build(deps): bump @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.8.0#2641

Open
dependabot[bot] wants to merge 4 commits into main from dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.8.0.

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency-only bump; potential risk is subtle drag-and-drop behavior/regression changes in special-pages due to the library update.

Overview
Updates @atlaskit/pragmatic-drag-and-drop from 1.7.9 to 1.8.0 for the special-pages workspace, with corresponding package-lock.json resolution/integrity changes.

Reviewed by Cursor Bugbot for commit d4008a6. Bugbot is set up for automated code reviews on this repo. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [@atlaskit/pragmatic-drag-and-drop](https://github.com/atlassian/pragmatic-drag-and-drop) from 1.7.9 to 1.8.0.
- [Commits](https://github.com/atlassian/pragmatic-drag-and-drop/commits)

---
updated-dependencies:
- dependency-name: "@atlaskit/pragmatic-drag-and-drop"
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version minor Increment the minor version when merged labels Apr 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 20, 2026 12:20
@dependabot dependabot Bot added the minor Increment the minor version when merged label Apr 20, 2026
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

github-actions Bot commented Apr 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0
Commit d1ce2c6b7c
Updated May 22, 2026 at 10:34:13 AM UTC

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#d1ce2c6b7c3bc7437157f7d16ad972d87fc83dfa

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "d1ce2c6b7c3bc7437157f7d16ad972d87fc83dfa")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/atlaskit/pragmatic-drag-and-drop-1.8.0
git -C submodules/content-scope-scripts checkout d1ce2c6b7c3bc7437157f7d16ad972d87fc83dfa

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label Apr 20, 2026

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • File: special-pages/package.json, line range: 39-39, severity: info.
    The change is a direct semver bump of @atlaskit/pragmatic-drag-and-drop from ^1.7.9 to ^1.8.0; no injected feature code, wrapper utilities, API shims, or prototype overrides changed in this PR. No direct API-surface-fidelity risk is introduced by the diff itself.
  • File: package-lock.json, line range: 126-138, severity: info.
    Lockfile update is consistent with the package bump (version/resolved/integrity only for this package block), with no additional platform bridge or injected runtime code paths modified.
  • File: package-lock.json, line range: 10878-10883, severity: info.
    Workspace dependency entry for special-pages is updated to ^1.8.0 with no other dependency graph shape change visible in this diff.

Security Assessment

  • File: special-pages/package.json, line range: 39-39, severity: info.
    No changes to injected/ security-sensitive surfaces (captured-globals, wrapper-utils, DDGProxy, message bridge, transport origin checks). Threat model items around global capture hygiene and bridge trust boundaries are unaffected by this PR.
  • File: package-lock.json, line range: 126-138, severity: info.
    Integrity hash and tarball URL rotate as expected for the upstream release; no new direct use of uncaptured globals, dynamic code execution patterns, or message schema/path relaxations introduced by changed repository code.

Risk Level

Low Risk — dependency-only bump in special-pages manifests/lockfile with no modifications to injected scripts, web API wrapping logic, or messaging security boundaries.

Recommendations

  1. Run targeted integration coverage for favorites DnD flows that use this package (special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js) across platform projects to catch upstream behavioral drift (npm run test-int -- pages/new-tab/integration-tests/new-tab.spec.js --reporter list).
  2. Add/keep a regression assertion for reorder + external drop path in new tab favorites to detect contract shifts in monitorForElements / dropTargetForElements after minor upgrades.
  3. Alternative risk posture: if you want tighter rollout control for this dependency family, pin exact 1.8.0 instead of caret range in special-pages/package.json and advance intentionally per release.

Sent by Cursor Automation: Web compat and sec
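
The assessment above relies on the lockfile diff touching only version/resolved/integrity for this one package. The following is an added example, not code from this repository or from any of the bots in this thread, that automates that check over two constructed lockfiles; `auditBump`, `makeLock`, the lockfile keys, the dependency ranges and the integrity values are assumptions made for illustration.

```javascript
// Added example. All lockfile data here is constructed; integrity values are placeholders.
const PKG = '@atlaskit/pragmatic-drag-and-drop';
const fakeSri = (byte) => 'sha512-' + Buffer.alloc(64, byte).toString('base64');

// Build a minimal lockfileVersion 3 document (hypothetical keys and ranges).
const makeLock = (version, sri) => ({
    lockfileVersion: 3,
    packages: {
        'special-pages': { dependencies: { [PKG]: `^${version}` } },
        [`node_modules/${PKG}`]: {
            version,
            resolved: `https://registry.npmjs.org/${PKG}/-/pragmatic-drag-and-drop-${version}.tgz`,
            integrity: sri,
            dependencies: { '@babel/runtime': '^7.0.0', 'bind-event-listener': '^3.0.0', 'raf-schd': '^4.0.0' },
        },
    },
});

function auditBump(before, after, pkgName, allowedHost = 'registry.npmjs.org') {
    const key = `node_modules/${pkgName}`;
    const oldPkg = before.packages[key];
    const newPkg = after.packages[key];
    if (!oldPkg || !newPkg) return [`${key}: missing from one lockfile`];
    const findings = [];
    const same = (x, y) => JSON.stringify(x) === JSON.stringify(y);

    // 1. Other entries may differ only in the range they declare for pkgName.
    const masked = (e) => ({ ...e, dependencies: { ...e.dependencies, [pkgName]: null } });
    for (const k of new Set([...Object.keys(before.packages), ...Object.keys(after.packages)])) {
        if (k === key) continue;
        const a = before.packages[k];
        const b = after.packages[k];
        if (!a || !b) findings.push(`${k}: entry ${a ? 'removed' : 'added'}`);
        else if (!same(masked(a), masked(b))) findings.push(`${k}: changed beyond the ${pkgName} range`);
    }

    // 2. The bumped entry may change version, resolved and integrity only
    //    (catches new runtime dependencies or a new hasInstallScript flag).
    for (const f of new Set([...Object.keys(oldPkg), ...Object.keys(newPkg)])) {
        if (['version', 'resolved', 'integrity'].includes(f)) continue;
        if (!same(oldPkg[f], newPkg[f])) findings.push(`${key}: field "${f}" changed`);
    }

    // 3. The tarball must come from the expected registry over HTTPS and match the version.
    let url = null;
    try { url = new URL(newPkg.resolved); } catch { /* reported below */ }
    if (!url || url.protocol !== 'https:' || url.hostname !== allowedHost) {
        findings.push(`${key}: resolved is not on https://${allowedHost}`);
    } else if (!url.pathname.endsWith(`-${newPkg.version}.tgz`)) {
        findings.push(`${key}: tarball name does not match version ${newPkg.version}`);
    }

    // 4. Integrity must be well-formed sha512 SRI and must rotate with the version.
    if (!/^sha512-[A-Za-z0-9+/]{86}==$/.test(newPkg.integrity)) findings.push(`${key}: integrity is not sha512 SRI`);
    if (newPkg.version !== oldPkg.version && newPkg.integrity === oldPkg.integrity) {
        findings.push(`${key}: version changed but integrity did not`);
    }
    return findings;
}

const before = makeLock('1.7.9', fakeSri(0x11));
const clean = makeLock('1.8.0', fakeSri(0x22));
// Constructed bad case: foreign host, extra dependency, new install script.
const tampered = JSON.parse(JSON.stringify(clean));
Object.assign(tampered.packages[`node_modules/${PKG}`], { hasInstallScript: true,
    resolved: 'https://registry.example.invalid/pragmatic-drag-and-drop-1.8.0.tgz' });
tampered.packages[`node_modules/${PKG}`].dependencies['constructed-extra-dep'] = '^1.0.0';

console.log(auditBump(before, clean, PKG));    // no findings
console.log(auditBump(before, tampered, PKG)); // three findings
```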

@cursor cursor Bot left a comment

Stale comment

Findings (by severity)

  1. Medium (uncertain): Popover API code path introduces runtime behavior change in drag overlay internals.
    Evidence: upstream 1.8.0 changelog and npm diff show changes in honey-pot-fix/make-honey-pot-fix and public-utils/element/custom-native-drag-preview/set-custom-native-drag-preview to use popover="manual" + showPopover() (with fallback to previous z-index behavior).
    Impact surface in this repo: special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js uses setCustomNativeDragPreview.
    Why this matters: this can affect drag-preview rendering/layering and drag interaction semantics in browsers that support Popover API.

Confirmed non-issues

  • No runtime dependency expansion between 1.7.9 and 1.8.0 (same prod deps: @babel/runtime, bind-event-listener, raf-schd).
  • npm audit --workspace special-pages --omit dev reports 0 known vulnerabilities.

Test coverage and validation status

  • Existing integration tests already cover core favorites DnD behavior in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js (re-orders items, support drop on placeholders, accepts external drag/drop).
  • I could not execute that suite here due to an unrelated pre-existing build failure resolving @duckduckgo/design-tokens/build/desktop-browsers/onboarding.css, so PR-specific runtime validation is still pending.

Required validation for this bump

  • Run favorites DnD integration tests on at least one Popover-capable browser and one fallback-path browser.
  • Manually verify drag preview placement and successful drop for both internal reorder and external drop.

Dependency necessity

  • This dependency is still needed in current code: usage is localized to new-tab favorites DnD, and it provides cross-browser drag/drop handling that would be non-trivial to replicate.
  • Alternative approach (optional long-term hardening): replace with native HTML5 DnD + local helpers to reduce third-party surface area, but that trades off current upstream browser-specific fixes.

Sent by Cursor Automation: Review dependabot

},
"dependencies": {
"@atlaskit/pragmatic-drag-and-drop": "^1.7.9",
"@atlaskit/pragmatic-drag-and-drop": "^1.8.0",
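
Review bot: the replacement specifier on the last line of this hunk is still a caret range ("^1.8.0"), so the manifest accepts any later 1.x release and only the lockfile fixes which build is installed. If each upstream release is meant to be reviewed before adoption, change the specifier to the exact version "1.8.0" and make sure installs run from the lockfile. The extracted hunk has lost its +/- markers: the "^1.7.9" line is the removed one and the "^1.8.0" line the added one.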

1.8.0 changes drag overlay internals to use the Popover API (popover="manual") when available, with fallback for older browsers. Since favorites DnD uses setCustomNativeDragPreview, please ensure we run/verify DnD behavior on both code paths (Popover-supported and fallback browsers) before merge.

github-actions Bot commented Apr 24, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:54 GMT

Apple
    - apple/pages/new-tab/dist/index.js

File has changed

Integration
    - integration/pages/new-tab/dist/index.js

File has changed

Windows
    - windows/pages/new-tab/dist/index.js

File has changed

@cursor cursor Bot left a comment

Stale comment

Web Compatibility Assessment

  • special-pages/package.json (line 39), package-lock.json (lines 128-132, 10881) — severity: info
    • Change is a pure dependency bump (@atlaskit/pragmatic-drag-and-drop ^1.7.9 -> ^1.8.0) with no edits to injected feature code, wrappers, shims, lifecycle hooks, or platform entry points. No direct risk to injected API-surface fidelity/prototype integrity patterns.
  • special-pages/package.json (line 39) — severity: info
    • Runtime impact is scoped to special-pages (new-tab favorites drag/drop usage), not hostile third-party page contexts where injected script tamper-resistance constraints apply.

Security Assessment

  • special-pages/package.json (line 39), package-lock.json (lines 128-132) — severity: info
    • No changes to injected/ security-sensitive paths (captured-globals, wrapper-utils, DDGProxy, message bridge/transports, origin checks). Threat-model controls for page-world tampering and bridge boundary remain unchanged.
  • package-lock.json (lines 128-132) — severity: info
    • Lockfile updates include new resolved tarball and integrity hash for 1.8.0, so install-time artifact pinning remains intact.

Risk Level

Low Risk — dependency-only update in special-pages with no modifications to injected runtime protections or web-API override machinery.

Recommendations

  1. Run special-pages unit/integration coverage for new-tab favorites drag/drop flows to catch upstream behavioral drift from the minor version bump.
  2. Perform a quick manual smoke test of reorder + external drop interactions in the new-tab favorites UI across at least one desktop and one mobile WebView target.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Stale comment

Findings (risk-focused)

  1. Coverage gap on the exact changed behavior path (confirmed)
    • Upstream @atlaskit/pragmatic-drag-and-drop 1.8.0 introduces a minor runtime behavior change: it moves "on-top" rendering (including custom native drag previews) to popover="manual" top-layer logic, with z-index fallback.
    • Our code uses that path in special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js via setCustomNativeDragPreview.
    • The drag/drop coverage in special-pages/pages/new-tab/app/favorites/integration-tests/favorites.spec.js is good functionally, but it only runs in the integration Playwright project (Desktop Chrome) per special-pages/playwright.config.js.
    • The same spec is not exercised in macos / ios / android projects, even though this dependency change is browser-engine sensitive.
    • Risk: regressions in drag-preview layering / hit-testing on WebKit-family paths could ship without test signal.

Uncertain concerns (assumptions + validation needed)

  • If any shipped runtime falls back to the non-popover path (older engine / constrained webview behavior), behavior should remain old-style z-index-based, but we do not currently have an explicit regression assertion for that path in this repo.

Dependency necessity check

  • The dependency is still needed today. It is actively used by favorites DnD logic; replacing it with native DnD primitives here would be higher-risk and larger in scope than this bump.

Suggested follow-up (separate PR, not this one)

  • Add a targeted cross-engine regression check for favorites drag preview + drop (at minimum WebKit project coverage for the favorites DnD path).
  • Optional alternative: bump directly to 1.8.1 in a follow-up dependency PR (latest patch; upstream notes expanded a11y Playwright coverage).

Sent by Cursor Automation: Review dependabot

dependabot Bot commented on behalf of github Apr 29, 2026

A newer version of @atlaskit/pragmatic-drag-and-drop exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@cursor cursor Bot left a comment

Web Compatibility Assessment

  • special-pages/package.json line 39, package-lock.json lines 85-97 and 249-255 — severity: info
    Dependency-only bump of @atlaskit/pragmatic-drag-and-drop from ^1.7.9 to ^1.8.0; no injected/ code, wrapper utilities, API shims, lifecycle hooks, platform entry points, or messaging code changed.
  • Upstream package diff — severity: info
    1.8.0 changes the package’s overlay internals for honey-pot/custom native drag-preview rendering to use popover="manual" top-layer placement when supported, with the prior max-z-index path as fallback. This can affect new-tab favorites drag/drop visuals, but it is scoped to special-pages, not hostile page-world injected scripts.
  • Validation — severity: info
    npm run build --workspace=special-pages and npm run test-int --workspace=special-pages -- pages/new-tab/app/favorites/integration-tests/favorites.spec.js --project integration --reporter list passed locally (18 passed).

Security Assessment

  • special-pages/package.json line 39, package-lock.json lines 85-97 — severity: info
    No changes to security-sensitive injected surfaces (captured-globals, wrapper-utils, DDGProxy, message bridge, transports, origin validation, or postMessage). The hostile-page tampering threat model is unaffected by the repository diff.
  • Dependency metadata — severity: info
    Production dependency set is unchanged between 1.7.9 and 1.8.0; npm audit --workspace special-pages --omit dev reports 0 vulnerabilities.

Risk Level

Low Risk — dependency-only special-pages update with localized new-tab drag/drop behavior and no changes to injected runtime protections or messaging security boundaries.

Recommendations

  1. No blocking changes for this PR.
  2. Optional follow-up: add WebKit/mobile-project coverage for the favorites drag-preview/drop path, since the upstream Popover API behavior is browser-engine sensitive and current favorites.spec.js coverage runs under the integration Desktop Chrome project.

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Dependency risk review for @atlaskit/pragmatic-drag-and-drop 1.7.9 -> 1.8.0.

Confirmed issues: none found.

What changed upstream: 1.8.0 moves the package's "on top" rendering helpers to popover="manual" / browser top-layer when available, with the previous z-index: 2147483647 behavior as fallback. The published package diff confirms this touches the honey-pot fix and setCustomNativeDragPreview; no runtime dependency or license changes.

Repo impact: the direct affected usage is New Tab favorites in special-pages/pages/new-tab/app/favorites/components/PragmaticDND.js, which uses element drag/drop, external HTML drops, and setCustomNativeDragPreview. The external adapter APIs used here did not change in the package diff.

Coverage checked: after npm ci, npm run test-int -- pages/new-tab/app/favorites/integration-tests/favorites.spec.js --reporter list passed locally: 18/18. Current CI also shows special-pages Chromium/WebKit jobs passing.

Residual validation risk: the favorites suite is only matched by the integration project in special-pages/playwright.config.js (Desktop Chrome). Because this dependency change is specifically top-layer/Popover behavior and upstream calls out Safari support boundaries, I would still smoke-test New Tab favorites reorder on macOS/iOS native shells or add separate WebKit coverage for favorites.spec.js if this path has regressed before. This is an uncertain concern, not a confirmed bug.

Dependency need: it still looks justified for this code path. Replacing it would mean reimplementing internal reorder monitoring, closest-edge drop calculation, custom native preview handling, and external bookmark MIME/html drop behavior. I did not draft a separate fix PR because I did not identify a concrete code fix needed from this review.


Sent by Cursor Automation: Review dependabot

@cursor cursor Bot left a comment

Dependency review for @atlaskit/pragmatic-drag-and-drop 1.7.9 -> 1.8.0:

No confirmed blocking issues found.

Evidence:

  • PR diff only updates special-pages/package.json and package-lock.json; runtime dependencies and license remain unchanged (Apache-2.0, same @babel/runtime, bind-event-listener, raf-schd).
  • Upstream changelog for 1.8.0 says the behavior change is internal “on top” rendering: honey-pot overlay and custom native drag previews now use popover="manual" / browser top layer when supported, falling back to the prior z-index: 2147483647 approach when unsupported.
  • Local usage is still needed: the package is directly used by the new-tab favorites DnD implementation, including setCustomNativeDragPreview, monitorForElements, dropTargetForElements, and external drop handling.
  • Existing coverage exercises the affected user paths: focused favorites integration suite passed, including reorder, placeholder drop, and external drop.

Verification run:

  • npm run test-int -w special-pages -- pages/new-tab/app/favorites/integration-tests/favorites.spec.js --reporter list -> 18 passed
  • npm run build -w special-pages -> passed

Uncertain residual risk:

  • Because 1.8.0 switches supported browsers from z-index overlaying to the Popover API, native embedded browser smoke coverage is still the useful validation point, especially Safari/WebKit-based shells and any platform versions where HTMLElement.prototype.showPopover exists but top-layer/manual-popover drag behavior differs from desktop Chromium. The automated Playwright coverage gives good confidence for Chromium-style behavior but does not prove all native shell engines.

No fix PR drafted because I did not find a confirmed code or test gap requiring changes.


Sent by Cursor Automation: Review dependabot
