chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: ws and viem.

Updates ws from 8.18.3 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates viem from 2.45.0 to 2.50.4

Release notes

Sourced from viem's releases.

viem@2.50.4

Patch Changes

• #4647 423131df9e00e3df062274e483b98a4921674cea Thanks @​jxom! - Fixed Tempo chain declarations to emit portable inferred types for exported derived chains.

viem@2.50.3

Patch Changes

• #4642 5bafcd444f7ebae9bb06a8efbc801a7ea845154d Thanks @​jxom! - viem/tempo: Updated wallet.deposit to use amount and supported token symbols for wallet_deposit requests.

viem@2.49.3

Patch Changes

• #4621 6d80eaeea315c552a57e9683607ed36f7d219a9e Thanks @​Blessing-Circle! - Added Arc chain.

• #4622 c5dc4d63506f787e92417eff77dd0ef84e3a2c8c Thanks @​struong! - viem/tempo: Preserved feeToken on broadcast envelope when feePayerSignature is present. Previously stripped unconditionally when feePayer === true, breaking fee payer signature verification on-chain.

viem@2.49.2

Patch Changes

• 215469280e57b4ec729bd2537857a4ca363c984b Thanks @​jxom! - viem/tempo: Renamed Actions.wallet.send to Actions.wallet.transfer.

viem@2.49.0

Minor Changes

• #4584 4cd686d4acf2c0f14955509a91a3c7ee6d0257f9 Thanks @​tmm! - Added AbortSignal support to request options and call action.

Patch Changes

• #4608 0e282d69d534e7fc277300260e31c07c4d8cb325 Thanks @​jxom! - viem/tempo: Updated Actions.wallet.send parameters to match the latest wallet RPC schema: renamed value to amount, added an optional memo field (UTF-8, max 32 bytes; rejected for non-TIP-20 tokens), and widened token to also accept curated tokenlist symbols.

  await Actions.wallet.send(client, {
  +  amount: '1.5',
  +  memo: 'thanks',
     to: '0x...',
  -  token: '0x...',
  +  token: 'pathUsd',
  -  value: '1.5',
  })

viem@2.48.11

Patch Changes

• #4585 18ccb586bd40d8410703e426261b0f03e530ade5 Thanks @​gakonst! - viem/tempo: Added wallet_ JSON-RPC Actions for opening send, swap, and deposit flows.

viem@2.48.8

Patch Changes

... (truncated)

Commits

• eb95848 chore: version package (#4648)
• 423131d fix(tempo): export portable chain types (#4647)
• 7cc3bc3 test(tempo): update export snapshot (#4646)
• 2b3b327 fix(tempo): use configured zone rpc (#4645)
• 41d7dcf chore: version package (#4643)
• fce9095 feat(tempo): update wallet.deposit params (#4644)
• 5bafcd4 fix(tempo): update wallet.deposit params (#4642)
• d530b1f chore: version package (#4641)
• dfe1964 feat(tempo): expose Chain namespace (#4640)
• 50ade6c chore: version package (#4639)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[randygrok]

Closing in favor of #241.

This PR only bumped the root package.json/package-lock.json (sun-valley), which is dead code: it was an accidental npm init -y + npm install viem, has a non-existent index.js main, the default npm test stub, and is not referenced by CI, Dockerfiles, scripts, or any workspace config. The real npm code lives in clients/ and bin/sponsor-service/ with their own manifests.

Rather than bumping a manifest nothing uses, #241 removes it entirely, which also stops these spurious Dependabot alerts at the source.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml