Skip to content

chore(deps): bump the npm-production group with 5 updates#619

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-production-a7cca51538
Closed

chore(deps): bump the npm-production group with 5 updates#619
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-production-a7cca51538

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-production group with 5 updates:

Package From To
incur 0.4.9 0.4.10
hono 4.12.26 4.12.27
vite 8.0.16 8.1.0
@tanstack/react-query 5.101.0 5.101.2
wagmi 3.6.17 3.6.21

Updates incur from 0.4.9 to 0.4.10

Release notes

Sourced from incur's releases.

incur@0.4.10

Patch Changes

  • a94480c: Added mcp doctor command that smoke-tests MCP initialization and tool listing without calling tools.
  • f069769: Added MCP tool name and description metadata overrides for commands, including duplicate exposed-name validation.
  • 309d566: Added support for non-object MCP output schemas by omitting them from tool registration while preserving JSON text output.
Changelog

Sourced from incur's changelog.

0.4.10

Patch Changes

  • a94480c: Added mcp doctor command that smoke-tests MCP initialization and tool listing without calling tools.
  • f069769: Added MCP tool name and description metadata overrides for commands, including duplicate exposed-name validation.
  • 309d566: Added support for non-object MCP output schemas by omitting them from tool registration while preserving JSON text output.
Commits

Updates hono from 4.12.26 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

Commits

Updates vite from 8.0.16 to 8.1.0

Release notes

Sourced from vite's releases.

create-vite@8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0

Please refer to CHANGELOG.md for details.

v8.1.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.1.0-beta.0

Please refer to CHANGELOG.md for details.

v8.1.0-beta.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.1.0 (2026-06-23)

Features

Bug Fixes

  • bundled-dev: errors should be kept when incremental build fails (#22617) (9a0dd48)
  • cache falsy values in perEnvironmentState (#22715) (0e91e79)
  • glob: respect caseSensitive option in hmr matcher (#22711) (65f525e)
  • html: omit nonce on import map when cspNonce is unset (#22713) (8340bb5)
  • optimizer: skip null-valued exports in expandGlobIds glob resolution (#22611) (8b9f5cd)
  • resolved build options should be kept as a getter (#22691) (3527191)
  • server: handle malformed URI in memory files middleware (#22714) (df9e0a5)
  • use literal envPrefix queries for Vite Task (#22706) (da72733)
  • warn on deprecated envFile (#22555) (ed7b283)

Code Refactoring

8.1.0-beta.0 (2026-06-15)

Features

  • import.meta.glob support caseSensitive option (#21707) (2ad6737)
  • add warning to discourage Vite with yarn pnp (#21906) (3fbb55a)
  • build: chunk importmap (#21580) (e180312)
  • css: support lightningcss plugin dependency (#21748) (0b7aaed)
  • deps: bump @​vitejs/devtools peer dependency version (#22542) (d2c2bc0)
  • html: add html.additionalAssetSources option (#21412) (a41404b)
  • integrate with Vite Task for zero-config build caching (#22453) (f8d75f7)
  • rename server.hmr options to server.ws options (#21357) (9ce3036)
  • server: support multiple hosts in __VITE_ADDITIONAL_SERVER_ALLOWED_HOSTS (#21501) (735f9a1)
  • track dependencies when loading config with native (#22602) (a7e2da8)
  • types: add more precise typing for known query types to match known as types (#21863) (cc39e55)
  • update rolldown to 1.1.1 (#22593) (8a13d63)
  • wasm: direct .wasm imports (WASM ESM Integration) (#21779) (c23d85b)

Bug Fixes

  • apply correct fs restrictions for pnpm gvs (#22415) (092320b)
  • css: support external CSS with lightningcss (#18389) (d64a1a5)
  • deps: update all non-major dependencies (#22637) (44bb9d9)
  • deps: update all non-major dependencies (#22681) (f4f0633)
  • html: insert import map before modulepreload that is not self-close tag (#21409) (e399c89)
  • optimizer: preserve sourcemaps for transformed optimized deps with follow-up transforms (#22428) (1298951)

... (truncated)

Commits

Updates @tanstack/react-query from 5.101.0 to 5.101.2

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.2

Patch Changes

@​tanstack/react-query-next-experimental@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.101.2

@​tanstack/react-query-persist-client@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.2
    • @​tanstack/react-query@​5.101.2

@​tanstack/react-query@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.2

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-next-experimental@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-persist-client@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query@​5.101.1

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.2

5.101.1

Patch Changes

  • Updated dependencies [9eff92e]:
    • @​tanstack/query-core@​5.101.1
Commits
  • 610e8d1 ci: Version Packages (#10996)
  • 1f84256 docs: document the select typing caveat for parallel-queries hooks (#10984)
  • b809297 ci: Version Packages (#10977)
  • ccc843e test({react,preact}-query/useQueries): move type-only tests to 'useQueries.te...
  • 4154613 test({react,preact}-query/useMutation): split 'should handle conditional logi...
  • 8bb5fde test({react,preact}-query/useMutation): split 'should pass meta to mutation' ...
  • 87426a3 test(react-query): replace deprecated 'toBeCalledTimes' with 'toHaveBeenCalle...
  • feb1efd test(*): move 'vi.useRealTimers' to the end of 'afterEach' so cleanup runs un...
  • See full diff in compare view

Updates wagmi from 3.6.17 to 3.6.21

Release notes

Sourced from wagmi's releases.

wagmi@3.6.21

Patch Changes

  • Fixed Tempo types so transaction override parameters are optional. (#5171)

  • Updated dependencies [1d6989e]:

    • @​wagmi/core@​3.5.5
    • @​wagmi/connectors@​8.0.20

wagmi@3.6.20

Patch Changes

  • Fixed Tempo Zone types for optional fields. (#5167)

  • Updated dependencies [f0b78c3]:

    • @​wagmi/core@​3.5.4
    • @​wagmi/connectors@​8.0.19

wagmi@3.6.19

Patch Changes

  • Added connector-specific subpath exports and marked optional connector dependency imports as optional for Turbopack resolution. (#5165)

  • Updated dependencies [05338be, 05338be]:

    • @​wagmi/connectors@​8.0.18
    • @​wagmi/core@​3.5.3

wagmi@3.6.18

Patch Changes

  • Updated dependencies [3e12a5e]:
    • @​wagmi/connectors@​8.0.17
    • @​wagmi/core@​3.5.2
Changelog

Sourced from wagmi's changelog.

3.6.21

Patch Changes

  • Fixed Tempo types so transaction override parameters are optional. (#5171)

  • Updated dependencies [1d6989e]:

    • @​wagmi/core@​3.5.5
    • @​wagmi/connectors@​8.0.20

3.6.20

Patch Changes

  • Fixed Tempo Zone types for optional fields. (#5167)

  • Updated dependencies [f0b78c3]:

    • @​wagmi/core@​3.5.4
    • @​wagmi/connectors@​8.0.19

3.6.19

Patch Changes

  • Added connector-specific subpath exports and marked optional connector dependency imports as optional for Turbopack resolution. (#5165)

  • Updated dependencies [05338be, 05338be]:

    • @​wagmi/connectors@​8.0.18
    • @​wagmi/core@​3.5.3

3.6.18

Patch Changes

  • Updated dependencies [3e12a5e]:
    • @​wagmi/connectors@​8.0.17
    • @​wagmi/core@​3.5.2
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-production group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [incur](https://github.com/wevm/incur) | `0.4.9` | `0.4.10` |
| [hono](https://github.com/honojs/hono) | `4.12.26` | `4.12.27` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.16` | `8.1.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.101.0` | `5.101.2` |
| [wagmi](https://github.com/wevm/wagmi/tree/HEAD/packages/react) | `3.6.17` | `3.6.21` |


Updates `incur` from 0.4.9 to 0.4.10
- [Release notes](https://github.com/wevm/incur/releases)
- [Changelog](https://github.com/wevm/incur/blob/main/CHANGELOG.md)
- [Commits](https://github.com/wevm/incur/compare/incur@0.4.9...incur@0.4.10)

Updates `hono` from 4.12.26 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.26...v4.12.27)

Updates `vite` from 8.0.16 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

Updates `@tanstack/react-query` from 5.101.0 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `wagmi` from 3.6.17 to 3.6.21
- [Release notes](https://github.com/wevm/wagmi/releases)
- [Changelog](https://github.com/wevm/wagmi/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/wevm/wagmi/commits/wagmi@3.6.21/packages/react)

---
updated-dependencies:
- dependency-name: incur
  dependency-version: 0.4.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
- dependency-name: wagmi
  dependency-version: 3.6.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
@socket-security

Copy link
Copy Markdown

@pkg-pr-new

pkg-pr-new Bot commented Jul 6, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/mppx@619

commit: cbb238a

@tmm tmm closed this Jul 9, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-production-a7cca51538 branch July 9, 2026 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant