fix: bump preact from 10.28.0 to 10.28.3 (GHSA-36hm-qxxp-pg3m) #22

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1770685500-fix-preact-vulnerability

@devin-ai-integration
Contributor

Summary

Addresses Dependabot alert #36: Preact JSON VNode Injection (GHSA-36hm-qxxp-pg3m, HIGH severity).

Lockfile-only change: bumps the preact@^10.16.0 resolution (transitive dep via @metamask/sdk) from 10.28.0 → 10.28.3. The pinned preact@10.24.2 used by @coinbase/wallet-sdk is not in the vulnerable range and is left untouched.

Review & Testing Checklist for Human

  • Verify MetaMask wallet connection still works in staging — preact is a transitive dep of @metamask/sdk, so any runtime regression would surface there
  • Confirm CI passes with proper env vars (local build fails on missing NEXT_PUBLIC_CROSSMINT_ENV, which is pre-existing)

Notes

Co-Authored-By: Penelope <penelope@paella.dev>
@devin-ai-integration
Contributor Author

Original prompt from Penelope
https://github.com/Crossmint/worldstore-amazon-e2e/security/dependabot/36 
Can you draft a PR to fix this that doesn't break anything

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
