chore(deps): bump the npm-production group across 1 directory with 10 updates

[dependabot]

Bumps the npm-production group with 10 updates in the / directory:

Package	From	To
incur	0.4.5	0.4.6
@types/node	25.6.0	25.9.1
tsx	4.21.0	4.22.3
vite	8.0.10	8.0.14
@remix-run/node-fetch-server	0.13.1	0.13.3
bun	1.3.13	1.3.14
@tanstack/react-query	5.100.10	5.100.11
wagmi	3.6.13	3.6.15
@stripe/stripe-js	9.4.0	9.6.0
accounts	0.10.2	0.14.2

Updates incur from 0.4.5 to 0.4.6

Release notes

Sourced from incur's releases.

incur@0.4.6

Patch Changes

• ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation

Changelog

Sourced from incur's changelog.

0.4.6

Patch Changes

• ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation

Commits

• 3914ae8 chore: version packages (#141)
• ed18ddc feat: generate OpenAPI spec API (#139)
• See full diff in compare view

Updates @types/node from 25.6.0 to 25.9.1

Commits

• See full diff in compare view

Updates tsx from 4.21.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.0

4.22.0 (2026-05-14)

Features

• upgrade esbuild to 0.28 (#789) (b29f6ee)

---

This release is also available on:

• npm package (@​latest dist-tag)

... (truncated)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for tsx since your current version.

Updates vite from 8.0.10 to 8.0.14

Release notes

Sourced from vite's releases.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

Tests

• css: sass does not use main field (#22449) (ebf39a0)

8.0.13 (2026-05-14)

Features

• bundled-dev: add lazy bundling support (#21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
• update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
• make isBundled per environment (#22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#22430) (6ea3838)
• update changelog (#22413) (fcdc87c)

8.0.12 (2026-05-11)

Features

• update rolldown to 1.0.0 (#22401) (cf0ff41)

... (truncated)

Commits

• c917f1e release: v8.0.14
• 5d94d1b fix(html): handle trailing slash paths in transformIndexHtml (#22480)
• 98b8163 fix(deps): update all non-major dependencies (#22471)
• 96efc88 feat: update rolldown to 1.0.2 (#22484)
• ebf39a0 test(css): sass does not use main field (#22449)
• 0ae2844 refactor(glob): do not rewrite import path for absolute base (#22310)
• 7cb728e chore(deps): update rolldown-related dependencies (#22470)
• b3132da fix(optimizer): pass oxc jsx options to transformSync in dependency scan ...
• e8e9a34 fix(dev): handle errors when sending messages to vite server (#22450)
• 2c69495 chore: remove irrelevant commits from changelog
• Additional commits viewable in compare view

Updates @remix-run/node-fetch-server from 0.13.1 to 0.13.3

Release notes

Sourced from @​remix-run/node-fetch-server's releases.

node-fetch-server v0.13.3

Patch Changes

• Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

• Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

node-fetch-server v0.13.2

Patch Changes

• Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.

Changelog

Sourced from @​remix-run/node-fetch-server's changelog.

v0.13.3

Patch Changes

• Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

• Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

v0.13.2

Patch Changes

• Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.

Commits

• See full diff in compare view

Updates bun from 1.3.13 to 1.3.14

Release notes

Sourced from bun's releases.

Bun v1.3.14

To install Bun v1.3.14

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.14:

bun upgrade

Read Bun v1.3.14's release notes on Bun's blog

Thanks to 11 contributors!

• @​190n
• @​alii
• @​carlsmedstad
• @​cirospaciari
• @​coleleavitt
• @​djs5008
• @​dylan-conway
• @​ig-ant
• @​Jarred-Sumner
• @​robobun
• @​sosukesuzuki

Commits

• 0d9b296 Bun.serve: rename h3/h1 options to http3/http1 (#30583)
• 39540fd github-actions: pin action versions (#30575)
• 314ffe3 test: pin #23139 + #22743 — repeated dynamic import of error-throwing module ...
• 2043f9c Upgrade WebKit to 5488984d: fix require(ESM) diamond-dep deadlock (#30527)
• 37bfbed YAML.stringify: quote strings that parse back as numbers (#30435)
• 4c0a5a7 node:http: dispatch request on first write() and emit response in duplex mode...
• ca1788c Don't retry non-idempotent HTTP methods on keep-alive disconnect (#28708)
• 450072b install: disable isolated global virtual store by default until no longer exp...
• 03ebdf8 chore: prevent auto-update actions from running on forks (#30464)
• fe735f8 http: arm idle timer on open so a stalled TLS handshake times out (#30376)
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.100.10 to 5.100.11

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-next-experimental@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-persist-client@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Commits

• See full diff in compare view

Updates wagmi from 3.6.13 to 3.6.15

Release notes

Sourced from wagmi's releases.

wagmi@3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

wagmi@3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

Changelog

Sourced from wagmi's changelog.

3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

Commits

• 98f9a16 chore: version packages (#5122)
• 4c44cd0 refactor(tempo): rename wallet.send to wallet.transfer (#5121)
• dcd6f60 chore: version packages (#5118)
• See full diff in compare view

Updates @stripe/stripe-js from 9.4.0 to 9.6.0

Release notes

Sourced from @​stripe/stripe-js's releases.

v9.6.0

New features

• Add types for automatic_surcharge (#918)

Fixes

Changed

v9.5.0

Changed

• Add types for new PE and ECE availablepaymentmethodschange event (#924)

Commits

• c427b26 v9.6.0
• 0c9277f Add types for automatic_surcharge (#918)
• cbe49b0 v9.5.0
• 6a321bf Add types for new PE and ECE availablepaymentmethodschange event (#924)
• See full diff in compare view

Updates accounts from 0.10.2 to 0.14.2

Release notes

Sourced from accounts's releases.

accounts@0.14.2

Patch Changes

• 022d947: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.

accounts@0.14.1

Patch Changes

• 62705cb: Added an on filter to the wallet_connect showDeposit capability to direct if the deposit screen should be shown on login or register.

accounts@0.14.0

Minor Changes

• feb1ab6: Breaking: Updated Tempo chain imports to use scoped chain entrypoints. Bump your Viem version to >=2.50.4.

Patch Changes

• 7aeec48: Fixed access key authorization to reject requests that require external key material when none is provided.
• 78778cb: Added a Privy adapter for connecting and signing with app-provided Privy embedded wallet accounts.
• e15757f: Added a showDeposit capability to wallet_connect.

accounts@0.13.0

Minor Changes

• 0666744: Breaking: Changed Handler.auth() to require callers to provide origin or domain, so SIWE challenge and verify flows pinned domain binding instead of deriving it from request Host headers.

• f652ff2: Breaking: Updated wallet_deposit params to use amount and token and removed value.

  provider.request({
    method: 'wallet_deposit',
  - params: [{ value: '25' }],
  + params: [{ amount: '25', token: 'pathUSD' }],
  })

Patch Changes

• ab516b7: Fixed WebAuthn credential storage to bind credentials to their registered user id and use atomic duplicate rejection when the configured Kv supports it.
• 4029a37: Fixed dialog auth capability handling to forward returned auth tokens through wallet connection account results.
• bdd6b39: Rejected unsafe app-provided external fee-payer URLs unless relay config explicitly allowed unsafe URLs.
• c64d825: Fixed wallet_connect auth handling to allow derived or forwarded auth endpoints without dropping the SIWE signature.
• dd5d399: Fixed access-key authorization lifecycle handling so pending authorizations stayed attached until publication was known.

accounts@0.12.2

Patch Changes

• 22153c8: Added access-key publication status helpers and matched scoped key policies locally without crashing on malformed scope data.
• c97987d: Documented chain-qualified relay routes and showed the MPP example server sponsoring pull-mode charge transactions.
• 652ae1a: Added error details to wallet_sendCalls failures so viem push-mode fallbacks preserved the original provider error.
• 91b5699: Passed MPP session options from Provider.create({ mpp }) through to mppx so clients could configure session deposits.

... (truncated)

Changelog

Sourced from accounts's changelog.

0.14.2

Patch Changes

• 022d947: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.

0.14.1

Patch Changes

• 62705cb: Added an on filter to the wallet_connect showDeposit capability to direct if the deposit screen should be shown on login or register.

0.14.0

Minor Changes

• feb1ab6: Breaking: Updated Tempo chain imports to use scoped chain entrypoints. Bump your Viem version to >=2.50.4.

Patch Changes

• 7aeec48: Fixed access key authorization to reject requests that require external key material when none is provided.
• 78778cb: Added a Privy adapter for connecting and signing with app-provided Privy embedded wallet accounts.
• e15757f: Added a showDeposit capability to wallet_connect.

0.13.0

Minor Changes

• 0666744: Breaking: Changed Handler.auth() to require callers to provide origin or domain, so SIWE challenge and verify flows pinned domain binding instead of deriving it from request Host headers.

• f652ff2: Breaking: Updated wallet_deposit params to use amount and token and removed value.

  provider.request({
    method: 'wallet_deposit',
  - params: [{ value: '25' }],
  + params: [{ amount: '25', token: 'pathUSD' }],
  })

Patch Changes

• ab516b7: Fixed WebAuthn credential storage to bind credentials to their registered user id and use atomic duplicate rejection when the configured Kv supports it.
• 4029a37: Fixed dialog auth capability handling to forward returned auth tokens through wallet connection account results.
• bdd6b39: Rejected unsafe app-provided external fee-payer URLs unless relay config explicitly allowed unsafe URLs.
• c64d825: Fixed wallet_connect auth handling to allow derived or forwarded auth endpoints without dropping the SIWE signature.
• dd5d399: Fixed access-key authorization lifecycle handling so pending authorizations stayed attached until publication was known.

0.12.2

Patch Changes

... (truncated)

Commits

• 200b72a chore: version packages (#537)
• 022d947 refactor: simplify Privy account loading (#536)
• c7d6c71 docs: update deposit guidance (#535)
• b09571f chore: version packages (#534)
• 62705cb feat: add showDeposit#on (#533)
• ea49241 chore: version packages (#528)
• a28843b docs: move showDeposit guide note (#532)
• feb1ab6 chore: update tempo chain dependencies (#526)
• 78778cb chore: add generated Privy adapter changeset (#531)
• 22dab4a fix: include Privy env vars in playground deploy (#530)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/mppx@484

commit: d7870ac

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	incur@​0.4.6
	accounts@​0.10.2 ⏵ 0.14.2	-1		+1	+1
	wagmi@​3.6.15
	bun@​1.3.14
	@​typescript/​native-preview@​7.0.0-dev.20260527.1
	@​tanstack/​react-query@​5.100.11
	@​stripe/​stripe-js@​9.4.0 ⏵ 9.6.0	+1

View full report