chore(deps): update all non-major dependencies#4332
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
commit: |
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
1cb06f7 to
c5d912d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^4.20260602.1→^4.20260607.1^3.0.7→^3.0.8^5.2.2→^5.3.0^29.0.2→^29.0.3^1.57.2→^1.58.0^8.10.161→^8.10.162^25.9.1→^25.9.27.0.0-dev.20260605.1→7.0.0-dev.20260607.1^4.1.7→^4.1.8^1.7.0→^1.7.2^4.20260601.0→^4.20260603.0^1.66.0→^1.68.0^19.2.6→^19.2.7^4.60.4→^4.61.1^4.61.0→^4.61.1^7.8.1→^7.8.2^2.5.113→^2.5.129^0.2.16→^0.2.17^8.0.14→^8.0.16^7.3.2→^7.3.5^4.1.7→^4.1.8^4.97.0→^4.98.0Release Notes
cloudflare/workerd (@cloudflare/workers-types)
v4.20260607.1Compare Source
v4.20260606.1Compare Source
v4.20260605.1Compare Source
v4.20260604.1Compare Source
v4.20260603.1Compare Source
microsoft/typescript-go (@typescript/native-preview)
v7.0.0-dev.20260607.1Compare Source
v7.0.0-dev.20260606.1Compare Source
vercel/geist-font (geist)
v1.7.2Compare Source
Patch Changes
a4195ae: Update Geist Pixel webfonts with Google Fonts validation fixes.Resyncs the published Geist Pixel static webfonts (
Circle,Grid,Line,Square,Triangle) with the source build, picking up the non-visual fixes made for the Google Fonts release (#229): ligature caret anchors (fi,fl,f_i,A_I,U_I), ametatable with ScriptLangTags, line/paragraph separator glyphs and removal of the visible soft hyphen, and 1-unit on-curve point alignment fixes one,eogonek, andhungarumlautcomb. No visible letterforms change.v1.7.1Compare Source
Patch Changes
c8ed578: Fix Geist Mono rendering source-code text with unintended programming ligatures.v1.7.0 unintentionally activated programming-ligature substitutions (
-->,==,!=,...,--, etc.) under theliga(Standard Ligatures) OpenType feature, which is on by default in every renderer. As a result, text like--debug-prerender,[id...],[...id], orNODE_OPTIONS='--debug-prerender' noderendered with ligated glyphs and broke monospace alignment in code.The source-level fix is in #217; this release ships the rebuilt binaries.
cloudflare/workers-sdk (miniflare)
v4.20260603.0Compare Source
Minor Changes
#14164
b502d54Thanks @G4brym! - Rename theweb_searchbinding kind towebsearchPre-launch rename of the public binding type from
web_searchtowebsearchso the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move fromweb_search/webSearchtowebsearch.Update your wrangler config:
The runtime
WebSearchtype exposed onenv.WEBSEARCHis unchanged.#13863
3b8b80aThanks @aslakhellesoy! - Support cross-worker workflow bindings via the dev registryWhen a workflow binding has a
scriptNamethat refers to a worker registered in another Miniflare instance (viaunsafeDevRegistryPath), miniflare now reroutes the engine'sUSER_WORKFLOWbinding through the dev-registry-proxy worker — the same mechanism Durable Objects already use for cross-workerscriptNamebindings.Previously the workflow engine was bound directly to a local service
core:user:<scriptName>, so workerd refused to start when that script lived in a different process.This unblocks
getPlatformProxy()(and any other split-Miniflare setup) for users whose workflow class is defined in a separate worker — for example SvelteKit/Remix on Cloudflare, whereadapter-cloudflare's dev integration runs the user's worker in a sidecar.See #7459.
Patch Changes
#14175
a3eea27Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14081
1fdd8deThanks @dario-piotrowicz! - Detect early workerd exit instead of hanging indefinitelyWhen
workerdexits during startup before writing all expected listen events to the control file descriptor (e.g. due to an IPv6 bind failure, permission error, or missing library), Miniflare'swaitForPorts()would block forever. This causedwrangler devto stall at "Starting local server..." with no error and no timeout.The fix races
waitForPorts()against the child process exit event so that any unexpectedworkerdtermination is detected immediately. Whenworkerdexits early, Miniflare now throwsERR_RUNTIME_FAILUREwith the runtime's stderr output included in the error message, making the root cause diagnosable without external tools.rollup/rollup (rollup)
v4.61.1Compare Source
2026-06-04
Bug Fixes
Pull Requests
v4.61.0Compare Source
2026-06-01
Features
Pull Requests
npm/node-semver (semver)
v7.8.2Compare Source
Bug Fixes
bea6028#870 increment dotted prerelease identifiers (#870) (@liuzemei, @SheldonNeo)vitejs/vite (vite7)
v7.3.5Compare Source
Please refer to CHANGELOG.md for details.
