build(deps): bump the ui-package-dependencies group in /ui-package with 6 updates

[dependabot]

Bumps the ui-package-dependencies group in /ui-package with 6 updates:

Package	From	To
@rainbow-me/rainbowkit	2.2.10	2.2.11
react	19.2.5	19.2.6
react-dom	19.2.5	19.2.6
viem	2.48.8	2.48.11
@babel/preset-env	7.29.3	7.29.5
sass-loader	16.0.7	16.0.8

Updates @rainbow-me/rainbowkit from 2.2.10 to 2.2.11

Release notes

Sourced from @​rainbow-me/rainbowkit's releases.

@​rainbow-me/rainbowkit@​2.2.11

Patch Changes

• a40b1f4: Migrate the Base connector to canonical base naming, while preserving backwards-compatible aliases baseAccount and coinbaseWallet.

• 3672dc6: Added Anchorage Digital wallet support with the anchorageDigitalWallet wallet connector.

• 1043d88: Added MeCo Wallet support with mecoWallet wallet connector.

• f52657f: Exposed RainbowKitProviderProps and WalletButtonRendererProps as public type exports to support Custom Wallet Button scenarios.

• 4f2de17: Fixed a crash that could occur when selecting a wallet while multiple browser wallet extensions were installed and the specific injected wallet was missing. Wallet-specific injected connectors now bind only to their matching provider instead of falling back to available defaults.

• bc4625c: Fix recent transaction tracking so failed transactions no longer prevent an app's own transaction receipt wait from settling.

• 25c4c2b: Improved SSR safety to prevent WalletConnect initialization warnings and mitigate localStorage API availability changes in Node.js v25 and above.

• f52657f: Fixed useWindowSize triggering a state update after unmount, which could surface as a React warning.

• eb4251d: The AuthenticationAdapter.createMessage API can now return a promise, so dApps can fetch or construct a custom SIWE message asynchronously. This enables server-side SIWE message creation before prompting the wallet, while preserving existing synchronous behavior.

  See the server-side message creation docs for guidance.

• b0f6d52: fix: harden useCoolMode against malicious wallet icon URLs

  The cool mode particle animation built image elements via innerHTML, which parses its input as HTML. A malicious EIP-6963 wallet could supply a crafted icon URL containing injected attributes (e.g. onerror) that would execute in the dApp's origin when a user interacts with the wallet button.

  Switched to document.createElement('img') with property assignment so the icon value is always treated as a plain URL rather than markup.

• f2523a9: Updated MetaMask wallet icon

Changelog

Sourced from @​rainbow-me/rainbowkit's changelog.

2.2.11

Patch Changes

• a40b1f4: Migrate the Base connector to canonical base naming, while preserving backwards-compatible aliases baseAccount and coinbaseWallet.

• 3672dc6: Added Anchorage Digital wallet support with the anchorageDigitalWallet wallet connector.

• 1043d88: Added MeCo Wallet support with mecoWallet wallet connector.

• f52657f: Exposed RainbowKitProviderProps and WalletButtonRendererProps as public type exports to support Custom Wallet Button scenarios.

• 4f2de17: Fixed a crash that could occur when selecting a wallet while multiple browser wallet extensions were installed and the specific injected wallet was missing. Wallet-specific injected connectors now bind only to their matching provider instead of falling back to available defaults.

• bc4625c: Fix recent transaction tracking so failed transactions no longer prevent an app's own transaction receipt wait from settling.

• 25c4c2b: Improved SSR safety to prevent WalletConnect initialization warnings and mitigate localStorage API availability changes in Node.js v25 and above.

• f52657f: Fixed useWindowSize triggering a state update after unmount, which could surface as a React warning.

• eb4251d: The AuthenticationAdapter.createMessage API can now return a promise, so dApps can fetch or construct a custom SIWE message asynchronously. This enables server-side SIWE message creation before prompting the wallet, while preserving existing synchronous behavior.

  See the server-side message creation docs for guidance.

• b0f6d52: fix: harden useCoolMode against malicious wallet icon URLs

  The cool mode particle animation built image elements via innerHTML, which parses its input as HTML. A malicious EIP-6963 wallet could supply a crafted icon URL containing injected attributes (e.g. onerror) that would execute in the dApp's origin when a user interacts with the wallet button.

  Switched to document.createElement('img') with property assignment so the icon value is always treated as a plain URL rather than markup.

• f2523a9: Updated MetaMask wallet icon

Commits

• 03360ee chore: version packages (#2659)
• f6f00a8 chore(tooling): upgrade biome, typescript (#2669)
• e90c2dd feat: next-auth v5 (#2606)
• bc4625c fix: isolate recent transaction receipt waits (#2670)
• eb4251d feat: support async createMessage in AuthenticationAdapter (#2633)
• 5349f6a feat: internal component exports (#2589)
• a40b1f4 fix: migrate baseAccount connector to base with aliases (#2634)
• 33f2a10 fix: cuer QRCode prop type errors (#2663)
• 4f2de17 fix: avoid binding missing injected wallets (#2661)
• b473b08 fix: guard localStorage access during SSR (#2660)
• Additional commits viewable in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• See full diff in compare view

Updates viem from 2.48.8 to 2.48.11

Release notes

Sourced from viem's releases.

viem@2.48.11

Patch Changes

• #4585 18ccb586bd40d8410703e426261b0f03e530ade5 Thanks @​gakonst! - viem/tempo: Added wallet_ JSON-RPC Actions for opening send, swap, and deposit flows.

Commits

• 0235844 chore: version package (#4587)
• b243024 docs: add wallet actions
• 18ccb58 feat(tempo): add wallet actions (#4585)
• 39a98f7 chore: snaps
• f806162 chore: audit
• d18c7dc chore: version package (#4578)
• 54db4f4 chore: inline @​deprecated on statusSepolia exports
• 677aff4 chore: biome auto-fix duplicate export declarations
• d413d1b types: add tempo virtual address capability (#4579)
• 79800d2 chore: version package (#4577)
• Additional commits viewable in compare view

Updates @babel/preset-env from 7.29.3 to 7.29.5

Release notes

Sourced from @​babel/preset-env's releases.

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

Commits

• 3cd910d v7.29.5
• 3d399f8 [7.x backport]docs(preset-env): update CONTRIBUTING.md (#17976)
• See full diff in compare view

Updates sass-loader from 16.0.7 to 16.0.8

Release notes

Sourced from sass-loader's releases.

v16.0.8

16.0.8 (2026-05-08)

Bug Fixes

• normalize separators in getPossibleRequests for Windows (#1308) (#1309) (90e349d)

Changelog

Sourced from sass-loader's changelog.

16.0.8 (2026-05-08)

Bug Fixes

• normalize separators in getPossibleRequests for Windows (#1308) (#1309) (90e349d)

Commits

• 4f00ed5 chore(release): 16.0.8
• 90e349d fix: normalize separators in getPossibleRequests for Windows (#1308) (#1309)
• cda2078 chore(deps-dev): bump follow-redirects from 1.15.9 to 1.16.0 (#1306)
• 128abc0 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#1305)
• e3df97d chore(deps-dev): bump node-forge from 1.3.3 to 1.4.0 (#1304)
• ff8005b chore(deps): bump serialize-javascript and terser-webpack-plugin (#1299)
• 7dd2827 chore(deps-dev): bump flatted from 3.3.2 to 3.4.2 (#1301)
• 9e6a5e5 chore(deps): bump picomatch (#1300)
• a488645 chore(deps): bump immutable from 5.0.3 to 5.1.5 (#1298)
• fe6fe07 chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 (#1297)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions