chore(deps): bump @solana/pay from 0.2.6 to 1.0.18

[dependabot]

Bumps @solana/pay from 0.2.6 to 1.0.18.

Release notes

Sourced from @​solana/pay's releases.

@​solana/pay v1.0.18

Installation

pnpm add @solana/pay

https://www.npmjs.com/package/@​solana/pay/v/1.0.18

@​solana/pay v1.0.17

Installation

pnpm add @solana/pay

https://www.npmjs.com/package/@​solana/pay/v/1.0.17

@​solana/pay v1.0.16

Installation

pnpm add @solana/pay

https://www.npmjs.com/package/@​solana/pay/v/1.0.16

@​solana/pay v1.0.0

Installation

pnpm add @solana/pay

https://www.npmjs.com/package/@​solana/pay/v/1.0.0

@​solana/pay v1.0.0-beta.14

Installation

pnpm add @solana/pay

https://www.npmjs.com/package/@​solana/pay/v/1.0.0-beta.14

... (truncated)

Commits

• 8b8a4bb feat: add redeem codes (#375)
• 91e8798 feat: add support for subscriptions [experimental] (#374)
• bdec635 feat: improve catalog check (#367)
• c65165c feat: support for sessions - preliminary work (#364)
• 0276555 Merge pull request #365 from amilz/chore/bump-kit
• 94b3627 chore: bump @​solana/kit ecosystem and migrate off deprecated APIs
• 26889ac chore: update mpp / x402 (#362)
• 37fa44d ux: clarify Touch ID requirement for Keychain (#341)
• e72cddd chore: add security policy (#356)
• 04a40a4 fix: mime type handling (#353)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​solana/pay since your current version.

[dependabot]

Labels

The following labels could not be found: automerge-eligible, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[overstepping]

Verdict: ❌ Do not merge — breaking, needs a migration not a bump

@solana/pay 1.0 is a full rewrite onto @solana/kit (web3.js v2). Verified against the installed 1.0.16 typings:

• validateTransfer(rpc: Rpc<GetTransactionApi>, signature: Signature, { recipient, amount, splToken, reference, memo }, …)
• findReference(rpc: Rpc<…>, reference, …)

Both now take a kit Rpc and kit Address/Signature types — not a Connection/PublicKey from @solana/web3.js v1. bignumber.js is also gone (amounts are native).

Our root payment-verification handlers all pass v1 Connection + PublicKey + a BigNumber amount:

• api/_lib/purchase-confirm.js
• api/marketplace/buy-asset.js
• api/purchase/skill.js

The whole root is on @solana/web3.js ^1.98.4. Merging this breaks Solana payment confirmation entirely. Porting only @solana/pay to kit while the rest of the stack stays on web3.js v1 would create two parallel Solana stacks — not advisable. Hold on the 0.2.x line until a deliberate, stack-wide web3.js→kit migration. Recommend closing this PR (or marking it on-hold).

Triage by Claude — reviewed against actual usage in the codebase.

[dependabot]

Looks like @solana/pay is no longer being updated by Dependabot, so this is no longer needed.

[overstepping]

For the record: closing/declining intentionally. @solana/pay v1 is a web3.js 2.0 (@solana/kit) rewrite incompatible with our web3.js v1 payment path; pinned at 0.2.x and added to .github/dependabot.yml ignore in #55 until a deliberate migration.