
build(deps): bump @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.7.10 #2601

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 6, 2026

Bumps @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.7.10.

Note

Low Risk
Low risk dependency-only change that updates the drag-and-drop library version; main risk is minor behavioral/regression changes in UI interactions.

Overview
Updates @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.7.10 for special-pages, refreshing both special-pages/package.json and the root package-lock.json to the new resolved artifact and integrity hash.

Reviewed by Cursor Bugbot for commit 4ec7170. Bugbot is set up for automated code reviews on this repo.

@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels Apr 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 6, 2026 10:56
github-actions Bot commented Apr 6, 2026

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

github-actions Bot commented Apr 6, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10
Commit 4afd9e4609
Updated April 13, 2026 at 1:09:52 PM UTC

Static preview entry points (each also offered as a QR code for mobile preview): Docs, Static pages, Integration pages.

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#4afd9e46096a80ff49619d2ab1aab58243a3ece9

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "4afd9e46096a80ff49619d2ab1aab58243a3ece9")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10
git -C submodules/content-scope-scripts checkout 4afd9e46096a80ff49619d2ab1aab58243a3ece9

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 6, 2026
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • special-pages/package.json 39 severity info: Dependency bump only (@atlaskit/pragmatic-drag-and-drop ^1.7.9 -> ^1.7.10). No changes to injected runtime features, wrapper utilities, API shims, or message bridge paths, so no direct risk to API surface fidelity/prototype-chain behavior in injected/.
  • package-lock.json 128-136 severity info: Lockfile resolves the same package to 1.7.10; this is package metadata only and does not alter browser API overrides, DOM hooks, or platform feature initialization behavior.

Security Assessment

  • package-lock.json 10890-10892 severity warning: Unrelated lockfile delta (@duckduckgo/design-tokens reference normalized from commit SHA to #v0.17.0) expanded the PR’s dependency surface beyond the stated Atlaskit bump. This is not a direct runtime web exploit path for injected scripts, but it is supply-chain review noise and should be intentional.
  • No changes touch injected/src/captured-globals.js, wrapper-utils.js, utils.js (DDGProxy), message transport/origin checks, or bridge secret validation. No direct security-regression indicators found for hostile-page threat model controls.

Risk Level

Low Risk — dependency-only update in special-pages with no injected-page runtime/security primitive changes; only notable issue is unrelated lockfile metadata drift.

Recommendations

  1. Keep dependency PRs single-purpose: regenerate lockfile to include only the Atlaskit bump, or split unrelated @duckduckgo/design-tokens lockfile normalization into a separate PR.
  2. Run special-pages targeted regression checks after merge (npm run test-unit and npm run test-int -- --reporter list) to validate drag-and-drop interaction behavior across platforms.
  3. Alternative: pin this update with an exact version in a short-lived verification branch before broad lockfile refresh, then run full workspace lockfile normalization separately.

Sent by Cursor Automation: Web compat and sec
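The review above flags an unrelated lockfile delta (the @duckduckgo/design-tokens reference) riding along with the declared bump. The script below is an added example, not code from this PR or the content-scope-scripts project: it diffs two parsed npm lockfiles (lockfileVersion 2/3 `packages` map) and classifies each changed entry as in scope or as unrelated drift. The two lock objects are constructed sample data with placeholder integrity values and a placeholder git URL.

```javascript
// Added example, not code from this PR or the content-scope-scripts project.
// Diffs two npm lockfiles (lockfileVersion 2/3 "packages" map) and reports every
// entry whose version/resolved/integrity or dependency ranges changed, marking each
// as in scope (the declared bump) or as unrelated drift a reviewer should question.
// The lock objects below are constructed sample data; integrity values are placeholders.
function packageName(lockPath) {
  // "node_modules/@scope/name" -> "@scope/name"; root/workspace paths are returned unchanged.
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function changedRanges(a = {}, b = {}) {
  // Diff an entry's own "dependencies" map (workspace entries carry the ^range).
  const out = {};
  for (const dep of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (a[dep] !== b[dep]) out[dep] = { before: a[dep], after: b[dep] };
  }
  return out;
}

function lockfileDrift(before, after, declared) {
  const declaredSet = new Set(declared);
  const fields = ["version", "resolved", "integrity"];
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  const changes = [];
  for (const p of paths) {
    const a = before.packages[p] || {};
    const b = after.packages[p] || {};
    const diff = {};
    for (const f of fields) if (a[f] !== b[f]) diff[f] = { before: a[f], after: b[f] };
    const ranges = changedRanges(a.dependencies, b.dependencies);
    if (Object.keys(diff).length === 0 && Object.keys(ranges).length === 0) continue;
    // Names touched: the entry itself if its own fields moved, plus any dep whose range moved.
    const touched = Object.keys(diff).length ? [packageName(p)] : [];
    touched.push(...Object.keys(ranges));
    changes.push({
      path: p,
      inScope: touched.every((n) => declaredSet.has(n)),
      diff,
      ranges,
      // A registry tarball with no integrity hash defeats npm's lockfile verification.
      missingIntegrity: /^https?:/.test(b.resolved || "") && !b.integrity,
    });
  }
  return changes;
}

// Constructed sample: the declared Atlaskit bump plus an unrelated git-ref normalization.
const REGISTRY = "https://registry.npmjs.org/@atlaskit/pragmatic-drag-and-drop/-/pragmatic-drag-and-drop-";
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    "special-pages": { dependencies: { "@atlaskit/pragmatic-drag-and-drop": "^1.7.9" } },
    "node_modules/@atlaskit/pragmatic-drag-and-drop": {
      version: "1.7.9", resolved: `${REGISTRY}1.7.9.tgz`, integrity: "sha512-PLACEHOLDER_OLD",
    },
    "node_modules/@duckduckgo/design-tokens": {
      version: "0.17.0", resolved: "git+https://example.invalid/design-tokens.git#<commit-sha-placeholder>",
    },
  },
};
const afterLock = JSON.parse(JSON.stringify(beforeLock));
afterLock.packages["special-pages"].dependencies["@atlaskit/pragmatic-drag-and-drop"] = "^1.7.10";
Object.assign(afterLock.packages["node_modules/@atlaskit/pragmatic-drag-and-drop"], {
  version: "1.7.10", resolved: `${REGISTRY}1.7.10.tgz`, integrity: "sha512-PLACEHOLDER_NEW",
});
afterLock.packages["node_modules/@duckduckgo/design-tokens"].resolved = "git+https://example.invalid/design-tokens.git#v0.17.0";
const report = lockfileDrift(beforeLock, afterLock, ["@atlaskit/pragmatic-drag-and-drop"]);
console.log("unrelated drift:", report.filter((c) => !c.inScope).map((c) => c.path));
```

On real input, load the base-branch and PR-branch package-lock.json with JSON.parse and pass the names from the PR title as `declared`; any entry reported with `inScope: false` is the lockfile churn the review recommends splitting out.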

@cursor cursor Bot left a comment

Stale comment

Dependency Risk Review: @atlaskit/pragmatic-drag-and-drop 1.7.9 -> 1.7.10

Confirmed findings

  • No blocking security or behavioral risk found in this bump based on upstream release notes and local usage.
  • Upstream changelog for 1.7.10 reports only: internal removal of unnecessary token fallbacks/imports from @atlaskit/theme.
  • Runtime dependency set for this package is unchanged between 1.7.9 and 1.7.10 (@babel/runtime, bind-event-listener, raf-schd).
  • In this repo, runtime usage is concentrated in special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js.

Test coverage assessment

  • Existing integration coverage for favorites drag/drop behavior is strong in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js:
    • reorder behavior
    • placeholder drops
    • external drag/drop
  • This aligns with the risk surface for this dependency in our code.

Uncertain concerns / assumptions

  • The upstream note references internal theme token handling. We do not have targeted assertions for drag-preview styling/visual fidelity during active drag, so purely visual regressions would be weakly detected.
  • I attempted to run the focused favorites integration suite, but local execution was blocked by an unrelated build issue resolving @duckduckgo/design-tokens onboarding CSS in this environment. This prevents direct local runtime confirmation in this automation run.

Dependency necessity / alternatives

  • Dependency still appears justified: we rely on multiple adapters/utilities from this package in PragmaticDND.
  • Replacing it with raw HTML5 DnD would reintroduce cross-browser/platform edge cases this library already handles; I do not recommend replacement as part of this update.

Separate PR for fixes

  • No follow-up fix PR is required from findings above.
  • Optional hardening follow-up (separate PR if desired): add a drag-preview visual smoke check to reduce blind spots for theme-token/internal style changes.

Sent by Cursor Automation: Review dependabot

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10 branch from 8134587 to bbeeb93 Compare April 13, 2026 12:58
@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • special-pages/package.json (L36-L40) — info: Dependency version bump only (@atlaskit/pragmatic-drag-and-drop ^1.7.9 -> ^1.7.10). No changes to injected feature code, API shims, wrapper utilities, or browser-facing override contracts, so no direct risk to API surface fidelity/prototype integrity in page context.
  • package-lock.json (L126-L134) — info: Lockfile entry updates tarball/integrity for the same package patch release. No behavioral code diff in this PR; compatibility impact is constrained to transitive runtime behavior of the upstream library inside special-pages.
  • package-lock.json (L10878-L10884) — info: Workspace dependency pointer updated consistently with special-pages/package.json; no scope expansion beyond declared package.

Security Assessment

  • special-pages/package.json (L36-L40) — info: No messaging bridge, origin validation, postMessage, iframe handling, or config-gating logic changed. This PR does not alter trust-boundary logic used by injected scripts.
  • package-lock.json (L126-L134) — info: Integrity hash and resolved URL updated to the new published package artifact; no new direct code path in C-S-S security-critical modules (injected/src, wrapper-utils, captured-globals, message-bridge).
  • special-pages/package.json, package-lock.json (ranges above) — info: No new use of uncaptured globals, dynamic code execution, or data exfiltration primitives introduced by repository code changes.

Risk Level

Low Risk — Patch-level dependency bump limited to special-pages metadata/lockfile with no modifications to injected runtime, wrapper/masking machinery, or messaging/security-sensitive code.

Recommendations

  1. Add/maintain a focused drag-and-drop interaction smoke test in special-pages (omnibar/history surfaces using this library) to detect upstream behavioral regressions from future patch bumps.
  2. Keep dependency PR scope strict to the declared package (already true here) and continue verifying lockfile churn does not include unrelated package updates.
  3. If desired for extra assurance, run one manual browser smoke check for affected special-pages drag/drop flows on at least one WebKit-based target before merge.

Sent by Cursor Automation: Web compat and sec

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10 branch from bbeeb93 to 1f7f47a Compare April 13, 2026 13:01
@cursor cursor Bot left a comment

Stale comment

Dependency review for @atlaskit/pragmatic-drag-and-drop bump 1.7.9 -> 1.7.10

Confirmed issues

  • None blocking.

Evidence

  • PR diff only changes special-pages/package.json and package-lock.json entries for this package.
  • NPM tarball diff (1.7.9 vs 1.7.10) shows only CHANGELOG.md and package version metadata changed; no dist/* runtime code changes.
  • Upstream CHANGELOG.md for 1.7.10 states: internal cleanup removing unnecessary token fallbacks/imports from @atlaskit/theme.
  • In this repo, runtime usage is isolated to special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js.

Uncertain concerns / assumptions

  • No uncertain risk identified specific to this bump, assuming published tarball contents match lockfile integrity (which they do in this PR).

Test coverage assessment

  • Existing integration coverage for this dependency path is strong: reorder, placeholder drop, and external drop are tested in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js via favorites.page.js.
  • Local run of that suite in this environment failed before test execution due to an unrelated workspace build resolution issue (@duckduckgo/design-tokens/.../onboarding.css), so runtime validation depends on CI for this PR.
  • CI currently has Unit tests (special-pages, ubuntu-latest) green; special-pages integration jobs are still in progress.

Dependency necessity / alternatives

  • Dependency is still needed: PragmaticDND.js depends on multiple adapters/utilities from this package and its hitbox companion.
  • Alternative (migrating to native DnD only) is possible but would be a larger refactor and not justified by this patch-level update.

Recommendation

  • No security or behavioral regression found for this update.
  • Merge is reasonable once remaining CI checks complete successfully.
  • No separate follow-up PR is needed from this review.

Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • special-pages/package.json (line 39), info: Dependency range bump only (@atlaskit/pragmatic-drag-and-drop ^1.7.9 -> ^1.7.10). No injected runtime code paths, wrapper utilities, API shims, or platform entry points were modified, so no direct web compatibility regression vector is introduced in C-S-S injected code.
  • package-lock.json (lines 126-134, 10881), info: Lockfile updates for the same package version resolution/integrity only. No executable source changes in injected/ or messaging layers.

Security Assessment

  • special-pages/package.json (line 39), info: No changes to hostile-page execution surfaces (injected/src/**), no bridge transport/origin validation changes, and no captured-globals/DDGProxy/wrapper utility changes.
  • package-lock.json (lines 126-134, 10881), info: Supply-chain metadata update only in this PR diff; no newly introduced direct usage of uncaptured globals, postMessage, dynamic code execution, or config-gating logic.

Risk Level

Low Risk: PR only updates a special-pages dependency and lockfile metadata, with zero modifications to injected web-page runtime, API override machinery, or security-critical messaging/capture code.

Recommendations

  1. Run special-pages drag-and-drop interaction tests/smoke checks to catch any behavioral change introduced by upstream package internals.
  2. If CI does not already do it for this path, add/ensure a minimal regression test for reorder/drag flows that rely on @atlaskit/pragmatic-drag-and-drop to detect future dependency regressions early.
  3. Optionally pin and review upstream changelog entries for this package in dependency bump PRs to quickly identify any non-patch semantic changes.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment


Threat-focused review for bump @atlaskit/pragmatic-drag-and-drop 1.7.9 -> 1.7.10

Confirmed findings

  • No blocking issues found.
  • Upstream delta appears metadata-only in the published package: npm diff and tarball file-tree diff show changes only in CHANGELOG.md and package.json.
  • 1.7.10 changelog entry is: "Internal changes to remove unnecessary token fallbacks and imports from @atlaskit/theme".
  • Runtime dependency set is unchanged (@babel/runtime, bind-event-listener, raf-schd), so this does not expand transitive runtime surface.

Coverage / regression detection

  • In-repo consumer remains special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js.
  • Existing integration coverage in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js exercises critical flows:
    • re-orders items
    • support drop on placeholders
    • accepts external drag/drop
  • I attempted to run that suite, but Playwright webserver startup failed before tests executed due to unresolved @duckduckgo/design-tokens/build/desktop-browsers/onboarding.css from pages/onboarding/app/v4/App.module.css (appears unrelated to this dependency bump).

Still-needed check

  • This dependency is still needed for favorites drag/drop + external drop handling. No better in-repo alternative was found that would reduce risk.

Uncertain concerns / assumptions

  • Assumption: upstream patch note accurately describes the release.
  • Residual risk is the normal npm publisher trust/supply-chain risk, not a behavior change risk.

Separate PR for fixes

  • No dependency-specific fix is required from this review, so no separate fix PR was drafted.

Sent by Cursor Automation: Review dependabot

Bumps [@atlaskit/pragmatic-drag-and-drop](https://github.com/atlassian/pragmatic-drag-and-drop) from 1.7.9 to 1.7.10.
- [Commits](https://github.com/atlassian/pragmatic-drag-and-drop/commits)

---
updated-dependencies:
- dependency-name: "@atlaskit/pragmatic-drag-and-drop"
  dependency-version: 1.7.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10 branch from 1f7f47a to 4ec7170 Compare April 13, 2026 13:09
@cursor cursor Bot left a comment


Web Compatibility Assessment

  • special-pages/package.json (36-40), severity: info
    Bumps @atlaskit/pragmatic-drag-and-drop from ^1.7.9 to ^1.7.10. This is a patch-level dependency update in special-pages only; no injected feature code, API overrides, shims, wrapper utilities, or platform entry points are modified.
  • package-lock.json (126-136, 10878-10883), severity: info
    Lockfile update is consistent with the same package bump (version/resolved/integrity + workspace dependency entry). No behavioral code paths in C-S-S injected runtime are changed.

Security Assessment

  • special-pages/package.json (36-40), severity: info
    No changes to messaging transports, message-bridge trust checks, captured globals, stack-trace exemption logic, or any content-script security boundary.
  • package-lock.json (126-136), severity: info
    Integrity hash update reflects the new published tarball; there is no new dynamic execution pattern, origin validation change, or data-exfiltration vector introduced by this diff itself.

No warning/error/critical findings identified in this PR diff.

Risk Level

Low Risk — dependency patch bump in special-pages only, with no changes to injected web-page hooks, compatibility-sensitive API masking, or security-critical bridge/capture logic.

Recommendations

  1. Keep this as a dependency-only update and require green CI, especially special-pages unit/integration coverage that exercises drag/drop interactions.
  2. Add or maintain a focused special-pages drag/drop smoke test (pointer + keyboard flows) to detect upstream behavior shifts on future patch bumps.
  3. Continue isolating dependency bumps from injected runtime changes to preserve rollback clarity and reduce compatibility/security blast radius.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment


Dependency Risk Review: @atlaskit/pragmatic-drag-and-drop 1.7.9 -> 1.7.10

Findings (confirmed)

  • No blocking security or behavioral risks found in this bump.

Evidence

  • PR diff only updates special-pages/package.json and package-lock.json for this dependency.
  • Upstream changelog for 1.7.10 reports only: "Internal changes to remove unnecessary token fallbacks and imports from @atlaskit/theme".
  • Package artifact comparison (npm pack for 1.7.9 vs 1.7.10) shows no runtime file changes in dist/*; only CHANGELOG.md and package.json version differ.

Impact on current code

  • Runtime usage is localized to favorites drag/drop in special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js.
  • Given identical shipped runtime files, this update should not change behavior in our drag/drop paths.

Test coverage assessment

  • Existing integration coverage for impacted paths exists in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js, including:
    • re-orders items
    • support drop on placeholders
    • accepts external drag/drop
  • Attempted targeted run, but test execution was blocked by an unrelated pre-existing workspace build issue resolving @duckduckgo/design-tokens/build/desktop-browsers/onboarding.css in onboarding CSS.

Uncertain concerns / required validation

  • Because of the unrelated build blocker above, I could not re-run the targeted integration subset in this environment. I recommend confirming green CI for favorites integration coverage on this PR before merge.

Dependency necessity / alternatives

  • This dependency is still justified in current code: we directly use multiple APIs (draggable, dropTargetForElements, monitorForElements, external adapters, preview helpers).
  • Alternative (native HTML5 DnD only) would be a larger rewrite and likely regress cross-platform behavior already covered by the current integration tests.

Separate fixes PR

  • No fixes needed specific to this dependency update, so no separate PR drafted from this review.

Sent by Cursor Automation: Review dependabot


dependabot Bot commented on behalf of github Apr 20, 2026

Superseded by #2641.

@dependabot dependabot Bot closed this Apr 20, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.7.10 branch April 20, 2026 12:20