Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#3

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-e305e73cd8
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 3 updates#3
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-e305e73cd8

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 8, 2026

Bumps the npm_and_yarn group with 3 updates in the / directory: agents, drizzle-orm and wrangler.

Updates agents from 0.2.35 to 0.10.0

Release notes

Sourced from agents's releases.

agents@0.10.0

Minor Changes

  • #1256 dfab937 Thanks @​threepointone! - Add durable fiber execution to the Agent base class.

    runFiber(name, fn) registers work in SQLite, holds a keepAlive ref, and enables recovery via onFiberRecovered after DO eviction. ctx.stash() and this.stash() checkpoint progress that survives eviction.

    AIChatAgent gains unstable_chatRecovery — when enabled, each chat turn is wrapped in a fiber. onChatRecovery provides provider-specific recovery (Workers AI continuation, OpenAI response retrieval, Anthropic synthetic message). continueLastTurn() appends to the interrupted assistant message seamlessly.

    Think now extends Agent directly (no mixin). Fiber support is inherited from the base class.

    Breaking (experimental APIs only):

    • Removed withFibers mixin (agents/experimental/forever)
    • Removed withDurableChat mixin (@cloudflare/ai-chat/experimental/forever)
    • Removed ./experimental/forever export from both packages
    • Think no longer has a fibers flag — recovery is automatic via alarm housekeeping

Patch Changes

  • #1259 1933eb4 Thanks @​threepointone! - Run fiber recovery eagerly in onStart() instead of deferring to the next alarm. Interrupted fibers are now detected immediately on the first request after DO wake, with the alarm path as a fallback. A re-entrancy guard prevents double recovery.

  • #1263 e3ceb82 Thanks @​threepointone! - Fix routeAgentEmail() keeping the target DO non-hibernatable for ~100-120s after onEmail() returns. Replaces bare closure RPC targets with a single RpcTarget bridge (EmailBridge) that has explicit Symbol.dispose lifecycle, allowing the runtime to tear down the bidirectional RPC session promptly instead of tying it to the caller's execution context lifetime.

  • c5ca556 Thanks @​threepointone! - Cap vite peer dependency at >=6.0.0 <9.0.0 to avoid silently accepting untested future major versions.

  • #1271 0cc2dae Thanks @​threepointone! - Add optional MCPServerFilter parameter to getAITools(), listTools(), listPrompts(), listResources(), and listResourceTemplates() for scoping results to specific MCP servers by ID, name, or connection state.

  • #1267 d1ee61a Thanks @​dmmulroy! - Fix MCP streamable HTTP client session lifecycle so closing connections explicitly terminates active sessions and persists session IDs across reconnects/restores.

  • #1270 87b4512 Thanks @​threepointone! - Wire Session into Think as the storage layer, achieving full feature parity with AIChatAgent plus Session-backed advantages.

    Think (@cloudflare/think):

    • Session integration: this.messages backed by session.getHistory(), tree-structured messages, context blocks, compaction, FTS5 search
    • configureSession() override for context blocks, compaction, search, skills (sync or async)
    • assembleContext() returns { system, messages } with context block composition
    • onChatResponse() lifecycle hook fires from all turn paths
    • Non-destructive regeneration via trigger: "regenerate-message" with Session branching
    • saveMessages() for programmatic turn entry (scheduled responses, webhooks, proactive agents)
    • continueLastTurn() for extending the last assistant response
    • Custom body persistence across hibernation
    • sanitizeMessageForPersistence() hook for PII redaction
    • messageConcurrency strategies (queue/latest/merge/drop/debounce)
    • resetTurnState() extracted as protected method
    • unstable_chatRecovery with runFiber wrapping on all 4 turn paths
    • onChatRecovery() hook with ChatRecoveryContext
    • hasPendingInteraction() / waitUntilStable() for quiescence detection
    • Re-export Session from @cloudflare/think
    • Constructor wraps onStart — subclasses never need super.onStart()

... (truncated)

Changelog

Sourced from agents's changelog.

