Stale viem/chains across all TS packages — new chains broken until lockfile updated #1971

@ryanRfox

Problem

All TypeScript packages in this monorepo bundle viem/chains at build time, and every publish workflow uses pnpm install --frozen-lockfile. This pins viem to whatever version was last resolved in pnpm-lock.yaml, regardless of the ^ range in each package.json.

The lockfile currently contains four different viem versions across packages:

Locked version    Packages
2.23.2            legacy packages (x402, x402-express, etc.)
2.37.3            wagmi transitive
2.40.3            @x402/paywall, @x402/express, @x402/fetch, @x402/evm
2.45.1            @x402/extensions

viem is currently at 2.47.10. Any chain added to viem after the locked version for a given package is missing from that package's published bundle.

Impact

Packages that do runtime chain lookups via viem/chains will fail for missing chains:

  • @x402/paywall (paywallUtils.ts) — throws "Unsupported chain ID" when a user connects a wallet on an unrecognized chain
  • @x402/extensions (sign-in-with-x/verify.ts, evm.ts, types.ts) — sign-in verification fails for unrecognized chains

This affects any chain that onboards to x402 and was added to viem after the locked version. For example, Mezo (chain ID 31611, added in viem 2.47.10) is missing from all current published packages.

The problem will recur with every new chain that joins x402 unless the build process addresses it.

Where the constraint is

  1. All 14 publish workflows in .github/workflows/publish_npm_scoped_x402_*.yml use --frozen-lockfile
  2. No publish workflow runs pnpm update before building
  3. tsup configs don't externalize viem, so chain definitions are baked into each bundle
  4. No runtime extension point exists for server operators to provide chain definitions that aren't in the bundle

Suggestion

Other monorepos in the ecosystem (wagmi, viem, RainbowKit, Vite, Next.js) use Renovate or Dependabot with auto-merge for minor/patch dependency updates. This keeps the lockfile current continuously — Renovate opens PRs as new dependency versions publish, minor/patch updates auto-merge, and the lockfile stays fresh without manual intervention. The publish workflow stays --frozen-lockfile (preserving reproducibility), but the lockfile itself reflects recent dependency versions rather than going stale between manual updates.

This repo doesn't currently have Renovate or Dependabot configured. A minimal Dependabot config would look like:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/typescript"
    schedule:
      interval: "weekly"
    groups:
      viem:
        patterns:
          - "viem"
        update-types:
          - "minor"
          - "patch"

This would open weekly PRs for viem minor/patch updates, keeping the lockfile fresh without changing the publish workflow or sacrificing build reproducibility.
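
An added example (not part of the original issue or of the x402 repository): a dependency-free Node.js check that reads the importers section of a pnpm-lock.yaml and lists each workspace package whose resolved viem is older than the release that introduced a required chain. The lockfile excerpt, importer paths, specifiers and function names are constructed for illustration; 2.47.10 is the version the issue gives for Mezo.

```javascript
// Constructed sample in pnpm-lock.yaml v9 layout; importer paths and specifiers are made up.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
importers:
  packages/legacy/x402:
    dependencies:
      viem:
        specifier: ^2.21.26
        version: 2.23.2(typescript@5.7.3)
  packages/http/paywall:
    dependencies:
      viem:
        specifier: ^2.39.3
        version: 2.40.3(typescript@5.7.3)
  packages/extensions:
    dependencies:
      viem:
        specifier: ^2.45.1
        version: 2.45.1(typescript@5.7.3)
  examples/fresh:
    dependencies:
      viem:
        specifier: ^2.47.10
        version: 2.47.10(typescript@5.7.3)
packages:
  viem@2.23.2:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Walk the importers section by indentation: 2 spaces = importer, 6 = dependency, 8 = its fields.
function resolvedVersions(lockText, dep) {
  const found = [];
  let inImporters = false, importer = null, inDep = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inImporters = line.startsWith('importers:'); inDep = false; continue; }
    if (!inImporters) continue;
    let m;
    if ((m = line.match(/^ {2}(\S.*):\s*$/))) { importer = m[1].replace(/^'|'$/g, ''); inDep = false; }
    else if ((m = line.match(/^ {6}(\S.*):\s*$/))) inDep = m[1].replace(/^'|'$/g, '') === dep;
    else if (inDep && (m = line.match(/^ {8}version: '?(\d+\.\d+\.\d+)/))) found.push({ importer, version: m[1] });
  }
  return found;
}

// Importers whose locked version is numerically older than minVersion (major.minor.patch).
function staleImporters(lockText, dep, minVersion) {
  const num = (v) => v.split('.').map(Number);
  const older = (a, b) => { for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i]; return false; };
  return resolvedVersions(lockText, dep).filter((r) => older(num(r.version), num(minVersion)));
}

console.log(staleImporters(SAMPLE_LOCK, 'viem', '2.47.10'));
```

Run against the real lockfile in CI, a non-empty result can fail the build before a bundle missing the chain is published.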
