chore(deps): bump the all-dependencies group with 7 updates

[dependabot]

Bumps the all-dependencies group with 7 updates:

Package	From	To
@opennextjs/cloudflare	1.19.9	1.19.10
@tanstack/react-query	5.100.10	5.100.11
@cloudflare/workers-types	4.20260511.1	4.20260518.1
@types/node	20.19.40	20.19.41
oxfmt	0.49.0	0.50.0
oxlint	1.64.0	1.65.0
wrangler	4.90.0	4.92.0

Updates @opennextjs/cloudflare from 1.19.9 to 1.19.10

Release notes

Sourced from @​opennextjs/cloudflare's releases.

@​opennextjs/cloudflare@​1.19.10

Patch Changes

• #1261 780dd4f Thanks @​vicb! - Allow populating R2 when the domain is protected by Cloudflare Access

  You need to:

  • create a "Service Auth" policy for "open-next-cache-populate..workers.dev"
  • add an "Include" rule for "Any Access Service Token" or for a given service token ("Service Token")
  • populate the env variables CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET

Changelog

Sourced from @​opennextjs/cloudflare's changelog.

1.19.10

Patch Changes

• #1261 780dd4f Thanks @​vicb! - Allow populating R2 when the domain is protected by Cloudflare Access

  You need to:

  • create a "Service Auth" policy for "open-next-cache-populate..workers.dev"
  • add an "Include" rule for "Any Access Service Token" or for a given service token ("Service Token")
  • populate the env variables CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET

Commits

• 49eade5 Version Packages (#1266)
• 780dd4f Allow populating R2 when the domain is protected by Cloudflare Access (#1261)
• See full diff in compare view

Updates @tanstack/react-query from 5.100.10 to 5.100.11

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-next-experimental@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-persist-client@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.11
  • @​tanstack/react-query@​5.100.11

@​tanstack/react-query@​5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

Commits

• See full diff in compare view

Updates @cloudflare/workers-types from 4.20260511.1 to 4.20260518.1

Commits

• See full diff in compare view

Updates @types/node from 20.19.40 to 20.19.41

Commits

• See full diff in compare view

Updates oxfmt from 0.49.0 to 0.50.0

Changelog

Sourced from oxfmt's changelog.

[0.50.0] - 2026-05-15

🐛 Bug Fixes

• 43b9978 formatter/sort_imports: Treat subpath imports as internal (#22440) (leaysgur)

Commits

• 25e5cbc release(apps): oxlint v1.65.0 && oxfmt v0.50.0 (#22458)
• 43b9978 fix(formatter/sort_imports): Treat subpath imports as internal (#22440)
• See full diff in compare view

Updates oxlint from 1.64.0 to 1.65.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.65.0] - 2026-05-15

🚀 Features

• 5478fb5 linter/jsdoc: Implement require-throws-description rule (#22386) (Mikhail Baev)
• c73225e linter/eslint: Implement prefer-arrow-callback rule (#22312) (박천(Cheon Park))
• de82b59 linter: Add support for eslint-plugin-jsx-a11y-x (#22356) (mehm8128)
• f44b6c8 linter: Fill schemas DummyRuleMap with built-in rules (#22288) (Sysix)

Commits

• 25e5cbc release(apps): oxlint v1.65.0 && oxfmt v0.50.0 (#22458)
• 5478fb5 feat(linter/jsdoc): implement require-throws-description rule (#22386)
• c73225e feat(linter/eslint): implement prefer-arrow-callback rule (#22312)
• de82b59 feat(linter): add support for eslint-plugin-jsx-a11y-x (#22356)
• 7daa96b chore(linter): update schema json & config (#22365)
• f44b6c8 feat(linter): fill schemas DummyRuleMap with built-in rules (#22288)
• See full diff in compare view

Updates wrangler from 4.90.0 to 4.92.0

Release notes

Sourced from wrangler's releases.

wrangler@4.92.0

Minor Changes

• #13670 506aa02 Thanks @​elithrar! - Add wrangler artifacts commands for managing Artifacts repos and repo tokens.

  This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access.

  The new commands support both human-readable output and --json output so they fit existing Wrangler automation patterns.

• #13916 be8a98c Thanks @​emily-shen! - Add --keep-vars flag to wrangler versions upload, matching the existing behavior in wrangler deploy. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload.

Patch Changes

• #13926 19ed49a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260511.1	1.20260515.1

• #11471 3ff0a50 Thanks @​HW13! - Improve wrangler types --env-interface for multi-worker projects.

  Custom env interfaces generated by wrangler types no longer expand from Cloudflare.Env, avoiding some unintended type expansion when multiple workers' generated types are used together.

• #13910 bf688f7 Thanks @​timoconnellaus! - Fix Failed to fetch auth token: 401 Unauthorized from sibling-rotated refresh tokens

  refreshToken previously used the refresh token from module-level localState, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (~/Library/Preferences/.wrangler/config/default.toml on macOS). The long-lived process — typically wrangler dev — then sends its stale in-memory token on the next refresh and gets 401 Unauthorized from https://dash.cloudflare.com/oauth2/token, falling through to interactive login and timing out unattended.

  refreshToken now calls reinitialiseAuthTokens() before exchanging, picking up the latest refresh token written by any sibling process. The previously empty catch {} also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving.

• #13843 2e72c83 Thanks @​nzws! - Fix wrangler versions secret put/delete/bulk to preserve the existing version's placement settings

  When creating a new version via wrangler versions secret, the previous code only re-emitted a bare { mode: "smart" } placement when the API reported placement_mode === "smart", dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip.

• #13908 802eaf4 Thanks @​shiminshen! - fix: stop rewriting query strings that happen to contain the request Host

  wrangler dev previously rewrote occurrences of the outer host inside request.url's query string. For example, a request to ?echo=https%3A%2F%2Fdevelopment.test%2Fpath with Host: development.test would be seen by the user worker as ?echo=https%3A%2F%2Fproduction.test%2Fpath, silently mutating opaque application data such as redirect_uri values in OAuth flows.

  The proxy worker now sets the internal MF-Original-URL header after its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string.

• #13827 8f5cdb1 Thanks @​greyvugrin! - Fix multi-environment warning when CLOUDFLARE_ENV is set

  Commands that warn when multiple environments are configured but none is specified (e.g. wrangler deploy, wrangler secret put) were not accounting for the CLOUDFLARE_ENV environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via CLOUDFLARE_ENV.

• Updated dependencies [19ed49a]:

  • miniflare@4.20260515.0

wrangler@4.91.0

Minor Changes

... (truncated)

Commits

• a3fa623 Version Packages (#13918)
• 802eaf4 fix(wrangler): stop rewriting query strings that contain the request Host (#1...
• 2e72c83 [wrangler] Preserve placement on versions secret commands (#13843)
• 19ed49a build(deps): bump the workerd-and-workers-types group with 2 updates (#13926)
• 3ff0a50 fix: wrangler types decouple env-interface from namespace (#11471)
• 506aa02 [wrangler] Add artifacts CLI commands (#13670)
• 8f5cdb1 fix(wrangler): hide multi-env warning when env is set via CLOUDFLARE_ENV (#13...
• be8a98c refactor deploy/versions upload (part 1) (#13916)
• bf688f7 [wrangler] fix: re-read refresh_token from disk to avoid 401 from sibling-pro...
• adbf8cb Version Packages (#13895)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions