Skip to content

chore: bump the npm-non-major group across 1 directory with 8 updates#1013

Closed
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-non-major-ed8778dc3c
Closed

chore: bump the npm-non-major group across 1 directory with 8 updates#1013
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/npm-non-major-ed8778dc3c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-non-major group with 8 updates in the / directory:

Package From To
@sentry/react 10.58.0 10.59.0
dompurify 3.4.10 3.4.11
katex 0.16.47 0.17.0
react-aria 3.49.0 3.50.0
@cloudflare/vite-plugin 1.41.0 1.42.1
oxfmt 0.45.0 0.56.0
oxlint 1.70.0 1.71.0
wrangler 4.101.0 4.103.0

Updates @sentry/react from 10.58.0 to 10.59.0

Release notes

Sourced from @​sentry/react's releases.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)
  • ci: Do not apply Bug label to flaky test issues (#21593)

... (truncated)

Changelog

Sourced from @​sentry/react's changelog.

10.59.0

Important Changes

  • feat(react-router): Add support for React Router v8 (#21633)

    The SDK now supports React Router v8, in both the framework and SPA (@sentry/react) modes.

  • feat(react): Add version-agnostic React Router SPA exports (#21633)

    @sentry/react now exports version-agnostic wrappers for React Router v6+ SPA instrumentation. The new exports replace the version-specific V6/V7 variants, which are now deprecated:

    Deprecated New
    reactRouterV6BrowserTracingIntegration / V7 reactRouterBrowserTracingIntegration
    withSentryReactRouterV6Routing / V7 wrapReactRouterRouting
    wrapCreateBrowserRouterV6 / V7 wrapCreateBrowserRouter
    wrapCreateMemoryRouterV6 / V7 wrapCreateMemoryRouter
    wrapUseRoutesV6 / V7 wrapUseRoutes

    The deprecated exports continue to work and will be removed in the next major version.

Other Changes

  • feat(aws-serverless): Instrument aws-sdk clients >= 3.1046.0 (#21548)
  • feat(bun): Add orchestrion bun build plugin (#21410)
  • feat(cloudflare): Instrument sync KV (#21316)
  • feat(core): Disable gen_ai message truncation by default when streamGenAiSpans is enabled (#21603)
  • feat(deno): Add orchestrion deno runtime hook (#21451)
  • feat(hono): Extend peer dependency range (#21550)
  • feat(node): Collapse orchestrion opt-in to a single option (#20900)
  • fix: Diagnostics channel Node v18 (#21631)
  • fix(browser): Clean up pageload readystatechange listener (#21632)
  • fix(core): Capture scopes on span before emitting spanStart event (#21644)
  • fix(core): Defer TwP sampling by reading trace state from the scope (#21549)
  • fix(core): Prevent outgoing HTTP instrumentation from crashing on // request paths (#21645)
  • fix(core): Set production as default sentry.environment attribute value on streamed spans (#21637)
  • fix(nextjs): Register safe random ID context at module load (#21573)
  • chore: Change deprecation/deprecation to oxlint equivalent (#21604)
  • chore: Switch license headers to SPDX format (#21357)
  • chore(deps-dev): Bump esbuild from 0.20.0 to 0.28.1 (#21511)
  • chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/test-applications/node-profiling-esm (#21514)
  • chore(deps): Bump react-router-6 to 6.30.4 (#21566)
  • ci: Assign server team as codeowner for server-utils package (#21601)
  • ci: Dedup flaky test issues across esm/cjs variants (#21595)

... (truncated)

Commits
  • 2cb0ef6 release: 10.59.0
  • f77b265 Merge pull request #21655 from getsentry/prepare-release/10.59.0
  • 8e32a8d meta(changelog): Update changelog for 10.59.0
  • 50fe5d9 fix: Diagnostics channel Node v18 (#21631)
  • 9c765e0 feat(react-router): support react router v8 (#21633)
  • 815c1cf feat(deps): Bump @​babel/core from 7.29.0 to 7.29.6 (#21574)
  • a520447 ref(tanstackstart-react): Use @sentry/conventions (#21498)
  • 38a0485 test(cloudflare): Remove mock in DO tests (#21634)
  • cb69761 feat(deno): Add orchestrion deno runtime hook (#21451)
  • 1e057ba chore(deps): Bump esbuild from 0.25.0 to 0.28.1 in /dev-packages/e2e-tests/te...
  • Additional commits viewable in compare view

Updates dompurify from 3.4.10 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible
Commits

Updates katex from 0.16.47 to 0.17.0

Release notes

Sourced from katex's releases.

v0.17.0

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.
Changelog

Sourced from katex's changelog.

0.17.0 (2026-05-22)

Performance Improvements

  • simplify defineFunction to avoid destructuring, improve typing (#4222) (fb604e6)

BREAKING CHANGES

  • The internal API for __defineFunction changed: you should no longer wrap properties in props.
Commits
  • 3dec549 chore(release): 0.17.0 [ci skip]
  • fb604e6 perf: simplify defineFunction to avoid destructuring, improve typing (#4222)
  • 6caa636 refactor: tighten ParseNode types (#4219)
  • afed784 docs: make first supportive organizations logos bigger (#4216)
  • b02d9ac chore(deps): update dependency webpack-dev-server to v5.2.4 [security] (#4220)
  • See full diff in compare view

Updates react-aria from 3.49.0 to 3.50.0

Commits
  • 1c84a49 Publish
  • 208099b chore: omit isNonModal from ContextualHelpPopover (#10224)
  • a064c19 docs: add S2 audit skill (#10160)
  • 0594914 chore: update chat story prompts to be more realistic (#10223)
  • b8b0688 chore: Audit style props in AI package (#10218)
  • cb43c8c docs: add CenterBaseline to style macro docs (#10216)
  • 003d04d chore: remove horizontal card from ai export (#10217)
  • 358d6d8 chore: make sure Tree keyboard navigation docs example renders fully on small...
  • edceb07 chore: Expose keyboardNavigationBehavior="tab" in S2 (#10206)
  • 6e132fb Revert "fix: preserve selection anchor for multi-Select range selection (#101...
  • Additional commits viewable in compare view

Updates @cloudflare/vite-plugin from 1.41.0 to 1.42.1

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.42.1

Patch Changes

  • #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

    • wrangler@4.103.0
    • miniflare@4.20260617.1

@​cloudflare/vite-plugin@​1.42.0

Minor Changes

  • #14339 aa49856 Thanks @​jamesopstad! - Add a build command to the experimental, internal cf-vite delegate binary

    cf-vite build runs Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained .cloudflare/output/v0/ directory. It forces experimental.newConfig and experimental.newConfig.cfBuildOutput on, so a cloudflare.config.ts is required at the project root.

Patch Changes

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14351 6c7df19 Thanks @​jamesopstad! - Force the experimental new config on by default in the cf-vite dev delegate

  • #14218 4eed569 Thanks @​matingathani! - Allow resolve.external containing only Node.js built-ins in Worker environments

    Vitest 4 automatically sets resolve.external to the full list of Node.js built-in modules for non-standard Vite environments via its internal runnerTransform plugin. Previously, the Cloudflare Vite plugin rejected any non-empty resolve.external array, throwing an incompatibility error on startup when used alongside Vitest 4.

    The validation check now allows resolve.external arrays that contain only Node.js built-in module names (both bare fs and node:fs forms). The error is only thrown when resolve.external is true or contains non-built-in package names that would prevent user code from being bundled into the Worker.

  • Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

    • miniflare@4.20260617.0
    • wrangler@4.102.0
Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.42.1

Patch Changes

  • #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:

    • wrangler@4.103.0
    • miniflare@4.20260617.1

1.42.0

Minor Changes

  • #14339 aa49856 Thanks @​jamesopstad! - Add a build command to the experimental, internal cf-vite delegate binary

    cf-vite build runs Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained .cloudflare/output/v0/ directory. It forces experimental.newConfig and experimental.newConfig.cfBuildOutput on, so a cloudflare.config.ts is required at the project root.

Patch Changes

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14351 6c7df19 Thanks @​jamesopstad! - Force the experimental new config on by default in the cf-vite dev delegate

  • #14218 4eed569 Thanks @​matingathani! - Allow resolve.external containing only Node.js built-ins in Worker environments

    Vitest 4 automatically sets resolve.external to the full list of Node.js built-in modules for non-standard Vite environments via its internal runnerTransform plugin. Previously, the Cloudflare Vite plugin rejected any non-empty resolve.external array, throwing an incompatibility error on startup when used alongside Vitest 4.

    The validation check now allows resolve.external arrays that contain only Node.js built-in module names (both bare fs and node:fs forms). The error is only thrown when resolve.external is true or contains non-built-in package names that would prevent user code from being bundled into the Worker.

  • Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

    • miniflare@4.20260617.0
    • wrangler@4.102.0
Commits
  • 4d8ffcb Version Packages (#14353)
  • cfd6205 Extract autoconfig in its own standalone package (#14295)
  • dd7e101 Version Packages (#14327)
  • 6c7df19 Force the experimental new config on by default in the cf-vite dev delegate (...
  • aa49856 Add build command to cf-vite (#14339)
  • 4eed569 [vite-plugin] fix: allow Node.js built-ins in resolve.external for Worker env...
  • 36777db Wrangler support for experimental Build Output API (#14324)
  • See full diff in compare view

Updates oxfmt from 0.45.0 to 0.56.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

[0.55.0] - 2026-06-15

🚀 Features

  • 9a2788b linter/unicorn: Implement prefer-export-from rule (#22935) (AliceLanniste)

[0.54.0] - 2026-06-08

📚 Documentation

  • dadafe3 oxlint, oxfmt: Mention migrate skills in npm READMEs (#22965) (Boshen)
  • f88961a oxfmt: Annotate each config option with supported languages (#22953) (leaysgur)

[0.52.0] - 2026-05-26

🚀 Features

  • 16b8058 oxfmt: Support vite-plus/resolveConfig for vite.config.ts (#22454) (leaysgur)

[0.50.0] - 2026-05-15

🐛 Bug Fixes

  • 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

[0.49.0] - 2026-05-11

🚀 Features

  • 6e8e818 oxfmt: Experimental .svelte support (#21700) (leaysgur)
Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • aa79b5b release(apps): oxlint v1.70.0 && oxfmt v0.55.0 (#23442)
  • 9a2788b feat(linter/unicorn): implement prefer-export-from rule (#22935)
  • 44ae845 release(apps): oxlint v1.69.0 && oxfmt v0.54.0 (#23116)
  • dadafe3 docs(oxlint, oxfmt): mention migrate skills in npm READMEs (#22965)
  • f88961a docs(oxfmt): annotate each config option with supported languages (#22953)
  • 964a758 release(apps): oxlint v1.68.0 && oxfmt v0.53.0 (#22883)
  • 68b455d release(apps): oxlint v1.67.0 && oxfmt v0.52.0 (#22735)
  • 16b8058 feat(oxfmt): Support vite-plus/resolveConfig for vite.config.ts (#22454)
  • 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
  • Additional commits viewable in compare view

Updates oxlint from 1.70.0 to 1.71.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.71.0] - 2026-06-22

🚀 Features

  • 0dc2405 linter: Add schema for eslint/no-restricted-properties (#23619) (Sysix)
  • b638d0e linter: Add schema for node/callback-return (#23615) (Sysix)
  • eb8bedc linter: Add schema for import/extensions (#23557) (WaterWhisperer)
  • 46f3625 linter: Implement node/no-sync rule (#23589) (fujitani sora)
  • b01739a linter: Add schema for unicorn/numeric-separators-style (#23554) (Mikhail Baev)
  • 68afd2a linter/node: Implement no-mixed-requires rule (#23539) (fujitani sora)
  • a421215 linter: Add schema for eslint/prefer-destructuring (#23410) (WaterWhisperer)
  • 84438be linter/jsdoc: Added missing options to require-param-description (#23416) (kapobajza)
  • 51910df linter/jsdoc: Add missing options to require-param-type rule (#23418) (kapobajza)
  • e90925f linter/unicorn: Implement prefer-number-coercion rule (#23497) (Shekhu☺️)
  • dd1c866 linter/vue: Implement no-async-in-computed-properties rule (#23493) (bab)
  • b02444e linter: Add schema for react/jsx-no-script-url (#23475) (WaterWhisperer)
  • a8dce46 linter/unicorn: Implement max-nested-calls rule (#23461) (arieleli01212)

🐛 Bug Fixes

  • a303c23 linter/jsx-a11y: Align anchor-is-valid config with upstream (#23446) (camc314)

📚 Documentation

  • b50bf4d linter: Remove manually written options doc for eslint/arrow-body-style (#23490) (Mikhail Baev)
Commits
  • c4be770 release(apps): oxlint v1.71.0 && oxfmt v0.56.0 (#23707)
  • 0dc2405 feat(linter): add schema for eslint/no-restricted-properties (#23619)
  • b638d0e feat(linter): add schema for node/callback-return (#23615)
  • 6d355ab refactor(linter): remove number_as_object_schema helper (#23614)
  • eb8bedc feat(linter): add schema for import/extensions (#23557)
  • 46f3625 feat(linter): implement node/no-sync rule (#23589)
  • 953c7b3 refactor(linter): make unicorn/numeric-separators-style options u32 (#23558)
  • b01739a feat(linter): add schema for unicorn/numeric-separators-style (#23554)
  • 68afd2a feat(linter/node): implement no-mixed-requires rule (#23539)
  • b08e9f5 refactor(linter): re-enable schema for `jsx_a11y/no-noninteractive-element-in...
  • Additional commits viewable in compare view

Updates wrangler from 4.101.0 to 4.103.0

Release notes

Sourced from wrangler's releases.

wrangler@4.103.0

Minor Changes

  • #14295 cfd6205 Thanks @​dario-piotrowicz! - Move unstable_getWorkerNameFromProject from wrangler to @cloudflare/workers-utils

    The unstable_getWorkerNameFromProject export has been removed from the wrangler package. This function is now available as getWorkerNameFromProject (without the unstable_ prefix) from @cloudflare/workers-utils. If you were importing this function from wrangler, update your import to use @cloudflare/workers-utils instead.

  • #14295 cfd6205 Thanks @​dario-piotrowicz! - Remove experimental autoconfig exports

    The experimental autoconfig exports (experimental_getDetailsForAutoConfig, experimental_runAutoConfig, experimental_AutoConfigFramework) have been removed. This logic has been moved to the @cloudflare/autoconfig package (without the experimental_ prefixes since the package itself is pre-v1).

Patch Changes

  • #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • #14316 444b75e Thanks @​matingathani! - Prevent wrangler dev crash when source-mapping a truncated error chunk

    When a worker logs many errors in quick succession, the stderr chunks received by wrangler dev can be truncated mid-stack-frame, leaving a call site with an invalid column number. The source map library throws in that case, which was crashing the wrangler process entirely. The error is now caught and the original (un-source-mapped) text is returned instead.

  • #14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

    A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #14101.

  • Updated dependencies [b38823f]:

    • miniflare@4.20260617.1

wrangler@4.102.0

Minor Changes

  • #14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

    The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

  • #14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

    When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

  • #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

... (truncated)

Commits

Bumps the npm-non-major group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@sentry/react](https://github.com/getsentry/sentry-javascript) | `10.58.0` | `10.59.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.10` | `3.4.11` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.47` | `0.17.0` |
| [react-aria](https://github.com/adobe/react-spectrum) | `3.49.0` | `3.50.0` |
| [@cloudflare/vite-plugin](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vite-plugin-cloudflare) | `1.41.0` | `1.42.1` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.45.0` | `0.56.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.70.0` | `1.71.0` |
| [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.101.0` | `4.103.0` |



Updates `@sentry/react` from 10.58.0 to 10.59.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.58.0...10.59.0)

Updates `dompurify` from 3.4.10 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.10...3.4.11)

Updates `katex` from 0.16.47 to 0.17.0
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](KaTeX/KaTeX@v0.16.47...v0.17.0)

Updates `react-aria` from 3.49.0 to 3.50.0
- [Release notes](https://github.com/adobe/react-spectrum/releases)
- [Commits](https://github.com/adobe/react-spectrum/compare/react-aria@3.49.0...react-aria@3.50.0)

Updates `@cloudflare/vite-plugin` from 1.41.0 to 1.42.1
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vite-plugin-cloudflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vite-plugin@1.42.1/packages/vite-plugin-cloudflare)

Updates `oxfmt` from 0.45.0 to 0.56.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.56.0/npm/oxfmt)

Updates `oxlint` from 1.70.0 to 1.71.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.71.0/npm/oxlint)

Updates `wrangler` from 4.101.0 to 4.103.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.103.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: "@sentry/react"
  dependency-version: 10.59.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-non-major
- dependency-name: katex
  dependency-version: 0.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: react-aria
  dependency-version: 3.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: "@cloudflare/vite-plugin"
  dependency-version: 1.42.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: oxfmt
  dependency-version: 0.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: oxlint
  dependency-version: 1.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
- dependency-name: wrangler
  dependency-version: 4.103.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-non-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the internal label Jun 30, 2026
@dependabot dependabot Bot requested review from 7w1 and hazre as code owners June 30, 2026 01:27
@dependabot dependabot Bot added the internal label Jun 30, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 1, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-non-major-ed8778dc3c branch July 1, 2026 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants