build(deps): bump protobufjs, @certusone/wormhole-sdk, @cosmjs/cosmwasm-stargate, @cosmjs/proto-signing and @cosmjs/stargate in /wormchain/ts-sdk

[dependabot]

Bumps protobufjs, @certusone/wormhole-sdk, @cosmjs/cosmwasm-stargate, @cosmjs/proto-signing and @cosmjs/stargate. These dependencies needed to be updated together.
Updates protobufjs from 6.11.2 to 8.6.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.4

8.6.4 (2026-06-16)

Bug Fixes

• Avoid materializing ProtoJSON WKT defaults (#2326) (6aaee14)
• Support runtimes without ICU (#2331) (cd6e2e2)

protobufjs: v8.6.3

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

protobufjs: v8.6.0

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.6.4 (2026-06-16)

Bug Fixes

• Avoid materializing ProtoJSON WKT defaults (#2326) (6aaee14)
• Support runtimes without ICU (#2331) (cd6e2e2)

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)

... (truncated)

Commits

• 6c2d51d chore: release master (#2328)
• cd6e2e2 fix: Support runtimes without ICU (#2331)
• 6aaee14 fix: Avoid materializing ProtoJSON WKT defaults (#2326)
• 8076a5e chore: release master (#2318)
• 4dff8e4 fix: Support utf8_validation during decode (#2325)
• 9c9f8ee fix: Remove renamed reflection objects by identity (#2324)
• de18bbe docs: Document custom constructor registration order (#2323)
• c98a4e5 fix: Include interfaces in API docs and fix FieldMask doc comment (#2319)
• c97cdbe fix: Preserve explicit URLs in path resolution (#2320)
• ec868f3 fix: Consistently reject truncated 64-bit varints (#2322)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates @certusone/wormhole-sdk from 0.2.0 to 0.10.18

Commits

• See full diff in compare view

Updates @cosmjs/cosmwasm-stargate from 0.27.1 to 0.38.1

Release notes

Sourced from @​cosmjs/cosmwasm-stargate's releases.

0.38.0

Highlights in this release

• Add Support for dynamic gas price (via feemarket or Osmosis)
• Add support for Cosmos EVM key handling and signing
• Add support ts-proto v2 code generation
• Decimal type now supports negative values

Housekeeping

• Use ReadonlyDate from readonly-date-esm
• Remove Tendermint 0.34 client
• Rename package @​cosmjs/cosmwasm-stargate to @​cosmjs/cosmwasm

Important notes

• Users now require TypeScript 5.7+ since we return Uint8Array generics whenever possible
• This is the last version that supports Node.js 20. Please upgrade to version 22 or 24.

Changelog: https://github.com/cosmos/cosmjs/blob/main/CHANGELOG.md#0380---2025-12-30 All changes: cosmos/cosmjs@v0.37.0...v0.38.0

0.37.0

Highlights in this release

• Add client for CometBFT 1.x (Comet1Client)
• Modernize dependencies to reduce bundle size and reliability
• Set exports field to all packages. This prevents users from importing non-public interfaces and prepares for and ESM world.
• Deprecate executeKdf from both @​cosmjs/amino and @​cosmjs/proto-signing as wallet encryption will be removed (cosmos/cosmjs#1796).

Changelog: https://github.com/cosmos/cosmjs/blob/main/CHANGELOG.md#0370---2025-10-29 All changes: cosmos/cosmjs@v0.36.1...v0.37.0

0.36.0

Encrypted wallet serialization deprecated!

• The use of encrypted wallet storage is deprecated. In particular this means:

  • Secp256k1HdWallet.serialize/.serializeWithEncryptionKey
  • Secp256k1HdWallet.deserialize/.deserializeWithEncryptionKey
  • DirectSecp256k1HdWallet.serialize/.serializeWithEncryptionKey
  • DirectSecp256k1HdWallet.deserialize/.deserializeWithEncryptionKey

  If you are using any of those methods, please comment at cosmos/cosmjs#1796.

  A scream test was established which slows down the key derivation function a lot. This simulates the use of a pure-JS implementation of Argon2 which we will use on one of the next releases. If this causes problems for your app, switch back to ^0.35.0 and comment in the issue.

• Migrate from libsodium to different implementation in order to reduce bundle size and improve compatibility.

  • ed25519 now uses @​noble/curves
  • xchacha20poly1305 now uses @​noble/ciphers

... (truncated)

Changelog

Sourced from @​cosmjs/cosmwasm-stargate's changelog.

[0.38.1] - 2025-12-31

• Bring back main/types fields for bundlephobia support. (#1942)

#1942: cosmos/cosmjs#1942

[0.38.0] - 2025-12-30

Added

• @​cosmjs/encoding: Add fixUint8Array which takes an Uint8Array<ArrayBufferLike> and returns Uint8Array<ArrayBuffer>. This can be used in cases where a data source returns an Uint8Array without specifying the buffer type but you need an ArrayBuffer. Internally it might perform a copy but in the vast majority of cases it will just change the type after ensuring ArrayBuffer is used. (#1883)
• @​cosmjs/math: Add Decimal.adjustFractionalDigits which allows you to change the fractional digits of a Decimal without changing its value. (#1916)
• @​cosmjs/stargate, @​cosmjs/cosmwasm-stargate: Add option to configure dynamic gas price in SigningCosmWasmClientOptions and SigningStargateClientOptions using the DynamicGasPriceConfig interface for gasPrice. This then uses Osmosis' EIP-1559 implementation or the Skip fee market module to get the gas price from the chain. (#1926)
• @​cosmjs/cosmwasm-stargate: Add the ability to specify a custom account parser for CosmWasmClient. (#1928)
• Add support for Cosmos EVM key handling and signing. (#1932)
• @​cosmjs/proto-signing: Add support for ts-proto v2 through the newly added TsProto2GeneratedType interface. As long as the existing TsProtoGeneratedType is not removed, ts-proto v1 remains supported. (#1613)

#1613: cosmos/cosmjs#1613 #1883: cosmos/cosmjs#1883 #1916: cosmos/cosmjs#1916 #1926: cosmos/cosmjs#1926 #1928: cosmos/cosmjs#1928 #1932: cosmos/cosmjs#1932

Changed

• all: return Uint8Array<ArrayBuffer> instead of Uint8Array = Uint8Array<ArrayBufferLike> whenever CosmJS creates binary data for users. This allows users to stick it into APIs that require ArrayBuffer such as many APIs from Subtle crypto. You can still assign Uint8Array<ArrayBuffer> to any Uint8Array in an existing codebase like this:

  const myVar: Uint8Array = fromHex("aabb");

... (truncated)

Commits

• c1e00ef Set version 0.38.1
• 9d9e735 Bring back main/types fields for bundlephobia support (#1942)
• 37377b7 Fix @​cosmjs/cosmwasm package name in README
• b28d7d8 Set version 0.38.0
• 27b7de9 Update some credits
• e232235 Merge pull request #1934 from cosmos/spliteria
• 3cc8083 Rename renaming libsodum module to ed25519
• 6bf92d6 Pull Xchacha20poly1305 code out of libsodium module
• b82b285 Pull argon2 code out of libsolium module
• 02592ac Set version 0.38.0-rc.1
• Additional commits viewable in compare view

Updates @cosmjs/proto-signing from 0.27.1 to 0.39.0

Release notes

Sourced from @​cosmjs/proto-signing's releases.

0.39.0

Changed

• all: Drop support for Node.js < 22. Node.js 20 reached end-of-life on 2025-04 and the crypto stack (@noble/*, @​scure/bip39 v2) relies on APIs that only ship in Node 22+. If you are still on an older Node, upgrade before taking this release.
• @​cosmjs/crypto: Upgrade dependencies @​noble/ciphers, @​noble/curves, @​noble/hashes and @​scure/bip39 to v2. These upgrades are otherwise transparent to users of the high-level @cosmjs/crypto API, but direct consumers of the underlying libraries should consult their respective migration notes. (#1935)
• @​cosmjs/crypto: Use pure-JS implementation of Argon2id from @​noble/hashes instead of the WASM-based hash-wasm implementation. This removes the hash-wasm runtime dependency and makes Argon2id.execute fully synchronous-capable without requiring a WASM instantiation. (#1938)
• @​cosmjs/amino, @​cosmjs/proto-signing: Remove scream test around argon2 call in wallet serialization/deserialization which is not needed anymore after #1938.
• all: Bring back the classic main/types fields in package.json alongside the exports field so tools like bundlephobia that do not understand exports can still resolve the package entry points. (#1944)
• @​cosmjs/stargate: Change Account.accountNumber from number to bigint. Cosmos SDK 0.53+ can assign account numbers via GenerateID() that exceed Number.MAX_SAFE_INTEGER (2^53 − 1), which would silently lose precision when represented as a JavaScript number. Using bigint preserves the full 64-bit range. Breaking change for anyone reading accountNumber off Account (e.g. from StargateClient.getAccount()): you will typically need to either coerce back with Number(account.accountNumber) where you know the value is safe, or keep using bigint end-to-end. (#1956)
• @​cosmjs/amino: makeSignDoc now accepts number | string | bigint for accountNumber (previously number | string) and encodes the value via Uint64 instead of Uint53 so large account numbers no longer overflow when building a sign doc. (#1956)
• @​cosmjs/crypto: Deprecate Argon2id/Argon2idOptions/isArgon2idOptions because it will likely be removed when wallet serialization/deserialization is removed.
• @​cosmjs/faucet: Upgrade koa to ^3.1.2 to address the host header injection advisory GHSA-7gcc-r8m5-44qm. Same-major bump, no API changes. (#1959)
• @​cosmjs/proto-signing: Upgrade protobufjs to ^7.5.5 to address the arbitrary code execution advisory GHSA-xq3m-2v4x-88gg. Same-major bump, no API changes. (#1959)

#1935: cosmos/cosmjs#1935 #1938: cosmos/cosmjs#1938 #1944: cosmos/cosmjs#1944 #1956: cosmos/cosmjs#1956 #1959: cosmos/cosmjs#1959

... (truncated)

Changelog

Sourced from @​cosmjs/proto-signing's changelog.

[0.39.0] - 2026-05-04

Changed

• all: Drop support for Node.js < 22. Node.js 20 reached end-of-life on 2025-04 and the crypto stack (@noble/*, @​scure/bip39 v2) relies on APIs that only ship in Node 22+. If you are still on an older Node, upgrade before taking this release.
• @​cosmjs/crypto: Upgrade dependencies @​noble/ciphers, @​noble/curves, @​noble/hashes and @​scure/bip39 to v2. These upgrades are otherwise transparent to users of the high-level @cosmjs/crypto API, but direct consumers of the underlying libraries should consult their respective migration notes. (#1935)
• @​cosmjs/crypto: Use pure-JS implementation of Argon2id from @​noble/hashes instead of the WASM-based hash-wasm implementation. This removes the hash-wasm runtime dependency and makes Argon2id.execute fully synchronous-capable without requiring a WASM instantiation. (#1938)
• @​cosmjs/amino, @​cosmjs/proto-signing: Remove scream test around argon2 call in wallet serialization/deserialization which is not needed anymore after #1938.
• all: Bring back the classic main/types fields in package.json alongside the exports field so tools like bundlephobia that do not understand exports can still resolve the package entry points. (#1944)
• @​cosmjs/stargate: Change Account.accountNumber from number to bigint. Cosmos SDK 0.53+ can assign account numbers via GenerateID() that exceed Number.MAX_SAFE_INTEGER (2^53 − 1), which would silently lose precision when represented as a JavaScript number. Using bigint preserves the full 64-bit range. Breaking change for anyone reading accountNumber off Account (e.g. from StargateClient.getAccount()): you will typically need to either coerce back with Number(account.accountNumber) where you know the value is safe, or keep using bigint end-to-end. (#1956)
• @​cosmjs/amino: makeSignDoc now accepts number | string | bigint for accountNumber (previously number | string) and encodes the value via Uint64 instead of Uint53 so large account numbers no longer overflow when building a sign doc. (#1956)
• @​cosmjs/crypto: Deprecate Argon2id/Argon2idOptions/isArgon2idOptions because it will likely be removed when wallet serialization/deserialization is removed.
• @​cosmjs/faucet: Upgrade koa to ^3.1.2 to address the host header injection advisory GHSA-7gcc-r8m5-44qm. Same-major bump, no API changes. (#1959)
• @​cosmjs/proto-signing: Upgrade protobufjs to ^7.5.5 to address the arbitrary code execution advisory GHSA-xq3m-2v4x-88gg. Same-major bump, no API changes. (#1959)

