chore: bump MM Connect packages

[jiexi]

Jira Link

Description

Bumps the MetaMask Connect SDK packages used by @web3auth/no-modal:

• @metamask/connect-evm: ^1.0.0 → ^1.3.0
• @metamask/connect-multichain: ^0.12.1 → ^0.14.0
• @metamask/connect-solana: ^1.0.0 → ^1.1.0

How has this been tested?

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

Medium Risk
Updates @metamask/connect-* dependencies used by @web3auth/no-modal, which may change wallet connection behavior at runtime despite no local code changes.

Overview
Bumps the MetaMask Connect SDK packages used by @web3auth/no-modal (EVM/multichain/solana) and refreshes both root and demo/vue-app-new lockfiles accordingly.

The lockfile updates also re-resolve/relocate several transitive dependencies (including moving some MetaMask packages from root to packages/no-modal and adjusting metadata like peer/dev flags), reflecting the new dependency graph.

^{Reviewed by Cursor Bugbot for commit 767dad9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	May 15, 2026 9:34pm

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 119126b. Configure here.}

[cursor]

Dual multichain versions may break Solana singleton coordination

Medium Severity

@metamask/connect-solana@1.1.0 depends on @metamask/connect-multichain@^0.13.0 (which for 0.x semver means >=0.13.0, <0.14.0), but this PR bumps the direct @metamask/connect-multichain to ^0.14.0. This causes npm to install two separate copies: 0.14.0 (used by connect-evm and the app code's createMultichainClient) and 0.13.0 (used internally by connect-solana's createSolanaClient). Since the multichain module provides the singleton core that all connect clients delegate to, the Solana client may fail to coordinate with the shared multichain session, potentially breaking Solana wallet functionality through the MetaMask connector.

 

^{Reviewed by Cursor Bugbot for commit 119126b. Configure here.}