chore(deps): bump the npm-production group across 1 directory with 7 updates

[dependabot]

Bumps the npm-production group with 7 updates in the / directory:

Package	From	To
incur	0.3.23	0.3.25
ox	0.14.7	0.14.15
@types/node	25.5.0	25.6.0
vite	8.0.5	8.0.8
@metamask/sdk	0.33.1	0.34.0
@stripe/stripe-js	8.9.0	9.1.0
accounts	0.4.12	0.6.1

Updates incur from 0.3.23 to 0.3.25

Release notes

Sourced from incur's releases.

incur@0.3.25

Patch Changes

• abfa8c7: Fixed Root CLIs created with Cli.create and aliases not registering those aliases as command aliases when mounted via cli.command().

incur@0.3.24

Patch Changes

• 250e65f: Added command-level aliases option for subcommands (e.g. aliases: ['extensions', 'ext'] on an extension command).
• 26d7bf8: Fixed root fetch/command fallback bypassing "Did you mean?" suggestions when the input is a typo of a known command.

Changelog

Sourced from incur's changelog.

0.3.25

Patch Changes

• abfa8c7: Fixed Root CLIs created with Cli.create and aliases not registering those aliases as command aliases when mounted via cli.command().

0.3.24

Patch Changes

• 250e65f: Added command-level aliases option for subcommands (e.g. aliases: ['extensions', 'ext'] on an extension command).
• 26d7bf8: Fixed root fetch/command fallback bypassing "Did you mean?" suggestions when the input is a typo of a known command.

Commits

• 42c1591 chore: version packages (#125)
• abfa8c7 fix: register aliases from Root CLI when mounted via cli.command() (#124)
• 5a19855 chore: version packages (#123)
• 26d7bf8 fix: show 'did you mean?' instead of root fallback for command typos (#122)
• 250e65f feat: add command-level aliases (#121)
• See full diff in compare view

Updates ox from 0.14.7 to 0.14.15

Release notes

Sourced from ox's releases.

ox@0.14.15

Patch Changes

• d073091 Thanks @​jxom! - Fixed TransactionRequest.blobVersionedHashes to include | undefined for exactOptionalPropertyTypes compatibility.

ox@0.14.14

Patch Changes

• 14137f7 Thanks @​jxom! - Added RpcSchema.ToViem and RpcSchema.FromViem type utilities for converting between Ox and Viem RPC schema formats. Added tempo_simulateV1 RPC schema to ox/tempo.

ox@0.14.13

Patch Changes

• 68f8fa0 Thanks @​jxom! - viem/tempo: Renamed contractAddress to address on KeyAuthorization.Scope. Added support for human-readable ABI signatures in selector (e.g. 'transfer(address,uint256)'), which are automatically encoded into 4-byte selectors.

ox@0.14.12

Patch Changes

• #208 30537f8 Thanks @​dgca! - Added serviceCodes field to ERC-8021 Attribution schema.

• #211 9d0d676 Thanks @​jxom! - viem/tempo: Added support for period and call scopes on KeyAuthorization.

ox@0.14.11

Patch Changes

• #209 52d985e Thanks @​jxom! - Fixed Credential.serialize to extract authenticatorData from the CBOR-encoded attestationObject when the browser/passkey provider doesn't expose it on the response object (e.g. Firefox + 1Password).

ox@0.14.10

Patch Changes

• #204 9aec6a9 Thanks @​jxom! - Added Ed25519.toX25519PublicKey and Ed25519.toX25519PrivateKey for converting Ed25519 keys to X25519 keys. Useful for performing X25519 Diffie-Hellman key exchange using an Ed25519 signing key pair.

ox@0.14.9

Patch Changes

• #201 ea94ea6 Thanks @​decofe! - Fixed KeyAuthorization.fromRpc to preserve undefined expiry instead of defaulting to 0.

ox@0.14.8

Patch Changes

• 0d0575e Thanks @​jxom! - Added ERC-8021 Schema 2 (CBOR-encoded) attribution support to the Attribution module.

