Version Packages#13969
Open
workers-devprod wants to merge 1 commit into
Open
Conversation
Contributor
|
✅ All changesets look good |
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
create-cloudflare
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
commit: |
workers-devprod
force-pushed
the
changeset-release/main
branch
16 times, most recently
from
94d380e to
38eaf88
Compare
workers-devprod
force-pushed
the
changeset-release/main
branch
from
38eaf88 to
2a6fde1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.
Releases
miniflare@4.20260520.0
Patch Changes
#13978
fa1f61fThanks @sassyconsultingllc! - Bumpwsfrom 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpxGHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in
ws@<8.20.1when aTypedArrayis passed as the reason argument toWebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#13977
2679e05Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13984
7e40d98Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13912
d803737Thanks @petebacondarwin! - Fix/cdn-cgi/*host validation incorrectly accepting subdomains of exact configured routesMiniflare's
/cdn-cgi/*host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whoseHostorOriginhostname was a subdomain of an exact route (e.g.sub.my-custom-site.comfor amy-custom-site.com/*route) was incorrectly accepted. Exact configured routes and the configuredupstreamhostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as*.example.com/*. Localhost hostnames continue to be allowed as before.This affects
wrangler devand local development through@cloudflare/vite-plugin, both of which use Miniflare under the hood.#13971
59cd880Thanks @petebacondarwin! - Improve error diagnostics in the Browser Run binding workerWhen the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback
/browser/launchendpoint returned a 500 with a stack-trace text body — the binding worker would callresponse.json()on the non-JSON body and throw an opaqueSyntaxError: Unexpected token X, "..." is not valid JSON. The actual upstream error message (e.g.Chrome readiness probe at ... timed out after 5000ms) was discarded.The binding worker now reads the response body as text first, surfaces the HTTP status and body content in the thrown error, and chains the original
SyntaxErrorviacausewhen the body was a 2xx response that didn't parse as JSON. This makes both local-dev failures and CI test flakes self-diagnosing.#13980
e8c2031Thanks @petebacondarwin! - Recover from corrupted@puppeteer/browserscache when launching a Browser Run sessionWhen Miniflare's local Browser Run binding launches Chrome, it calls
@puppeteer/browsers'install()to ensure the binary is present. If a previousinstall()was interrupted mid-extraction (test timeout, process kill, antivirus quarantine), the cache directory can be left partially populated — the folder exists but the executable inside it is missing.install()then throwsThe browser folder (...) exists but the executable (...) is missingon every subsequent call within the same process and the entire test session, breaking every later Browser Run operation until the cache is manually cleared.launchBrowsernow catches that specific error, removes the corrupted cache directory, and retriesinstall()once. If the corruption persists after cleanup, the original error is rethrown with a clearer message.This complements #13971, which surfaced the original error from inside the binding worker. With that diagnostic in place and this self-healing layer, the previously-intermittent "browser folder exists but executable missing" failure mode should no longer fail an entire CI run.
@cloudflare/pages-shared@0.13.138
Patch Changes
fa1f61f,2679e05,7e40d98,d803737,59cd880,e8c2031]:@cloudflare/vite-plugin@1.37.3
Patch Changes
#13978
fa1f61fThanks @sassyconsultingllc! - Bumpwsfrom 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpxGHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in
ws@<8.20.1when aTypedArrayis passed as the reason argument toWebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#13912
d803737Thanks @petebacondarwin! - Fix/cdn-cgi/*host validation incorrectly accepting subdomains of exact configured routesMiniflare's
/cdn-cgi/*host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whoseHostorOriginhostname was a subdomain of an exact route (e.g.sub.my-custom-site.comfor amy-custom-site.com/*route) was incorrectly accepted. Exact configured routes and the configuredupstreamhostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as*.example.com/*. Localhost hostnames continue to be allowed as before.This affects
wrangler devand local development through@cloudflare/vite-plugin, both of which use Miniflare under the hood.#13919
c7eab7fThanks @petebacondarwin! - Fix the outboundCF-Workerheader reflecting the route pattern hostname instead of the parent zone, and falling back to<worker-name>.example.comundervite dev,vitest-pool-workers, andgetPlatformProxyTwo related issues affected the
