chore(deps): update dependency cloudflare to ^6.3.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cloudflare	^6.0.0 → ^6.3.0

---

Release Notes

cloudflare/cloudflare-typescript (cloudflare)

v6.3.0

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

New Resources

• dls: add DLS (Data Localization Suite) resource with regions (list/get) and regionalServices.prefixBindings (create/list/delete/edit/get) sub-resources (4dcf0db)

New Sub-Resources

• organizations: add billing.usage sub-resource — FOCUS v1.3 cost-and-usage dataset (get) at /organizations/{organization_id}/billable/usage (2c93faf)
• r2: add buckets.objects sub-resource — list, delete, get, upload (PUT) for direct R2 object operations (94a26fc)
• workers: add observability.queries sub-resource — create and list saved telemetry queries (d1f8d27)
• zero-trust: add access.samlCertificates sub-resource — list, get, getPem, rotate SAML signing certificate sets at the account level (4d75785)
• zero-trust: add identityProviders.samlCertificate sub-resource — create a SAML encryption certificate set bound to an Identity Provider (4d75785)

New Methods

• billing: add usage.get method — FOCUS v1.3 cost-and-usage dataset at /accounts/{account_id}/billable/usage (returns UsageGetResponse with BillingAccountId, ChargeCategory, ConsumedQuantity, BilledCost, EffectiveCost, etc.) (665f6ea)
• secrets-store: add stores.get method — fetch a single store by ID (GET /accounts/{account_id}/secrets_store/stores/{store_id}) returning StoreGetResponse (542f312)
• workers: add scripts.secrets.bulkUpdate method — PATCH /accounts/{account_id}/workers/scripts/{script_name}/secrets-bulk for bulk secret updates (840cea9)
• workers-for-platforms: add dispatch.namespaces.scripts.secrets.bulkUpdate method — same bulk-update endpoint for dispatch-namespace scripts (840cea9)

