chore(deps): bump ws and @astrojs/cloudflare

[dependabot]

Bumps ws to 8.20.1 and updates ancestor dependency @astrojs/cloudflare. These dependencies need to be updated together.

Updates ws from 8.18.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates @astrojs/cloudflare from 12.6.12 to 13.6.0

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.6.0

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

  @astrojs/cloudflare/hono

  For use with astro/hono as Hono middleware:

  import { Hono } from 'hono';
  import { actions, middleware, pages, i18n } from 'astro/hono';
  import { cf } from '@astrojs/cloudflare/hono';
  const app = new Hono<{ Bindings: Env }>();
  app.use(cf());
  app.use(actions());
  app.use(middleware());
  app.use(pages());
  app.use(i18n());
  export default app;

  Both handlers configure SESSION KV bindings, static asset serving via the ASSETS binding, locals.cfContext, client address, waitUntil, and prerendered error page fetch.

Patch Changes

• #16868 f9bae95 Thanks @​helio-cf! - Fixes user options passed to cloudflare({...}) (remoteBindings, inspectorPort, persistState, configPath, auxiliaryWorkers) being silently ignored during astro preview. The adapter now resolves the full @cloudflare/vite-plugin config once at integration setup time and reuses that single resolved value across the dev/build plugin, the prerenderer's preview server, and the astro preview entrypoint, so user options can no longer be dropped at one of the call sites.

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

  @astrojs/cloudflare/hono

  For use with astro/hono as Hono middleware:

  import { Hono } from 'hono';
  import { actions, middleware, pages, i18n } from 'astro/hono';
  import { cf } from '@astrojs/cloudflare/hono';
  const app = new Hono<{ Bindings: Env }>();
  app.use(cf());
  app.use(actions());
  app.use(middleware());
  app.use(pages());
  app.use(i18n());
  export default app;

  Both handlers configure SESSION KV bindings, static asset serving via the ASSETS binding, locals.cfContext, client address, waitUntil, and prerendered error page fetch.

Patch Changes

• #16868 f9bae95 Thanks @​helio-cf! - Fixes user options passed to cloudflare({...}) (remoteBindings, inspectorPort, persistState, configPath, auxiliaryWorkers) being silently ignored during astro preview. The adapter now resolves the full @cloudflare/vite-plugin config once at integration setup time and reuses that single resolved value across the dev/build plugin, the prerenderer's preview server, and the astro preview entrypoint, so user options can no longer be dropped at one of the call sites.

... (truncated)

Commits

• c7157e6 [ci] release (#16870)
• 4cff3a1 Skip SSR build for fully static Cloudflare sites (#16468)
• 9c72aef [ci] format
• 01aa164 Add Cloudflare fetch and Hono handlers for advanced routing (#16729)
• f9bae95 fix(cloudflare): resolve vite plugin config once across call sites (#16868)
• 1e49163 [ci] release (#16832)
• 1e7b988 [ci] format
• 98297af fix(cloudflare): correct assets.directory in wrangler.json when base is set (...
• c8e5a94 [ci] release (#16805)
• 428cb1b Forward user optimizeDeps settings to SSR environments in Cloudflare adapter ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	rustlings	05f5983	May 29 2026, 03:14 AM