#1935: cosmos/cosmjs#1935 #1938: cosmos/cosmjs#1938 #1944: cosmos/cosmjs#1944 #1956: cosmos/cosmjs#1956 #1959: cosmos/cosmjs#1959

... (truncated)

Commits

• ec55c66 Set version: 0.39.0
• e39b5ff Convert account Number to bigint (#1956)
• 45156aa Merge pull request #1960 from codingki/rename-evmd-to-evmd051
• 6536a4b Mirror evmd051Enabled pattern for slow variant
• 20a429b Rename evmd scripts to versioned name (evmd051)
• 0fedbb2 Merge pull request #1959 from codingki/chore/security-audit-fixes
• 6cfedd5 chore(deps): Fix security vulnerabilities reported by yarn audit
• 2338a7e Merge pull request #1958 from cosmos/fix/yarn-node25-ebadf
• c21c737 [autofix.ci] apply automated fixes
• e664c60 fix(ci): Drop accidental .yarnrc.yml security relaxations
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by kiki-skip, a new releaser for @​cosmjs/proto-signing since your current version.

Updates @cosmjs/stargate from 0.27.1 to 0.39.0

Release notes

Sourced from @​cosmjs/stargate's releases.

0.39.0

Changed

• all: Drop support for Node.js < 22. Node.js 20 reached end-of-life on 2025-04 and the crypto stack (@noble/*, @​scure/bip39 v2) relies on APIs that only ship in Node 22+. If you are still on an older Node, upgrade before taking this release.
• @​cosmjs/crypto: Upgrade dependencies @​noble/ciphers, @​noble/curves, @​noble/hashes and @​scure/bip39 to v2. These upgrades are otherwise transparent to users of the high-level @cosmjs/crypto API, but direct consumers of the underlying libraries should consult their respective migration notes. (#1935)
• @​cosmjs/crypto: Use pure-JS implementation of Argon2id from @​noble/hashes instead of the WASM-based hash-wasm implementation. This removes the hash-wasm runtime dependency and makes Argon2id.execute fully synchronous-capable without requiring a WASM instantiation. (#1938)
• @​cosmjs/amino, @​cosmjs/proto-signing: Remove scream test around argon2 call in wallet serialization/deserialization which is not needed anymore after #1938.
• all: Bring back the classic main/types fields in package.json alongside the exports field so tools like bundlephobia that do not understand exports can still resolve the package entry points. (#1944)
• @​cosmjs/stargate: Change Account.accountNumber from number to bigint. Cosmos SDK 0.53+ can assign account numbers via GenerateID() that exceed Number.MAX_SAFE_INTEGER (2^53 − 1), which would silently lose precision when represented as a JavaScript number. Using bigint preserves the full 64-bit range. Breaking change for anyone reading accountNumber off Account (e.g. from StargateClient.getAccount()): you will typically need to either coerce back with Number(account.accountNumber) where you know the value is safe, or keep using bigint end-to-end. (#1956)
• @​cosmjs/amino: makeSignDoc now accepts number | string | bigint for accountNumber (previously number | string) and encodes the value via Uint64 instead of Uint53 so large account numbers no longer overflow when building a sign doc. (#1956)
• @​cosmjs/crypto: Deprecate Argon2id/Argon2idOptions/isArgon2idOptions because it will likely be removed when wallet serialization/deserialization is removed.
• @​cosmjs/faucet: Upgrade koa to ^3.1.2 to address the host header injection advisory GHSA-7gcc-r8m5-44qm. Same-major bump, no API changes. (#1959)
• @​cosmjs/proto-signing: Upgrade protobufjs to ^7.5.5 to address the arbitrary code execution advisory GHSA-xq3m-2v4x-88gg. Same-major bump, no API changes. (#1959)

#1935: cosmos/cosmjs#1935 #1938: cosmos/cosmjs#1938 #1944: cosmos/cosmjs#1944 #1956: cosmos/cosmjs#1956 #1959: cosmos/cosmjs#1959

... (truncated)

Changelog

Sourced from @​cosmjs/stargate's changelog.

[0.39.0] - 2026-05-04

Changed

• all: Drop support for Node.js < 22. Node.js 20 reached end-of-life on 2025-04 and the crypto stack (@noble/*, @​scure/bip39 v2) relies on APIs that only ship in Node 22+. If you are still on an older Node, upgrade before taking this release.
• @​cosmjs/crypto: Upgrade dependencies @​noble/ciphers, @​noble/curves, @​noble/hashes and @​scure/bip39 to v2. These upgrades are otherwise transparent to users of the high-level @cosmjs/crypto API, but direct consumers of the underlying libraries should consult their respective migration notes. (#1935)
• @​cosmjs/crypto: Use pure-JS implementation of Argon2id from @​noble/hashes instead of the WASM-based hash-wasm implementation. This removes the hash-wasm runtime dependency and makes Argon2id.execute fully synchronous-capable without requiring a WASM instantiation. (#1938)
• @​cosmjs/amino, @​cosmjs/proto-signing: Remove scream test around argon2 call in wallet serialization/deserialization which is not needed anymore after #1938.
• all: Bring back the classic main/types fields in package.json alongside the exports field so tools like bundlephobia that do not understand exports can still resolve the package entry points. (#1944)
• @​cosmjs/stargate: Change Account.accountNumber from number to bigint. Cosmos SDK 0.53+ can assign account numbers via GenerateID() that exceed Number.MAX_SAFE_INTEGER (2^53 − 1), which would silently lose precision when represented as a JavaScript number. Using bigint preserves the full 64-bit range. Breaking change for anyone reading accountNumber off Account (e.g. from StargateClient.getAccount()): you will typically need to either coerce back with Number(account.accountNumber) where you know the value is safe, or keep using bigint end-to-end. (#1956)
• @​cosmjs/amino: makeSignDoc now accepts number | string | bigint for accountNumber (previously number | string) and encodes the value via Uint64 instead of Uint53 so large account numbers no longer overflow when building a sign doc. (#1956)
• @​cosmjs/crypto: Deprecate Argon2id/Argon2idOptions/isArgon2idOptions because it will likely be removed when wallet serialization/deserialization is removed.
• @​cosmjs/faucet: Upgrade koa to ^3.1.2 to address the host header injection advisory GHSA-7gcc-r8m5-44qm. Same-major bump, no API changes. (#1959)
• @​cosmjs/proto-signing: Upgrade protobufjs to ^7.5.5 to address the arbitrary code execution advisory GHSA-xq3m-2v4x-88gg. Same-major bump, no API changes. (#1959)

#1935: cosmos/cosmjs#1935 #1938: cosmos/cosmjs#1938 #1944: cosmos/cosmjs#1944 #1956: cosmos/cosmjs#1956 #1959: cosmos/cosmjs#1959

... (truncated)

Commits

• ec55c66 Set version: 0.39.0
• e39b5ff Convert account Number to bigint (#1956)
• 45156aa Merge pull request #1960 from codingki/rename-evmd-to-evmd051
• 6536a4b Mirror evmd051Enabled pattern for slow variant
• 20a429b Rename evmd scripts to versioned name (evmd051)
• 0fedbb2 Merge pull request #1959 from codingki/chore/security-audit-fixes
• 6cfedd5 chore(deps): Fix security vulnerabilities reported by yarn audit
• 2338a7e Merge pull request #1958 from cosmos/fix/yarn-node25-ebadf
• c21c737 [autofix.ci] apply automated fixes
• e664c60 fix(ci): Drop accidental .yarnrc.yml security relaxations
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by kiki-skip, a new releaser for @​cosmjs/stargate since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.