New Fields and Parameters

• ai: add format?: 'openrouter' query param to models.list for returning models in the OpenRouter marketplace format (a3ba7fc)
• aisearch: add degraded?: boolean response field to InstanceStatsResponse and namespaces.instances.InstanceStatsResponse — set when status counts are unavailable (e.g. legacy stats query exceeded D1 statement-size limit) (49c2987)
• cloudforce-one: add alpha2: string field to threatEvents.countries.list response items (CountryListResponseItem.Result) alongside the existing alpha3/name fields (0aa9ae0)
• custom-certificates: private_key on CustomCertificateCreateParams is now optional when custom_csr_id is provided (previously always required) (6e90245)
• logpush: add mnm_flow_logs to the dataset enum on datasets.fields.get, datasets.jobs.get, LogpushJob.dataset, and JobCreateParams.dataset (5bc2413)
• organizations: Organizations API moved from Closed Beta to Public Beta — affects organizations.create, update, list, delete, get, and organizationProfile.update/get docstrings (54b7f07)
• radar: add CONTENT_TYPE dimension and contentType?: Array<'HTML' | 'IMAGES' | 'JSON' | 'JAVASCRIPT' | 'CSS' | 'PLAIN_TEXT' | 'FONTS' | 'XML' | 'YAML' | 'VIDEO' | 'AUDIO' | 'MARKDOWN' | 'DOCUMENTS' | 'BINARY' | 'SERIALIZATION' | 'OTHER'> filter param to radar.http.summaryV2, timeseriesGroups, and related HTTP analytics methods (d5bc24a)
• spectrum: add virtual_network_id?: string field to OriginDNS config on AppCreateResponse, AppUpdateResponse, AppListResponse, AppGetResponse, AppCreateParams, and AppUpdateParams — routes origin traffic through tunnel virtual networks (1afad1f)
• workers: add 'opentelemetry-metrics' enum value to logpushDataset field on observability.destinations (DestinationCreateResponse.Configuration, DestinationUpdateResponse.Configuration, DestinationListResponse.Configuration) (d1f8d27)
• workers: add observability.traces.propagation_policy?: 'authenticated' | 'accept' field on Worker, WorkerCreateParams, WorkerUpdateParams, ScriptSetting, SettingEditParams, and script-and-version-settings — controls how inbound traceparent/tracestate headers are honored (d1f8d27)
• workers: add ends_with filter operation and ENDS_WITH comparison enum value to observability.telemetry.query filters (d1f8d27)
• workers: add preview?: { id?: string; name?: string; slug?: string } field to TelemetryQueryResponse.UnionMember0 and UnionMember1 event items — surfaces preview deployment metadata on telemetry results (d1f8d27)
• workers: narrow observability.telemetry source field type from string | unknown to string | { [key: string]: unknown } — non-breaking type refinement that gives consumers better inference (d1f8d27)
• zero-trust: add Cloudflare-as-Identity-Provider — new 'cloudflare' value in IdentityProviderType and IdentityProviderTypeParam unions, plus a new AccessCloudflare interface variant added to IdentityProvider, IdentityProviderParam, IdentityProviderListResponse, IdentityProviderCreateParams, and IdentityProviderUpdateParams unions (4d75785)
• zero-trust: add AccessCloudflareAccountMemberRule policy rule type to AccessRule union (and AccessRuleParam) — matches users who are members of a specific Cloudflare account; pairs with the new Cloudflare IdP type (4d75785)
• zero-trust: add saml_certificate_set? and saml_certificate_set_id? fields across all 16 Identity Provider variants (AzureAD, AccessCentrify, AccessCloudflare, AccessFacebook, AccessGitHub, AccessGoogle, AccessGoogleApps, AccessLinkedin, AccessOIDC, AccessOkta, AccessOnelogin, AccessOnetimepin, AccessPingone, AccessSAML, AccessYandex, and the new AccessCloudflare) — references the bound SAML encryption certificate set (4d75785)
• zero-trust: add error_details? (with cause, is_upstream, mcp_code, retryable, status_code fields) and is_shared_oauth_callback_enabled?: boolean to access.aiControls.mcp.portals and mcp.servers response types — surfaces MCP gateway error details and shared-OAuth-callback rollout state (dc1c78c)
• zero-trust: add portal_description? and server_description? fields to access.aiControls.mcp.portals Server.UpdatedPrompt (Create/Update/List/Get response variants); the older description? field is now @deprecated in favor of these — portal-level wins when present, otherwise falls back to server-level (dc1c78c)
• zero-trust: refine access.aiControls.mcp.servers.ServerSyncResponse from unknown to { error?: string; error_details?: ServerSyncResponse.ErrorDetails; status?: string } — gives consumers a typed shape with MCP error details (dc1c78c)
• zero-trust: add auth_state?: Array<'Good' | 'Notified' | 'Will Block' | 'Blocked'> field to KolideInput and KolideInputParam device-posture types — restricts the posture check to specific Kolide auth states (dc1c78c)

Deprecations

• zero-trust: access.aiControls.mcp.portals Server.UpdatedPrompt.description? is now @deprecated. Use the new portal_description? or server_description? fields instead. The deprecated field is still populated for backward compatibility (portal-level wins when present, otherwise falls back to server-level) and will be removed after a deprecation window. (dc1c78c)

Breaking Changes

• billing: the underlying API endpoint for client.billing.usage.paygo() changed from GET /accounts/{account_id}/billing/usage/paygo to GET /accounts/{account_id}/paygo-usage. The SDK call site, method signature, params, and return type are unchanged — existing code does not need to be modified. This is recorded as a breaking change because the underlying API contract moved; users on older SDK versions may see 404s if the old URL is retired by the Cloudflare API server. (665f6ea)

Chores

• ai: documentation tightening across model list responses (a3ba7fc)
• cloudforce-one: documentation refresh on threat-events country fields (0aa9ae0)
• email-sending: internal client-name string update (1199217)
• intel: rephrase sinkhole field descriptions for clarity (b471160)
• radar: trailing chore from previous sync round (6446c29)
• workers-for-platforms: documentation updates on existing dispatch endpoints alongside the bulkUpdate addition (074b214)
• zero-trust: generated-output churn alongside the SAML certificate work (dc1c78c), (40ea4d5)
• sync codegen shared files (api.md, .stats.yml, scripts/detect-breaking-changes, src/index.ts, src/resources/index.ts) across multiple sync rounds (4d7dd4d), (fdef412), (22e2a09), (7e4b075)

v6.2.0

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

New Resources

• dls: add DLS (Data Localization Suite) resource with regions (list/get) and regionalServices.prefixBindings (create/list/delete/edit/get) sub-resources (4dcf0db)

New Sub-Resources

• organizations: add billing.usage sub-resource — FOCUS v1.3 cost-and-usage dataset (get) at /organizations/{organization_id}/billable/usage (2c93faf)
• r2: add buckets.objects sub-resource — list, delete, get, upload (PUT) for direct R2 object operations (94a26fc)
• workers: add observability.queries sub-resource — create and list saved telemetry queries (d1f8d27)
• zero-trust: add access.samlCertificates sub-resource — list, get, getPem, rotate SAML signing certificate sets at the account level (4d75785)
• zero-trust: add identityProviders.samlCertificate sub-resource — create a SAML encryption certificate set bound to an Identity Provider (4d75785)

New Methods

• billing: add usage.get method — FOCUS v1.3 cost-and-usage dataset at /accounts/{account_id}/billable/usage (returns UsageGetResponse with BillingAccountId, ChargeCategory, ConsumedQuantity, BilledCost, EffectiveCost, etc.) (665f6ea)
• secrets-store: add stores.get method — fetch a single store by ID (GET /accounts/{account_id}/secrets_store/stores/{store_id}) returning StoreGetResponse (542f312)
• workers: add scripts.secrets.bulkUpdate method — PATCH /accounts/{account_id}/workers/scripts/{script_name}/secrets-bulk for bulk secret updates (840cea9)
• workers-for-platforms: add dispatch.namespaces.scripts.secrets.bulkUpdate method — same bulk-update endpoint for dispatch-namespace scripts (840cea9)

New Fields and Parameters

• ai: add format?: 'openrouter' query param to models.list for returning models in the OpenRouter marketplace format (a3ba7fc)
• aisearch: add degraded?: boolean response field to InstanceStatsResponse and namespaces.instances.InstanceStatsResponse — set when status counts are unavailable (e.g. legacy stats query exceeded D1 statement-size limit) (49c2987)
• cloudforce-one: add alpha2: string field to threatEvents.countries.list response items (CountryListResponseItem.Result) alongside the existing alpha3/name fields (0aa9ae0)
• custom-certificates: private_key on CustomCertificateCreateParams is now optional when custom_csr_id is provided (previously always required) (6e90245)
• logpush: add mnm_flow_logs to the dataset enum on datasets.fields.get, datasets.jobs.get, LogpushJob.dataset, and JobCreateParams.dataset (5bc2413)
• organizations: Organizations API moved from Closed Beta to Public Beta — affects organizations.create, update, list, delete, get, and organizationProfile.update/get docstrings (54b7f07)
• radar: add CONTENT_TYPE dimension and contentType?: Array<'HTML' | 'IMAGES' | 'JSON' | 'JAVASCRIPT' | 'CSS' | 'PLAIN_TEXT' | 'FONTS' | 'XML' | 'YAML' | 'VIDEO' | 'AUDIO' | 'MARKDOWN' | 'DOCUMENTS' | 'BINARY' | 'SERIALIZATION' | 'OTHER'> filter param to radar.http.summaryV2, timeseriesGroups, and related HTTP analytics methods (d5bc24a)
• spectrum: add virtual_network_id?: string field to OriginDNS config on AppCreateResponse, AppUpdateResponse, AppListResponse, AppGetResponse, AppCreateParams, and AppUpdateParams — routes origin traffic through tunnel virtual networks (1afad1f)
• workers: add 'opentelemetry-metrics' enum value to logpushDataset field on observability.destinations (DestinationCreateResponse.Configuration, DestinationUpdateResponse.Configuration, DestinationListResponse.Configuration) (d1f8d27)
• workers: add observability.traces.propagation_policy?: 'authenticated' | 'accept' field on Worker, WorkerCreateParams, WorkerUpdateParams, ScriptSetting, SettingEditParams, and script-and-version-settings — controls how inbound traceparent/tracestate headers are honored (d1f8d27)
• workers: add ends_with filter operation and ENDS_WITH comparison enum value to observability.telemetry.query filters (d1f8d27)
• workers: add preview?: { id?: string; name?: string; slug?: string } field to TelemetryQueryResponse.UnionMember0 and UnionMember1 event items — surfaces preview deployment metadata on telemetry results (d1f8d27)
• workers: narrow observability.telemetry source field type from string | unknown to string | { [key: string]: unknown } — non-breaking type refinement that gives consumers better inference (d1f8d27)
• zero-trust: add Cloudflare-as-Identity-Provider — new 'cloudflare' value in IdentityProviderType and IdentityProviderTypeParam unions, plus a new AccessCloudflare interface variant added to IdentityProvider, IdentityProviderParam, IdentityProviderListResponse, IdentityProviderCreateParams, and IdentityProviderUpdateParams unions (4d75785)
• zero-trust: add AccessCloudflareAccountMemberRule policy rule type to AccessRule union (and AccessRuleParam) — matches users who are members of a specific Cloudflare account; pairs with the new Cloudflare IdP type (4d75785)
• zero-trust: add saml_certificate_set? and saml_certificate_set_id? fields across all 16 Identity Provider variants (AzureAD, AccessCentrify, AccessCloudflare, AccessFacebook, AccessGitHub, AccessGoogle, AccessGoogleApps, AccessLinkedin, AccessOIDC, AccessOkta, AccessOnelogin, AccessOnetimepin, AccessPingone, AccessSAML, AccessYandex, and the new AccessCloudflare) — references the bound SAML encryption certificate set (4d75785)
• zero-trust: add error_details? (with cause, is_upstream, mcp_code, retryable, status_code fields) and is_shared_oauth_callback_enabled?: boolean to access.aiControls.mcp.portals and mcp.servers response types — surfaces MCP gateway error details and shared-OAuth-callback rollout state (dc1c78c)
• zero-trust: add portal_description? and server_description? fields to access.aiControls.mcp.portals Server.UpdatedPrompt (Create/Update/List/Get response variants); the older description? field is now @deprecated in favor of these — portal-level wins when present, otherwise falls back to server-level (dc1c78c)
• zero-trust: refine access.aiControls.mcp.servers.ServerSyncResponse from unknown to { error?: string; error_details?: ServerSyncResponse.ErrorDetails; status?: string } — gives consumers a typed shape with MCP error details (dc1c78c)
• zero-trust: add auth_state?: Array<'Good' | 'Notified' | 'Will Block' | 'Blocked'> field to KolideInput and KolideInputParam device-posture types — restricts the posture check to specific Kolide auth states (dc1c78c)

Deprecations

• zero-trust: access.aiControls.mcp.portals Server.UpdatedPrompt.description? is now @deprecated. Use the new portal_description? or server_description? fields instead. The deprecated field is still populated for backward compatibility (portal-level wins when present, otherwise falls back to server-level) and will be removed after a deprecation window. (dc1c78c)

Breaking Changes

• billing: the underlying API endpoint for client.billing.usage.paygo() changed from GET /accounts/{account_id}/billing/usage/paygo to GET /accounts/{account_id}/paygo-usage. The SDK call site, method signature, params, and return type are unchanged — existing code does not need to be modified. This is recorded as a breaking change because the underlying API contract moved; users on older SDK versions may see 404s if the old URL is retired by the Cloudflare API server. (665f6ea)

Chores

• ai: documentation tightening across model list responses (a3ba7fc)
• cloudforce-one: documentation refresh on threat-events country fields (0aa9ae0)
• email-sending: internal client-name string update (1199217)
• intel: rephrase sinkhole field descriptions for clarity (b471160)
• radar: trailing chore from previous sync round (6446c29)
• workers-for-platforms: documentation updates on existing dispatch endpoints alongside the bulkUpdate addition (074b214)
• zero-trust: generated-output churn alongside the SAML certificate work (dc1c78c), (40ea4d5)
• sync codegen shared files (api.md, .stats.yml, scripts/detect-breaking-changes, src/index.ts, src/resources/index.ts) across multiple sync rounds (4d7dd4d), (fdef412), (22e2a09), (7e4b075)

v6.1.0

Compare Source

Full Changelog: v6.0.0...v6.1.0

Features

• chore: skip failing deployment_groups tests (f4ce98e)
• feat(api): add zero_trust_device_deployment_groups resource (c05f6d6)
• feat(SCTR): add audit log, classification, and context endpoints to Security Center API (3791b84)

Chores

• api: update composite API spec (64244be)
• api: update composite API spec (7cb65d5)
• api: update composite API spec (8533ac8)
• api: update composite API spec (04ebcc4)
• api: update composite API spec (fb5ef8f)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	floren	ddf0bf7	Commit Preview URL Branch Preview URL	May 21 2026, 11:57 PM