Bump mppx from 0.4.11 to 0.5.4 in /mpp/server/node-typescript #38

Merged
stevekaliski-stripe merged 1 commit into main from dependabot/npm_and_yarn/mpp/server/node-typescript/mppx-0.5.4
Apr 8, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps mppx from 0.4.11 to 0.5.4.

Release notes

Sourced from mppx's releases.

mppx@0.5.4

Patch Changes

  • c3f522c: Fixed CLI defaulting to testnet when --rpc-url is omitted. The CLI now defaults to Tempo mainnet. Also added resolveRpcUrl helper so MPPX_RPC_URL and RPC_URL env vars are respected consistently across all commands.
  • f086276: Added theming to automatic HTML payment links.

mppx@0.5.3

Patch Changes

  • ba0bb60: Override vulnerable lodash (<=4.17.23) to >=4.18.0 in pnpm overrides. Fixes code injection via _.template (GHSA-r5fr-rjxr-66jc) and prototype pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh).

mppx@0.5.1

Patch Changes

  • dd27cb1: Validate the did:pkh:eip155 source DID on zero-dollar Tempo proof credentials. Servers now reject malformed proof source DIDs and chain ID mismatches between the source DID and the challenge signing domain.

mppx@0.5.0

Minor Changes

  • 5e7750b: Added a proof credential type for zero-amount Tempo charge requests. Clients now sign an EIP-712 proof over the challenge ID instead of creating a broadcastable transaction, and servers verify the proof against the credential source DID before accepting the request. This prevents zero-dollar auth flows from burning gas when the payer would otherwise have been the fee payer.

mppx@0.4.12

Patch Changes

  • 5684b94: Fixed settleOnChain and closeOnChain to use the payee account as msg.sender instead of the fee payer when submitting fee-sponsored transactions. Previously, sendFeePayerTx used the fee payer as both sender and gas sponsor, causing the escrow contract to revert with NotPayee(). Added account option to tempo.settle() so callers can specify the signing account separately from the fee payer.
  • 3bc8657: Added compile-time guard to tempo.session() and tempo.charge(). Unknown properties (e.g. stream instead of sse) now cause a type error instead of being silently accepted.
  • 0531edd: Added split-payment support to Tempo charge requests, including client transaction construction and stricter server verification for split transfers.
  • 6188184: Added realm auto-detection from the request Host header when not explicitly configured. Resolution order: explicit value → env vars (MPP_REALM, FLY_APP_NAME, VERCEL_URL, etc.) → request URL hostname → "MPP Payment" fallback with a one-time warning. Removed the hard-coded "MPP Payment" default and deprioritized HOST/HOSTNAME env vars in favor of platform-specific alternatives.
  • ba79504: Return 410 ChannelClosedError instead of 402 AmountExceedsDepositError when a channel's on-chain deposit is zero but the channel still exists (payer is non-zero). This handles a race window during settlement where the escrow contract zeros the deposit before setting the finalized flag.

Changelog

Sourced from mppx's changelog.

0.5.4

Patch Changes

  • c3f522c: Fixed CLI defaulting to testnet when --rpc-url is omitted. The CLI now defaults to Tempo mainnet. Also added resolveRpcUrl helper so MPPX_RPC_URL and RPC_URL env vars are respected consistently across all commands.
  • f086276: Added theming to automatic HTML payment links.

0.5.3

Patch Changes

  • ba0bb60: Override vulnerable lodash (<=4.17.23) to >=4.18.0 in pnpm overrides. Fixes code injection via _.template (GHSA-r5fr-rjxr-66jc) and prototype pollution via _.unset/_.omit (GHSA-f23m-r3pf-42rh).

0.5.2

Patch Changes

  • 2a7dbd3: Added experimental support for payment links
  • 20f3fe4: Hardened credential verification, transport billing, error responses, and proxy routing. Credential request binding now verifies fields match the actual incoming request. SSE transport derives billing context directly from the verified credential payload. 402 error responses no longer leak internal details. Proxy routing binds management POST fallback to the credential's payment method and intent for correct disambiguation.

0.5.1

Patch Changes

  • dd27cb1: Validate the did:pkh:eip155 source DID on zero-dollar Tempo proof credentials. Servers now reject malformed proof source DIDs and chain ID mismatches between the source DID and the challenge signing domain.

0.5.0

Minor Changes

  • 5e7750b: Added a proof credential type for zero-amount Tempo charge requests. Clients now sign an EIP-712 proof over the challenge ID instead of creating a broadcastable transaction, and servers verify the proof against the credential source DID before accepting the request. This prevents zero-dollar auth flows from burning gas when the payer would otherwise have been the fee payer.

0.4.12

Patch Changes

  • 5684b94: Fixed settleOnChain and closeOnChain to use the payee account as msg.sender instead of the fee payer when submitting fee-sponsored transactions. Previously, sendFeePayerTx used the fee payer as both sender and gas sponsor, causing the escrow contract to revert with NotPayee(). Added account option to tempo.settle() so callers can specify the signing account separately from the fee payer.
  • 3bc8657: Added compile-time guard to tempo.session() and tempo.charge(). Unknown properties (e.g. stream instead of sse) now cause a type error instead of being silently accepted.
  • 0531edd: Added split-payment support to Tempo charge requests, including client transaction construction and stricter server verification for split transfers.
  • 6188184: Added realm auto-detection from the request Host header when not explicitly configured. Resolution order: explicit value → env vars (MPP_REALM, FLY_APP_NAME, VERCEL_URL, etc.) → request URL hostname → "MPP Payment" fallback with a one-time warning. Removed the hard-coded "MPP Payment" default and deprioritized HOST/HOSTNAME env vars in favor of platform-specific alternatives.
  • ba79504: Return 410 ChannelClosedError instead of 402 AmountExceedsDepositError when a channel's on-chain deposit is zero but the channel still exists (payer is non-zero). This handles a race window during settlement where the escrow contract zeros the deposit before setting the finalized flag.

Commits
  • 9323531 chore: version packages (#286)
  • c3f522c fix: default resolveChain to mainnet, add resolveRpcUrl helper (#285)
  • f086276 feat(html): payment links theming (#283)
  • c621fb7 chore: update tempo image to latest (#282)
  • 415a5b9 ci: update GitHub Actions for Node 24 and stabilize runtime tests (#276)
  • 0ee8ddc fix: add build step before changesets publish (#281)
  • 24469c1 chore: version packages (#280)
  • ba0bb60 chore: add changeset for lodash override (#279)
  • 3dfbc28 fix: override lodash <=4.17.23 to fix audit vulnerabilities (#277)
  • d5d6547 chore: version packages (#274)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mppx](https://github.com/wevm/mppx) from 0.4.11 to 0.5.4.
- [Release notes](https://github.com/wevm/mppx/releases)
- [Changelog](https://github.com/wevm/mppx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/wevm/mppx/compare/mppx@0.4.11...mppx@0.5.4)

---
updated-dependencies:
- dependency-name: mppx
  dependency-version: 0.5.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 2, 2026
@stevekaliski-stripe stevekaliski-stripe merged commit 37e9bf4 into main Apr 8, 2026
8 checks passed
@stevekaliski-stripe stevekaliski-stripe deleted the dependabot/npm_and_yarn/mpp/server/node-typescript/mppx-0.5.4 branch April 8, 2026 15:42