chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: agents and wrangler.

Updates agents from 0.2.35 to 0.6.0

Release notes

Sourced from agents's releases.

agents@0.6.0

Minor Changes

• #565 0e9a607 Thanks @​mattzcarey! - Add RPC transport for MCP: connect an Agent to an McpAgent via Durable Object bindings

  New feature: addMcpServer with DO binding

  Agents can now connect to McpAgent instances in the same Worker using RPC transport — no HTTP, no network overhead. Pass the Durable Object namespace directly:

  // In your Agent
  await this.addMcpServer("counter", env.MY_MCP);
  // With props
  await this.addMcpServer("counter", env.MY_MCP, {
  props: { userId: "user-123", role: "admin" },
  });

  The addMcpServer method now accepts string | DurableObjectNamespace as the second parameter with proper TypeScript overloads, so HTTP and RPC paths are type-safe and cannot be mixed.

  Hibernation support

  RPC connections survive Durable Object hibernation automatically. The binding name and props are persisted to storage and restored on wake-up, matching the behavior of HTTP MCP connections. No need to manually re-establish connections in onStart().

  Deduplication

  Calling addMcpServer with the same server name multiple times (e.g., across hibernation cycles) now returns the existing connection instead of creating duplicates. This applies to both RPC and HTTP connections. Connection IDs are stable across hibernation restore.

  Other changes

  • Rewrote RPCClientTransport to accept a DurableObjectNamespace and create the stub internally via getServerByName from partyserver, instead of requiring a pre-constructed stub
  • Rewrote RPCServerTransport to drop session management (unnecessary for DO-scoped RPC) and use JSONRPCMessageSchema from the MCP SDK for validation instead of 170 lines of hand-written validation
  • Removed _resolveRpcBinding, _buildRpcTransportOptions, _buildHttpTransportOptions, and _connectToMcpServerInternal from the Agent base class — RPC transport logic no longer leaks into index.ts
  • Added AddRpcMcpServerOptions type (discriminated from AddMcpServerOptions) so props is only available when passing a binding
  • Added RPC_DO_PREFIX constant used consistently across all RPC naming
  • Fixed MCPClientManager.callTool passing serverId through to conn.client.callTool (it should be stripped before the call)
  • Added getRpcServersFromStorage() and saveRpcServerToStorage() to MCPClientManager for hibernation persistence
  • restoreConnectionsFromStorage now skips RPC servers (restored separately by the Agent class which has access to env)
  • Reduced rpc.ts from 609 lines to 245 lines
  • Reduced types.ts from 108 lines to 26 lines
  • Updated mcp-rpc-transport example to use Workers AI (no API keys needed), Kumo/agents-ui components, and Tailwind CSS
  • Updated MCP transports documentation

Patch Changes

• #973 969fbff Thanks @​threepointone! - Update dependencies

• #960 179b8cb Thanks @​mattzcarey! - Harden JSON Schema to TypeScript converter for production use

  • Add depth and circular reference guards to prevent stack overflows on recursive or deeply nested schemas

... (truncated)

Changelog

Sourced from agents's changelog.

0.6.0

Minor Changes

• #565 0e9a607 Thanks @​mattzcarey! - Add RPC transport for MCP: connect an Agent to an McpAgent via Durable Object bindings

  New feature: addMcpServer with DO binding

  Agents can now connect to McpAgent instances in the same Worker using RPC transport — no HTTP, no network overhead. Pass the Durable Object namespace directly:

  // In your Agent
  await this.addMcpServer("counter", env.MY_MCP);
  // With props
  await this.addMcpServer("counter", env.MY_MCP, {
  props: { userId: "user-123", role: "admin" },
  });

  The addMcpServer method now accepts string | DurableObjectNamespace as the second parameter with proper TypeScript overloads, so HTTP and RPC paths are type-safe and cannot be mixed.

  Hibernation support

  RPC connections survive Durable Object hibernation automatically. The binding name and props are persisted to storage and restored on wake-up, matching the behavior of HTTP MCP connections. No need to manually re-establish connections in onStart().

  Deduplication

  Calling addMcpServer with the same server name multiple times (e.g., across hibernation cycles) now returns the existing connection instead of creating duplicates. This applies to both RPC and HTTP connections. Connection IDs are stable across hibernation restore.

  Other changes

  • Rewrote RPCClientTransport to accept a DurableObjectNamespace and create the stub internally via getServerByName from partyserver, instead of requiring a pre-constructed stub
  • Rewrote RPCServerTransport to drop session management (unnecessary for DO-scoped RPC) and use JSONRPCMessageSchema from the MCP SDK for validation instead of 170 lines of hand-written validation
  • Removed _resolveRpcBinding, _buildRpcTransportOptions, _buildHttpTransportOptions, and _connectToMcpServerInternal from the Agent base class — RPC transport logic no longer leaks into index.ts
  • Added AddRpcMcpServerOptions type (discriminated from AddMcpServerOptions) so props is only available when passing a binding
  • Added RPC_DO_PREFIX constant used consistently across all RPC naming
  • Fixed MCPClientManager.callTool passing serverId through to conn.client.callTool (it should be stripped before the call)
  • Added getRpcServersFromStorage() and saveRpcServerToStorage() to MCPClientManager for hibernation persistence
  • restoreConnectionsFromStorage now skips RPC servers (restored separately by the Agent class which has access to env)
  • Reduced rpc.ts from 609 lines to 245 lines
  • Reduced types.ts from 108 lines to 26 lines
  • Updated mcp-rpc-transport example to use Workers AI (no API keys needed), Kumo/agents-ui components, and Tailwind CSS
  • Updated MCP transports documentation

Patch Changes

• #973 969fbff Thanks @​threepointone! - Update dependencies

• #960 179b8cb Thanks @​mattzcarey! - Harden JSON Schema to TypeScript converter for production use

  • Add depth and circular reference guards to prevent stack overflows on recursive or deeply nested schemas

... (truncated)

Commits

• 2468dfa Version Packages (#964)
• 179b8cb feat(codemode): support AI SDK jsonSchema wrapper + production-harden schema ...
• 97c6702 Warn on experimental RPC transport usage
• 0e9a607 RPC transport (#565)
• 969fbff Update dependencies and x402 EVM signer usage (#973)
• b848008 Make callbackHost optional for MCP servers (#963)
• 8edbb61 Update docs and playground demos, add exports
• 89eebf1 Version Packages (#940)
• 943c407 Remove ts-expect-error comments & bump deps (#954)
• 90e54da refactor(codemode): modular SDK — remove internal LLM, add Executor interface...
• Additional commits viewable in compare view

Updates wrangler from 4.50.0 to 4.59.1

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.