chore(deps): bump the npm-production group across 1 directory with 8 updates

[dependabot]

Bumps the npm-production group with 8 updates in the / directory:

Package	From	To
incur	0.4.5	0.4.6
@types/node	25.6.0	25.9.1
tsx	4.21.0	4.22.3
bun	1.3.13	1.3.14
@tanstack/react-query	5.100.10	5.100.11
wagmi	3.6.13	3.6.15
@stripe/stripe-js	9.4.0	9.6.0
accounts	0.10.2	0.12.2

Updates incur from 0.4.5 to 0.4.6

Release notes

Sourced from incur's releases.

incur@0.4.6

Patch Changes

• ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation

Changelog

Sourced from incur's changelog.

0.4.6

Patch Changes

• ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation

Commits

• 3914ae8 chore: version packages (#141)
• ed18ddc feat: generate OpenAPI spec API (#139)
• See full diff in compare view

Updates @types/node from 25.6.0 to 25.9.1

Commits

• See full diff in compare view

Updates tsx from 4.21.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

... (truncated)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Updates bun from 1.3.13 to 1.3.14

Release notes

Sourced from bun's releases.

Bun v1.3.14

To install Bun v1.3.14

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.14:

bun upgrade

Read Bun v1.3.14's release notes on Bun's blog

Thanks to 11 contributors!

• @​190n
• @​alii
• @​carlsmedstad
• @​cirospaciari
• @​coleleavitt
• @​djs5008
• @​dylan-conway
• @​ig-ant
• @​Jarred-Sumner
• @​robobun
• @​sosukesuzuki

Commits

• 0d9b296 Bun.serve: rename h3/h1 options to http3/http1 (#30583)
• 39540fd github-actions: pin action versions (#30575)
• 314ffe3 test: pin #23139 + #22743 — repeated dynamic import of error-throwing module ...
• 2043f9c Upgrade WebKit to 5488984d: fix require(ESM) diamond-dep deadlock (#30527)
• 37bfbed YAML.stringify: quote strings that parse back as numbers (#30435)
• 4c0a5a7 node:http: dispatch request on first write() and emit response in duplex mode...
• ca1788c Don't retry non-idempotent HTTP methods on keep-alive disconnect (#28708)
• 450072b install: disable isolated global virtual store by default until no longer exp...
• 03ebdf8 chore: prevent auto-update actions from running on forks (#30464)
• fe735f8 http: arm idle timer on open so a stalled TLS handshake times out (#30376)
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.100.10 to 5.100.11

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-next-experimental@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-persist-client@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Commits

• See full diff in compare view

Updates wagmi from 3.6.13 to 3.6.15

Release notes

Sourced from wagmi's releases.

wagmi@3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

wagmi@3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

Changelog

Sourced from wagmi's changelog.

3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

Commits

• 98f9a16 chore: version packages (#5122)
• 4c44cd0 refactor(tempo): rename wallet.send to wallet.transfer (#5121)
• dcd6f60 chore: version packages (#5118)
• See full diff in compare view

Updates @stripe/stripe-js from 9.4.0 to 9.6.0

Release notes

Sourced from @​stripe/stripe-js's releases.

v9.6.0

New features

• Add types for automatic_surcharge (#918)

Fixes

Changed

v9.5.0

Changed

• Add types for new PE and ECE availablepaymentmethodschange event (#924)

Commits

• c427b26 v9.6.0
• 0c9277f Add types for automatic_surcharge (#918)
• cbe49b0 v9.5.0
• 6a321bf Add types for new PE and ECE availablepaymentmethodschange event (#924)
• See full diff in compare view

Updates accounts from 0.10.2 to 0.12.2

Release notes

Sourced from accounts's releases.

accounts@0.12.2

Patch Changes

• 22153c8: Added access-key publication status helpers and matched scoped key policies locally without crashing on malformed scope data.
• c97987d: Documented chain-qualified relay routes and showed the MPP example server sponsoring pull-mode charge transactions.
• 652ae1a: Added error details to wallet_sendCalls failures so viem push-mode fallbacks preserved the original provider error.
• 91b5699: Passed MPP session options from Provider.create({ mpp }) through to mppx so clients could configure session deposits.
• 8c4b343: Kept pending access-key authorization through fill and signing-only flows so first-use MPP charges and activation gas estimates could publish the key.
• 20cf1d2: Preserved wallet-host RPC error codes when dialog requests failed so validation errors were no longer reported as user rejection.

accounts@0.12.1

Patch Changes

• 2f2f85e: Removed signature from authorizeAccessKey.Parameters.
• e91311f: Defaulted feeToken to chain settlement token in Path A. Protected resolved token from fill() null-clobber. Fixed sponsored transactions reverting with insufficient FeeAMM liquidity.

accounts@0.12.0

Minor Changes

• 91711b3: Changed the default value of mpp on Provider.create to true. Machine Payment Protocol (mppx) support is now enabled by default -- pass mpp: false to opt out.

• 5c46dd4: Breaking: Renamed wallet_send to wallet_transfer. The method now defaults to "read-only" mode.

