chore(deps): update cloudflare

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vitest-pool-workers (source)	^0.13.1 → ^0.16.15
@cloudflare/workers-types	^4.20260317.1 → ^4.20260612.1

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vitest-pool-workers)

v0.16.15

Compare Source

Patch Changes

• Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:
  • wrangler@​4.100.0
  • miniflare@​4.20260611.0

v0.16.14

Compare Source

Patch Changes

• Updated dependencies [23aecac, b932e47, d076bcc, 24497d0, 4bb572f, 165adb2, 776098c, 0706fbf, 7993711, 48c4ff0, 8cf8c61, 8923f97, b205fb7, a61ac29]:
  • wrangler@​4.99.0
  • miniflare@​4.20260609.0

v0.16.13

Compare Source

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@​4.98.0
  • miniflare@​4.20260603.0

v0.16.12

Compare Source

Patch Changes

• #​14152 3d7992e Thanks @​petebacondarwin! - Fix module resolution failing when project path contains spaces

  When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 → %2520) that occurred when workerd resolved these URLs as relative paths.

• #​14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

  URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

• #​14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

• #​14061 da8e306 Thanks @​Vardiak! - Preserve Durable Object WebSocket handler invocation order

  Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

  Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

• Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

  • wrangler@​4.97.0
  • miniflare@​4.20260601.0

v0.16.11

Compare Source

Patch Changes

• #​14087 e3c862a Thanks @​edmundhung! - Fix Durable Object RPC dispatch for constructors that return proxies

  Durable Object RPC methods mediated by a returned Proxy are now resolved through that proxy after validating prototype exposure. This allows wrappers that bind methods to the underlying instance to use private fields and methods in Vitest, while matching workerd's rejection of constructor-assigned RPC overrides.

• Updated dependencies [e3c862a, cbb39bd, cbb39bd, 408432a, 1103c07, 7bb5c7a, 5b5cbd3, e3c862a, e3c862a, 97d7d81, c647ccc, e3c862a, e3c862a, e3c862a, e3c862a, e3c862a, b64b7e4, e3c862a, e3c862a, e4c8fd9, 2dffeeb, e3c862a, e3c862a, 4c0da7b, 972d13d, 13cbadb, 59e43e4]:

  • miniflare@​4.20260529.0
  • wrangler@​4.96.0

v0.16.10

Compare Source

Patch Changes

• Updated dependencies [ca5b604, c1fd2fd, 49c1a59, fee1ce4, b3962ff, d042705, 420e457, 8b1467e]:
  • wrangler@​4.95.0
  • miniflare@​4.20260526.0

v0.16.9

Compare Source

Patch Changes

• #​13933 90092c0 Thanks @​petebacondarwin! - Derive bundler externals from package.json and shrink the published bundle

  The bundler's external list was previously hand-maintained and out of sync with package.json — undici and semver were both listed as external despite being only devDependencies. The published dist/pool/index.mjs consequently contained a top-level import { fetch } from "undici" that was only resolvable because pnpm happened to hoist undici from other packages' devDependencies during local development.

  The bundler now derives its external list from dependencies + peerDependencies in package.json, making it impossible for a devDependency to silently end up externalized.

  Combined with the new "sideEffects": false declaration in @cloudflare/workers-utils, the unused cloudflared / tunnel exports (and their transitive undici import) are now tree-shaken out of the pool entirely. dist/pool/index.mjs no longer references undici at all, and shrinks from ~489 KB to ~125 KB.

• Updated dependencies [52e9082, 0733688, fc1f7b9, 30657e1, 8c569c6, f598eac, 3a1fbed]:

  • wrangler@​4.94.0
  • miniflare@​4.20260521.0

v0.16.8

Compare Source

Patch Changes

• #​13919 c7eab7f Thanks @​petebacondarwin! - Fix the outbound CF-Worker header reflecting the route pattern hostname instead of the parent zone, and falling back to <worker-name>.example.com under vite dev, vitest-pool-workers, and getPlatformProxy

  Two related issues affected the CF-Worker header on outbound subrequests in local development:

  1. Under @cloudflare/vite-plugin, @cloudflare/vitest-pool-workers, and getPlatformProxy, the header fell back to <worker-name>.example.com even when routes were configured, because unstable_getMiniflareWorkerOptions and the equivalent getPlatformProxy worker-options path did not propagate a zone value to Miniflare. This broke local development against services that reject unknown CF-Worker hosts (for example, Apple WeatherKit returns 403 Forbidden).
  2. Across the above paths and wrangler dev --local, when a route used the zone_name field (for example { pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production sets CF-Worker to the zone name that owns the Worker, so this was inconsistent with deployed behaviour.

  Both bugs are fixed: the new unstable_getMiniflareWorkerOptions / getPlatformProxy path now propagates a zone derived from the first configured route, and all four local-dev paths now prefer a route's explicit zone_name over the pattern hostname when computing that zone. When zone_name isn't set, the existing best-effort behaviour is preserved — for wrangler dev this means dev.host is still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone for zone_id-only, custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.

