chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@graphql-tools/wrap (source)	11.1.7 → 11.1.8
@types/node (source)	24.10.13 → 24.10.15
@typescript-eslint/eslint-plugin (source)	8.55.0 → 8.56.1
@typescript-eslint/parser (source)	8.55.0 → 8.56.1
eslint (source)	9.39.2 → 9.39.3
globby	16.1.0 → 16.1.1
graphql	16.12.0 → 16.13.0
qs	6.14.2 → 6.15.0
rollup (source)	4.57.1 → 4.59.0
wrangler (source)	4.65.0 → 4.69.0

---

Release Notes

graphql-hive/gateway (@​graphql-tools/wrap)

v11.1.8

Compare Source

Patch Changes

• Updated dependencies [4065b7f]:
  • @​graphql-tools/delegate@​12.0.8

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v8.56.1

Compare Source

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

🩹 Fixes

• use parser options from context.languageOptions (#​12043)

❤️ Thank You

• Brad Zacher @​bradzacher
• fnx @​DMartens
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.56.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

❤️ Thank You

• Brad Zacher @​bradzacher
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

eslint/eslint (eslint)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

sindresorhus/globby (globby)

v16.1.1

Compare Source

• Fix negation patterns with absolute filesystem paths 72e9916

---

graphql/graphql-js (graphql)

v16.13.0

Compare Source

ljharb/qs (qs)

v6.15.0

Compare Source

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#​425, #​122)
• [Fix] duplicates option should not apply to bracket notation keys (#​514)

rollup/rollup (rollup)

v4.59.0

Compare Source

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#​6276)

Pull Requests

• #​6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

Compare Source

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#​6272)

Pull Requests

• #​6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #​6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #​6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #​6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #​6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #​6265: chore(deps): lock file maintenance (@​renovate[bot])
• #​6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #​6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #​6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #​6270: chore(deps): lock file maintenance (@​renovate[bot])
• #​6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

cloudflare/workers-sdk (wrangler)

v4.69.0

Compare Source

Minor Changes

• #​12625 c0e9e08 Thanks @​WillTaylorDev! - Add cache configuration option for enabling worker cache (experimental)

  You can now enable cache before worker execution using the new cache configuration:

  {
  	"cache": {
  		"enabled": true,
  	},
  }

  This setting is environment-inheritable and opt-in. When enabled, cache behavior is applied before your worker runs.

  Note: This feature is experimental. The runtime API is not yet generally available.

Patch Changes

• #​12661 99037e3 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260302.0	1.20260303.0

• #​12680 295297a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260303.0	1.20260305.0

• #​12671 f765244 Thanks @​MattieTK! - fix: Only redact account names in CI environments, not all non-interactive contexts

  The multi-account selection error in getAccountId now only redacts account names
  when running in a CI environment (detected via ci-info). Non-interactive terminals
  such as coding agents and piped commands can now see account names, which they need
  to identify which account to configure. CI logs remain protected.

• Updated dependencies [99037e3, 295297a]:

  • miniflare@​4.20260305.0

v4.68.1

Compare Source

Patch Changes

• #​12648 3d6e421 Thanks @​petebacondarwin! - Fix Angular scaffolding to allow localhost SSR in development mode

  Recent versions of Angular's AngularAppEngine block serving SSR on localhost by default. This caused wrangler dev / wrangler pages dev to fail with URL with hostname "localhost" is not allowed.

  The fix passes allowedHosts: ["localhost"] to the AngularAppEngine constructor in server.ts, which is safe to do even in production since Cloudflare will already restrict which host is allowed.

• #​12657 294297e Thanks @​dario-piotrowicz! - Update Waku autoconfig logic

  As of 1.0.0-alpha.4, Waku projects can be built on top of the Cloudflare Vite plugin, and the changes here allow Wrangler autoconfig to support this. Running autoconfig on older versions of Waku will result in an error.

• Updated dependencies []:

  • miniflare@​4.20260302.0

v4.68.0

Compare Source

Minor Changes

• #​12614 8d882fa Thanks @​dario-piotrowicz! - Enable autoconfig for wrangler deploy by default (while allowing users to still disable it via --x-autoconfig=false if necessary)

• #​12614 8d882fa Thanks @​dario-piotrowicz! - Mark the wrangler setup command as stable

v4.67.1

Compare Source

Patch Changes

• #​12595 e93dc01 Thanks @​dario-piotrowicz! - Add a warning in the autoconfig logic letting users know that support for projects inside workspaces is limited

• #​12582 c2ed7c2 Thanks @​penalosa! - Internal refactor to use capnweb's native ReadableStream support to power remote Media and Dispatch Namespace bindings.

• #​12618 d920811 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260219.0	1.20260227.0

• #​12637 896734d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260227.0	1.20260302.0

• #​12601 ebdbe52 Thanks @​43081j! - Switch to empathic for file-system upwards traversal to reduce dependency bloat.

• #​12602 58a4020 Thanks @​anonrig! - Optimize filesystem operations by using Node.js's throwIfNoEntry: false option

  This reduces the number of system calls made when checking for file existence by avoiding the overhead of throwing and catching errors for missing paths. This is an internal performance optimization with no user-visible behavioral changes.

• #​12591 6f6cd94 Thanks @​martinezjandrew! - Implemented logic within wrangler containers registries configure to check if a specified secret name is already in-use and offer to reuse that secret. Also added --skip-confirmation flag to the command to skip all interactive prompts.

• Updated dependencies [c2ed7c2, d920811, 896734d, 58a4020]:

  • miniflare@​4.20260302.0

v4.67.0

Compare Source

Minor Changes

• #​12401 8723684 Thanks @​jonesphillip! - Add validation retry loops to pipelines setup command

  The wrangler pipelines setup command now prompts users to retry when validation errors occur, instead of failing the entire setup process. This includes:

  • Validation retry prompts for pipeline names, bucket names, and field names
  • A "simple" mode for sink configuration that uses sensible defaults
  • Automatic bucket creation when buckets don't exist
  • Automatic Data Catalog enablement when not already active

  This improves the setup experience by allowing users to correct mistakes without restarting the entire configuration flow.

• #​12395 aa82c2b Thanks @​cmackenzie1! - Generate typed pipeline bindings from stream schemas

  When running wrangler types, pipeline bindings now generate TypeScript types based on the stream's schema definition. This gives you full autocomplete and type checking when sending data to your pipelines.

  // wrangler.json
  {
  	"pipelines": [
  		{ "binding": "ANALYTICS", "pipeline": "analytics-stream-id" },
  	],
  }

  If your stream has a schema with fields like user_id (string) and event_count (int32), the generated types will be:

  declare namespace Cloudflare {
  	type AnalyticsStreamRecord = { user_id: string; event_count: number };
  	interface Env {
  		ANALYTICS: Pipeline<Cloudflare.AnalyticsStreamRecord>;
  	}
  }

  For unstructured streams or when not authenticated, bindings fall back to the generic Pipeline<PipelineRecord> type.

Patch Changes

• #​12592 aaa7200 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260217.0	1.20260218.0

• #​12606 2f19a40 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260218.0	1.20260219.0

• #​12604 e2a6600 Thanks @​petebacondarwin! - fix: pass --env flag to auxiliary workers in multi-worker mode

  When running wrangler dev with multiple config files (e.g. -c ./apps/api/wrangler.jsonc -c ./apps/queues/wrangler.jsonc -e=dev), the --env flag was not being passed to auxiliary (non-primary) workers. This meant that environment-specific configuration (such as queue bindings) was not applied to auxiliary workers, causing features like queue consumers to not be triggered in local development.

• #​12597 0b17117 Thanks @​sdnts! - The maximum allowed delivery and retry delays for Queues is now 24 hours

• #​12598 ca58062 Thanks @​mattzcarey! - Stop redacting wrangler whoami output in non-interactive mode

  wrangler whoami is explicitly invoked to retrieve account info, so email and account names should always be visible. Redacting them in non-interactive/CI environments makes it difficult for coding agents and automated tools to identify which account to use. Other error messages that may appear unexpectedly in CI logs (e.g. multi-account selection errors) remain redacted.

• Updated dependencies [f239077, aaa7200, 2f19a40, 5f9f0b4, 452cdc8, 527e4f5, 0b17117]:

  • miniflare@​4.20260219.0
  • @​cloudflare/unenv-preset@​2.14.0

v4.66.0

Compare Source

Minor Changes

• #​12466 caf9b11 Thanks @​petebacondarwin! - Add WRANGLER_CACHE_DIR environment variable and smart cache directory detection

  Wrangler now intelligently detects where to store cache files:

  1. Use WRANGLER_CACHE_DIR env var if set
  2. Use existing cache directory if found (node_modules/.cache/wrangler or .wrangler/cache)
  3. Create cache in node_modules/.cache/wrangler if node_modules exists
  4. Otherwise use .wrangler/cache

  This improves compatibility with Yarn PnP, pnpm, and other package managers that don't use traditional node_modules directories, without requiring any configuration.

• #​12572 936187d Thanks @​dario-piotrowicz! - Ensure the nodejs_compat flag is always applied in autoconfig

  Previously, the autoconfig feature relied on individual framework configurations to specify Node.js compatibility flags, some could set nodejs_compat while others nodejs_als.

  Now instead nodejs_compat is always included as a compatibility flag, this is generally beneficial and the user can always remove the flag afterwards if they want to.

• #​12560 c4c86f8 Thanks @​taylorlee! - Support --tag and --message flags on wrangler deploy

  They have the same behavior that they do as during wrangler versions upload, as both
  are set on the version.

  The message is also reused for the deployment as well, with the same behavior as used
  during wrangler versions deploy.

Patch Changes

• #​12543 5a868a0 Thanks @​G4brym! - Fix AI Search binding failing in local dev

  Using AI Search bindings with wrangler dev would fail with "RPC stub points at a non-serializable type". AI Search bindings now work correctly in local development.

• #​12552 c58e81b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260212.0	1.20260213.0

• #​12568 33a9a8f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260213.0	1.20260214.0

• #​12576 8077c14 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260214.0	1.20260217.0

• #​12466 caf9b11 Thanks @​petebacondarwin! - fix: exclude .wrangler directory from Pages uploads

  The .wrangler directory contains local cache and state files that should never be deployed. This aligns Pages upload behavior with Workers Assets, which already excludes .wrangler via .assetsignore.

• #​12556 7d2355e Thanks @​ascorbic! - Fix port availability check probing the wrong host when host changes

  memoizeGetPort correctly invalidated its cached port when called with a different host, but then still probed the original host for port availability. This could return a port that was free on the original host but already in use on the requested one, leading to bind failures at startup.

• #​12562 7ea69af Thanks @​MattieTK! - Support function-based Vite configs in autoconfig setup

  wrangler setup and wrangler deploy --x-autoconfig can now automatically add the Cloudflare Vite plugin to projects that use function-based defineConfig() patterns. Previously, autoconfig would fail with "Cannot modify Vite config: expected an object literal but found ArrowFunctionExpression" for configs like:

  export default defineConfig(({ isSsrBuild }) => ({
  	plugins: [reactRouter(), tsconfigPaths()],
  }));

  This pattern is used by several official framework templates, including React Router's node-postgres and node-custom-server templates. The following defineConfig() patterns are now supported:

  • defineConfig({ ... }) (object literal, already worked)
  • defineConfig(() => ({ ... })) (arrow function with expression body)
  • defineConfig(({ isSsrBuild }) => ({ ... })) (arrow function with destructured params)
  • defineConfig(() => { return { ... }; }) (arrow function with block body)
  • defineConfig(function() { return { ... }; }) (function expression)

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .assetsignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy --x-autoconfig created a new .assetsignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .assetsignore file. This fix ensures newly created .assetsignore files start cleanly without leading blank lines.

• #​12556 7d2355e Thanks @​ascorbic! - Improve error message when port binding is blocked by a sandbox or security policy

  When running wrangler dev inside a restricted environment (such as an AI coding agent sandbox or locked-down container), the port availability check would fail with a raw EPERM error. This now provides a clear message explaining that a sandbox or security policy is blocking network access, rather than the generic permission error that previously pointed at the file system.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Improve framework detection when multiple frameworks are found

  When autoconfig detects multiple frameworks in a project, Wrangler now applies smarter logic to select the most appropriate one. Selecting the wrong one is acceptable locally where the user can change the detected framework, in CI an error is instead thrown.

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Add trailing newline to generated package.json and wrangler.jsonc files

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .gitignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy created a new .gitignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .gitignore file. This fix ensures newly created .gitignore files start cleanly without leading blank lines.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Throw actionable error when autoconfig is run in the root of a workspace

  When running Wrangler commands that trigger auto-configuration (like wrangler dev or wrangler deploy) in the root directory of a monorepo workspace, a helpful error is now shown directing users to run the command in a specific project's directory instead.

• Updated dependencies [5a868a0, c58e81b, 33a9a8f, 8077c14, caf9b11, 9a565d5, 7f18183, 39491f9, 43c462a]:

  • miniflare@​4.20260217.0
  • @​cloudflare/unenv-preset@​2.13.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package	Version	Info
graphql-modules	3.1.2-alpha-20260226214800-883e3b99b1a1a6b777662eb2040c517bfb70da37	npm ↗︎ unpkg ↗︎

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-2656.graphql-modules.pages.dev