Skip to content

fix(deps): update all non-major dependencies#51

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch
Open

fix(deps): update all non-major dependencies#51
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/all-minor-patch

Conversation

@renovate

@renovate renovate Bot commented Jan 12, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@cloudflare/vite-plugin (source) ^1.20.0^1.39.0 age confidence
@orpc/client (source) ^1.13.2^1.14.4 age confidence
@orpc/server (source) ^1.13.2^1.14.4 age confidence
@orpc/tanstack-query (source) ^1.13.2^1.14.4 age confidence
@playwright/test (source) ^1.57.0^1.60.0 age confidence
@preact/preset-vite ^2.10.2^2.10.5 age confidence
@preact/signals (source) ^2.5.1^2.9.1 age confidence
@rolldown/pluginutils (source) 1.0.0-beta.591.0.1 age confidence
@tanstack/react-query (source) ^5.90.16^5.100.14 age confidence
@types/node (source) ^24.10.4^24.12.4 age confidence
@types/react (source) ^19.2.7^19.2.15 age confidence
@vitejs/plugin-react (source) ^5.1.2^5.2.0 age confidence
@vitejs/plugin-react-swc (source) ^4.2.2^4.3.1 age confidence
@vitejs/plugin-vue (source) ^6.0.3^6.0.7 age confidence
bumpp ^10.3.2^10.4.1 age confidence
oxfmt (source) ^0.23.0^0.52.0 age confidence
pnpm (source) 10.27.0+sha512.72d699da16b1179c14ba9e64dc71c9a40988cbdc65c264cb0e489db7de917f20dcf4d64d8723625f2969ba52d4b7e2a1170682d9ac2a5dcaeaab732b7e16f04a10.34.1 age confidence
preact (source) ^10.28.2^10.29.2 age confidence
preact-render-to-string ^6.6.5^6.7.0 age confidence
react (source) ^19.2.3^19.2.6 age confidence
react-dom (source) ^19.2.3^19.2.6 age confidence
react-router (source) 7.12.07.16.0 age confidence
srvx (source) ^0.10.0^0.11.16 age confidence
tinyexec ^1.0.2^1.2.4 age confidence
tsdown (source) ^0.18.4^0.22.1 age confidence
unhead (source) ^2.1.1^2.1.15 age confidence
vite (source) ^7.3.1^7.3.3 age confidence
vue (source) ^3.5.26^3.5.35 age confidence
wrangler (source) ^4.57.0^4.95.0 age confidence
zod (source) ^4.3.5^4.4.3 age confidence

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.39.0

Minor Changes
  • #​13985 c809d30 Thanks @​jamesopstad! - Add assetsOnly (entry Worker) and devOnly (auxiliary Workers) options to the plugin config

    Both options accept a boolean or a function that returns a boolean. The function is evaluated lazily at build time, allowing frameworks to provide the value after initialization.

    Use assetsOnly on the entry Worker to skip building the Worker and instead emit an assets-only Wrangler config to the client output directory. This enables frameworks such as Astro to use the ssr environment during development but produce a fully static app for deployment.

    export default defineConfig({
      plugins: [
        cloudflare({
          assetsOnly: () => isStaticBuild,
        }),
      ],
    });

    Use devOnly on an auxiliary Worker to include it during vite dev but skip it at build time.

    export default defineConfig({
      plugins: [
        cloudflare({
          auxiliaryWorkers: [
            { configPath: "./dev-only-worker/wrangler.jsonc", devOnly: true },
          ],
        }),
      ],
    });
Patch Changes

v1.38.0

Compare Source

Minor Changes
  • #​13989 f598eac Thanks @​MattieTK! - Print a QR code alongside the tunnel URL when sharing via Cloudflare Tunnel

    When a tunnel is started (via wrangler dev --tunnel or the Vite plugin with tunnel: true), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.

    The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.

Patch Changes

v1.37.3

Compare Source

Patch Changes
  • #​13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

    GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #​13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

    Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

    This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

  • #​13919 c7eab7f Thanks @​petebacondarwin! - Fix the outbound CF-Worker header reflecting the route pattern hostname instead of the parent zone, and falling back to <worker-name>.example.com under vite dev, vitest-pool-workers, and getPlatformProxy

    Two related issues affected the CF-Worker header on outbound subrequests in local development:

    1. Under @cloudflare/vite-plugin, @cloudflare/vitest-pool-workers, and getPlatformProxy, the header fell back to <worker-name>.example.com even when routes were configured, because unstable_getMiniflareWorkerOptions and the equivalent getPlatformProxy worker-options path did not propagate a zone value to Miniflare. This broke local development against services that reject unknown CF-Worker hosts (for example, Apple WeatherKit returns 403 Forbidden).
    2. Across the above paths and wrangler dev --local, when a route used the zone_name field (for example { pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production sets CF-Worker to the zone name that owns the Worker, so this was inconsistent with deployed behaviour.

    Both bugs are fixed: the new unstable_getMiniflareWorkerOptions / getPlatformProxy path now propagates a zone derived from the first configured route, and all four local-dev paths now prefer a route's explicit zone_name over the pattern hostname when computing that zone. When zone_name isn't set, the existing best-effort behaviour is preserved — for wrangler dev this means dev.host is still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone for zone_id-only, custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.

    Note: dev.host is intentionally not consulted by the unstable_getMiniflareWorkerOptions / getPlatformProxy paths — the dev config block is specific to wrangler dev.

  • Updated dependencies [fa1f61f, 2679e05, 7e40d98, adc9221, 735852d, d803737, c7eab7f, e04e180, 59cd880, 62abf97, e8c2031, e349fe0, da0fa8c, a5c9365]:

    • miniflare@​4.20260520.0
    • wrangler@​4.93.1

v1.37.2

Compare Source

Patch Changes

v1.37.1

Compare Source

Patch Changes
  • #​13922 23800f8 Thanks @​edmundhung! - Add a tunnel shortcut hint when CLI shortcuts are printed

    The Cloudflare Vite plugin now includes a t + enter tunnel hint alongside the other CLI shortcuts it prints.

  • #​13920 f579e57 Thanks @​petebacondarwin! - Honor X-Forwarded-Proto when constructing the Worker's request.url

    When running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's request.url was always http://... even though the client reached the server over https://.... This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with 403.

    The Vite plugin now reads the X-Forwarded-Proto header from the incoming request and uses it to set the protocol of request.url. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs.

    Fixes #​13801.

  • Updated dependencies [19ed49a, 3ff0a50, bf688f7, 2e72c83, 802eaf4, 506aa02, 8f5cdb1, be8a98c]:

    • miniflare@​4.20260515.0
    • wrangler@​4.92.0

v1.37.0

Compare Source

Minor Changes
  • #​13903 7ce6f6f Thanks @​edmundhung! - Add named tunnel support to the cloudflare() Vite plugin

    You can now expose your local dev server publicly with a stable hostname by configuring tunnel with a named Cloudflare Tunnel:

    cloudflare({
      tunnel: { name: "my-tunnel", autoStart: true },
    });

    If autoStart is omitted or set to false, you can still start or close the tunnel by pressing t + enter.

Patch Changes

v1.36.4

Compare Source

Patch Changes

v1.36.3

Compare Source

Patch Changes

v1.36.2

Compare Source

Patch Changes
  • Updated dependencies [dd3baf3, 5cf6f81]:
    • wrangler@​4.89.1
    • miniflare@​4.20260507.1

v1.36.1

Compare Source

Patch Changes
  • #​13802 a7fd465 Thanks @​deodad! - Fix .dev.vars written for vite preview to round-trip values containing quotes

    When the plugin emits dist/<env>/.dev.vars for vite preview, it previously wrote each value as a double-quoted dotenv string with " escaped to \". dotenv (the parser wrangler uses) does not unescape \" inside double-quoted values, so values containing " arrived at the worker with literal backslashes still in them.

    The plugin now quotes strings using the first quote character that does not appear in the value (with the priority order: single → backtick → double), all of which dotenv strips correctly. If a value contains every supported quote character it throws instead of silently corrupting the value.