  Note: dev.host is intentionally not consulted by the unstable_getMiniflareWorkerOptions / getPlatformProxy paths — the dev config block is specific to wrangler dev.

• Updated dependencies [fa1f61f, 2679e05, 7e40d98, adc9221, 735852d, d803737, c7eab7f, e04e180, 59cd880, 62abf97, e8c2031, e349fe0, da0fa8c, a5c9365]:

  • miniflare@​4.20260520.0
  • wrangler@​4.93.1

v0.16.7

Compare Source

Patch Changes

• #​13961 2cb658c Thanks @​threepointone! - Preserve same-stub RPC call order for wrapped Worker and Durable Object entrypoints

  Previously, dynamically wrapped RPC methods could resolve and invoke out of order when many calls were fired without awaiting each individual call. This now queues method resolution per wrapper instance so calls begin in the order they were received.

• Updated dependencies [aac7ca0, b25dc0d, ae047ee, a4f22bc, f78d435, aac7ca0, c5c9e20, ebf4b24, b27eb18, 895baf5, 7bcdf45]:

  • wrangler@​4.93.0
  • miniflare@​4.20260518.0

v0.16.6

Compare Source

Patch Changes

• #​13833 0e4a830 Thanks @​thegeekasteroid! - Filter benign disconnected: WebSocket peer disconnected workerd stderr noise during test runs.

  The ignoreMessages array in the pool already filters several benign workerd disconnect messages (e.g. disconnected: WebSocket was aborted). On recent workerd versions, tests that exercise the WebSocket API also surface disconnected: WebSocket peer disconnected warnings during normal teardown. These are not user-actionable and obscure real test failures. Add the message to the existing filter alongside the other disconnected: entries.

• Updated dependencies [19ed49a, 3ff0a50, bf688f7, 2e72c83, 802eaf4, 506aa02, 8f5cdb1, be8a98c]:

  • miniflare@​4.20260515.0
  • wrangler@​4.92.0

v0.16.5

Compare Source

Patch Changes

• Updated dependencies [d4794a8, 58b4403, 4352f87, a9e6741, da664d5, bdc398c, f781a2b, 1420f10, c8be316]:
  • wrangler@​4.91.0
  • miniflare@​4.20260511.0

v0.16.4

Compare Source

Patch Changes

• Updated dependencies [4e44ce6, b0cee1d, d878e13, 971dfe3, 971dfe3, 5d936c5]:
  • miniflare@​4.20260508.0
  • wrangler@​4.90.1

v0.16.3

Compare Source

Patch Changes

• Updated dependencies [8852b0c, 248bc08, e414e56]:
  • wrangler@​4.90.0
  • miniflare@​4.20260507.1

v0.16.2

Compare Source

Patch Changes

• #​11094 9367435 Thanks @​bbridges! - Allow .wasm files to be imported as .wasm?module.

• Updated dependencies [dd3baf3, 5cf6f81]:

  • wrangler@​4.89.1
  • miniflare@​4.20260507.1

v0.16.1

Compare Source

Patch Changes

• Updated dependencies [2284f20, 332f527, 039bada, 18e833d, b6cea17, 1a54ac5, 53e846a, f3fed88, beff19c, af42fed, 1a54ac5]:
  • miniflare@​4.20260507.0
  • wrangler@​4.89.0

v0.16.0

Compare Source

Minor Changes

• #​13810 2b8c0cc Thanks @​jamesopstad! - Stabilize the secrets configuration property

  The secrets property in the Wrangler config file is no longer experimental and will no longer emit an experimental warning when used. Required secrets are validated during local development and deploy, and used as the source of truth for type generation.

  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #​12974 1127114 Thanks @​ask-bonk! - Rewrite self-referencing service bindings to kCurrentWorker before renaming the runner worker

  When a wrangler config has a service binding to itself (e.g. services: [{ binding: "SELF", service: "my-worker" }] where the worker is named "my-worker"), the binding's literal name pointed to a worker that no longer existed once vitest-pool-workers renamed the runner to vitest-pool-workers-runner-<project>. The self-reference is now rewritten to the miniflare kCurrentWorker symbol, which resolves at request time relative to the referer worker and so survives the rename. Previously this rewrite lived in wrangler's unstable_getMiniflareWorkerOptions, but it's only needed for vitest-pool-workers' rename — other consumers (getPlatformProxy, @cloudflare/vite-plugin) preserve the original worker name and so don't need it.

