chore(deps): bump the prod-minor-patch group across 1 directory with 6 updates

[dependabot]

Bumps the prod-minor-patch group with 6 updates in the / directory:

Package	From	To
@astrojs/react	5.0.6	5.0.7
astro	6.4.2	6.4.6
@tanstack/react-query	5.100.14	5.101.0
viem	2.52.0	2.52.2
wagmi	3.6.5	3.6.16
@anthropic-ai/sdk	0.100.1	0.104.1

Updates @astrojs/react from 5.0.6 to 5.0.7

Release notes

Sourced from @​astrojs/react's releases.

@​astrojs/react@​5.0.7

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

Changelog

Sourced from @​astrojs/react's changelog.

5.0.7

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

Commits

• 75ae5df [ci] release (#16912)
• 17a0fbd chore(deps): update devalue (#16900)
• See full diff in compare view

Updates astro from 6.4.2 to 6.4.6

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

astro@6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

astro@6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

... (truncated)

Commits

• 19ad1b4 [ci] release (#17023)
• f1baeea [ci] format
• ffda27b Validate origin in prerendered error page fetch against allowedDomains (#17033)
• 0408628 [ci] format
• add3df1 Harden addAttribute to reject invalid attribute names (#17026)
• cfeb958 [ci] format
• b10e86e fix : content collections image hmr (#16765)
• 0b879fb [ci] release (#16972)
• dc45246 Revert isNode workerd detection that caused Cloudflare build regression (#16997)
• 132a879 [ci] format
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.100.14 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

• #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

• Updated dependencies []:

  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

Commits

• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• See full diff in compare view

Updates viem from 2.52.0 to 2.52.2

Release notes

Sourced from viem's releases.

viem@2.52.2

Patch Changes

• #4718 1969c01715736de8a16b841cfed81640f0d708c2 Thanks @​jxom! - Tempo: Set the t5 hardfork on the Tempo Testnet (Moderato) chain.

Commits

• 1b6a888 chore: version package (#4719)
• 78a9a60 chore: version package (#4707)
• 5fe74ca docs(tempo): use calls in multisig transaction examples (#4716)
• 1969c01 feat(chains): set t5 hardfork on Tempo Testnet (Moderato) (#4718)
• 394f1c5 chore: bump chains size-limit budgets (#4717)
• 51c51ba Update multisig account support in viem/tempo
• a74b05d chore: bump vitest to fix audit vulnerability (#4715)
• f5ae20d feat(tempo): infer multisig config from account in prepareTransactionRequest ...
• 25c2d6a feat(tempo): add native multisig account support (#4710)
• cee9b68 chore: bump vocs to 2.0.11 (#4708)
• Additional commits viewable in compare view

Updates wagmi from 3.6.5 to 3.6.16

Release notes

Sourced from wagmi's releases.

wagmi@3.6.16

Patch Changes

• Updated dependencies [b029f1c, df7bd38, df7bd38]:
  • @​wagmi/connectors@​9.0.0
  • @​wagmi/core@​3.5.0

wagmi@3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

wagmi@3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

wagmi@3.6.13

Patch Changes

• Fixed useReadContracts to prefer an explicit chainId parameter over inferred or connected chain ids. (8c56235)

... (truncated)

Changelog

Sourced from wagmi's changelog.

3.6.16

Patch Changes

• Updated dependencies [b029f1c, df7bd38, df7bd38]:
  • @​wagmi/connectors@​9.0.0
  • @​wagmi/core@​3.5.0

3.6.15

Patch Changes

• Handled malformed cookie state in cookieToInitialState. (#5116)

• wagmi/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer and Hooks.wallet.useSend to Hooks.wallet.useTransfer. (#5121)

  Also bumps the accounts peer dependency to ~0.12.