CF-Workerheader on outbound subrequests in local development:@cloudflare/vite-plugin,@cloudflare/vitest-pool-workers, andgetPlatformProxy, the header fell back to<worker-name>.example.comeven whenrouteswere configured, becauseunstable_getMiniflareWorkerOptionsand the equivalentgetPlatformProxyworker-options path did not propagate azonevalue to Miniflare. This broke local development against services that reject unknownCF-Workerhosts (for example, Apple WeatherKit returns403 Forbidden).wrangler dev --local, when a route used thezone_namefield (for example{ pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production setsCF-Workerto the zone name that owns the Worker, so this was inconsistent with deployed behaviour.Both bugs are fixed: the new
unstable_getMiniflareWorkerOptions/getPlatformProxypath now propagates azonederived from the first configured route, and all four local-dev paths now prefer a route's explicitzone_nameover the pattern hostname when computing that zone. Whenzone_nameisn't set, the existing best-effort behaviour is preserved — forwrangler devthis meansdev.hostis still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone forzone_id-only,custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.Note:
dev.hostis intentionally not consulted by theunstable_getMiniflareWorkerOptions/getPlatformProxypaths — thedevconfig block is specific towrangler dev.Updated dependencies [
fa1f61f,2679e05,7e40d98,adc9221,735852d,d803737,c7eab7f,59cd880,62abf97,e8c2031,e349fe0,da0fa8c,a5c9365]:@cloudflare/vitest-pool-workers@0.16.8
Patch Changes
#13919
c7eab7fThanks @petebacondarwin! - Fix the outboundCF-Workerheader reflecting the route pattern hostname instead of the parent zone, and falling back to<worker-name>.example.comundervite dev,vitest-pool-workers, andgetPlatformProxyTwo related issues affected the
CF-Workerheader on outbound subrequests in local development:@cloudflare/vite-plugin,@cloudflare/vitest-pool-workers, andgetPlatformProxy, the header fell back to<worker-name>.example.comeven whenrouteswere configured, becauseunstable_getMiniflareWorkerOptionsand the equivalentgetPlatformProxyworker-options path did not propagate azonevalue to Miniflare. This broke local development against services that reject unknownCF-Workerhosts (for example, Apple WeatherKit returns403 Forbidden).wrangler dev --local, when a route used thezone_namefield (for example{ pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production setsCF-Workerto the zone name that owns the Worker, so this was inconsistent with deployed behaviour.Both bugs are fixed: the new
unstable_getMiniflareWorkerOptions/getPlatformProxypath now propagates azonederived from the first configured route, and all four local-dev paths now prefer a route's explicitzone_nameover the pattern hostname when computing that zone. Whenzone_nameisn't set, the existing best-effort behaviour is preserved — forwrangler devthis meansdev.hostis still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone forzone_id-only,custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.Note:
dev.hostis intentionally not consulted by theunstable_getMiniflareWorkerOptions/getPlatformProxypaths — thedevconfig block is specific towrangler dev.Updated dependencies [
fa1f61f,2679e05,7e40d98,adc9221,735852d,d803737,c7eab7f,59cd880,62abf97,e8c2031,e349fe0,da0fa8c,a5c9365]:wrangler@4.93.1
Patch Changes
#13978
fa1f61fThanks @sassyconsultingllc! - Bumpwsfrom 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpxGHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in
ws@<8.20.1when aTypedArrayis passed as the reason argument toWebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#13977
2679e05Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13984
7e40d98Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13963
adc9221Thanks @gabivlj! - Preserve sibling container image tags during local dev cleanupWrangler now keeps other
cloudflare-devimage tags from the same dev session when multiple containers share a Dockerfile. Previously, duplicate-image cleanup could remove earlier container tags if Docker BuildKit produced the same image ID for each build.#13839
735852dThanks @matingathani! - fix: show actionable hint when/membershipsreturns a bad-credentials error (code 9106)Previously,
wranglerthrew a raw Cloudflare API error ("Missing X-Auth-Key, X-Auth-Email or Authorization headers") with no guidance. Now it emits aUserErrorexplaining that an environment variable such asCLOUDFLARE_API_TOKEN,CLOUDFLARE_API_KEY, orCLOUDFLARE_EMAILmay be set to an invalid value, and suggests runningwrangler logout/wrangler loginto re-authenticate.#13912
d803737Thanks @petebacondarwin! - Fix/cdn-cgi/*host validation incorrectly accepting subdomains of exact configured routesMiniflare's
