Bump miniflare from 4.20260410.0 to 4.20260415.0

[dependabot]

Bumps miniflare from 4.20260410.0 to 4.20260415.0.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260415.0

Patch Changes

• #13354 854d66c Thanks @​courtney-sims! - Prepares asset-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of asset-worker based on their plan, but should make no functional difference today.

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13472 58292f6 Thanks @​roerohan! - Fix wrangler dev crash when using a Flagship binding with remote: true

  In remote mode, the flagship binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint "FlagshipBinding" which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Flagship service.

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13476 d5ff5a4 Thanks @​roerohan! - Fix wrangler dev crash when using a Stream binding with remote: true

  In remote mode, the Stream binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint "StreamBinding" which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Stream service.

• #13426 89c7829 Thanks @​edmundhung! - Reject non-local /cdn-cgi/* requests in Miniflare

  Miniflare now validates Host and Origin on /cdn-cgi/* requests before request rewriting. Requests are still allowed for localhost, configured route hostnames, and the configured upstream hostname, but non-local hostnames can no longer reach internal development endpoints such as platform-proxy, handler routes, live reload, and the local explorer.

Changelog

Sourced from miniflare's changelog.

4.20260415.0

Patch Changes

• #13354 854d66c Thanks @​courtney-sims! - Prepares asset-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of asset-worker based on their plan, but should make no functional difference today.

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13472 58292f6 Thanks @​roerohan! - Fix wrangler dev crash when using a Flagship binding with remote: true

  In remote mode, the flagship binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint "FlagshipBinding" which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Flagship service.

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13476 d5ff5a4 Thanks @​roerohan! - Fix wrangler dev crash when using a Stream binding with remote: true

  In remote mode, the Stream binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint "StreamBinding" which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Stream service.

• #13426 89c7829 Thanks @​edmundhung! - Reject non-local /cdn-cgi/* requests in Miniflare

  Miniflare now validates Host and Origin on /cdn-cgi/* requests before request rewriting. Requests are still allowed for localhost, configured route hostnames, and the configured upstream hostname, but non-local hostnames can no longer reach internal development endpoints such as platform-proxy, handler routes, live reload, and the local explorer.

Commits

• 4af4d54 Version Packages (#13461)
• d5ff5a4 fix(miniflare): skip named entrypoint for stream binding in remote mode (#13476)
• 58292f6 fix(miniflare): skip named entrypoint for flagship binding in remote mode (#1...
• eaaa728 Bump the workerd-and-workers-types group with 2 updates (#13475)
• 6f63eaa [miniflare/wrangler] Bump undici to v7.24.8 and remove pnpm patch (#13450)
• 2852cd3 Remove no-empty-pattern oxlint override (set to "off") for miniflare (#13...
• aef9825 Bump the workerd-and-workers-types group with 2 updates (#13447)
• 854d66c WC-4866: Implement ctx.exports loopback in the Asset Worker (#13354)
• 89c7829 fix(miniflare): reject non-local /cdn-cgi requests (#13426)
• 5e5bbc1 [wrangler] Make startup network requests non-blocking on slow connections (#1...
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)