Commits

• c10bae5 chore: version packages (#215)
• d073091 fix: add undefined to blobVersionedHashes for exactOptionalPropertyTypes
• 25b4cbe rename tempo RpcSchema to RpcSchemaTempo
• acacde8 fix: dead link to /api/RpcSchema in json-rpc guide
• 1193caf chore: version packages (#214)
• e9c77c9 Update tempo-rpc-schema.md
• 14137f7 feat: add tempo_simulateV1 RpcSchema + ToViem/FromViem conversions
• fc0a3b9 chore: version packages (#213)
• 09affde fix: remaining contractAddress references in e2e tests
• 68f8fa0 feat(tempo): rename Scope.contractAddress to address, support signatures in s...
• Additional commits viewable in compare view

Updates @types/node from 25.5.0 to 25.6.0

Commits

• See full diff in compare view

Updates vite from 8.0.5 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

• update rolldown to 1.0.0-rc.15 (#22201) (6baf587)

Bug Fixes

• avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
• ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

• use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

• update rolldown to 1.0.0-rc.13 (#22097) (51d3e48)

Bug Fixes

• css: avoid mutating sass error multiple times (#22115) (d5081c2)
• optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)

Performance Improvements

• early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

• create-vite: remove unnecessary DOM.Iterable (#22168) (bdc53ab)
• replace remaining prettier script (#22179) (af71fb2)

Commits

• 6e585dc release: v8.0.8
• e137601 fix(ssr): class property keys hoisting matching imports (#22199)
• 15f1c15 fix: avoid dns.getDefaultResultOrder temporary (#22202)
• 6baf587 feat: update rolldown to 1.0.0-rc.15 (#22201)
• fdb2e6f release: v8.0.7
• 5c05b04 fix: use sync dns.getDefaultResultOrder instead of dns.promises (#22185)
• 7b3086f release: v8.0.6
• af71fb2 chore: replace remaining prettier script (#22179)
• 51d3e48 feat: update rolldown to 1.0.0-rc.13 (#22097)
• 17a8f9e fix(optimize-deps): hoist CJS interop assignment (#22156)
• Additional commits viewable in compare view

Updates @metamask/sdk from 0.33.1 to 0.34.0

Changelog

Sourced from @​metamask/sdk's changelog.

[0.34.0]

Added

• Introduces a new hideReturnToAppNotification option (default false) and passes it through to deeplink/QR URLs (#1350)

Commits

• 338a07a Release 116.0.0 (#1383)
• 9ea3ee0 Revert "Release 116.0.0 (#1380)" (#1382)
• 45f4136 Release 116.0.0 (#1380)
• 3d4e103 Revert "Release/116.0.0 (#1364)" (#1379)
• 97749a2 Release/116.0.0 (#1364)
• 1cff69d feat: Add option to hide return modal (#1350)
• See full diff in compare view

Updates @stripe/stripe-js from 8.9.0 to 9.1.0

Release notes

Sourced from @​stripe/stripe-js's releases.

v9.1.0

New features

• Update type to have percentage (#911)
• Add unit amount decimal (#907)

v9.0.1

New features

• Add Contributing section to README (#901)

Fixes

• Include klarna in TermsOption (#905)
• Add verification types for TaxIdElement (#904)

Changed

• Bump picomatch from 2.2.2 to 2.3.2 (#902)
• Bump picomatch from 2.2.2 to 2.3.2 in /examples/rollup (#903)

v9.0.0

New features

• Change elements.update() return type from void to Promise (#888)

Changed

• Updated types for Dahlia (#883, #898)
• update type for createEmbeddedCheckoutPage rename (#890)
• add format to getValue for addressElement (#886)
• Remove boolean from RadiosOption type for Dahlia (#885)
• Remove createSource and retrieveSource types for Dahlia (#892)

v8.11.0

New features

Fixes

Changed

• [Payment Form Element] Add paymentMethods and rename wallets to expressCheckout (#894)

... (truncated)

Commits

• 49a6a71 v9.1.0
• afc8739 Update type to have percentage (#911)
• b0ad84c Add unit amount decimal (#907)
• 437bfdf v9.0.1
• d9e8bd1 Include klarna in TermsOption (#905)
• 8d12463 Bump picomatch from 2.2.2 to 2.3.2 (#902)
• 443511d Bump picomatch from 2.2.2 to 2.3.2 in /examples/rollup (#903)
• 0c277af Add verification types for TaxIdElement (#904)
• f375884 Add Contributing section to README (#901)
• d0628d5 v9.0.0
• Additional commits viewable in compare view