0.10.0

Minor Changes

  • #1256 dfab937 Thanks @​threepointone! - Add durable fiber execution to the Agent base class.

    runFiber(name, fn) registers work in SQLite, holds a keepAlive ref, and enables recovery via onFiberRecovered after DO eviction. ctx.stash() and this.stash() checkpoint progress that survives eviction.

    AIChatAgent gains unstable_chatRecovery — when enabled, each chat turn is wrapped in a fiber. onChatRecovery provides provider-specific recovery (Workers AI continuation, OpenAI response retrieval, Anthropic synthetic message). continueLastTurn() appends to the interrupted assistant message seamlessly.

    Think now extends Agent directly (no mixin). Fiber support is inherited from the base class.

    Breaking (experimental APIs only):

    • Removed withFibers mixin (agents/experimental/forever)
    • Removed withDurableChat mixin (@cloudflare/ai-chat/experimental/forever)
    • Removed ./experimental/forever export from both packages
    • Think no longer has a fibers flag — recovery is automatic via alarm housekeeping

Patch Changes

  • #1259 1933eb4 Thanks @​threepointone! - Run fiber recovery eagerly in onStart() instead of deferring to the next alarm. Interrupted fibers are now detected immediately on the first request after DO wake, with the alarm path as a fallback. A re-entrancy guard prevents double recovery.

  • #1263 e3ceb82 Thanks @​threepointone! - Fix routeAgentEmail() keeping the target DO non-hibernatable for ~100-120s after onEmail() returns. Replaces bare closure RPC targets with a single RpcTarget bridge (EmailBridge) that has explicit Symbol.dispose lifecycle, allowing the runtime to tear down the bidirectional RPC session promptly instead of tying it to the caller's execution context lifetime.

  • c5ca556 Thanks @​threepointone! - Cap vite peer dependency at >=6.0.0 <9.0.0 to avoid silently accepting untested future major versions.

  • #1271 0cc2dae Thanks @​threepointone! - Add optional MCPServerFilter parameter to getAITools(), listTools(), listPrompts(), listResources(), and listResourceTemplates() for scoping results to specific MCP servers by ID, name, or connection state.

  • #1267 d1ee61a Thanks @​dmmulroy! - Fix MCP streamable HTTP client session lifecycle so closing connections explicitly terminates active sessions and persists session IDs across reconnects/restores.

  • #1270 87b4512 Thanks @​threepointone! - Wire Session into Think as the storage layer, achieving full feature parity with AIChatAgent plus Session-backed advantages.

    Think (@cloudflare/think):

    • Session integration: this.messages backed by session.getHistory(), tree-structured messages, context blocks, compaction, FTS5 search
    • configureSession() override for context blocks, compaction, search, skills (sync or async)
    • assembleContext() returns { system, messages } with context block composition
    • onChatResponse() lifecycle hook fires from all turn paths
    • Non-destructive regeneration via trigger: "regenerate-message" with Session branching
    • saveMessages() for programmatic turn entry (scheduled responses, webhooks, proactive agents)
    • continueLastTurn() for extending the last assistant response
    • Custom body persistence across hibernation
    • sanitizeMessageForPersistence() hook for PII redaction
    • messageConcurrency strategies (queue/latest/merge/drop/debounce)
    • resetTurnState() extracted as protected method
    • unstable_chatRecovery with runFiber wrapping on all 4 turn paths
    • onChatRecovery() hook with ChatRecoveryContext
    • hasPendingInteraction() / waitUntilStable() for quiescence detection
    • Re-export Session from @cloudflare/think

... (truncated)

