Skip to content

chore(deps): bump the npm-dependencies group across 1 directory with 3 updates#48

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/conformance/npm-dependencies-d359af47ea
Open

chore(deps): bump the npm-dependencies group across 1 directory with 3 updates#48
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/conformance/npm-dependencies-d359af47ea

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-dependencies group with 3 updates in the /conformance directory: mppx, @types/node and tsx.

Updates mppx from 0.7.0 to 0.8.5

Release notes

Sourced from mppx's releases.

mppx@0.8.5

Patch Changes

  • 754b491: Added viem token definitions and token sets to make managing tokens simpler.

mppx@0.8.4

Patch Changes

  • 3136195: Fixed Tempo auto-swap call building with viem@>=2.54 and hardened account balance metadata formatting.
  • 86b6586: Fixed Stripe CLI live-mode Shared Payment Token creation. SPT requests now send the preview Stripe-Version header, live-mode requests target the issued-tokens endpoint with seller_details[network_business_profile], and restricted test keys (rk_test_...) are recognized as test mode.
  • cdd989e: Added a mppx validate CLI command for discovering paid endpoints, validating payment challenges, checking malformed-credential handling, and exercising Tempo payment flows end to end.

mppx@0.8.3

Patch Changes

  • be8a655: Fixed Tempo charge credential creation with viem@>=2.54 transfer call builders.

mppx@0.8.2

Patch Changes

  • 80ed268: Added CLI selection of payable Tempo charge challenges and a currency override.
  • 24ddf52: Filtered unsupported x402 accepts during HTTP client challenge extraction.
  • 24ddcca: Rejected non-canonical fee-payer calldata and client-supplied access lists before sponsorship.
  • 685f698: Fixed MCP payment-aware fetch retries for tool results with payment-required metadata.
  • 8305a05: Added configurable incremental payment challenge retries for client fetch, defaulting to three.

mppx@0.8.1

Patch Changes

  • 2c4086f: Disabled automatic CLI configuration discovery from local directories.
  • 2158a40: Enforced sponsor fee policies before hosted fee-payer signing.
  • ca8687b: Validated session open deposit and voucher amounts before sponsored broadcast.

mppx@0.8.0

Minor Changes

  • daab9b8: Breaking: Collapsed McpClient.wrap and the in-place wrapClient variant into a single McpClient.wrap API on the mppx/mcp/client entrypoint.

    McpClient.wrap now adds payment handling to an MCP SDK client in place: the client is mutated and the same reference is returned, so surfaces that keep using the original client become payment-aware (e.g. when another SDK owns the client reference, like Cloudflare Agents). The MCP SDK callTool(params, resultSchema?, options?) signature is preserved, payment challenges are handled whether they arrive as payment-required errors or as tool results carrying org.paymentauth/payment-required metadata, and the config accepts orderChallenges and paymentPreferences alongside methods and onPaymentRequired. Calling wrap on the same client again replaces its payment configuration.

    Migration: move per-call options from the second argument to the third — mcp.callTool(params, undefined, { context, timeout }) — and replace the approval-first overload mcp.callTool(onPaymentRequired, params, options) with the onPaymentRequired option: mcp.callTool(params, undefined, { onPaymentRequired }) (pass null to bypass a configured hook). The MCP entrypoints moved to mppx/mcp/client and mppx/mcp/server; the mppx/mcp-sdk/* specifiers remain as aliases.

  • e755222: Settled MCP-over-HTTP payment challenges in the same payment-aware fetch as HTTP 402s, so Transport.http() can extract JSON-RPC -32042 challenges and retry with credentials in MCP metadata.

  • 18b57cc: Added a pluggable channelStore for persisting reusable payer session channels and removed the client-side authorizedSigner override so voucher authority is derived from the selected account.

Patch Changes

  • 4c79a78: Rejected empty Payment challenge IDs during construction and deserialization.
  • 7c38c17: Deprecated uppercase asset and chain aliases in favor of lowercase exports.
  • 0e88d07: Corrected PaymentRequest documentation examples to use the exported namespace name.

... (truncated)

Changelog

Sourced from mppx's changelog.

0.8.5

Patch Changes

  • 754b491: Added viem token definitions and token sets to make managing tokens simpler.

0.8.4

Patch Changes

  • 3136195: Fixed Tempo auto-swap call building with viem@>=2.54 and hardened account balance metadata formatting.
  • 86b6586: Fixed Stripe CLI live-mode Shared Payment Token creation. SPT requests now send the preview Stripe-Version header, live-mode requests target the issued-tokens endpoint with seller_details[network_business_profile], and restricted test keys (rk_test_...) are recognized as test mode.
  • cdd989e: Added a mppx validate CLI command for discovering paid endpoints, validating payment challenges, checking malformed-credential handling, and exercising Tempo payment flows end to end.

