chore(deps): bump the npm-production group across 1 directory with 9 updates #490

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm-production-66636df159

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the npm-production group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| incur | 0.4.5 | 0.4.6 |
| @types/node | 25.6.0 | 25.9.1 |
| ws | 8.20.1 | 8.21.0 |
| @remix-run/node-fetch-server | 0.13.1 | 0.13.3 |
| bun | 1.3.13 | 1.3.14 |
| @tanstack/react-query | 5.100.10 | 5.100.14 |
| wagmi | 3.6.13 | 3.6.15 |
| @stripe/stripe-js | 9.4.0 | 9.6.0 |
| accounts | 0.10.2 | 0.14.4 |

Updates incur from 0.4.5 to 0.4.6

Release notes

Sourced from incur's releases.

incur@0.4.6

Patch Changes

  • ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation
Changelog

Sourced from incur's changelog.

0.4.6

Patch Changes

  • ed18ddc: Added support for automatic OpenAPI v3.2.0 schema generation
Commits

Updates @types/node from 25.6.0 to 25.9.1

Commits

Updates ws from 8.20.1 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';

const wss = new WebSocketServer({ port: 0 }, function () {
  const data = Buffer.alloc(1);
  const options = { fin: false };
  const { port } = wss.address();
  const ws = new WebSocket(`ws://localhost:${port}`);

  ws.on('open', function () {
    (function send() {
      ws.send(data, options, function (err) {
        if (err) return;
        send();
      });
    })();
  });

  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`client close - code: ${code} reason: ${reason.toString()}`);
  });
});

wss.on('connection', function (ws) {
  ws.on('error', console.error);
  ws.on('close', function (code, reason) {
    console.log(`server close - code: ${code} reason: ${reason.toString()}`);
  });
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

Commits

Updates @remix-run/node-fetch-server from 0.13.1 to 0.13.3

Release notes

Sourced from @​remix-run/node-fetch-server's releases.

node-fetch-server v0.13.3

Patch Changes

  • Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

  • Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

node-fetch-server v0.13.2

Patch Changes

  • Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.
Changelog

Sourced from @​remix-run/node-fetch-server's changelog.

v0.13.3

Patch Changes

  • Cancel unfinished streaming response bodies when the client connection closes before the response completes so user-provided ReadableStream.cancel() hooks run for aborted requests (see #11432).

  • Drop handler responses when the client has already disconnected, and do not forward request abort errors from handlers or response streams to onError or write them to a closed socket (see #11431).

v0.13.2

Patch Changes

  • Start writing the first response stream chunk immediately instead of waiting for another chunk. Streaming responses with a delayed second chunk now flush their initial data without unnecessary blocking.
Commits

Updates bun from 1.3.13 to 1.3.14

Release notes

Sourced from bun's releases.

Bun v1.3.14

To install Bun v1.3.14

curl -fsSL https://bun.sh/install | bash
# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.14:

bun upgrade

Read Bun v1.3.14's release notes on Bun's blog

Thanks to 11 contributors!

Commits
  • 0d9b296 Bun.serve: rename h3/h1 options to http3/http1 (#30583)
  • 39540fd github-actions: pin action versions (#30575)
  • 314ffe3 test: pin #23139 + #22743 — repeated dynamic import of error-throwing module ...
  • 2043f9c Upgrade WebKit to 5488984d: fix require(ESM) diamond-dep deadlock (#30527)
  • 37bfbed YAML.stringify: quote strings that parse back as numbers (#30435)
  • 4c0a5a7 node:http: dispatch request on first write() and emit response in duplex mode...
  • ca1788c Don't retry non-idempotent HTTP methods on keep-alive disconnect (#28708)
  • 450072b install: disable isolated global virtual store by default until no longer exp...
  • 03ebdf8 chore: prevent auto-update actions from running on forks (#30464)
  • fe735f8 http: arm idle timer on open so a stalled TLS handshake times out (#30376)
  • Additional commits viewable in compare view

Updates @tanstack/react-query from 5.100.10 to 5.100.14

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

  • fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

  • Updated dependencies []:

    • @​tanstack/query-core@​5.100.14

@​tanstack/react-query-devtools@​5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.13
    • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-next-experimental@​5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.13

@​tanstack/react-query-persist-client@​5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.13
    • @​tanstack/react-query@​5.100.13

@​tanstack/react-query@​5.100.13

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.14

Patch Changes

  • fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

  • Updated dependencies []:

    • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

  • Updated dependencies [d423168]:
    • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.11
Commits

Updates wagmi from 3.6.13 to 3.6.15

Release notes

Sourced from wagmi's releases.

wagmi@3.6.15

Patch Changes

  • Handled malformed cookie state in cookieToInitialState. (#5116)

  • wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

    Also bumps the accounts peer dependency to ~0.12.

    - await Actions.wallet.send(config, {
    -   to: '0x...',
    -   token: '0x...',
    -   value: '1.5',
    - })
    + await Actions.wallet.transfer(config, {
    +   amount: '1.5',
    +   to: '0x...',
    +   token: '0x...',
    + })
    - const send = Hooks.wallet.useSend()
    + const transfer = Hooks.wallet.useTransfer()
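
Review bot: in the `Actions.wallet.transfer` call the amount key changes from `value` to `amount` along with the function name, so a call site that only renames `send` to `transfer` would still pass `value: '1.5'`. Searching this repository for `Actions.wallet.send` and `Hooks.wallet.useSend` before merging would confirm whether any caller needs both edits. The note above this diff also says the release moves the `accounts` peer dependency to ~0.12, while this PR takes `accounts` to 0.14.4, so the resolved peer range is worth checking in the lockfile.
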
  • Updated dependencies [f1e6d70, 4c44cd0]:

    • @​wagmi/core@​3.4.12
    • @​wagmi/connectors@​8.0.14

wagmi@3.6.14

Patch Changes

  • Updated dependencies [9e8418a]:
    • @​wagmi/core@​3.4.11
    • @​wagmi/connectors@​8.0.13
Changelog

Sourced from wagmi's changelog.

3.6.15

Patch Changes

  • Handled malformed cookie state in cookieToInitialState. (#5116)

  • wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

    Also bumps the accounts peer dependency to ~0.12.

    - await Actions.wallet.send(config, {
    -   to: '0x...',
    -   token: '0x...',
    -   value: '1.5',
    - })
    + await Actions.wallet.transfer(config, {
    +   amount: '1.5',
    +   to: '0x...',
    +   token: '0x...',
    + })
    - const send = Hooks.wallet.useSend()
    + const transfer = Hooks.wallet.useTransfer()
  • Updated dependencies [f1e6d70, 4c44cd0]:

    • @​wagmi/core@​3.4.12
    • @​wagmi/connectors@​8.0.14

3.6.14

Patch Changes

  • Updated dependencies [9e8418a]:
    • @​wagmi/core@​3.4.11
    • @​wagmi/connectors@​8.0.13
Commits

Updates @stripe/stripe-js from 9.4.0 to 9.6.0

Release notes

Sourced from @​stripe/stripe-js's releases.

v9.6.0

New features

  • Add types for automatic_surcharge (#918)

Fixes

Changed

v9.5.0

Changed

  • Add types for new PE and ECE availablepaymentmethodschange event (#924)
Commits

Updates accounts from 0.10.2 to 0.14.4

Release notes

Sourced from accounts's releases.

accounts@0.14.4

Patch Changes

  • 8afc239: Fix React Native auth token handling and mobile auth URL encoding.

accounts@0.14.3

Patch Changes

  • 801e18a: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.
  • f176676: Point React Native mobile authentication at the remote manager route.

accounts@0.14.2

Patch Changes

  • 022d947: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.

accounts@0.14.1

Patch Changes

  • 62705cb: Added an on filter to the wallet_connect showDeposit capability to direct if the deposit screen should be shown on login or register.

accounts@0.14.0

Minor Changes

  • feb1ab6: Breaking: Updated Tempo chain imports to use scoped chain entrypoints. Bump your Viem version to >=2.50.4.

Patch Changes

  • 7aeec48: Fixed access key authorization to reject requests that require external key material when none is provided.
  • 78778cb: Added a Privy adapter for connecting and signing with app-provided Privy embedded wallet accounts.
  • e15757f: Added a showDeposit capability to wallet_connect.

accounts@0.13.0

Minor Changes

  • 0666744: Breaking: Changed Handler.auth() to require callers to provide origin or domain, so SIWE challenge and verify flows pinned domain binding instead of deriving it from request Host headers.

  • f652ff2: Breaking: Updated wallet_deposit params to use amount and token and removed value.

    provider.request({
      method: 'wallet_deposit',
    - params: [{ value: '25' }],
    + params: [{ amount: '25', token: 'pathUSD' }],
    })
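
Review bot: the `params` line now needs `token` alongside `amount`, and `value` is removed, so any `wallet_deposit` caller that still sends `{ value: '25' }` has to be updated with this bump. The jump from 0.10.2 to 0.14.4 crosses this breaking change as well as the `Handler.auth()` one listed just above it, so both call shapes should be checked in this repository before merging.
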

Patch Changes

  • ab516b7: Fixed WebAuthn credential storage to bind credentials to their registered user id and use atomic duplicate rejection when the configured Kv supports it.
  • 4029a37: Fixed dialog auth capability handling to forward returned auth tokens through wallet connection account results.

... (truncated)

Changelog

Sourced from accounts's changelog.

0.14.4

Patch Changes

  • 8afc239: Fix React Native auth token handling and mobile auth URL encoding.

0.14.3

Patch Changes

  • 801e18a: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.
  • f176676: Point React Native mobile authentication at the remote manager route.

0.14.2

Patch Changes

  • 022d947: Simplified Privy account loading and fixed stale wallet cache handling after failed account selection.

0.14.1

Patch Changes

  • 62705cb: Added an on filter to the wallet_connect showDeposit capability to direct if the deposit screen should be shown on login or register.

0.14.0

Minor Changes

  • feb1ab6: Breaking: Updated Tempo chain imports to use scoped chain entrypoints. Bump your Viem version to >=2.50.4.

Patch Changes

  • 7aeec48: Fixed access key authorization to reject requests that require external key material when none is provided.
  • 78778cb: Added a Privy adapter for connecting and signing with app-provided Privy embedded wallet accounts.
  • e15757f: Added a showDeposit capability to wallet_connect.

0.13.0

Minor Changes

  • 0666744: Breaking: Changed Handler.auth() to require callers to provide origin or domain, so SIWE challenge and verify flows pinned domain binding instead of deriving it from request Host headers.

  • f652ff2: Breaking: Updated wallet_deposit params to use amount and token and removed value.

    provider.request({
      method: 'wallet_deposit',
    - params: [{ value: '25' }],
    + params: [{ amount: '25', token: 'pathUSD' }],
    })

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 1, 2026
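
The ws 8.21.0 note above describes one-byte, never-final fragments exhausting memory and names `maxPayload`, `maxFragments` and `maxBufferedChunks`; the sketch below models why a byte cap alone leaves many small retained chunks and what a fragment-count cap changes. It is an added example, not code from ws or from this PR: `Reassembler`, `flood`, the close codes and the meaning given to `maxFragments` are assumptions, and control frames, masking and extended lengths are not modelled.

```javascript
// Added model of a receiver-side reassembly guard; not the ws implementation.
// maxFragments is treated here as an assumed per-message cap on retained fragments.

// Build an unmasked RFC 6455 data frame with a payload under 126 bytes (constructed input).
function frame(fin, opcode, payload) {
  return Buffer.concat([Buffer.from([(fin ? 0x80 : 0) | opcode, payload.length]), payload]);
}

class Reassembler {
  constructor({ maxPayload, maxFragments = Infinity }) {
    this.maxPayload = maxPayload;
    this.maxFragments = maxFragments;
    this.reset();
  }

  reset() {
    this.fragments = [];
    this.bytes = 0;
  }

  fail(code) {
    this.reset(); // release everything retained for the aborted message
    return { close: code };
  }

  // Accepts one whole frame; returns { pending }, { message } or { close }.
  push(buf) {
    const fin = (buf[0] & 0x80) !== 0;
    const opcode = buf[0] & 0x0f;
    const length = buf[1] & 0x7f;
    if (length > 125) return this.fail(1002); // extended lengths are out of scope here
    const midMessage = this.fragments.length > 0;
    // Opcode 0 (continuation) is valid only while a message is in progress.
    if ((opcode === 0) !== midMessage) return this.fail(1002);
    this.bytes += length;
    if (this.bytes > this.maxPayload) return this.fail(1009);
    this.fragments.push(buf.subarray(2, 2 + length));
    // The byte cap alone still lets a peer pin up to maxPayload one-byte chunks,
    // each carrying per-object overhead, so the fragment count is capped as well.
    if (this.fragments.length > this.maxFragments) return this.fail(1009);
    if (!fin) return { pending: this.fragments.length };
    const message = Buffer.concat(this.fragments, this.bytes);
    this.reset();
    return { message };
  }
}

// Replay the pattern from the release note (one-byte frames, fin never set).
function flood(limits, attempts) {
  const r = new Reassembler(limits);
  for (let i = 0; i < attempts; i++) {
    const res = r.push(frame(false, i === 0 ? 0x2 : 0x0, Buffer.alloc(1)));
    if (res.close) return { accepted: i, close: res.close };
  }
  return { accepted: attempts, close: null };
}

console.log(flood({ maxPayload: 65536 }, 100000));
console.log(flood({ maxPayload: 65536, maxFragments: 128 }, 100000));
```

With only the byte cap the model holds 65536 separate one-byte chunks before closing; with the count cap it closes after 128, which is also why lowering `maxPayload` reduces exposure on versions without the new options.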
socket-security Bot commented Jun 1, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

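| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | incur@0.4.6 | 76 | 100 | 100 | 96 | 100 |
| Updated | accounts@0.10.2 ⏵ 0.14.4 | 77 -1 | 100 | 99 +1 | 97 +1 | 100 |
| Added | wagmi@3.6.15 | 80 | 100 | 79 | 98 | 100 |
| Added | bun@1.3.14 | 91 | 100 | 80 | 95 | 100 |
| Added | @tanstack/react-query@5.100.14 | 99 | 100 | 88 | 98 | 100 |
| Added | ws@8.21.0 | 98 | 100 | 100 | 94 | 100 |
| Updated | @stripe/stripe-js@9.4.0 ⏵ 9.6.0 | 100 +1 | 100 | 100 | 100 | 100 |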

View full report

pkg-pr-new Bot commented Jun 1, 2026

Open in StackBlitz

npm i https://pkg.pr.new/mppx@490

commit: efc4ea4

…updates

Bumps the npm-production group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [incur](https://github.com/wevm/incur) | `0.4.5` | `0.4.6` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.6.0` | `25.9.1` |
| [ws](https://github.com/websockets/ws) | `8.20.1` | `8.21.0` |
| [@remix-run/node-fetch-server](https://github.com/remix-run/remix/tree/HEAD/packages/node-fetch-server) | `0.13.1` | `0.13.3` |
| [bun](https://github.com/oven-sh/bun) | `1.3.13` | `1.3.14` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.10` | `5.100.14` |
| [wagmi](https://github.com/wevm/wagmi/tree/HEAD/packages/react) | `3.6.13` | `3.6.15` |
| [@stripe/stripe-js](https://github.com/stripe/stripe-js) | `9.4.0` | `9.6.0` |
| [accounts](https://github.com/tempoxyz/accounts) | `0.10.2` | `0.14.4` |



Updates `incur` from 0.4.5 to 0.4.6
- [Release notes](https://github.com/wevm/incur/releases)
- [Changelog](https://github.com/wevm/incur/blob/main/CHANGELOG.md)
- [Commits](https://github.com/wevm/incur/compare/incur@0.4.5...incur@0.4.6)

Updates `@types/node` from 25.6.0 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `ws` from 8.20.1 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.1...8.21.0)

Updates `@remix-run/node-fetch-server` from 0.13.1 to 0.13.3
- [Release notes](https://github.com/remix-run/remix/releases)
- [Changelog](https://github.com/remix-run/remix/blob/main/packages/node-fetch-server/CHANGELOG.md)
- [Commits](https://github.com/remix-run/remix/commits/v0.13.3/packages/node-fetch-server)

Updates `bun` from 1.3.13 to 1.3.14
- [Release notes](https://github.com/oven-sh/bun/releases)
- [Commits](oven-sh/bun@bun-v1.3.13...bun-v1.3.14)

Updates `@tanstack/react-query` from 5.100.10 to 5.100.14
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.14/packages/react-query)

Updates `wagmi` from 3.6.13 to 3.6.15
- [Release notes](https://github.com/wevm/wagmi/releases)
- [Changelog](https://github.com/wevm/wagmi/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/wevm/wagmi/commits/wagmi@3.6.15/packages/react)

Updates `@stripe/stripe-js` from 9.4.0 to 9.6.0
- [Release notes](https://github.com/stripe/stripe-js/releases)
- [Commits](stripe/stripe-js@v9.4.0...v9.6.0)

Updates `accounts` from 0.10.2 to 0.14.4
- [Release notes](https://github.com/tempoxyz/accounts/releases)
- [Changelog](https://github.com/tempoxyz/accounts/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tempoxyz/accounts/compare/accounts@0.10.2...accounts@0.14.4)

---
updated-dependencies:
- dependency-name: "@remix-run/node-fetch-server"
  dependency-version: 0.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: "@stripe/stripe-js"
  dependency-version: 9.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
- dependency-name: accounts
  dependency-version: 0.14.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
- dependency-name: bun
  dependency-version: 1.3.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: incur
  dependency-version: 0.4.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: wagmi
  dependency-version: 3.6.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-production-66636df159 branch from bd82aa1 to efc4ea4 Compare June 1, 2026 09:26