/cdn-cgi/*host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whoseHostorOriginhostname was a subdomain of an exact route (e.g.sub.my-custom-site.comfor amy-custom-site.com/*route) was incorrectly accepted. Exact configured routes and the configuredupstreamhostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as*.example.com/*. Localhost hostnames continue to be allowed as before.This affects
wrangler devand local development through@cloudflare/vite-plugin, both of which use Miniflare under the hood.#13919
c7eab7fThanks @petebacondarwin! - Fix the outboundCF-Workerheader reflecting the route pattern hostname instead of the parent zone, and falling back to<worker-name>.example.comundervite dev,vitest-pool-workers, andgetPlatformProxyTwo related issues affected the
CF-Workerheader on outbound subrequests in local development:@cloudflare/vite-plugin,@cloudflare/vitest-pool-workers, andgetPlatformProxy, the header fell back to<worker-name>.example.comeven whenrouteswere configured, becauseunstable_getMiniflareWorkerOptionsand the equivalentgetPlatformProxyworker-options path did not propagate azonevalue to Miniflare. This broke local development against services that reject unknownCF-Workerhosts (for example, Apple WeatherKit returns403 Forbidden).wrangler dev --local, when a route used thezone_namefield (for example{ pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production setsCF-Workerto the zone name that owns the Worker, so this was inconsistent with deployed behaviour.Both bugs are fixed: the new
unstable_getMiniflareWorkerOptions/getPlatformProxypath now propagates azonederived from the first configured route, and all four local-dev paths now prefer a route's explicitzone_nameover the pattern hostname when computing that zone. Whenzone_nameisn't set, the existing best-effort behaviour is preserved — forwrangler devthis meansdev.hostis still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone forzone_id-only,custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.Note:
dev.hostis intentionally not consulted by theunstable_getMiniflareWorkerOptions/getPlatformProxypaths — thedevconfig block is specific towrangler dev.#13954
62abf97Thanks @petebacondarwin! - Read the on-disk OAuth state lazily soCLOUDFLARE_API_TOKENfrom.envtakes priority correctlyWrangler previously read its OAuth state from the user auth config file (for example
~/.config/.wrangler/config/default.toml) eagerly at module-import time. That happens before.envfiles are loaded, so the in-memory state would always hold the OAuth tokens even when the user only wanted to authenticate viaCLOUDFLARE_API_TOKEN. If that stored OAuth token happened to be expired, Wrangler would try to refresh it (and fail), aborting the command withFailed to fetch auth token: 400 Bad RequestandNot logged in.— even though a valid API token was in scope.Wrangler now reads the auth config file on demand, after
.envhas been loaded. WhenCLOUDFLARE_API_TOKEN(orCLOUDFLARE_API_KEY+CLOUDFLARE_EMAIL) is present, the OAuth state on disk is no longer consulted, the OAuth refresh endpoint is no longer called, and the env-based token is used directly. Sibling-process refresh-token rotation is also handled naturally because every check reads the current file contents.Internally, the exported
reinitialiseAuthTokens()function is removed — there is no module-level OAuth cache left to invalidate.Fixes #13744.
#13951
e349fe0Thanks @sejoker! - Enforce minimum 60 second interval for R2 Data Catalog sinksR2 Data Catalog sinks now require a minimum
--roll-intervalof 60 seconds to prevent compaction issues in the R2 Data Catalog. This validation is applied when creating sinks viawrangler pipelines sinks createwith typer2-data-catalog, and during the interactivewrangler pipelines setupflow.Regular R2 sinks are not affected and can still use intervals as low as 10 seconds.
#13959
da0fa8cThanks @dmmulroy! - Recognize Artifacts repositories that are still being createdWrangler's Artifacts repo status type now accepts the
creatinglifecycle state alongside existing in-progress statuses.#13964
a5c9365Thanks @danielrs! - Use dedicated API endpoint forwrangler secret bulkwrangler secret bulknow uses a more efficient, dedicated API endpoint. This reduces the operation from 2 API calls to 1 and eliminates the risk of accidentally affecting non-secret bindings.Updated dependencies [
fa1f61f,2679e05,7e40d98,d803737,59cd880,e8c2031]:@cloudflare/containers-shared@0.15.1
Patch Changes
#13963
adc9221Thanks @gabivlj! - Preserve sibling container image tags during local dev cleanupWrangler now keeps other
cloudflare-devimage tags from the same dev session when multiple containers share a Dockerfile. Previously, duplicate-image cleanup could remove earlier container tags if Docker BuildKit produced the same image ID for each build.