0.8.3

Patch Changes

  • be8a655: Fixed Tempo charge credential creation with viem@>=2.54 transfer call builders.

0.8.2

Patch Changes

  • 80ed268: Added CLI selection of payable Tempo charge challenges and a currency override.
  • 24ddf52: Filtered unsupported x402 accepts during HTTP client challenge extraction.
  • 24ddcca: Rejected non-canonical fee-payer calldata and client-supplied access lists before sponsorship.
  • 685f698: Fixed MCP payment-aware fetch retries for tool results with payment-required metadata.
  • 8305a05: Added configurable incremental payment challenge retries for client fetch, defaulting to three.

0.8.1

Patch Changes

  • 2c4086f: Disabled automatic CLI configuration discovery from local directories.
  • 2158a40: Enforced sponsor fee policies before hosted fee-payer signing.
  • ca8687b: Validated session open deposit and voucher amounts before sponsored broadcast.

0.8.0

Minor Changes

  • daab9b8: Breaking: Collapsed McpClient.wrap and the in-place wrapClient variant into a single McpClient.wrap API on the mppx/mcp/client entrypoint.

    McpClient.wrap now adds payment handling to an MCP SDK client in place: the client is mutated and the same reference is returned, so surfaces that keep using the original client become payment-aware (e.g. when another SDK owns the client reference, like Cloudflare Agents). The MCP SDK callTool(params, resultSchema?, options?) signature is preserved, payment challenges are handled whether they arrive as payment-required errors or as tool results carrying org.paymentauth/payment-required metadata, and the config accepts orderChallenges and paymentPreferences alongside methods and onPaymentRequired. Calling wrap on the same client again replaces its payment configuration.

    Migration: move per-call options from the second argument to the third — mcp.callTool(params, undefined, { context, timeout }) — and replace the approval-first overload mcp.callTool(onPaymentRequired, params, options) with the onPaymentRequired option: mcp.callTool(params, undefined, { onPaymentRequired }) (pass null to bypass a configured hook). The MCP entrypoints moved to mppx/mcp/client and mppx/mcp/server; the mppx/mcp-sdk/* specifiers remain as aliases.

  • e755222: Settled MCP-over-HTTP payment challenges in the same payment-aware fetch as HTTP 402s, so Transport.http() can extract JSON-RPC -32042 challenges and retry with credentials in MCP metadata.

  • 18b57cc: Added a pluggable channelStore for persisting reusable payer session channels and removed the client-side authorizedSigner override so voucher authority is derived from the selected account.

... (truncated)

Commits

Updates @types/node from 25.9.3 to 26.1.0

Commits

Updates tsx from 4.22.4 to 4.23.0

Release notes

Sourced from tsx's releases.

v4.23.0

4.23.0 (2026-07-03)

Bug Fixes

Features


This release is also available on:

v4.22.5

4.22.5 (2026-07-02)

Bug Fixes

  • isolate hook state per async module.register() registration (a305f36)

This release is also available on:

Commits
  • 1dfad37 docs: cite esbuild's extension-resolution model in node notes
  • 257bbbb fix: avoid redundant filesystem probes during module resolution
  • c178197 feat: add multi-scenario startup benchmark suite
  • 51800ac docs: add Node internals knowledge base (notes/node)
  • a305f36 fix: isolate hook state per async module.register() registration
  • ca501a9 chore: upgrade skills-npm to v1.2.0
  • 596cd1f test: cover __dirname, __filename, & require.cache in CJS TS file
  • 75d9bf0 test: lock in lenient ESM for ambiguous and CJS-typed packages
  • 1472f3e test: cover ESM-syntax dependency with omitted "type" field
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…3 updates

Bumps the npm-dependencies group with 3 updates in the /conformance directory: [mppx](https://github.com/wevm/mppx), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [tsx](https://github.com/privatenumber/tsx).


Updates `mppx` from 0.7.0 to 0.8.5
- [Release notes](https://github.com/wevm/mppx/releases)
- [Changelog](https://github.com/wevm/mppx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/wevm/mppx/compare/mppx@0.7.0...mppx@0.8.5)

Updates `@types/node` from 25.9.3 to 26.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `tsx` from 4.22.4 to 4.23.0
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.4...v4.23.0)

---
updated-dependencies:
- dependency-name: mppx
  dependency-version: 0.8.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​tsx@​4.22.4 ⏵ 4.23.095 -410071 -1093100
Updatednpm/​@​types/​node@​25.9.3 ⏵ 26.1.0100 +110081 +196100
Updatednpm/​mppx@​0.7.0 ⏵ 0.8.581100100 +198 +1100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants