fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	4.20260210.0 → 4.20260303.0
@eslint/eslintrc	3.3.3 → 3.3.4
@eslint/js (source)	9.39.2 → 9.39.3
@eslint/json	1.0.0 → 1.0.1
@types/node (source)	25.2.2 → 25.3.0
dotenv	17.2.4 → 17.3.1
drizzle-kit (source)	0.31.8 → 0.31.9
eslint (source)	9.39.2 → 9.39.3
oidc-provider	9.6.0 → 9.6.1
pino (source)	10.3.0 → 10.3.1
typescript-eslint (source)	8.54.0 → 8.56.1
wrangler (source)	4.64.0 → 4.68.0

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260303.0

Compare Source

v4.20260302.0

Compare Source

v4.20260228.0

Compare Source

v4.20260227.0

Compare Source

v4.20260219.0

Compare Source

v4.20260218.0

Compare Source

v4.20260217.0

Compare Source

v4.20260214.0

Compare Source

v4.20260213.0

Compare Source

v4.20260212.0

Compare Source

eslint/eslintrc (@​eslint/eslintrc)

v3.3.4

Compare Source

Bug Fixes

• update ajv to 6.14.0 to address security vulnerabilities (#​221) (9139140)
• update minimatch to 3.1.3 to address security vulnerabilities (#​224) (30339d0)

eslint/eslint (@​eslint/js)

v9.39.3

Compare Source

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (#​20504) (sethamus)

Chores

• 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#​20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (#​20453) (Milos Djermanovic)

eslint/json (@​eslint/json)

v1.0.1

Compare Source

Bug Fixes

• update eslint (#​208) (249ccda)

motdotla/dotenv (dotenv)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

drizzle-team/drizzle-orm (drizzle-kit)

v0.31.9

Compare Source

• drizzle-kit api improvements for D1 connections

panva/node-oidc-provider (oidc-provider)

v9.6.1

Compare Source

Refactor

• extract NON_REJECTABLE_CLAIMS into shared constant (2b7c025)
• extract shared grant handler helpers to reduce duplication (f5eee9e)
• extract shared token finder for introspection and revocation (666c2b0)

Fixes

• required PAR should not affect CIBA and DAG (8167bd0)

pinojs/pino (pino)

v10.3.1

Compare Source

What's Changed

• build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​2385
• build(deps-dev): bump eslint-plugin-n from 17.23.1 to 17.23.2 by @​dependabot[bot] in #​2386
• docs: clarify transport level filtering behavior by @​mcollina in #​2390
• fix(transport): sanitize invalid NODE_OPTIONS preloads for workers by @​mcollina in #​2391

Full Changelog: pinojs/pino@v10.3.0...v10.3.1

typescript-eslint/typescript-eslint (typescript-eslint)

v8.56.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.56.0

Compare Source

🚀 Features

• support ESLint v10 (#​12057)

❤️ Thank You

• Brad Zacher @​bradzacher
• Joshua Chen

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.55.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

cloudflare/workers-sdk (wrangler)

v4.68.0

Compare Source

Minor Changes

• #​12614 8d882fa Thanks @​dario-piotrowicz! - Enable autoconfig for wrangler deploy by default (while allowing users to still disable it via --x-autoconfig=false if necessary)

• #​12614 8d882fa Thanks @​dario-piotrowicz! - Mark the wrangler setup command as stable

v4.67.1

Compare Source

Patch Changes

• #​12595 e93dc01 Thanks @​dario-piotrowicz! - Add a warning in the autoconfig logic letting users know that support for projects inside workspaces is limited

• #​12582 c2ed7c2 Thanks @​penalosa! - Internal refactor to use capnweb's native ReadableStream support to power remote Media and Dispatch Namespace bindings.

• #​12618 d920811 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260219.0	1.20260227.0

• #​12637 896734d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260227.0	1.20260302.0

• #​12601 ebdbe52 Thanks @​43081j! - Switch to empathic for file-system upwards traversal to reduce dependency bloat.

• #​12602 58a4020 Thanks @​anonrig! - Optimize filesystem operations by using Node.js's throwIfNoEntry: false option

  This reduces the number of system calls made when checking for file existence by avoiding the overhead of throwing and catching errors for missing paths. This is an internal performance optimization with no user-visible behavioral changes.

• #​12591 6f6cd94 Thanks @​martinezjandrew! - Implemented logic within wrangler containers registries configure to check if a specified secret name is already in-use and offer to reuse that secret. Also added --skip-confirmation flag to the command to skip all interactive prompts.

• Updated dependencies [c2ed7c2, d920811, 896734d, 58a4020]:

  • miniflare@​4.20260302.0

v4.67.0

Compare Source

Minor Changes

• #​12401 8723684 Thanks @​jonesphillip! - Add validation retry loops to pipelines setup command

  The wrangler pipelines setup command now prompts users to retry when validation errors occur, instead of failing the entire setup process. This includes:

  • Validation retry prompts for pipeline names, bucket names, and field names
  • A "simple" mode for sink configuration that uses sensible defaults
  • Automatic bucket creation when buckets don't exist
  • Automatic Data Catalog enablement when not already active

  This improves the setup experience by allowing users to correct mistakes without restarting the entire configuration flow.

• #​12395 aa82c2b Thanks @​cmackenzie1! - Generate typed pipeline bindings from stream schemas

  When running wrangler types, pipeline bindings now generate TypeScript types based on the stream's schema definition. This gives you full autocomplete and type checking when sending data to your pipelines.

  // wrangler.json
  {
  	"pipelines": [
  		{ "binding": "ANALYTICS", "pipeline": "analytics-stream-id" },
  	],
  }

  If your stream has a schema with fields like user_id (string) and event_count (int32), the generated types will be:

  declare namespace Cloudflare {
  	type AnalyticsStreamRecord = { user_id: string; event_count: number };
  	interface Env {
  		ANALYTICS: Pipeline<Cloudflare.AnalyticsStreamRecord>;
  	}
  }

  For unstructured streams or when not authenticated, bindings fall back to the generic Pipeline<PipelineRecord> type.

Patch Changes

• #​12592 aaa7200 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260217.0	1.20260218.0

• #​12606 2f19a40 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260218.0	1.20260219.0

• #​12604 e2a6600 Thanks @​petebacondarwin! - fix: pass --env flag to auxiliary workers in multi-worker mode

  When running wrangler dev with multiple config files (e.g. -c ./apps/api/wrangler.jsonc -c ./apps/queues/wrangler.jsonc -e=dev), the --env flag was not being passed to auxiliary (non-primary) workers. This meant that environment-specific configuration (such as queue bindings) was not applied to auxiliary workers, causing features like queue consumers to not be triggered in local development.

• #​12597 0b17117 Thanks @​sdnts! - The maximum allowed delivery and retry delays for Queues is now 24 hours

• #​12598 ca58062 Thanks @​mattzcarey! - Stop redacting wrangler whoami output in non-interactive mode

  wrangler whoami is explicitly invoked to retrieve account info, so email and account names should always be visible. Redacting them in non-interactive/CI environments makes it difficult for coding agents and automated tools to identify which account to use. Other error messages that may appear unexpectedly in CI logs (e.g. multi-account selection errors) remain redacted.

• Updated dependencies [f239077, aaa7200, 2f19a40, 5f9f0b4, 452cdc8, 527e4f5, 0b17117]:

  • miniflare@​4.20260219.0
  • @​cloudflare/unenv-preset@​2.14.0

v4.66.0

Compare Source

Minor Changes

• #​12466 caf9b11 Thanks @​petebacondarwin! - Add WRANGLER_CACHE_DIR environment variable and smart cache directory detection

  Wrangler now intelligently detects where to store cache files:

  1. Use WRANGLER_CACHE_DIR env var if set
  2. Use existing cache directory if found (node_modules/.cache/wrangler or .wrangler/cache)
  3. Create cache in node_modules/.cache/wrangler if node_modules exists
  4. Otherwise use .wrangler/cache

  This improves compatibility with Yarn PnP, pnpm, and other package managers that don't use traditional node_modules directories, without requiring any configuration.

• #​12572 936187d Thanks @​dario-piotrowicz! - Ensure the nodejs_compat flag is always applied in autoconfig

  Previously, the autoconfig feature relied on individual framework configurations to specify Node.js compatibility flags, some could set nodejs_compat while others nodejs_als.

  Now instead nodejs_compat is always included as a compatibility flag, this is generally beneficial and the user can always remove the flag afterwards if they want to.

• #​12560 c4c86f8 Thanks @​taylorlee! - Support --tag and --message flags on wrangler deploy

  They have the same behavior that they do as during wrangler versions upload, as both
  are set on the version.

  The message is also reused for the deployment as well, with the same behavior as used
  during wrangler versions deploy.

Patch Changes

• #​12543 5a868a0 Thanks @​G4brym! - Fix AI Search binding failing in local dev

  Using AI Search bindings with wrangler dev would fail with "RPC stub points at a non-serializable type". AI Search bindings now work correctly in local development.

• #​12552 c58e81b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260212.0	1.20260213.0

• #​12568 33a9a8f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260213.0	1.20260214.0

• #​12576 8077c14 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260214.0	1.20260217.0

• #​12466 caf9b11 Thanks @​petebacondarwin! - fix: exclude .wrangler directory from Pages uploads

  The .wrangler directory contains local cache and state files that should never be deployed. This aligns Pages upload behavior with Workers Assets, which already excludes .wrangler via .assetsignore.

• #​12556 7d2355e Thanks @​ascorbic! - Fix port availability check probing the wrong host when host changes

  memoizeGetPort correctly invalidated its cached port when called with a different host, but then still probed the original host for port availability. This could return a port that was free on the original host but already in use on the requested one, leading to bind failures at startup.

• #​12562 7ea69af Thanks @​MattieTK! - Support function-based Vite configs in autoconfig setup

  wrangler setup and wrangler deploy --x-autoconfig can now automatically add the Cloudflare Vite plugin to projects that use function-based defineConfig() patterns. Previously, autoconfig would fail with "Cannot modify Vite config: expected an object literal but found ArrowFunctionExpression" for configs like:

  export default defineConfig(({ isSsrBuild }) => ({
  	plugins: [reactRouter(), tsconfigPaths()],
  }));

  This pattern is used by several official framework templates, including React Router's node-postgres and node-custom-server templates. The following defineConfig() patterns are now supported:

  • defineConfig({ ... }) (object literal, already worked)
  • defineConfig(() => ({ ... })) (arrow function with expression body)
  • defineConfig(({ isSsrBuild }) => ({ ... })) (arrow function with destructured params)
  • defineConfig(() => { return { ... }; }) (arrow function with block body)
  • defineConfig(function() { return { ... }; }) (function expression)

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .assetsignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy --x-autoconfig created a new .assetsignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .assetsignore file. This fix ensures newly created .assetsignore files start cleanly without leading blank lines.

• #​12556 7d2355e Thanks @​ascorbic! - Improve error message when port binding is blocked by a sandbox or security policy

  When running wrangler dev inside a restricted environment (such as an AI coding agent sandbox or locked-down container), the port availability check would fail with a raw EPERM error. This now provides a clear message explaining that a sandbox or security policy is blocking network access, rather than the generic permission error that previously pointed at the file system.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Improve framework detection when multiple frameworks are found

  When autoconfig detects multiple frameworks in a project, Wrangler now applies smarter logic to select the most appropriate one. Selecting the wrong one is acceptable locally where the user can change the detected framework, in CI an error is instead thrown.

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Add trailing newline to generated package.json and wrangler.jsonc files

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .gitignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy created a new .gitignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .gitignore file. This fix ensures newly created .gitignore files start cleanly without leading blank lines.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Throw actionable error when autoconfig is run in the root of a workspace

  When running Wrangler commands that trigger auto-configuration (like wrangler dev or wrangler deploy) in the root directory of a monorepo workspace, a helpful error is now shown directing users to run the command in a specific project's directory instead.

• Updated dependencies [5a868a0, c58e81b, 33a9a8f, 8077c14, caf9b11, 9a565d5, 7f18183, 39491f9, 43c462a]:

  • miniflare@​4.20260217.0
  • @​cloudflare/unenv-preset@​2.13.0

v4.65.0

Compare Source

Minor Changes

• #​12473 b900c5a Thanks @​petebacondarwin! - Add CF_PAGES environment variables to wrangler pages dev

  wrangler pages dev now automatically injects Pages-specific environment variables (CF_PAGES, CF_PAGES_BRANCH, CF_PAGES_COMMIT_SHA, CF_PAGES_URL) for improved dev/prod parity. This enables frameworks like SvelteKit to auto-detect the Pages environment during local development.

  • CF_PAGES is set to "1" to indicate the Pages environment
  • CF_PAGES_BRANCH defaults to the current git branch (or "local" if not in a git repo)
  • CF_PAGES_COMMIT_SHA defaults to the current git commit SHA (or a placeholder if not in a git repo)
  • CF_PAGES_URL is set to a simulated commit preview URL (e.g., https://<sha>.<project-name>.pages.dev)

  These variables are displayed with their actual values in the bindings table during startup, making it easy to verify what branch and commit SHA were detected.

  These variables can be overridden by user-defined vars in the Wrangler configuration, .env, .dev.vars, or via CLI flags.

• #​12464 10a1c4a Thanks @​petebacondarwin! - Allow deleting KV namespaces by name

  You can now delete a KV namespace by providing its name as a positional argument:

  wrangler kv namespace delete my-namespace

  This aligns the delete command with the create command, which also accepts a namespace name.
  The existing --namespace-id and --binding flags continue to work as before.

• #​12382 d7b492c Thanks @​dario-piotrowicz! - Add Pages detection to autoconfig flows

  When running the autoconfig logic (via wrangler setup, wrangler deploy --x-autoconfig, or the programmatic autoconfig API), Wrangler now detects when a project appears to be a Pages project and handles it appropriately:

  • For wrangler deploy, it warns the user but still allows them to proceed
  • For wrangler setup and the programmatic autoconfig API, it throws a fatal error

• #​12461 8809411 Thanks @​penalosa! - Support type: inherit bindings when using startWorker()

  This is an internal binding type that should not be used by external users of the API

• #​12515 1a9eddd Thanks @​ascorbic! - Add --json flag to wrangler whoami for machine-readable output

  wrangler whoami --json now outputs structured JSON containing authentication status, auth type, email, accounts, and token permissions. When the user is not authenticated, the command exits with a non-zero status code and outputs {"loggedIn":false}, making it easy to check auth status in shell scripts without parsing text output.

  # Parse the JSON output
  wrangler whoami --json | jq '.accounts'
  
  # Check if authenticated in a script. Returns 0 if authenticated, non-zero if not.
  if wrangler whoami --json > /dev/null 2>&1; then
    echo "Authenticated"
  else
    echo "Not authenticated"
  fi
  

Patch Changes

• #​12437 ad817dd Thanks @​MattieTK! - fix: use project's package manager in wranger autoconfig

  wrangler setup now correctly detects and uses the project's package manager based on lockfiles (pnpm-lock.yaml, yarn.lock, bun.lockb, package-lock.json) and the packageManager field in package.json. Previously, it would fall back to the package manager used to execute the command when run directly from the terminal, causing failures in pnpm and yarn workspace projects if the wrong manager was used in this step due to the workspace: protocol not being supported by npm.

  This change leverages the package manager detection already performed by @netlify/build-info during framework detection, ensuring consistent behaviour across the autoconfig process.

• #​12541 f7fa326 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260210.0	1.20260212.0

• #​12498 734792a Thanks @​dario-piotrowicz! - Fix: make sure that remote proxy sessions's logs can be silenced when the wrangler log level is set to "none"

• #​12135 cc5ac22 Thanks @​edmundhung! - Fix spurious config diffs when bindings from local and remote config are shown in different order

  When comparing local and remote Worker configurations, binding arrays like kv_namespaces would incorrectly show additions and removals if the elements were in a different order. The diff now correctly recognizes these as equivalent by reordering remote arrays to match the local config's order before comparison.

• #​12476 62a8d48 Thanks @​MattieTK! - fix: use unscoped binary name for OpenNext autoconfig command overrides

  The build, deploy, and version command overrides in the Next.js (OpenNext) autoconfig handler used the scoped package name @opennextjs/cloudflare, which pnpm interprets as a workspace filter rather than a binary name. This caused wrangler deploy --x-autoconfig to fail for pnpm-based Next.js projects with ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL. Changed to use the unscoped binary name opennextjs-cloudflare, which resolves correctly across all package managers.

• #​12516 84252b7 Thanks @​edmundhung! - Stop proxying localhost requests when proxy environment variables are set

  When HTTP_PROXY or HTTPS_PROXY is configured, all fetch requests including ones to localhost were routed through the proxy. This caused wrangler dev and the Vite plugin to fail with "TypeError: fetch failed" because the proxy can't reach local addresses.

  This switches from ProxyAgent to undici's EnvHttpProxyAgent, which supports the NO_PROXY environment variable. When NO_PROXY is not set, it defaults to localhost,127.0.0.1,::1 so local requests are never proxied.

  The NO_PROXY config only applies to the request destination, not the proxy server address. So a proxy running on localhost (e.g. HTTP_PROXY=http://127.0.0.1:11451) still works for outbound API calls.

• #​12506 e5efa5d Thanks @​sesteves! - Fix wrangler r2 sql query displaying [object Object] for nested values

  SQL functions that return complex types such as arrays of objects (e.g. approx_top_k) were rendered as [object Object] in the table output because String() was called directly on non-primitive values. These values are now serialized with JSON.stringify so they display as readable JSON strings.

• #​11725 be9745f Thanks @​dario-piotrowicz! - Fix incorrect logic during autoconfiguration (when running wrangler setup or wrangler deploy --x-autoconfig) that caused parts of the project's package.json file, removed during the process, to incorrectly be added back

• #​12458 122791d Thanks @​jkoe-cf! - Remove default values for delivery delay and message retention and update messaging on limits

  Fixes the issue of the default maximum message retention (365400 seconds) being longer than the maximum allowed retention period for free tier users (86400 seconds).

  Previous:

  • Wrangler set a default value of 365400 seconds max message retention if the setting was not explicitly provided in the Wrangler configuration.
  • The maximum retention period was documented as 1209600 seconds for all queues users because it was required to be on paid tier.
  • Wrangler also set a default value of 0 seconds for delivery delay if the setting was not explicitly provided in the Wrangler configuration.

  Updated:

  • Wrangler no longer sets a default value for max message retention so that the default can be applied at the API.
  • The maximum retention period is now documented as 86400 seconds for free tier queues and 1209600 seconds for paid tier queues
  • Wrangler also no longer sets a default value for delivery delay so that the default can be applied at the API.

• #​12513 41e18aa Thanks @​pombosilva! - Add confirmation prompt when deploying workflows with names that belong to different workers.

  When deploying a workflow with a name that already exists and is currently associated with a different worker script, Wrangler will now display a warning and prompt for confirmation before proceeding. This helps prevent accidentally overriding workflows.

  In non-interactive environments this check is skipped by default. Use the --strict flag to enable the check in non-interactive environments, which will cause the deployment to fail if workflow conflicts are detected.

• Updated dependencies [f7fa326, 7aaa2a5, d06ad09]:

  • miniflare@​4.20260212.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.