  - await Actions.wallet.send(config, {
  -   to: '0x...',
  -   token: '0x...',
  -   value: '1.5',
  - })
  + await Actions.wallet.transfer(config, {
  +   amount: '1.5',
  +   to: '0x...',
  +   token: '0x...',
  + })

  - const send = Hooks.wallet.useSend()
  + const transfer = Hooks.wallet.useTransfer()

• Updated dependencies [f1e6d70, 4c44cd0]:

  • @​wagmi/core@​3.4.12
  • @​wagmi/connectors@​8.0.14

3.6.14

Patch Changes

• Updated dependencies [9e8418a]:
  • @​wagmi/core@​3.4.11
  • @​wagmi/connectors@​8.0.13

3.6.13

... (truncated)

Commits

• 2f77dbc chore: version packages (#5140)
• c162248 chore: drop older TypeScript support (#5139)
• f44f781 dev: bump viem version
• 98f9a16 chore: version packages (#5122)
• 4c44cd0 refactor(tempo): rename wallet.send to wallet.transfer (#5121)
• dcd6f60 chore: version packages (#5118)
• 4351978 chore: version packages (#5114)
• 8c56235 close: #5106
• da855c6 chore: version packages (#5113)
• f5f498a test: remove blockTimestamp from snapshots
• Additional commits viewable in compare view

Updates @anthropic-ai/sdk from 0.100.1 to 0.104.1

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.104.1

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

sdk: v0.104.0

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

sdk: v0.103.0

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

Bug Fixes

• client: 3p middleware ordering (#53) (2a4c339)

sdk: v0.102.0

0.102.0 (2026-06-06)

Full Changelog: sdk-v0.101.0...sdk-v0.102.0

Features

• api: small updates to Managed Agents types (8ba4f92)

Bug Fixes

• client: run middleware before request signing (#45) (95f1a4a)

sdk: v0.101.0

0.101.0 (2026-06-05)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.104.1 (2026-06-09)

Full Changelog: sdk-v0.104.0...sdk-v0.104.1

Bug Fixes

• api: add frontier_llm refusal category (465e686)

0.104.0 (2026-06-09)

Full Changelog: sdk-v0.103.0...sdk-v0.104.0

Features

• api: add support for Managed Agents deployments and environment variable credentials (d01e38b)

0.103.0 (2026-06-09)

Full Changelog: sdk-v0.102.0...sdk-v0.103.0

Features

• api: add support for claude-mythos-5 and claude-fable-5, with support for server-side fallbacks on refusal (cc337f7)
• client: adds client-side fallbacks middleware for API providers that do not support server-side fallbacks (cc337f7)
• middleware: add ctx.logger (#55) (edd1454)

Bug Fixes

• client: 3p middleware ordering (#53) (2a4c339)

0.102.0 (2026-06-06)

Full Changelog: sdk-v0.101.0...sdk-v0.102.0

Features

• api: small updates to Managed Agents types (8ba4f92)

Bug Fixes

• client: run middleware before request signing (#45) (95f1a4a)

0.101.0 (2026-06-05)

Full Changelog: sdk-v0.100.1...sdk-v0.101.0

Features

... (truncated)

Commits

• 9a0442d chore: release main
• 1ccd401 fix(api): add frontier_llm refusal category
• 8be0232 chore: release main
• 813af32 feat(api): add support for Managed Agents deployments and environment variabl...
• 589eed1 chore: release main
• a785874 feat(api): add support for claude-mythos-5 and claude-fable-5, with support f...
• 6322a4f fix(client): 3p middleware ordering (#53)
• c2e94fc feat(middleware): add ctx.logger (#55)
• f7dfb97 chore: release main
• a3f3c97 feat(api): small updates to Managed Agents types
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
txkit-docs	Ready	Preview, Comment	Jun 13, 2026 9:41am
txkit-land	Ready	Preview, Comment	Jun 13, 2026 9:41am
txkit-story	Ready	Preview, Comment	Jun 13, 2026 9:41am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​anthropic-ai/​sdk@​0.104.1
	wagmi@​3.6.16
	@​astrojs/​react@​5.0.7
	@​tanstack/​react-query@​5.101.0
	astro@​6.4.6

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/next@15.5.18 → npm/astro@6.4.6 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm astro is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: app/landing/package.json → npm/astro@6.4.6 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@6.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report