build(deps): bump preact from 10.29.1 to 10.29.2 #2707

Open
dependabot[bot] wants to merge 3 commits into main from dependabot/npm_and_yarn/main/preact-10.29.2

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps preact from 10.29.1 to 10.29.2.

Release notes

Sourced from preact's releases.

10.29.2

Fixes

Maintenance

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for preact since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency patch update limited to preact, with changes confined to version/resolution updates in special-pages and the lockfile.

Overview
Updates special-pages to use preact 10.29.2 (from 10.29.1) and refreshes package-lock.json to the new resolved tarball and integrity hash.

Reviewed by Cursor Bugbot for commit 5821854. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [preact](https://github.com/preactjs/preact) from 10.29.1 to 10.29.2.
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](preactjs/preact@10.29.1...10.29.2)

---
updated-dependencies:
- dependency-name: preact
  dependency-version: 10.29.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Update one or more dependencies version patch Increment the patch version when merged labels May 20, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 20, 2026 16:41
@github-actions

Suggested comment for Cursor review (copy and paste as a new comment):

@cursoragent can you review against the current code and outline potential impacts based on the changelogs of the update?

Can you check the test coverage and ensure that the new code is covered?
Can you think through if this dependency is still needed or if there's better practices used elsewhere.

Can you draft a separate PR with any fixes that might be needed?

Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.

github-actions Bot commented May 20, 2026

Build Branch

Branch pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2
Commit d0eff66c1d
Updated May 22, 2026 at 10:34:09 AM UTC

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2
git -C submodules/content-scope-scripts checkout origin/pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#d0eff66c1dc52813c41c507d871a0120f07b5438

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "d0eff66c1dc52813c41c507d871a0120f07b5438")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/dependabot/npm_and_yarn/main/preact-10.29.2
git -C submodules/content-scope-scripts checkout d0eff66c1dc52813c41c507d871a0120f07b5438

@cursor cursor Bot left a comment

Web Compatibility Assessment

  • special-pages/package.json:46, package-lock.json:8453-8461, 11363 - info: This is a dependency-only bump from preact 10.29.1 to 10.29.2. The upstream source delta is limited to Preact diffing behavior around textarea defaultValue/hydration and a clone guard for nodes with constructors. No injected/src code, API wrappers, DOM prototype patches, messaging, or platform entry points are changed, so the injected-page API-surface and hostile-page compatibility risk is low.

Security Assessment

  • special-pages/package.json:46, package-lock.json:8453-8461, 11363 - info: No new dependencies, peer dependencies, network calls, messaging paths, captured-global usage, or injected runtime code are introduced. npm view shows no dependency/peer-dependency surface change between the two Preact versions.

Risk Level

Low Risk - the PR only updates the pinned Preact patch version used by special-pages; it does not touch injected protections, wrappers, message bridge security checks, or remote-config behavior.

Recommendations

  • Wait for the remaining CI jobs to finish, especially special-pages integration tests in Chromium/WebKit.
  • No code changes requested from this review. Local verification: npm run test-unit -w special-pages passed (104 tests).

Sent by Cursor Automation: Web compat and sec

@cursor cursor Bot left a comment

Dependency review: no blocking dependency-specific concerns found.

Confirmed scope: this PR only bumps special-pages' direct preact dependency from 10.29.1 to 10.29.2 and updates the lockfile tarball/integrity.

Changelog impact reviewed:

  • Runtime changes between 10.29.1...10.29.2 are narrow: textarea hydrate() handling for defaultValue/value and a deeper JSON/VNode injection guard. The remaining upstream changes are release workflow/CODEOWNERS/trusted-publishing metadata.
  • I found no hydrate usage in special-pages, so the textarea hydration fix does not appear to affect current app paths.
  • The JSON/VNode injection guard is security-positive. special-pages does parse native/string JSON in a few places and renders many remote/native-provided values, so taking the hardening patch is preferable to staying on 10.29.1.
  • The package publisher changes from jdecroock to GitHub Actions because upstream moved to trusted publishing. preact@10.29.2 includes npm provenance/attestation metadata, and npm audit signatures verified installed registry signatures.

Validation performed:

  • npm ci
  • npm run test-unit -w special-pages (104/104 pass)
  • npm run build -w special-pages
  • npm audit signatures (verified registry signatures/attestations)
  • npm audit --omit=dev --json does not report preact; it reports existing unrelated transitive advisories in lodash and picomatch.

CI note: build and Ubuntu special-pages unit checks are passing. Some PR checks are still pending. Current semver_label/asana sync failures appear to be CI/secrets issues (ANTHROPIC_API_KEY / ASANA_ACCESS_TOKEN missing), not caused by this dependency bump.

No separate fix PR drafted because I did not find a dependency-update issue that needs code changes.

Sent by Cursor Automation: Review dependabot

@github-actions github-actions Bot added the semver-patch Bug fix / internal — no release needed label May 22, 2026

github-actions Bot commented May 22, 2026

[Beta] Generated file diff

Time updated: Fri, 22 May 2026 10:34:53 GMT

Android
  • android/pages/duckplayer/dist/index.js

File has changed

Apple
  • apple/pages/duckplayer/dist/index.js
  • apple/pages/duckplayer/index.html
  • apple/pages/history/dist/index.js
  • apple/pages/new-tab/dist/index.js
  • apple/pages/onboarding/dist/index.js
  • apple/pages/release-notes/dist/index.js
  • apple/pages/special-error/dist/index.js
  • apple/pages/special-error/index.html

File has changed

Integration
  • integration/pages/duckplayer/dist/index.js
  • integration/pages/example/dist/index.js
  • integration/pages/history/dist/index.js
  • integration/pages/new-tab/dist/index.js
  • integration/pages/onboarding/dist/index.js
  • integration/pages/release-notes/dist/index.js
  • integration/pages/special-error/dist/index.js

File has changed

Windows
  • windows/pages/duckplayer/dist/index.js
  • windows/pages/history/dist/index.js
  • windows/pages/new-tab/dist/index.js
  • windows/pages/onboarding/dist/index.js
  • windows/pages/release-notes/dist/index.js
  • windows/pages/special-error/dist/index.js
  • windows/pages/special-error/index.html

File has changed

@cursor cursor Bot left a comment

Dependency risk review: no confirmed blocking concerns.

Evidence checked:

  • Diff only bumps preact from 10.29.1 to 10.29.2 in special-pages/package.json and updates the root lockfile tarball/integrity. No transitive dependency drift.
  • Upstream 10.29.2 runtime changes are limited to textarea hydrate() handling plus a cloneNode() guard that prevents deeply nested JSON-shaped VNode objects from rendering. The rest of the upstream diff is release/workflow metadata for trusted publishing.
  • Local usage search found special-pages renders with render(), not hydrate(), and did not find app textarea usage, so the documented textarea hydration fix has no current runtime exposure here.
  • Preact remains a required direct dependency: special-pages imports preact, preact/hooks, and @preact/signals broadly across app and shared UI code.

Validation run on a detached worktree at PR head bf41fc0af:

  • npm ci
  • npm run test-unit --workspace=special-pages -> 104 passed
  • npm run build --workspace=special-pages
  • npm run test-int --workspace=special-pages -- --reporter list -> 685 passed, 45 skipped

Uncertain/residual risk:

  • Dependabot notes a new npm releaser (GitHub Actions) because Preact moved to trusted publishing. I verified npm metadata has the expected 10.29.2 integrity matching the lockfile and a registry signature, but I did not independently audit Preact's repository/environment controls beyond the public upstream workflow/release notes.

No fix PR drafted because I found no concrete issue needing a change. I did not push changes to this PR.

Sent by Cursor Automation: Review dependabot
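
The lockfile integrity check mentioned in the review above, as an added example that is not part of the PR thread or the project's code: it verifies tarball bytes against the SRI `integrity` value of a lockfile entry and fails closed on weak or missing hashes. The function names are hypothetical, the lockfile is assumed to use the v2/v3 `packages` layout with preact hoisted to `node_modules/preact`, and the tarball bytes are a constructed stand-in.

```javascript
const crypto = require("node:crypto");

// Strongest-first preference, mirroring SRI algorithm priority.
const ALGOS = ["sha512", "sha384", "sha256"];

// Parse an SRI string ("sha512-<base64> sha1-<base64>") into {algo, digest} entries.
function parseIntegrity(sri) {
  return sri.trim().split(/\s+/).map((token) => {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+=*)(\?.*)?$/.exec(token);
    if (!m) throw new Error(`malformed integrity token: ${token}`);
    return { algo: m[1], digest: Buffer.from(m[2], "base64") };
  });
}

// Check bytes against the strongest algorithm present; weak-only entries fail closed.
function verifyTarball(tarballBytes, sri) {
  const entries = parseIntegrity(sri);
  const algo = ALGOS.find((a) => entries.some((e) => e.algo === a));
  if (!algo) return { ok: false, reason: "no sha256+ hash in integrity field" };
  const actual = crypto.createHash(algo).update(tarballBytes).digest();
  const ok = entries.some((e) => e.algo === algo && e.digest.equals(actual));
  return ok ? { ok: true, algo } : { ok: false, reason: `${algo} mismatch` };
}

// Look up a package in a v2/v3 package-lock.json object and verify its tarball.
function verifyLockEntry(lock, name, expectedVersion, tarballBytes) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry) return { ok: false, reason: "package not in lockfile" };
  if (entry.version !== expectedVersion) return { ok: false, reason: "unexpected version" };
  if (!entry.integrity) return { ok: false, reason: "lock entry has no integrity" };
  return verifyTarball(tarballBytes, entry.integrity);
}

// Constructed sample data: placeholder bytes, not the real preact tarball or its hash.
const sampleTarball = Buffer.from("constructed stand-in for preact-10.29.2.tgz");
const sampleSri =
  "sha512-" + crypto.createHash("sha512").update(sampleTarball).digest("base64");
const sampleLock = {
  lockfileVersion: 3,
  packages: { "node_modules/preact": { version: "10.29.2", integrity: sampleSri } },
};

console.log(verifyLockEntry(sampleLock, "preact", "10.29.2", sampleTarball));
console.log(verifyLockEntry(sampleLock, "preact", "10.29.2", Buffer.from("tampered")));
```

A matching hash only shows the bytes are the ones the lockfile pinned; who published them is a separate question, which is what the registry signature and provenance checks in the reviews address.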

@cursor cursor Bot left a comment

Dependency review: no blocking concerns found.

Evidence reviewed:

  • PR diff only updates special-pages direct production dependency preact from ^10.29.1 to ^10.29.2 and the corresponding lockfile tarball/integrity entry.
  • Upstream preact 10.29.2 changelog/compare shows a small runtime patch: textarea value/defaultValue hydration handling plus a defensive JSON-injection/VNode-cloning edge-case fix; other changes are upstream release workflow/CODEOWNERS/devtools metadata.
  • Repo usage check: special-pages does not call hydrate(; textarea usage found is client-rendered UI, mainly the New Tab omnibar/telemetry debug paths. JSON parsing exists in mocks/page bootstrap paths, but I did not find parsed JSON being rendered directly as a VNode payload.
  • preact is still required: special-pages imports preact/preact/hooks broadly, and @preact/signals peers on it.

Validation run locally after npm ci resolved preact@10.29.2:

  • npm run build -w special-pages passed
  • npm run test-unit -w special-pages passed: 104 tests
  • npm run test-int -w special-pages -- --project integration --reporter list passed: 315 passed, 1 skipped

CI evidence: GitHub checks show special-pages unit tests on Linux/Windows and special-pages Chromium/WebKit integration checks passing. Snapshot checks were still pending when reviewed, so visual-regression coverage should still be allowed to finish.

No separate fix PR drafted because I did not identify a fix needed for this dependency bump. Note: npm audit --omit=dev still reports existing production-tree findings in lodash and picomatch, but they are not introduced by this preact update.

Sent by Cursor Automation: Review dependabot