  • Updated dependencies [2284f20, 332f527, 039bada, 18e833d, b6cea17, 1a54ac5, 53e846a, f3fed88, beff19c, af42fed, 1a54ac5]:

    • miniflare@​4.20260507.0
    • wrangler@​4.89.0

v1.36.0

Compare Source

Minor Changes
  • #​13810 2b8c0cc Thanks @​jamesopstad! - Stabilize the secrets configuration property

    The secrets property in the Wrangler config file is no longer experimental and will no longer emit an experimental warning when used. Required secrets are validated during local development and deploy, and used as the source of truth for type generation.

    {
      "secrets": {
        "required": ["API_KEY", "DB_PASSWORD"]
      }
    }
Patch Changes

v1.35.0

Compare Source

Minor Changes
  • #​13618 c07d0cb Thanks @​jamesopstad! - Support V2 protocol for module fallback service

    When the new_module_registry compatibility flag is set, requests sent to unsafeModuleFallbackService() use a different protocol. The Vite plugin now supports both protocols in its handling of additional module types.

Patch Changes

v1.34.0

Compare Source

Minor Changes
  • #​13666 edcff69 Thanks @​edmundhung! - Add tunnel: true to the cloudflare() Vite plugin for sharing your local dev and preview servers via Cloudflare Quick Tunnels

    You can now expose your local dev server publicly by setting tunnel: true:

    cloudflare({
      tunnel: true,
    });

    You can also enable tunnel sharing dynamically using an environment variable:

    cloudflare({
      tunnel: process.env.ENABLE_DEV_TUNNEL === "true",
    });

    This starts a Cloudflare Quick Tunnel that gives you a random *.trycloudflare.com URL to share. The tunnel stops automatically when the dev or preview session ends. Quick tunnels don't require a Cloudflare account or any configuration.

    A warning is shown when Server-Sent Events (SSE) responses are detected through the tunnel, since quick tunnels don't support SSE.

Patch Changes

v1.33.2

Compare Source

Patch Changes
  • #​13636 1d54fb7 Thanks @​edmundhung! - Stop denying vite.config.* files from Vite dev server access

    This allows projects to access vite.config.* files during development when needed.

  • #​13653 48c61b6 Thanks @​jamesopstad! - Use the date that the plugin is built as the default compatibility date.

    When no compatibility date was set by the user, the plugin was falling back to the current date. This meant that the date could get ahead of the latest date supported by the installed version of workerd. We now populate the default compatibility date when the plugin is built. This means that it is updated with each release but then stays fixed.

  • #​13634 f3cb2b2 Thanks @​jamesopstad! - Simplify /cdn-cgi/ handling

    We now only add special handling for /cdn-cgi/handler/* routes, so that trigger handlers are invoked on the User Worker.

  • #​13611 6e99feb Thanks @​smaldd14! - Support Cloudflare-managed registry images in Vite plugin local dev

    Previously, using a registry.cloudflare.com image in a containers binding would crash vite dev with an unsupported error. The Vite plugin now configures the Cloudflare API client using CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID before pulling container images, matching the behavior of wrangler dev.

  • Updated dependencies [5a2968a, 5680287, 3494842, 7d728fb, df9319d, d5e3c57, 3ceeec3, 7567ef7, 0a95061, 2831b54, 7fc50c1, 377715d]:

v1.33.1

Compare Source

Patch Changes

v1.33.0

Compare Source

Minor Changes
  • #​12600 50bf819 Thanks @​penalosa! - Use workerd's debug port to power cross-process service bindings, Durable Objects, and tail workers via the dev registry. This enables Durable Object RPC via the dev registry, and is an overall stability improvement.
Patch Changes

v1.32.3

Compare Source

Patch Changes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 93b74ea to 9af78b3 Compare January 14, 2026 12:57
@renovate renovate Bot changed the title chore(deps): update all non-major dependencies fix(deps): update all non-major dependencies Jan 14, 2026
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 11 times, most recently from 72ad17d to 4c251c4 Compare January 22, 2026 13:50
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 10 times, most recently from 26bc7a7 to fa34362 Compare January 29, 2026 12:42
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from 17e1d15 to 426ecdb Compare January 30, 2026 21:45
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 14 times, most recently from 159a89f to 6456455 Compare February 12, 2026 19:56
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 841bf0c to decd197 Compare February 20, 2026 10:41
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 2 times, most recently from aaf9fb9 to 37cdd82 Compare February 23, 2026 19:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants