fix(deps): update all non-major dependencies#1282
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
8.0.0-rc.6→8.0.1^1.40.2→^1.44.0^9.39.4→^9.39.5^1.61.0→^1.61.1^4.3.1→^4.3.2^24.13.2→^24.13.3^1.7.1→^1.8.0^2.1.0→^2.3.1^9.39.4→^9.39.5^4.16.2→^4.17.1^3.1.0→^3.1.1^11.3.5→^11.3.6^17.6.0→^17.7.0^0.55.0→^0.58.0^1.61.0→^1.61.110.34.3→10.34.57.17.0→7.18.1^1.1.1→^1.1.5^0.11.16→^0.11.22^6.4.2→^6.4.3^4.3.1→^4.3.2^0.22.2→^0.22.5^8.61.1→^8.63.0^8.0.16→^8.1.4^4.1.9→^4.1.10^4.100.0→^4.110.0v0.5.6→v0.5.7Release Notes
babel/babel (@babel/core)
v8.0.1Compare Source
💥 Breaking Change
babel-core,babel-plugin-transform-object-rest-spread,babel-plugin-transform-runtime,babel-preset-env,babel-standalonepreset-env'suseBuiltIns(@nicolo-ribaudo)v8.0.0Compare Source
👓 Spec Compliance
babel-core💥 Breaking Change
babel-cli,babel-node,babel-plugin-proposal-decorators,babel-plugin-transform-classes,babel-plugin-transform-function-name,babel-plugin-transform-modules-commonjs,babel-plugin-transform-object-rest-spread,babel-plugin-transform-parameters,babel-plugin-transform-react-constant-elements,babel-plugin-transform-regenerator,babel-preset-env,babel-registermodules: auto(@nicolo-ribaudo)babel-plugin-transform-runtime,babel-runtime-corejs3,babel-runtime@babe/runtime-corejs3(@liuxingbaoyu)babel-parserlocations: "packed"(@liuxingbaoyu)🐛 Bug Fix
babel-generatorbabel-plugin-transform-modules-systemjs📝 Documentation
🏠 Internal
🏃♀️ Performance
babel-corecloudflare/workers-sdk (@cloudflare/vite-plugin)
v1.44.0Compare Source
Minor Changes
#14535
1b965c5Thanks @Naapperas! - Support dynamic retry delays for Workflow steps in local devA step's
retries.delaycan now be a function that computes the delay per failed attempt, in addition to a static duration. The function receives{ ctx, error }and returns a delay (a number of milliseconds or a duration string like"30 seconds"), and its result is fed into the configuredbackoff.The function is invoked once per failed attempt with a 5 second timeout. If it throws, times out, or returns an invalid value, the step fails without further retries.
Patch Changes
0283a1f,7b28392,1b965c5]:v1.43.3Compare Source
Patch Changes
e3f0cd6,8511ddf,9f74a5f,e3f0cd6,c782e2a,2fedb1f,17d2fc1]:v1.43.2Compare Source
Patch Changes
54f74b8,0852346,54f74b8]:v1.43.1Compare Source
Patch Changes
e7e5780,d88555e,5fd8bee,5d9990e,bf49a41,1ac96a1,f416dd9,1ca8d8f,16fbf81,b973ed3]:v1.43.0Compare Source
Minor Changes
#14382
fd92d56Thanks @petebacondarwin! - Add support for declarative Durable Object exportswrangler deploynow accepts anexportsmap inwrangler.jsonas a declarative alternative to the legacymigrationsarray.Each entry in
exportsis keyed by Durable Object class name.typecarries the export kind (currently always"durable-object"); thestatefield carries the lifecycle and defaults to"created"(live) when omitted:{ "exports": { // Provision a new Durable Object class (`MyDO`) "MyDO": { "type": "durable-object", "storage": "sqlite" }, // Delete Durable Object class (`OldGone`) "OldGone": { "type": "durable-object", "state": "deleted" }, // Rename a Durable Object class (from `OldName` to `NewName`) "OldName": { "type": "durable-object", "state": "renamed", "renamed_to": "NewName" }, "NewName": { "type": "durable-object", "storage": "sqlite" }, // Transfer a Durable Object (`Outgoing`) to a new Worker (`target-worker`) "Outgoing": { "type": "durable-object", "state": "transferred", "transferred_to": "target-worker" }, // Prepare to receive the transfer of a Durable Object (`Incoming`) from another Worker (`source-worker`) "Incoming": { "type": "durable-object", "state": "expecting-transfer", "storage": "sqlite", "transfer_from": "source-worker" } } }When a Worker declares Durable Object class bindings but no lifecycle for them (neither a
migrationsarray nor anexportsmap), wrangler warns and now suggests a declarativeexportsentry for each class (previously it suggested a legacymigrationsblock).The deployment response now surfaces the server's reconciliation result — created namespaces, applied tombstones, structured per-scenario info entries, and a
removable_entrieshint for stale tombstones that are safe to delete from the config. Blocking errors return the structured per-class detail with scenario tags, suggested remediation, and any referencing-script context.wrangler versions uploadalso forwardsexports. Declarativeexportslifecycle changes are reconciled when the version is deployed (wrangler versions deployorwrangler deploy), so aversions uploadpayload can declare new classes inexportswithout immediately provisioning them. An actor binding (durable_objects.bindings) to a class declared only inexportson the sameversions uploadis rejected with a clear error (code 100406) — the binding cannot be resolved until the namespace is provisioned. Either stage the new class viactx.exports.X(no binding required) onversions uploadand add the binding at deploy time, or usewrangler deployto provision and bind in one step (the same constraint applies to themigrationsflow).Multi-version deploys (
wrangler versions deploy A@50% B@50%) where the selected versions disagree on declarativeexportsare rejected server-side with a clear message: deploy the version that changesexportsat 100% first, then run the percentage-split deploy. This prevents traffic on one branch routing to code that references unprovisioned or just-deleted DO namespaces. Single-version (100%) deploys are unaffected.Local development (
wrangler dev,vite devandunstable_startWorker) reads Durable Object SQLite storage settings from the newexportsfield, so applications using the declarative flow get correct local-dev storage without needing to also declare amigrationsblock.@cloudflare/vitest-pool-workersalso picks up Durable Object configuration fromexports, so tests against anexports-only Worker run with the correct local SQLite storage and can reach unbound Durable Object classes viactx.exports.X.wrangler typesis also aware ofexports. Live entries (includingexpecting-transfer, the receiving side of a two-phase transfer) are added toCloudflare.GlobalProps.durableNamespaces, which typesctx.exports.Xfor unbound Durable Objects declared only viaexports.Patch Changes
aa5d580,6b0ce98,fd92d56,bfe48db,be3f792,0277bfa,98793d8,e1532eb]:v1.42.4Compare Source
Patch Changes
#14490
75d8cb0Thanks @petebacondarwin! - Preserve D1 migration paths in generated Worker configsWhen a Worker config with a D1 binding is built by the Vite plugin, the generated
wrangler.jsonnow pointsmigrations_dirback to the source migration directory. This lets tools that read the generated config, such ascreateTestHarness(), find the same D1 migrations as the source Worker config.Updated dependencies [
75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,f10d4ad,75d8cb0,75d8cb0,75d8cb0,75d8cb0,d292046,75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,e0cc2cb,75d8cb0,75d8cb0,75d8cb0]:v1.42.3Compare Source
Patch Changes
5f40dd5,34e0cef,3b743c1,daa5389,8a5cf8c]:v1.42.2Compare Source
Patch Changes
#14358
4ef872fThanks @gabivlj! - Fix container egress interception on arm64 Docker runtimesBoth
wrangler devand the Cloudflare Vite plugin no longer force theproxy-everythingsidecar image to pull aslinux/amd64, allowing Docker to select the native image from the multi-platform manifest. SetMINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORMto force a specific platform when needed.Updated dependencies [
a085dec,9a0de8f,fab565f,3f02864,4ef872f,2a02858,e312dec]:v1.42.1Compare Source
Patch Changes
#14366
c6579d3Thanks @jamesopstad! - Resolve relativecf-workerentrypoint imports relative to the importing moduleWhen loading the experimental
cloudflare.config.ts, a relative entrypoint imported withimport ... with { type: "cf-worker" }(e.g../src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.Bare specifiers (such as
@scope/pkg) and virtual modules (such asvirtual:foo) are still left unresolved so that consumers can apply their own resolution.Updated dependencies [
c6579d3,444b75e,b38823f,cfd6205,cfd6205]:v1.42.0Compare Source
Minor Changes
#14339
aa49856Thanks @jamesopstad! - Add abuildcommand to the experimental, internalcf-vitedelegate binarycf-vite buildruns Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained.cloudflare/output/v0/directory. It forcesexperimental.newConfigandexperimental.newConfig.cfBuildOutputon, so acloudflare.config.tsis required at the project root.Patch Changes
#14346
e930bd4Thanks @haidargit! - Bumpwsfrom 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4pGHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in
ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash awsserver or client via OOM. The fix shipped in ws@8.21.0 (commit2b2abd45, released 2026-05-22), which also introduces themaxBufferedChunksandmaxFragmentsoptions. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#14351
6c7df19Thanks @jamesopstad! - Force the experimental new config on by default in thecf-vite devdelegate#14218
4eed569Thanks @matingathani! - Allowresolve.externalcontaining only Node.js built-ins in Worker environmentsVitest 4 automatically sets
resolve.externalto the full list of Node.js built-in modules for non-standard Vite environments via its internalrunnerTransformplugin. Previously, the Cloudflare Vite plugin rejected any non-emptyresolve.externalarray, throwing an incompatibility error on startup when used alongside Vitest 4.The validation check now allows
resolve.externalarrays that contain only Node.js built-in module names (both barefsandnode:fsforms). The error is only thrown whenresolve.externalistrueor contains non-built-in package names that would prevent user code from being bundled into the Worker.Updated dependencies [
673b09e,e930bd4,f6e49dd,5c3bb11,296ad65,594544d,a79b899,5dfb788,ca61558,36777db]:v1.41.0Compare Source
Minor Changes
#14279
e6e4b07Thanks @jamesopstad! - Addexperimental.newConfig.cfBuildOutputoption to support future deployments via thecfCLIPatch Changes
0e055d3,27db82c,2a6a26b,9a424ed,ecfdd5a,604be26,1fb7ba5,208b3bb,41f391f,32f9307,8b2ce41,3578919,ee82c76,41f391f,21dbc12,7e63948,035917f]:eslint/eslint (@eslint/js)
v9.39.5Compare Source
microsoft/playwright (@playwright/test)
v1.61.1Compare Source
tailwindlabs/tailwindcss (@tailwindcss/vite)
v4.3.2Compare Source
Fixed
auto-rows-*andauto-cols-*utilities (e.g.auto-rows-12andauto-cols-16) (#20229)@tailwindcss/cliin--watchmode from crashing on Windows when@sourcepoints to a directory that doesn't exist (#20242)@tailwindcss/vitefrom crashing in Deno v2.8.x whencontext.parentURLis not a valid URL (#20245)@tailwindcss/cliin--watchmode rebuilds when the input CSS file changes in an ignored directory (#20246)@variantrules used inaddBase(…)to use custom variants defined later (#20247)@tailwindcss/vitefrom crashing during HMR when scanned files or directories are deleted (#20259)font-sizeinstead ofcolordeclarations fortext-[--spacing(…)](#20260)@sourcepatterns from scanning unrelated sibling files and folders (#20263)%]…[%in.tt,.tt2, and.txfiles (#20269)p.text-black[condition](#20269)@position-tryrules from triggering unknown at-rule warnings when optimizing CSS (#20277)--opacitytheme values (#20287)@tailwindcss/postcsswhen used with newer PostCSS patch releases (#20289)vitejs/release-scripts (@vitejs/release-scripts)
v1.8.0Compare Source
guybedford/es-module-lexer (es-module-lexer)
v2.3.1Compare Source
What's Changed
Full Changelog: guybedford/es-module-lexer@2.3.0...2.3.1
v2.3.0Compare Source
v2.2.0Compare Source
What's Changed
importwith 2+ args as a dynamic import by @soberm in #207New Contributors
Full Changelog: guybedford/es-module-lexer@2.1.0...2.2.0
eslint/eslint (eslint)
v9.39.5Compare Source
un-ts/eslint-plugin-import-x (eslint-plugin-import-x)
v4.17.1Compare Source
Patch Changes
cf25a01Thanks @marcalexiei! - fix(extensions): don't require an extension for package subpaths that resolve to a.d.ts(e.g.vitest/config)v4.17.0Compare Source
Minor Changes
4b2c0c5Thanks @regseb! - SupportRegExpin theimport-x/ignoresetting and theignoreoption of theno-unresolvedrule.Patch Changes
#494
1c84235Thanks @morgan-coded! - Fixedno-unresolvedcrashing when case-sensitive path checks encounterEACCESorEPERMon an ancestor directory.#481
3e13121Thanks @B4nan! - fix: memoize legacyNodeResolve resolver to avoid native memory leak#484
9a07009Thanks @sairus2k! - Make theextensionsrule check Node.js subpath imports (specifiers starting with#, e.g.#utils/helper). PreviouslyparsePathtreated a leading#as a URL hash fragment, so the rule skipped extension validation for these imports.Note: single-segment subpath imports without a slash (e.g.
#dep) are still skipped by the existing external-root-module classification; fixing that is deferred to avoid expanding scope.#468
240ed58Thanks @silverwind! - Makeextensionshandle.d.tscorrectly#479
e3cc7e4Thanks @mrginglymus! - fix: strip querystrings and hash fragments when checking for file existence#476
fce29b1Thanks @nbouvrette! - fix(deps): replace @package-json/types with an inline minimal typeota-meshi/eslint-plugin-regexp (eslint-plugin-regexp)
v3.1.1Compare Source
Patch Changes
jprichardson/node-fs-extra (fs-extra)
v11.3.6Compare Source
sindresorhus/globals (globals)
v17.7.0Compare Source
oxc-project/oxc (oxfmt)
v0.58.0Compare Source
v0.57.0Compare Source
v0.56.0Compare Source
pnpm/pnpm (pnpm)
v10.34.5Compare Source
v10.34.4: pnpm 10.34.4Compare Source
Patch Changes
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. Apnpm-workspace.yamlwith a traversal-shapedconfigDependenciesname (such as../../PWNED) or version (such as../../../PWNED) could previously causepnpm installto create symlinks or write package files outsidenode_modules/.pnpm-configand the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.352ae48: Reject path-traversal and reserved dependency aliases (such as../../../escape,.bin,.pnpm, ornode_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoistednode_modulesdirectory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.The
nodeLinker: hoistedgraph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.352ae48: Preventpnpm patch-removefrom removing files outside the configured patches directory.217fbe0: Hardened the warning printed when a project.npmrcuses environment variables in registry/auth settings: the suggestedpnpm config setcommand is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled.npmrcand a shell expands$(...), backticks, and$VAReven inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.Platinum Sponsors
This PR was generated by Mend Renovate. View the repository job log.