Bump undici, @actions/github, @cloudflare/vitest-pool-workers and wrangler

[dependabot]

Bumps undici to 6.27.0 and updates ancestor dependencies undici, @actions/github, @cloudflare/vitest-pool-workers and wrangler. These dependencies need to be updated together.

Updates undici from 6.21.1 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0 — v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	6.27.0	b7f252e7
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	6.27.0	25efa447
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	6.27.0	25efa447
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	6.27.0	f4c31d60

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

---

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

• 551138c Bumped v6.27.0 (#5431)
• b7f252e Backport WebSocket maxPayloadSize fixes to v7.x (#5423) (#5428)
• 25efa44 fix(cookies): preserve values and parse SameSite strictly
• f4c31d6 fix: guard idle socket validation to skip fresh sockets (#5400)
• 768beac Bumped v6.26.0 (#5323)
• 7917b25 fix: validate EOF for chunked h1 responses (#5308)
• 3420499 Bumped v6.25.0 (#5029)
• d7a1e55 feat: add configurable maxPayloadSize for WebSocket (#4955)
• a9d1848 Do not mark v6.x releases as latest
• 0126586 Ignore local agent configuration files
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Updates @actions/github from 6.0.1 to 9.1.1

Changelog

Sourced from @​actions/github's changelog.

9.1.1

• Bump undici from 6.23.0 to 6.24.0 #2346

9.1.0

• Append actions_orchestration_id to user-agent when the ACTIONS_ORCHESTRATION_ID environment variable is set #2364

9.0.0

• Breaking change: Package is now ESM-only
  • CommonJS consumers must use dynamic import() instead of require()
  • Example: const { getOctokit, context } = await import('@actions/github')
• Fix TypeScript compilation by migrating to ESM, enabling proper imports from @octokit/core/types

8.0.1

• Update undici to 6.23.0
• Update @actions/http-client to 3.0.2

8.0.0

• Update @​octokit dependencies
  • @octokit/core ^7.0.6
  • @octokit/plugin-paginate-rest ^14.0.0
  • @octokit/plugin-rest-endpoint-methods ^17.0.0
  • @octokit/request ^10.0.7
  • @octokit/request-error ^7.1.0
• Breaking change: Minimum Node.js version is now 20 (previously 18)

7.0.0

• Update to v3.0.1 of @actions/http-client

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​actions/github since your current version.

Updates @cloudflare/vitest-pool-workers from 0.9.11 to 0.16.18

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.16.18

Patch Changes

• Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:
  • wrangler@4.103.0
  • miniflare@4.20260617.1

@​cloudflare/vitest-pool-workers@​0.16.17

Patch Changes

• #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

  This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

• Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

  • miniflare@4.20260617.0
  • wrangler@4.102.0

@​cloudflare/vitest-pool-workers@​0.16.16

Patch Changes

• Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, ecfdd5a, 604be26, 1fb7ba5, 208b3bb, 41f391f, 32f9307, 8b2ce41, 3578919, ee82c76, 41f391f, 21dbc12, 7e63948, 035917f]:
  • miniflare@4.20260616.0
  • wrangler@4.101.0

@​cloudflare/vitest-pool-workers@​0.16.15

Patch Changes

• Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:
  • wrangler@4.100.0
  • miniflare@4.20260611.0

@​cloudflare/vitest-pool-workers@​0.16.14

Patch Changes

• Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:
  • wrangler@4.99.0
  • miniflare@4.20260609.0

@​cloudflare/vitest-pool-workers@​0.16.13

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@4.98.0
  • miniflare@4.20260603.0

@​cloudflare/vitest-pool-workers@​0.16.12

Patch Changes

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.16.18

Patch Changes

• Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:
  • wrangler@4.103.0
  • miniflare@4.20260617.1

0.16.17

Patch Changes

• #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

  This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

• Updated dependencies [673b09e, e930bd4, f6e49dd, 5c3bb11, 296ad65, 594544d, a79b899, 5dfb788, ca61558, 36777db]:

  • miniflare@4.20260617.0
  • wrangler@4.102.0

0.16.16

Patch Changes

• Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, ecfdd5a, 604be26, 1fb7ba5, 208b3bb, 41f391f, 32f9307, 8b2ce41, 3578919, ee82c76, 41f391f, 21dbc12, 7e63948, 035917f]:
  • miniflare@4.20260616.0
  • wrangler@4.101.0

0.16.15

Patch Changes

• Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:
  • wrangler@4.100.0
  • miniflare@4.20260611.0

0.16.14

Patch Changes

• Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:
  • wrangler@4.99.0
  • miniflare@4.20260609.0

0.16.13

Patch Changes

... (truncated)

Commits

• 4d8ffcb Version Packages (#14353)
• dd7e101 Version Packages (#14327)
• 89a753e Version Packages (#14274)
• 341bd13 Version Packages (#14237)
• 8a4bfe5 Version Packages (#14179)
• c8c366e Version Packages (#14159)
• 0b60424 Version Packages (#14142)
• 3d7992e [vitest-pool-workers] Fix module resolution for paths with spaces (#14152)
• da8e306 [vitest-pool-workers] Preserve Durable Object handler order (for hibernated D...
• 0998725 Set disallowTypeAnnotations to false in `@typescript-eslint/consistent-ty...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​cloudflare/vitest-pool-workers since your current version.

Updates wrangler from 4.40.2 to 4.103.0

Release notes

Sourced from wrangler's releases.

wrangler@4.103.0

Minor Changes

• #14295 cfd6205 Thanks @​dario-piotrowicz! - Move unstable_getWorkerNameFromProject from wrangler to @cloudflare/workers-utils

  The unstable_getWorkerNameFromProject export has been removed from the wrangler package. This function is now available as getWorkerNameFromProject (without the unstable_ prefix) from @cloudflare/workers-utils. If you were importing this function from wrangler, update your import to use @cloudflare/workers-utils instead.

• #14295 cfd6205 Thanks @​dario-piotrowicz! - Remove experimental autoconfig exports

  The experimental autoconfig exports (experimental_getDetailsForAutoConfig, experimental_runAutoConfig, experimental_AutoConfigFramework) have been removed. This logic has been moved to the @cloudflare/autoconfig package (without the experimental_ prefixes since the package itself is pre-v1).

Patch Changes

• #14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

  When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

  Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

• #14316 444b75e Thanks @​matingathani! - Prevent wrangler dev crash when source-mapping a truncated error chunk

  When a worker logs many errors in quick succession, the stderr chunks received by wrangler dev can be truncated mid-stack-frame, leaving a call site with an invalid column number. The source map library throws in that case, which was crashing the wrangler process entirely. The error is now caught and the original (un-source-mapped) text is returned instead.

• #14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

  A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #14101.

• Updated dependencies [b38823f]:

  • miniflare@4.20260617.1

wrangler@4.102.0

Minor Changes

• #14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

  The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

• #14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

  When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

• #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

  GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

... (truncated)

Commits

• 4d8ffcb Version Packages (#14353)
• 7649895 move auto provisioning to deploy-helpers (#14354)
• cfd6205 Extract autoconfig in its own standalone package (#14295)
• dd7e101 Version Packages (#14327)
• 5dfb788 Support dev.plugin on typed services bindings (#14269)
• 296ad65 Bump the workerd-and-workers-types group across 1 directory with 2 updates (#...
• f6e49dd add build command to cf-wrangler (#14340)
• 36777db Wrangler support for experimental Build Output API (#14324)
• a79b899 [wrangler] fix: respect find_additional_modules when no_bundle is set (#14315)
• 5c3bb11 Bump esbuild to 0.28.1 (#14314)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for wrangler since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​cloudflare/​vitest-pool-workers@​0.9.11 ⏵ 0.16.18	-1		-23
	npm/​@​actions/​github@​6.0.1 ⏵ 9.1.1			+1
	npm/​wrangler@​4.40.2 ⏵ 4.103.0	+1	+16	-2	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/@cloudflare/vitest-pool-workers@0.16.18 → npm/wrangler@4.103.0 → npm/sharp@0.34.3 → npm/@emnapi/runtime@1.11.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report