v7.3.3Compare Source
Please refer to CHANGELOG.md for details.
cloudflare/workers-sdk (wrangler)
v4.98.0Compare Source
Minor Changes
#14089
c6c61b5Thanks @alsuren! - Addmigrations_patternto D1 database bindingsThe D1 binding now accepts an optional
migrations_patternfield, allowing you to pointwrangler d1 migrations applyandwrangler d1 migrations listat migration files in nested layouts (e.g. ORM-generated folders likemigrations/0000_init/migration.sql).migrations_patternis a glob (relative to the wrangler config file) and defaults to${migrations_dir}/*.sql, which preserves today's behaviour. Files that do not match the pattern are not executed.{ "d1_databases": [ { "binding": "DB", "database_name": "my-db", "database_id": "...", "migrations_dir": "migrations", "migrations_pattern": "migrations/*/migration.sql" } ] }When no migrations match the configured pattern but files matching the common
migrations/*/migration.sql(drizzle-style) layout do exist, Wrangler logs a hint suggestingmigrations_patternas an opt-in.wrangler d1 migrations createnow returns an actionable error if the generated migration filename would not match the configured pattern.#14153
7a6b1a4Thanks @dario-piotrowicz! - Generalizewrangler deployandwrangler versions uploadpositional argument from[script]to[path]Both
wrangler deployandwrangler versions uploadnow accept a generic[path]positional argument that can point to either a Worker entry-point file or a directory of static assets. The type is auto-detected. For example:wrangler deploy ./src/index.tsdeploys a Worker (same as before)wrangler deploy ./publicdeploys a static assets site (no interactive confirmation prompt)The
--scriptnamed option is now hidden and deprecated for both commands. It continues to work for backwards compatibility but only accepts file paths. Passing a directory to--scriptnow produces a clear error message suggesting the positionalpathargument or--assetsflag instead.#13863
3b8b80aThanks @aslakhellesoy! -getPlatformProxy()now passes through workflow bindings that have ascript_nameWorkflows without a
script_nameare still stripped (and warned about) because the engine for an internal workflow can't run inside the empty proxy worker that backsgetPlatformProxy(). Workflows with ascript_nameare handed to miniflare unchanged; miniflare reroutes the engine'sUSER_WORKFLOWbinding through the dev-registry-proxy when the target worker is running in another Miniflare instance — the same mechanism Durable Objects already use.This means SvelteKit/Remix (and similar split-process setups) can call
platform.env.MY_WORKFLOW.create({ ... })directly from their server-side request handlers in dev, as long as the workflow class is exposed by another worker registered in the dev registry.Closes #7459.
#14164
b502d54Thanks @G4brym! - Rename theweb_searchbinding kind towebsearchPre-launch rename of the public binding type from
web_searchtowebsearchso the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move fromweb_search/webSearchtowebsearch.Update your wrangler config:
The runtime
WebSearchtype exposed onenv.WEBSEARCHis unchanged.Patch Changes
#14089
c6c61b5Thanks @alsuren! - Restore the D1executeSqllogger level via try/finallywrangler d1 execute --jsonand the internalexecuteSqlhelper temporarily lower the global logger to"error"to keep human-readable output out of the JSON payload. Previously the level was restored only on the happy path, so any early return or thrown error left the singleton logger muted, silencing laterlogger.warn/logger.logoutput (notably from migration helpers that wrapexecuteSqland are commonly mocked in tests).The level swap is now wrapped in
try/finallyso it is always restored.#14175
a3eea27Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14121
7539a9bThanks @petebacondarwin! - Extract the OAuth 2.0 + PKCE flow into a new@cloudflare/workers-authpackage.The OAuth login / logout / refresh logic, the auth-config TOML file IO, the OAuth token exchange + local callback server, and the Cloudflare Access detection helpers that previously lived in
packages/wrangler/src/user/have moved to the new internal-only@cloudflare/workers-authpackage. Wrangler now wires the OAuth flow up via a small glue module that injects its logger, browser opener, interactivity detector, and config cache via a dependency- injection context.What stays in wrangler:
login/logout/whoami/auth tokencommandsCLOUDFLARE_API_TOKEN,CLOUDFLARE_API_KEY/CLOUDFLARE_EMAIL, etc.)requireAuth,getOrSelectAccountId)string[])whoami/ account fetchingNo behavior change for end users. The on-disk TOML format and location remain identical, and all telemetry message labels are preserved verbatim.
@cloudflare/workers-authis published withprerelease: trueand is not intended for external use — its APIs may change without notice.#14162
0bb2d55Thanks @dario-piotrowicz! - In non-interactive mode remove the skills installation messageWhen Wrangler run in non interactive mode and it detected agents that it could install skills for, it would print a message such as:
Cloudflare agent skills are available for: <DETECTED_AGENTS>. Run wrangler in an interactive terminal to install them, or use '--install-skills' to install without prompting.This message seems to be confusing and unhelpful so it has now been removed.
#14165
8400fb9Thanks @NuroDev! - Limitwrangler versions listto the 10 most recent deployable versionsThe versions API ignores pagination when filtering to deployable versions, so Wrangler now caps the command output client-side. This keeps the command aligned with its help text and avoids overwhelming terminal output for Workers with many versions.
#14151
7949f81Thanks @dario-piotrowicz! - Skip stale bundles during dev server reload to avoid redundant restartsWhen rapidly saving a wrangler config file with remote bindings, each save would trigger a full reload cycle (remote connection setup, miniflare restart), causing many sequential "Reloading local server... / Establishing remote connection..." messages (while blocking the user). The runtime controllers now check whether a newer bundle has been queued at each expensive async boundary and bail out early if the current bundle is stale. This ensures that only the latest config change triggers a reload, making
wrangler devmuch more responsive during repeated config edits.#14072
d462013Thanks @himanshu-cf! - Updatewrangler secret bulkcommand description to reflect create/update/delete capabilitiesThe help text for
wrangler secret bulknow accurately describes that the command can create, update, or delete multiple secrets in a single request, with up to 100 secrets per command. The file argument description also clarifies that setting a key tonullin JSON will delete it, and that deletion is not supported with.envfiles.#13979
c2280cdThanks @matingathani! - Warn when a named environment silently inherits custom_domain routes from the top-level configWhen an
env.<name>block does not overrideroutes, it inherits the top-levelroutesarray. If that array contains entries withcustom_domain: true, every deploy to the named environment will silently reassign the custom domain away from the top-level Worker and towards the env Worker, causing routing drift. Wrangler now emits a warning in this situation and suggests adding"routes": []to the env block to prevent inheritance.#14170
ea12b58Thanks @petebacondarwin! - Tighten on-disk permissions of the OAuth credentials file to0600The user auth config file written by
wrangler login(typically~/.config/.wrangler/config/default.tomlon Linux/macOS, or<environment>.tomlfor non-production Cloudflare API environments) is now written with mode0600and re-chmod-ed on every save. This prevents other local users on shared hosts from reading the stored OAuth tokens. Existing files with looser permissions written by older Wrangler versions are tightened the next time Wrangler refreshes the token or the user logs in again. The change is a no-op on Windows, which does not honour POSIX mode bits.#14022
acf7817Thanks @petebacondarwin! - Show the actual OAuth error instead of hanging whenwrangler loginis rejected by the OAuth provider (for example withinvalid_scope).Previously, if the OAuth callback returned with an
errorother thanaccess_denied, Wrangler would never respond to the browser. Becauseserver.close()'s callback only fires once all open connections have ended, the login command would hang until the 120 second OAuth timeout — at which point it would print a generic timeout message rather than the actual OAuth failure. The same gap existed for the case where the OAuth provider redirected back without an authorisation code, and for failures during the auth-code-to-access-token exchange.The OAuth provider's
error_description(RFC 6749 §4.1.2.1) is now also surfaced, so the message includes the specific reason for the failure rather than just the bareerrorcode. For example, a misconfigured staging scope now surfaces as:instead of hanging silently.
Updated dependencies [
a3eea27,1fdd8de,b502d54,3b8b80a]:Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.