test-results/.last-run.json
+test-results/