build(deps): bump @preact/signals from 2.9.0 to 2.9.1 #2723
dependabot[bot] wants to merge 1 commit into
Bumps [@preact/signals](https://github.com/preactjs/signals/tree/HEAD/packages/preact) from 2.9.0 to 2.9.1.
- [Release notes](https://github.com/preactjs/signals/releases)
- [Changelog](https://github.com/preactjs/signals/blob/main/packages/preact/CHANGELOG.md)
- [Commits](https://github.com/preactjs/signals/commits/HEAD/packages/preact)

---
updated-dependencies:
- dependency-name: "@preact/signals"
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Suggested comment for Cursor review (copy and paste as a new comment):
Note: GitHub Actions bot cannot trigger Cursor agent directly. Please copy the above comment to invoke the review.
Web Compatibility Assessment
- `special-pages/package.json:42`, `package-lock.json:1917-1919`, `package-lock.json:11335` - severity: info. No web-compat findings. This is a dependency-only bump for `@preact/signals` in `special-pages`; it does not touch `injected/src`, API wrappers/shims, `DDGProxy`, captured globals, platform entry points, DOM observer/timer patterns, or remote config.
- Upstream `@preact/signals` `2.9.1` is a narrow patch for signal-bound DOM prop handling: it avoids redundant unchanged attribute writes and restores signal refs on unmount/remount. That does not broaden page interaction surface and should reduce render-time DOM churn.
Security Assessment
- `special-pages/package.json:42`, `package-lock.json:1917-1919`, `package-lock.json:11335` - severity: info. No security findings. The diff does not change native messaging schemas/transports, message bridge checks, origin validation, `postMessage`, network requests, dynamic code execution, iframe handling, or global capture hygiene.
- Package metadata is aligned: peer dependency remains `preact >= 10.25.0 || >=11.0.0-0`, dependency remains `@preact/signals-core ^1.14.0`, and the lockfile keeps `@preact/signals-core` at `1.14.0` with no unrelated churn.
Risk Level
Low Risk - special-pages dependency patch only; no injected runtime or security-sensitive infrastructure changes.
Recommendations
No code changes required from a web-compat/security perspective. Targeted verification run: `npm run test-unit --workspace=special-pages` passed locally (104 tests).
Sent by Cursor Automation: Web compat and sec
No blocking concerns found for this dependency update.
Evidence reviewed:
- PR diff only bumps `@preact/signals` from `2.9.0` to `2.9.1` in `special-pages/package.json` and `package-lock.json`; the resolved transitive `@preact/signals-core` remains `1.14.0`.
- The `2.9.1` package changelog/tarball maps to upstream PR preactjs/signals#924 / commit `ebcee906`, a patch for redundant signal-bound DOM attribute writes when parents rerender with unchanged signal props. The package diff changes the Preact adapter’s `diffed`/`unmount` handling, not public APIs used here.
- Local usage is still concentrated in `special-pages/pages/new-tab` state/rendering paths (`useSignal`, `useComputed`, `useSignalEffect`, `batch`, `effect`, `signal`). I did not find usage of `@preact/signals/utils`, `<For>`, or `<Show>`.
- Supply-chain checks: package maintainers/license/peer deps are unchanged, no new transitive package was introduced, `npm audit --workspace special-pages --omit=dev` reports 0 vulnerabilities, and `npm audit signatures --workspace special-pages` verifies registry signatures/attestations.
Validation run on a clean `npm ci` install resolving `@preact/signals@2.9.1`:
- `npm ls @preact/signals @preact/signals-core --workspace special-pages`
- `npm run test-unit --workspace special-pages`
- `npm run build --workspace special-pages`
- Focused new-tab/customizer/activity integrations passed when rerun serially: `npm run test-int --workspace special-pages -- --reporter=list --workers=1 pages/new-tab/integration-tests/new-tab.spec.js pages/new-tab/app/customizer/integration-tests/customizer.spec.js pages/new-tab/app/activity/integration-tests/activity.spec.js`
Non-blocking caveat: I could not find a GitHub Release object/tag for @preact/signals@2.9.1; the release evidence is from npm metadata/tarball changelog plus the merged upstream PR. Given the lockfile integrity, verified signatures/attestations, and small upstream diff, I do not see this as a blocker.
No separate fix PR was drafted because I did not identify a required fix.
Sent by Cursor Automation: Review dependabot
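The lockfile checks described in the review above (only the bumped package moves, no new transitive package, registry source and integrity present), as an added example that is not part of this PR or of the reviewer's tooling. The function names, the lockfile fragments, the placeholder integrity strings and the `mirror.example` host are constructed for illustration.

```javascript
// Added example: review a dependency bump by diffing package-lock.json
// objects (lockfileVersion 2/3 "packages" map). All sample data is constructed.
const REGISTRY = 'https://registry.npmjs.org/';
const installed = (lock) => Object.entries(lock.packages || {})
  .filter(([path]) => path.includes('node_modules/')); // skip root and workspace entries

function diffLockfiles(before, after) {
  const a = new Map(installed(before)), b = new Map(installed(after));
  return {
    added: [...b.keys()].filter((p) => !a.has(p)),
    removed: [...a.keys()].filter((p) => !b.has(p)),
    changed: [...b.keys()].filter((p) => a.has(p) &&
      (a.get(p).version !== b.get(p).version || a.get(p).integrity !== b.get(p).integrity ||
       a.get(p).resolved !== b.get(p).resolved)),
  };
}

// Returns findings; an empty array means only the expected package moved.
function reviewBump(before, after, name, version) {
  const { added, removed, changed } = diffLockfiles(before, after);
  const findings = [...added.map((p) => `new package: ${p}`),
                    ...removed.map((p) => `removed package: ${p}`)];
  for (const p of changed) {
    const cur = after.packages[p];
    const pkg = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (pkg !== name) findings.push(`unrelated change: ${p}`);
    else if (cur.version !== version) findings.push(`unexpected version: ${p}@${cur.version}`);
    if (!/^sha512-/.test(cur.integrity || '')) findings.push(`no sha512 integrity: ${p}`);
    if (!String(cur.resolved).startsWith(REGISTRY)) findings.push(`non-registry source: ${p}`);
  }
  if (!changed.some((p) => p.endsWith(`node_modules/${name}`))) findings.push(`${name} did not change`);
  return findings;
}

// Constructed lockfile fragments; integrity strings are placeholders, not real hashes.
const sampleEntry = (pkg, v, host = REGISTRY) => ({ version: v,
  resolved: `${host}${pkg}/-/${pkg.split('/').pop()}-${v}.tgz`, integrity: `sha512-PLACEHOLDER-${v}` });
const lock = (pkgs) => ({ lockfileVersion: 3, packages: { '': {}, 'special-pages': {}, ...pkgs } });
const BEFORE = lock({ 'node_modules/@preact/signals': sampleEntry('@preact/signals', '2.9.0'),
  'node_modules/@preact/signals-core': sampleEntry('@preact/signals-core', '1.14.0') });
const CLEAN = lock({ 'node_modules/@preact/signals': sampleEntry('@preact/signals', '2.9.1'),
  'node_modules/@preact/signals-core': sampleEntry('@preact/signals-core', '1.14.0') });
const CHURN = lock({ 'node_modules/@preact/signals': sampleEntry('@preact/signals', '2.9.1'),
  'node_modules/@preact/signals-core': sampleEntry('@preact/signals-core', '1.14.0', 'https://mirror.example/'),
  'node_modules/constructed-extra': sampleEntry('constructed-extra', '1.0.0') });

console.log(reviewBump(BEFORE, CLEAN, '@preact/signals', '2.9.1'));
console.log(reviewBump(BEFORE, CHURN, '@preact/signals', '2.9.1'));
```

In a real review the two inputs would be the parsed `package-lock.json` from the base branch and from the PR head; the script complements, and does not replace, `npm audit signatures`.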


Bumps @preact/signals from 2.9.0 to 2.9.1.
Changelog
Sourced from @preact/signals's changelog.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Low Risk
Dependency-only patch with no repo code changes; upstream fix targets DOM update efficiency for signal props.
Overview
Bumps `@preact/signals` from 2.9.0 to 2.9.1 in `special-pages` (`package.json` and root `package-lock.json`). No application source changes.
The patch release fixes redundant DOM attribute writes when a parent rerenders with unchanged signal-bound props (library DIFFED hook behavior), which can reduce unnecessary DOM updates in Preact UIs that use signals (e.g. history and new-tab pages).
Reviewed by Cursor Bugbot for commit 039b9ad. Bugbot is set up for automated code reviews on this repo. Configure here.