• Updated dependencies [e07825a, 58899d8, 3020214, 0099265, 25f5ef2, bb27219, 194d75e, 12fb5db, 18b9d5b, 9f532f7, 1127114, 3ceadef, 2b8c0cc, 1a5cc86]:

  • wrangler@​4.88.0
  • miniflare@​4.20260504.0

v0.15.2

Compare Source

Patch Changes

• Updated dependencies [22e1a61, 00523c8, b5ac54b, e653edf, e1eff94, 1c4d850, 6d28037, 9a1f014, e539008, 0bf64a7, 0827815, b04eedf, 6457fb3, c07d0cb, e539008]:
  • miniflare@​4.20260430.0
  • wrangler@​4.87.0

v0.15.1

Compare Source

Patch Changes

• Updated dependencies [ea943ff, 21b87b2, 62e9f2a, 9eb9e69, 2dc6175, 0a5db08, 033d6ec, ae8eae3, f2e2241, 4f6ed93, ed2f4ec, ef24ff2, 92bb8a5, 6d27479, f2e2241, 118027d, fcc491a, e6c437a, e867ac2]:
  • wrangler@​4.86.0
  • miniflare@​4.20260426.0

v0.15.0

Compare Source

Minor Changes

• #​13623 b156b2e Thanks @​penalosa! - Add reset() and abortAllDurableObjects() helpers to cloudflare:test

  The reset() helper deletes all data from attached bindings, and resets all Durable Object instances. This is useful for resetting state between test blocks.

  The abortAllDurableObjects() helper resets all Durable Object instances without deleting persisted data.

  import { reset } from "cloudflare:test";
  import { afterEach } from "vitest";
  
  afterEach(async () => {
    await reset();
  });

Patch Changes

• Updated dependencies [5a2968a, 5680287, 3494842, 7d728fb, df9319d, d5e3c57, 3ceeec3, 7567ef7, 2831b54, 7fc50c1, 377715d]:
  • wrangler@​4.85.0
  • miniflare@​4.20260424.0

v0.14.9

Compare Source

Patch Changes

• Updated dependencies [8fec8b8, 2f3d7b9, a610749]:
  • miniflare@​4.20260421.0
  • wrangler@​4.84.1

v0.14.8

Compare Source

Patch Changes

• #​13548 1aee990 Thanks @​emily-shen! - Update warning message when attempting to access exports not defined on the main worker

  Previously this referred to the SELF worker, which is now a deprecated API in the Vitest integration.

• #​13607 d5d0446 Thanks @​petebacondarwin! - fix: Restore workflow binding before async cleanup in WorkflowIntrospectorHandle.dispose()

  Previously, dispose() awaited all instance abort operations before restoring the original env binding. On slower CI environments (especially Windows), this left a window where the next test could see a stale proxy, causing "Trying to mock step multiple times" errors or failed introspection. The binding is now restored synchronously before the async instance cleanup begins.

• #​13007 2c3258d Thanks @​sheplu! - Reduce default log verbosity from VERBOSE to INFO

  The pool logger was previously hardcoded to VERBOSE, causing noisy debug messages on every test run (e.g. [vpw:debug] Adding compatibility flag...). Only informational, warning, and error messages are now printed by default.

  For debugging, set NODE_DEBUG=vitest-pool-workers to restore the detailed output.

• Updated dependencies [05f4443, 4a9ba90, d8c895a, b35617b, 7dc0433, 8ca78bb, b6e1351, d8314c6, b35617b, 7f50300, 4fda685, be5e6a0, e456952, 59eec63, 50bf819, cc1413a, d0a9d1c, 4eb1da9, 8ca78bb, 266c418, 6d887db, 5716d69]:

  • wrangler@​4.84.0
  • miniflare@​4.20260420.0

v0.14.7

Compare Source

Patch Changes

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 07a918c, 89c7829, 60565dd, 6cbcdeb, 90aee27]:
  • miniflare@​4.20260415.0
  • wrangler@​4.83.0

v0.14.6

Compare Source

Patch Changes

• Updated dependencies [9b2b6ba]:
  • wrangler@​4.82.2

v0.14.5

Compare Source

Patch Changes

• Updated dependencies [6b11b07, dd4e888]:
  • wrangler@​4.82.1

v0.14.4

Compare Source

Patch Changes

• Updated dependencies [5338bb6, 79fd529, 28bc2be, 4fd138b, bafb96b, c50cb5b, 2589395, 525a46b, 5eff8c1, 1313275]:
  • wrangler@​4.82.0
  • miniflare@​4.20260410.0

v0.14.3

Compare Source

Patch Changes

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8, 7ca6f6e]:
  • miniflare@​4.20260409.0
  • wrangler@​4.81.1

v0.14.2

Compare Source

Patch Changes

• #​13095 65e6684 Thanks @​penalosa! - Reject V8 coverage provider with a clear error message

  V8 native code coverage (`@vitest/coverage

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@kagal/acme@9

npm i https://pkg.pr.new/@kagal/ca@9

npm i https://pkg.pr.new/@kagal/ct@9

commit: 0b581d1

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​cloudflare/​vitest-pool-workers@​0.16.15
	@​cloudflare/​workers-types@​4.20260612.1

View full report