chore(deps): bump pympp[tempo] from 0.8.2 to 0.9.0 in /conformance/adapters/python in the python-dependencies group #43

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/uv/conformance/adapters/python/python-dependencies-91735d4fc1

dependabot Bot commented on behalf of github Jun 29, 2026

Bumps the python-dependencies group in /conformance/adapters/python with 1 update: pympp[tempo].

Updates pympp[tempo] from 0.8.2 to 0.9.0

Release notes

Sourced from pympp[tempo]'s releases.

v0.9.0

Minor Changes

  • Validate the credential source on the Tempo hash-credential verification path. The server now parses the did:pkh:eip155 source before reserving the transaction hash, requires TIP-20 transfers to originate from the declared source address (falling back to the receipt sender when no source is provided), and rejects malformed or chain-mismatched sources with a uniform error. Adds a validate_sender callback (with SenderValidation / ValidateSender) to ChargeIntent to authorize smart-account / relayer flows where the on-chain transfer sender differs from the declared source. (by @​stevencartavia, #154)
  • Sponsored (fee-payer) charges now dry-run the co-signed transaction via tempo_simulateV1 before broadcasting. If the transaction would revert on-chain, the sponsor rejects it instead of paying gas for a failing transaction. The check fails closed: if the simulation RPC is unavailable, the charge is rejected. (by @​stevencartavia, #154)

Patch Changes

  • Preserve all sender-signed fields when decoding and re-signing fee-payer (0x78) envelopes. Two fields that are part of the sender's signing hash were being lost when the fee payer reconstructed the transaction to cosign it, causing valid transactions to be rejected ("Sender address does not match recovered signer") or mis-attributed:
      • keyAuthorization: the decoder rebuilt it from only chain_id, key_type, key_id, and expiry, dropping limits and the T6 (TIP-1049) allowed_calls, witness, is_admin, and account fields. It now round-trips the authorization RLP verbatim (decode and encode), so it works for both legacy and T6 authorizations — including non-secp256k1 root signatures — without requiring a T6-aware pytempo.
      • tempo_authorization_list: was dropped entirely during cosigning; it is now carried through.
  • Access-key (keychain) and other non-secp256k1 sender signatures, which a fee payer cannot verify offline, are now rejected with a clear error instead of an opaque ECDSA recovery failure, and the envelope decoder fails closed on unexpected field counts.
  • Pre-broadcast simulation (tempo_simulateV1) is skipped for locally co-signed transactions that carry a keyAuthorization or a non-empty tempo_authorization_list. These fields are preserved verbatim as opaque RLP for the broadcast transaction but cannot yet be faithfully re-serialized into the simulation JSON (keyAuthorization / aaAuthorizationList), so the transaction is broadcast without the extra revert check rather than simulated as a different transaction. (by @​stevencartavia, #154)

New Contributors

Full Changelog: tempoxyz/pympp@v0.8.2...v0.9.0

Changelog

Sourced from pympp[tempo]'s changelog.

0.9.0 (2026-06-23)

Minor Changes

  • Validate the credential source on the Tempo hash-credential verification path. The server now parses the did:pkh:eip155 source before reserving the transaction hash, requires TIP-20 transfers to originate from the declared source address (falling back to the receipt sender when no source is provided), and rejects malformed or chain-mismatched sources with a uniform error. Adds a validate_sender callback (with SenderValidation / ValidateSender) to ChargeIntent to authorize smart-account / relayer flows where the on-chain transfer sender differs from the declared source. (by @​stevencartavia, #154)
  • Sponsored (fee-payer) charges now dry-run the co-signed transaction via tempo_simulateV1 before broadcasting. If the transaction would revert on-chain, the sponsor rejects it instead of paying gas for a failing transaction. The check fails closed: if the simulation RPC is unavailable, the charge is rejected. (by @​stevencartavia, #154)

Patch Changes

  • Preserve all sender-signed fields when decoding and re-signing fee-payer (0x78) envelopes. Two fields that are part of the sender's signing hash were being lost when the fee payer reconstructed the transaction to cosign it, causing valid transactions to be rejected ("Sender address does not match recovered signer") or mis-attributed:
      • keyAuthorization: the decoder rebuilt it from only chain_id, key_type, key_id, and expiry, dropping limits and the T6 (TIP-1049) allowed_calls, witness, is_admin, and account fields. It now round-trips the authorization RLP verbatim (decode and encode), so it works for both legacy and T6 authorizations — including non-secp256k1 root signatures — without requiring a T6-aware pytempo.
      • tempo_authorization_list: was dropped entirely during cosigning; it is now carried through.
  • Access-key (keychain) and other non-secp256k1 sender signatures, which a fee payer cannot verify offline, are now rejected with a clear error instead of an opaque ECDSA recovery failure, and the envelope decoder fails closed on unexpected field counts.
  • Pre-broadcast simulation (tempo_simulateV1) is skipped for locally co-signed transactions that carry a keyAuthorization or a non-empty tempo_authorization_list. These fields are preserved verbatim as opaque RLP for the broadcast transaction but cannot yet be faithfully re-serialized into the simulation JSON (keyAuthorization / aaAuthorizationList), so the transaction is broadcast without the extra revert check rather than simulated as a different transaction. (by @​stevencartavia, #154)

Commits

  • e24d634 chore: release v0.9.0 (#151)
  • ea8ebac feat: preserve sender-signed fields when cosigning fee-payer envelopes (#154)
  • 514ab1c feat: simulate sponsored txs before broadcast (#150)
  • 5cc5420 chore(deps): bump the actions group with 3 updates (#152)
  • 737a315 feat: add server body digest and route scope conformance (#149)
  • 3b8ecfd feat: validate hash credential source (#148)
  • b675ed8 chore(deps): bump wevm/changelogs from de0250123a1d70a2b64a458bd5efcf313986df...
  • 18fc5cc ci: add conformance gate (#146)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
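
The source validation described in the v0.9.0 release notes above can be pictured with the following added example, which is not pympp's code and does not reproduce its API. The function names, the `validate_sender(declared, actual)` signature, the in-memory `reserved` set and the choice to reserve the hash only after every check passes are all assumptions made for illustration.

```python
import re
from typing import Callable, Optional, Set

# All names here are hypothetical; this does not reproduce pympp's API.
_SOURCE_RE = re.compile(r"did:pkh:eip155:(0|[1-9][0-9]*):(0x[0-9a-fA-F]{40})")

class CredentialRejected(Exception):
    """One error with one message, so a caller cannot tell which check failed."""
    def __init__(self) -> None:
        super().__init__("invalid credential")

def parse_source(source: str, expected_chain_id: int) -> str:
    """Return the lowercased address of a did:pkh:eip155 source, or reject."""
    m = _SOURCE_RE.fullmatch(source)
    if m is None or int(m.group(1)) != expected_chain_id:
        raise CredentialRejected()
    return m.group(2).lower()

def verify_hash_credential(
    tx_hash: str,
    source: Optional[str],
    transfer_from: str,      # sender of the on-chain TIP-20 transfer
    receipt_sender: str,     # sender recorded on the transaction receipt
    expected_chain_id: int,
    reserved: Set[str],      # stand-in for the server's used-hash store
    validate_sender: Optional[Callable[[str, str], bool]] = None,
) -> str:
    # Parse first: a malformed or wrong-chain source must not consume the hash.
    if source is not None:
        declared = parse_source(source, expected_chain_id)
    else:
        declared = receipt_sender.lower()  # fallback when no source is given
    actual = transfer_from.lower()
    if actual != declared:
        # Smart-account / relayer flow: only an explicit callback may allow it.
        if validate_sender is None or not validate_sender(declared, actual):
            raise CredentialRejected()
    if tx_hash in reserved:  # replay of an already-used transaction hash
        raise CredentialRejected()
    reserved.add(tx_hash)
    return actual
```

Address comparison here is case-insensitive and does not verify an EIP-55 checksum.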

Bumps the python-dependencies group in /conformance/adapters/python with 1 update: [pympp[tempo]](https://github.com/tempoxyz/pympp).


Updates `pympp[tempo]` from 0.8.2 to 0.9.0
- [Release notes](https://github.com/tempoxyz/pympp/releases)
- [Changelog](https://github.com/tempoxyz/pympp/blob/main/CHANGELOG.md)
- [Commits](tempoxyz/pympp@v0.8.2...v0.9.0)

---
updated-dependencies:
- dependency-name: pympp[tempo]
  dependency-version: 0.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies and python:uv labels Jun 29, 2026

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pypi/pympp@0.8.2 ⏵ 0.9.0 | 100 +1 | 100 | 100 | 100 | 100 |