Commits
  • b035ff1 Version Packages (#1258)
  • 0cc2dae feat: add MCPServerFilter to scope getAITools and list methods (#1271)
  • c5ca556 Update deps and fix peer dependency ranges
  • e3ceb82 fix: use RpcTarget bridge for email callbacks to fix DO hibernation (#1263)
  • 87b4512 feat(think): Session integration + full AIChatAgent parity (Phases 1-5) (#1270)
  • d1ee61a fix(mcp): streamable-http client session lifecycle — explicit termination, se...
  • 8a3a84e feat: inference buffer — durable response buffer for long-running inference c...
  • 1933eb4 Eager fiber recovery on wake (onStart) (#1259)
  • dfab937 Unified fiber architecture: durable execution baked into Agent (#1256)
  • 8db4ef1 Add stream recovery and continuation to withDurableChat mixin (#1254)
  • Additional commits viewable in compare view

Updates drizzle-orm from 0.44.7 to 0.45.2

Release notes

Sourced from drizzle-orm's releases.

0.45.2

  • Fixed sql.identifier(), sql.as() escaping issues. Previously all the values passed to this functions were not properly escaped causing a possible SQL Injection (CWE-89) vulnerability

Thanks to @​EthanKim88, @​0x90sh and @​wgoodall01 for reaching out to us with a reproduction and suggested fix

0.45.1

  • Fixed pg-native Pool detection in node-postgres transactions breaking in environments with forbidden require() (#5107)

0.45.0

  • Fixed pg-native Pool detection in node-postgres transactions
  • Allowed subqueries in select fields
  • Updated typo algorythm => algorithm
  • Fixed $onUpdate not handling SQL values (fixes #2388, tests implemented by L-Mario564 in #2911)
  • Fixed pg mappers not handling Date instances in bun-sql:postgresql driver responses for date, timestamp types (fixes #4493)
Commits
  • 273c780 + 0.45.2 (#5534)
  • 4aa6ecf Kit updates (#5490)
  • e8e6edf feat(drizzle-kit): support d1 via binding (#5302)
  • a086f59 Fixed pg-native Pool detection in node-postgres transactions breaking in envi...
  • c445637 Merge pull request #5095 from drizzle-team/main-workflows
  • e7b3aaa Merge branch 'main' into main-workflows
  • 0d885a5 refactor: Update condition for run-feature job to improve clarity and functio...
  • 45a1ffb Merge pull request #5087 from drizzle-team/main-workflows
  • 6357645 chore: Comment out NEON_HTTP_CONNECTION_STRING requirement in release workflows
  • 53dec98 refactor: Simplify release router workflow by removing unnecessary switch job...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for drizzle-orm since your current version.


Updates wrangler from 4.50.0 to 4.59.1

Commits
  • 37a8607 Version Packages (#11890)
  • 99b1f32 fix: execute git commands in pages deploy safely (#11889)
  • e98c95a Version Packages (#11836)
  • ad65efa Add --check flag to wrangler types (#11852)
  • beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
  • b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
  • 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
  • b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
  • 0eb973d Do not warn user when using a redirected config that came from a config with ...
  • 0f8d69d containers: users can set multiple tiers for constraints (#11755)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 3 up…
ae024df 
…dates

Bumps the npm_and_yarn group with 3 updates in the / directory: [agents](https://github.com/cloudflare/agents/tree/HEAD/packages/agents), [drizzle-orm](https://github.com/drizzle-team/drizzle-orm) and [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler).


Updates `agents` from 0.2.35 to 0.10.0
- [Release notes](https://github.com/cloudflare/agents/releases)
- [Changelog](https://github.com/cloudflare/agents/blob/main/packages/agents/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/agents/commits/agents@0.10.0/packages/agents)

Updates `drizzle-orm` from 0.44.7 to 0.45.2
- [Release notes](https://github.com/drizzle-team/drizzle-orm/releases)
- [Commits](drizzle-team/drizzle-orm@0.44.7...0.45.2)

Updates `wrangler` from 4.50.0 to 4.59.1
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.59.1/packages/wrangler)

---
updated-dependencies:
- dependency-name: agents
  dependency-version: 0.10.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: drizzle-orm
  dependency-version: 0.45.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: wrangler
  dependency-version: 4.59.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 8, 2026
@dependabot dependabot bot mentioned this pull request Apr 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants