Skip to content

Bump wrangler from 4.109.0 to 4.110.0#550

Merged
github-actions[bot] merged 1 commit into
Currentfrom
dependabot/npm_and_yarn/wrangler-4.110.0
Jul 10, 2026
Merged

Bump wrangler from 4.109.0 to 4.110.0#550
github-actions[bot] merged 1 commit into
Currentfrom
dependabot/npm_and_yarn/wrangler-4.110.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Bumps wrangler from 4.109.0 to 4.110.0.

Release notes

Sourced from wrangler's releases.

wrangler@4.110.0

Minor Changes

  • #14591 0283a1f Thanks @​dario-piotrowicz! - Send npm package dependency metadata with worker uploads

    Wrangler now collects npm package dependency information from the project's package.json at deploy and version upload time, and includes it in the upload metadata sent to the Cloudflare API. This enables dependency analytics and future features like vulnerability alerting.

    The collected data includes the package name, the version constraint from package.json, and the exact installed version from node_modules. Both dependencies and devDependencies are included, while workspace packages, local packages, and unresolvable packages are excluded. The list is capped at 200 entries per upload.

    To opt out, set dependencies_instrumentation.enabled to false in your Wrangler configuration file:

    {
      "dependencies_instrumentation": {
        "enabled": false
      }
    }
  • #14535 1b965c5 Thanks @​Naapperas! - Support dynamic retry delays for Workflow steps in local dev

    A step's retries.delay can now be a function that computes the delay per failed attempt, in addition to a static duration. The function receives { ctx, error } and returns a delay (a number of milliseconds or a duration string like "30 seconds"), and its result is fed into the configured backoff.

    await step.do(
      "call flaky API",
      {
        retries: {
          limit: 5,
          backoff: "constant",
          delay: ({ ctx }) => ctx.attempt * 1000,
        },
      },
      async () => {
        /* ... */
      }
    );

    The function is invoked once per failed attempt with a 5 second timeout. If it throws, times out, or returns an invalid value, the step fails without further retries.

Patch Changes

  • #14589 7b28392 Thanks @​jamesopstad! - Fix runtime type caching when wrangler dev auto-regenerates types

    When dev.generate_types (or wrangler dev --types) regenerated an out-of-date worker-configuration.d.ts, the written file omitted the // Begin runtime types marker (and the /* eslint-disable */ header) that wrangler types writes. As a result, later runs could not detect the cached runtime types and always regenerated them. The auto-regenerated file now matches wrangler types output, restoring the cache.

  • Updated dependencies [1b965c5]:

    • miniflare@4.20260708.1
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 10, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​wrangler@​4.109.0 ⏵ 4.110.098 +2810092 +196 +1100

View full report

@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Dynamic code execution: npm @emnapi/runtime

Eval Type: Function

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@emnapi/runtime@1.11.2

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm detect-libc in module child_process

Module: child_process

Location: Package overview

From: ?npm/wrangler@4.110.0npm/detect-libc@2.1.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/detect-libc@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm undici in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/wrangler@4.110.0npm/undici@7.28.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.28.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm workerd in module https

Module: https

Location: Package overview

From: ?npm/wrangler@4.110.0npm/workerd@1.20260708.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerd@1.20260708.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm workerd in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/wrangler@4.110.0npm/workerd@1.20260708.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerd@1.20260708.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm workerd in module child_process

Module: child_process

Location: Package overview

From: ?npm/wrangler@4.110.0npm/workerd@1.20260708.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerd@1.20260708.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm ws in module http

Module: http

Location: Package overview

From: ?npm/wrangler@4.110.0npm/ws@8.21.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm ws in module https

Module: https

Location: Package overview

From: ?npm/wrangler@4.110.0npm/ws@8.21.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm ws in module net

Module: net

Location: Package overview

From: ?npm/wrangler@4.110.0npm/ws@8.21.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm ws in module tls

Module: tls

Location: Package overview

From: ?npm/wrangler@4.110.0npm/ws@8.21.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm @cloudflare/kv-asset-handler

URLs: vnd.ahead.space, vnd.curl.car, vnd.dece.data, vnd.gmx, vnd.muvee.style, vnd.nokia.n-gage.data, vnd.oasis.opendocument.graphics, vnd.previewsystems.box, vnd.sun.xml.writer.global, vnd.dece.audio, vnd.rip, vnd.fly, vnd.in3d.spot, vnd.dece.mobile, vnd.dece.sd, vnd.dece.video, vnd.vivo

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@cloudflare/kv-asset-handler@0.5.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cloudflare/kv-asset-handler@0.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Dynamic module loading: npm @cspotcode/source-map-support

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@cspotcode/source-map-support@0.8.1

ℹ Read more on: This package | This alert | What is dynamic require?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm @cspotcode/source-map-support with module fs

Module: fs

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@cspotcode/source-map-support@0.8.1

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm @emnapi/runtime reads NODE_ENV

Env Vars: NODE_ENV

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@emnapi/runtime@1.11.2

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Minified code present: npm @emnapi/runtime with 100.0% likelihood

Confidence: 1.00

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@emnapi/runtime@1.11.2

ℹ Read more on: This package | This alert | What's wrong with minified code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm @jridgewell/resolve-uri

URLs: http://foo.com, http://foo.com/

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@jridgewell/resolve-uri@3.1.2

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@jridgewell/resolve-uri@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Minified code present: npm @speed-highlight/core with 100.0% likelihood

Confidence: 1.00

Location: Package overview

From: ?npm/wrangler@4.110.0npm/@speed-highlight/core@1.2.17

ℹ Read more on: This package | This alert | What's wrong with minified code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@speed-highlight/core@1.2.17. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Dynamic module loading: npm blake3-wasm

Location: Package overview

From: ?npm/wrangler@4.110.0npm/blake3-wasm@2.1.5

ℹ Read more on: This package | This alert | What is dynamic require?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/blake3-wasm@2.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm blake3-wasm with module fs

Module: fs

Location: Package overview

From: ?npm/wrangler@4.110.0npm/blake3-wasm@2.1.5

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/blake3-wasm@2.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm blake3-wasm

URLs: https://nodejs.org/dist/index.json, https://github.com/connor4312/blake3

Location: Package overview

From: ?npm/wrangler@4.110.0npm/blake3-wasm@2.1.5

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/blake3-wasm@2.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm detect-libc with module fs

Module: fs

Location: Package overview

From: ?npm/wrangler@4.110.0npm/detect-libc@2.1.2

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/detect-libc@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm kleur

Location: Package overview

From: ?npm/wrangler@4.110.0npm/kleur@4.1.5

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/kleur@4.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm miniflare

URLs: Select.Group, Pagination.Info, http://fb.me/use-check-prop-types, https://fb.me/react-async-component-lifecycle-hooks, https://bit.ly/3cXEKWf, https://miniflare.dev/get-started/migrating, https://developers.cloudflare.com/workflows/build/sleeping-and-retrying/, https://tanstack.com/router/v1/docs/framework/react/guide/not-found-errors#migrating-from-notfoundroute, https://react.dev/errors/, http://www.w3.org/2000/svg, http://www.w3.org/1998/Math/MathML, http://www.w3.org/1999/xlink, http://www.w3.org/XML/1998/namespace, https://base-ui.com/production-error, https://www.cloudflare.com, Sidebar.Group, Sidebar.Menu, https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/, https://customer-placeholder.cloudflarestream.com/, http://www.example.com, http://dogs.are.great, https://dash.cloudflare.com/?account=workers/plans, https://developers.cloudflare.com/workers/about/limits/#number-of-requests-limit, https://workers.cloudflare.com?utm_source=error_footer, vnd.ahead.space, vnd.curl.car, vnd.dece.data, vnd.gmx, vnd.muvee.style, vnd.nokia.n-gage.data, vnd.oasis.opendocument.graphics, vnd.previewsystems.box, vnd.sun.xml.writer.global, vnd.dece.audio, vnd.rip, vnd.fly, vnd.in3d.spot, vnd.dece.mobile, vnd.dece.sd, vnd.dece.video, vnd.vivo, https://sparrow.cloudflare.com, 127.0.0.1, https://developers.cloudflare.com/email-routing/email-workers/reply-email-workers/, example.com

Location: Package overview

From: ?npm/wrangler@4.110.0npm/miniflare@4.20260708.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/miniflare@4.20260708.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm semver

Location: Package overview

From: ?npm/wrangler@4.110.0npm/semver@7.8.5

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.8.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm semver reads NODE_DEBUG

Env Vars: NODE_DEBUG

Location: Package overview

From: ?npm/wrangler@4.110.0npm/semver@7.8.5

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.8.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm semver

URLs: https://semver.org/, SemVer.compare

Location: Package overview

From: ?npm/wrangler@4.110.0npm/semver@7.8.5

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.8.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Dynamic module loading: npm sharp

Location: Package overview

From: ?npm/wrangler@4.110.0npm/sharp@0.34.5

ℹ Read more on: This package | This alert | What is dynamic require?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 33 more rows in the dashboard

View full report

Bumps [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) from 4.109.0 to 4.110.0.
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.110.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: wrangler
  dependency-version: 4.110.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/wrangler-4.110.0 branch from fca8273 to d83e77f Compare July 10, 2026 15:25
@github-actions github-actions Bot merged commit 9240807 into Current Jul 10, 2026
8 of 10 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/wrangler-4.110.0 branch July 10, 2026 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Development

Successfully merging this pull request may close these issues.

1 participant