Updates accounts from 0.4.12 to 0.6.1

Release notes

Sourced from accounts's releases.

accounts@0.6.1

Patch Changes

• 1aa18fe: Added feePayer to wallet_sendCalls capabilities and wallet_getCapabilities response.
• 1aa18fe: Support feePayer: false to opt out of fee payers on a per-transaction basis when a provider-level fee payer is configured.

accounts@0.6.0

Minor Changes

• 36db0d9: Breaking: Renamed feePayerUrl to feePayer.

accounts@0.5.9

Patch Changes

• 901cfee: Fixed iframe dialog getting stuck on "Check prompt" when the store is swapped during React re-renders.

accounts@0.5.8

Patch Changes

• b4c87a3: Fixed iframe dialog getting stuck on "Check prompt" when the store is swapped during React re-renders.
• 567bf0a: Added accounts/react-native entrypoint with React Native adapter and storage implementation.

accounts@0.5.7

Patch Changes

• cc334ff: Injected active chainId into transaction requests when the consumer does not provide one.

accounts@0.5.6

Patch Changes

• 6eff229: Added privateKey support to dangerous_secp256k1() so wagmi configs could pin distinct signers per connector.

accounts@0.5.5

Patch Changes

• b03c228: Bumped deps

accounts@0.5.4

Patch Changes

• 4936c12: Fixed Dialog.iframe() injecting duplicate iframes by caching the instance as a singleton keyed by host.

accounts@0.5.3

Patch Changes

• 7134f07: Updated internal dependencies.

accounts@0.5.2

Patch Changes

... (truncated)

Changelog

Sourced from accounts's changelog.

0.6.1

Patch Changes

• 1aa18fe: Added feePayer to wallet_sendCalls capabilities and wallet_getCapabilities response.
• 1aa18fe: Support feePayer: false to opt out of fee payers on a per-transaction basis when a provider-level fee payer is configured.

0.6.0

Minor Changes

• 36db0d9: Breaking: Renamed feePayerUrl to feePayer.

0.5.9

Patch Changes

• 901cfee: Fixed iframe dialog getting stuck on "Check prompt" when the store is swapped during React re-renders.

0.5.8

Patch Changes

• b4c87a3: Fixed iframe dialog getting stuck on "Check prompt" when the store is swapped during React re-renders.
• 567bf0a: Added accounts/react-native entrypoint with React Native adapter and storage implementation.

0.5.7

Patch Changes

• cc334ff: Injected active chainId into transaction requests when the consumer does not provide one.

0.5.6

Patch Changes

• 6eff229: Added privateKey support to dangerous_secp256k1() so wagmi configs could pin distinct signers per connector.

0.5.5

Patch Changes

• b03c228: Bumped deps

0.5.4

Patch Changes

• 4936c12: Fixed Dialog.iframe() injecting duplicate iframes by caching the instance as a singleton keyed by host.

... (truncated)

Commits

• b9a121f chore: version packages (#181)
• 1aa18fe feat: support feePayer: false opt-out; add feePayer capabilities (#180)
• 9fd6988 chore: version packages (#179)
• 36db0d9 feat: rename feePayerUrl to feePayer with precedence support (#178)
• a41e590 chore: version packages (#177)
• 901cfee fix: search previous stores for in-flight responses on iframe re-entry (#176)
• d7737c4 chore(deps): bump actions/cache from 4.3.0 to 5.0.4 (#169)
• 6d6901e chore: version packages (#174)
• b4c87a3 fix: migrate pending requests on iframe singleton re-entry (#175)
• 567bf0a feat: add accounts/react-native entrypoint (#155)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​sdk@​0.33.1 ⏵ 0.34.0	+3		+1	+38
	@​typescript/​native-preview@​7.0.0-dev.20260416.2 ⏵ 7.0.0-dev.20260418.1
	incur@​0.3.23 ⏵ 0.3.25	-3
	accounts@​0.4.12 ⏵ 0.6.1	+1		+1	+2
	@​stripe/​stripe-js@​9.2.0 ⏵ 9.1.0				-1

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/mppx@373

commit: 75f2694