  For previous behavior, pass editable: true to open the editable flow.

  provider.request({
  - method: 'wallet_send',
  - params: [{ token: '0x...' }],
  + method: 'wallet_transfer',
  + params: [{ editable: true, token: '0x...' }],
  })

Patch Changes

• d545edf: Carried keyType through on non-signable json-rpc accounts so the viem/tempo transaction formatter can derive the correct keyType/keyData placeholder bytes during eth_fillTransaction gas estimation (notably for WebAuthn EOAs).
• 59046a4: Made keyAuthorization.address optional in the RPC schema. RPC nodes return prepared transactions with only keyId (the access key address), so requiring address rejected valid eth_signTransaction payloads when MPP signed via an access key.
• 5a15e7d: Relaxed the id parameter on Kv.durableObject.Namespace.get from unknown to any so Cloudflare's DurableObjectNamespace<T> is structurally assignable without an intermediate cast at the call site.
• 6d6cc9e: Skipped the mppx globalThis.fetch polyfill on runtimes where fetch is read-only (e.g. Cloudflare Workers). Added mpp.polyfill option for explicit control; defaults to auto-detect via the property descriptor.
• d545edf: Fixed local and turnkey adapters dropping publicKey when preparing key authorizations, which caused the wallet to sign authorizations for a freshly-generated address instead of the caller-supplied one.
• 63c9d5c: Removed console warning from expected signing paths in dialog adapter.
• f0757a4: Simplified loadAccounts and createAccount in turnkey adapter.
• 9d20725: Issued a Handler.webAuthn session on successful registration (matching /login), revoked it via wallet_disconnect in the WebAuthn adapter, and surfaced a consistent base64url-encoded userId across /register and /login.
• 5a15e7d: Defaulted Handler.auth({ trustProxy }) to true on Cloudflare Workers and appended a trustProxy / origin hint to "domain mismatch" / "uri mismatch" errors raised from wallet_connect.

accounts@0.11.0

Minor Changes

• 0a73f2c: Renamed the wallet_send value parameter to amount.

... (truncated)

Changelog

Sourced from accounts's changelog.

0.12.2

Patch Changes

• 22153c8: Added access-key publication status helpers and matched scoped key policies locally without crashing on malformed scope data.
• c97987d: Documented chain-qualified relay routes and showed the MPP example server sponsoring pull-mode charge transactions.
• 652ae1a: Added error details to wallet_sendCalls failures so viem push-mode fallbacks preserved the original provider error.
• 91b5699: Passed MPP session options from Provider.create({ mpp }) through to mppx so clients could configure session deposits.
• 8c4b343: Kept pending access-key authorization through fill and signing-only flows so first-use MPP charges and activation gas estimates could publish the key.
• 20cf1d2: Preserved wallet-host RPC error codes when dialog requests failed so validation errors were no longer reported as user rejection.

0.12.1

Patch Changes

• 2f2f85e: Removed signature from authorizeAccessKey.Parameters.
• e91311f: Defaulted feeToken to chain settlement token in Path A. Protected resolved token from fill() null-clobber. Fixed sponsored transactions reverting with insufficient FeeAMM liquidity.

0.12.0

Minor Changes

• 91711b3: Changed the default value of mpp on Provider.create to true. Machine Payment Protocol (mppx) support is now enabled by default -- pass mpp: false to opt out.

• 5c46dd4: Breaking: Renamed wallet_send to wallet_transfer. The method now defaults to "read-only" mode.

  For previous behavior, pass editable: true to open the editable flow.

  provider.request({
  - method: 'wallet_send',
  - params: [{ token: '0x...' }],
  + method: 'wallet_transfer',
  + params: [{ editable: true, token: '0x...' }],
  })

Patch Changes

• d545edf: Carried keyType through on non-signable json-rpc accounts so the viem/tempo transaction formatter can derive the correct keyType/keyData placeholder bytes during eth_fillTransaction gas estimation (notably for WebAuthn EOAs).
• 59046a4: Made keyAuthorization.address optional in the RPC schema. RPC nodes return prepared transactions with only keyId (the access key address), so requiring address rejected valid eth_signTransaction payloads when MPP signed via an access key.
• 5a15e7d: Relaxed the id parameter on Kv.durableObject.Namespace.get from unknown to any so Cloudflare's DurableObjectNamespace<T> is structurally assignable without an intermediate cast at the call site.
• 6d6cc9e: Skipped the mppx globalThis.fetch polyfill on runtimes where fetch is read-only (e.g. Cloudflare Workers). Added mpp.polyfill option for explicit control; defaults to auto-detect via the property descriptor.
• d545edf: Fixed local and turnkey adapters dropping publicKey when preparing key authorizations, which caused the wallet to sign authorizations for a freshly-generated address instead of the caller-supplied one.
• 63c9d5c: Removed console warning from expected signing paths in dialog adapter.
• f0757a4: Simplified loadAccounts and createAccount in turnkey adapter.
• 9d20725: Issued a Handler.webAuthn session on successful registration (matching /login), revoked it via wallet_disconnect in the WebAuthn adapter, and surfaced a consistent base64url-encoded userId across /register and /login.
• 5a15e7d: Defaulted Handler.auth({ trustProxy }) to true on Cloudflare Workers and appended a trustProxy / origin hint to "domain mismatch" / "uri mismatch" errors raised from wallet_connect.

0.11.0

... (truncated)

Commits

• 0bbfc28 refactor: centralize access key authorization (#463)
• 9cadb73 fix: require complete auth endpoints (#459)
• 03d79e9 chore: version packages (#484)
• c1aa03f fix(docker): switch to node:24 image so workerd has CA certs (#485)
• 0d5bc7b fix(tests): require scopes in wallet_authorizeAccessKey and cast result.tx.ga...
• 91b5699 fix(mpp): pass session options through provider (#476)
• 601671c revert: lockfile regen (#482)
• c97987d docs(mpp): clarify relay and fee payer setup (#477)
• 652ae1a fix(mpp): preserve send calls error details (#478)
• 20cf1d2 fix(provider): preserve dialog error codes (#479)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	incur@​0.4.6
	accounts@​0.10.2 ⏵ 0.12.2	-1		+1	+1
	wagmi@​3.6.15
	bun@​1.3.14
	@​tanstack/​react-query@​5.100.11
	@​stripe/​stripe-js@​9.4.0 ⏵ 9.6.0	+1

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/mppx@480

commit: ec0fe3a