fix: override preact to 10.28.2 to resolve JSON VNode Injection vulnerability (CVE-2026-22028)

[devin-ai-integration]

Description

Resolves Dependabot alert #402 — Preact JSON VNode Injection (CVE-2026-22028, GHSA-36hm-qxxp-pg3m, severity: high).

preact is a transitive dependency pulled in by @coinbase/wallet-sdk (via @dynamic-labs/ethereum, @privy-io/react-auth). The vulnerable range is >= 10.28.0, < 10.28.2. Since it's not a direct dependency, a pnpm override is used to pin all preact resolutions to 10.28.2.

⚠️ Reviewer note

The override also bumps preact@10.24.2 (used by @base-org/account via @reown/appkit-utils) to 10.28.2. This is a minor version bump for that consumer (10.24 → 10.28), not just a patch. The 10.24.2 version was outside the vulnerable range, but the blanket override consolidates both versions. Please verify CI passes cleanly — if there are runtime issues in the wallet quickstart app (which uses @reown/appkit), a scoped override like "@coinbase/wallet-sdk>preact": "10.28.2" may be preferable instead.

Test plan

• pnpm lint — passes
• pnpm test:vitest — all 11 test suites pass
• No manual app testing performed; relying on CI

Package updates

• preact: 10.24.2 / 10.28.0 → 10.28.2 (via pnpm override)
• No changesets needed — this is a root-level transitive dependency override, not a published package change.

---

Link to Devin run: https://crossmint.devinenterprise.com/sessions/60ab00d1319f460d9a52407b624d7e48
Requested by: @soinclined

[devin-ai-integration]

Original prompt from Penelope

Please TAL at the following dependabot alert and create a PR that doesn't break anything and resolves this issue. https://github.com/Crossmint/crossmint-sdk/security/dependabot/402

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[changeset-bot]

⚠️ No Changeset found

Latest commit: 67f784e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{No files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}