chore(deps): bump incur from 0.4.8 to 0.4.9 in the production-dependencies group

[dependabot]

Bumps the production-dependencies group with 1 update: incur.

Updates incur from 0.4.8 to 0.4.9

Release notes

Sourced from incur's releases.

incur@0.4.9

Patch Changes

• 0720a24: Added custom global options support via globals and globalAlias on Cli.create().
• 7e94269: Added destructive command hints to generated skill files.
• a14e41d: Fixed BigInt serialization across JSON, JSONL, MCP, and fetch output paths.
• cb05897: Fixed MCP registration command detection for global, local, and source-launched CLIs.
• 15c9068: Defaulted MCP-over-HTTP to stateless transport behavior and returned 405 for unsupported stateless methods.
• 1c52be9: Lazy-loaded YAML and MCP SDK imports outside plain command runs.
• dc0faff: Added typed MCP command metadata for instructions and annotations.
• 1cbe459: Fixed HTTP and MCP command input validation to return standard validation field errors for object-shaped inputs.
• 43c1551: Added banner option to Cli.create for displaying custom content above root help output with sync/async functions, error swallowing, and mode targeting.
• a0f469f: Fixed streaming command terminal records so HTTP NDJSON responses preserved returned c.ok() CTA metadata, represented returned or yielded c.error() values as terminal errors, included terminal duration metadata, unwound generators on response cancellation, and preserved IncurError.retryable metadata in streaming machine-format errors.
• 9a43129: Surfaced c.ok(..., { cta }) metadata on MCP tool responses under _meta.cta.
• a0f469f: Fixed generated and synced skills to use the same command projection as CLI skill output, avoided duplicate skills for command aliases, preserved output schemas and examples consistently, and included the fetch gateway skill hint for fetch-based commands.
• bffbdf4: Typed the root command hint option on Cli.create.

Changelog

Sourced from incur's changelog.

0.4.9

Patch Changes

• 0720a24: Added custom global options support via globals and globalAlias on Cli.create().
• 7e94269: Added destructive command hints to generated skill files.
• a14e41d: Fixed BigInt serialization across JSON, JSONL, MCP, and fetch output paths.
• cb05897: Fixed MCP registration command detection for global, local, and source-launched CLIs.
• 15c9068: Defaulted MCP-over-HTTP to stateless transport behavior and returned 405 for unsupported stateless methods.
• 1c52be9: Lazy-loaded YAML and MCP SDK imports outside plain command runs.
• dc0faff: Added typed MCP command metadata for instructions and annotations.
• 1cbe459: Fixed HTTP and MCP command input validation to return standard validation field errors for object-shaped inputs.
• 43c1551: Added banner option to Cli.create for displaying custom content above root help output with sync/async functions, error swallowing, and mode targeting.
• a0f469f: Fixed streaming command terminal records so HTTP NDJSON responses preserved returned c.ok() CTA metadata, represented returned or yielded c.error() values as terminal errors, included terminal duration metadata, unwound generators on response cancellation, and preserved IncurError.retryable metadata in streaming machine-format errors.
• 9a43129: Surfaced c.ok(..., { cta }) metadata on MCP tool responses under _meta.cta.
• a0f469f: Fixed generated and synced skills to use the same command projection as CLI skill output, avoided duplicate skills for command aliases, preserved output schemas and examples consistently, and included the fetch gateway skill hint for fetch-based commands.
• bffbdf4: Typed the root command hint option on Cli.create.

Commits

• 33491cc chore: version packages (#165)
• 15c9068 fix: default /mcp http transport to stateless
• 9a43129 feat(mcp): surface tool cta metadata (#169)
• bffbdf4 fix: type Cli.create root command hint
• 7e94269 feat(skills): add destructive command hints (#166)
• 77cf379 chore: normalize changesets
• 0720a24 feat: custom global options (#98)
• 713bb95 fix(cli): preserve stream terminal records
• dc0faff feat: add support for instructions and annotations (#130)
• 1c52be9 perf: lazy-load yaml and the MCP SDK off the command-run hot path (#160)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	incur@​0.4.9

View full report