chore(deps): update minor and patch updates#1551
Merged
gjtorikian merged 1 commit intomainfrom Apr 15, 2026
Merged
Conversation
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/minor-and-patch-updates
branch
from
03cb3fa to
1bfd346
Compare
renovate
bot
force-pushed
the
renovate/minor-and-patch-updates
branch
from
1bfd346 to
dc1b425
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
20.19.37→20.19.398.57.2→8.58.2^0.27.7→^0.28.010.1.0→10.2.029.15.1→29.15.24.20260317.2→4.20260415.03.8.1→3.8.30.21.5→0.21.88.57.2→8.58.2Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Release Notes
typescript-eslint/typescript-eslint (@typescript-eslint/parser)
v8.58.2Compare Source
🩹 Fixes
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
v8.58.1Compare Source
This was a version bump only for parser to align it with other projects, there were no code changes.
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
v8.58.0Compare Source
🚀 Features
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
evanw/esbuild (esbuild)
v0.28.0Compare Source
Add support for
with { type: 'text' }imports (#4435)The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing
textloader. Here's an example:Add integrity checks to fallback download path (#4343)
Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the
npmcommand, and then with a HTTP request toregistry.npmjs.orgas a last resort).This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level
esbuildpackage. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.Update the Go compiler from 1.25.7 to 1.26.1
This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:
You can read the Go 1.26 release notes for more information.
eslint/eslint (eslint)
v10.2.0Compare Source
Features
586ec2ffeat: Addmeta.languagessupport to rules (#20571) (Copilot)14207defeat: addTemporaltono-obj-calls(#20675) (Pixel998)bbb2c93feat: add Temporal to ES2026 globals (#20672) (Pixel998)Bug Fixes
542cb3efix: update first-party dependencies (#20714) (Francesco Trotta)Documentation
a2af743docs: addlanguageto configuration objects (#20712) (Francesco Trotta)845f23fdocs: Update README (GitHub Actions Bot)5fbcf59docs: removesourceTypefrom ts playground link (#20477) (Tanuj Kanti)8702a47docs: Update README (GitHub Actions Bot)ddeadeddocs: Update README (GitHub Actions Bot)2b44966docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)eab65c7docs: updateeslintversions in examples (#20664) (루밀LuMir)3e4a299docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)Chores
8120e30refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)46e8469chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])01ed3aatest: add unit tests for unicode utilities (#20622) (Manish chaudhary)811f493ci: remove--legacy-peer-depsfrom types integration tests (#20667) (Milos Djermanovic)6b86fcfchore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])632c4f8chore: addprettierupdate commit to.git-blame-ignore-revs(#20662) (루밀LuMir)b0b0f21chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)228a2ddchore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)3ab4d7etest: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)jest-community/eslint-plugin-jest (eslint-plugin-jest)
v29.15.2Compare Source
Bug Fixes
cloudflare/workers-sdk (miniflare)
v4.20260415.0Compare Source
Patch Changes
#13354
854d66cThanks @courtney-sims! - Prepares asset-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of asset-worker based on their plan, but should make no functional difference today.#13450
6f63eaaThanks @petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a
TypeError: fetch failederror. This was caused by an undici bug whereisTraversableNavigable()incorrectly returnedtrue, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.#13447
aef9825Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13475
eaaa728Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13472
58292f6Thanks @roerohan! - Fixwrangler devcrash when using a Flagship binding withremote: trueIn remote mode, the flagship binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint
"FlagshipBinding"which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Flagship service.#13386
5e5bbc1Thanks @mksglu! - Make startup network requests non-blocking on slow connectionsWrangler makes network requests during startup (npm update check,
request.cfdata fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.update-checklibrary's auth-retry path.request.cffetch: The fetch toworkers.cloudflare.com/cf.jsonnow usesAbortSignal.timeout(3000), falling back to cached/default data on timeout.#13476
d5ff5a4Thanks @roerohan! - Fixwrangler devcrash when using a Stream binding withremote: trueIn remote mode, the Stream binding is backed by a generic proxy worker that only has a default export. The plugin was requesting a named entrypoint
"StreamBinding"which doesn't exist on it, causing workerd to reject the binding at startup. The named entrypoint is now omitted in remote mode so workerd routes to the default export, which correctly proxies all RPC calls to the remote Stream service.#13426
89c7829Thanks @edmundhung! - Reject non-local/cdn-cgi/*requests in MiniflareMiniflare now validates
HostandOriginon/cdn-cgi/*requests before request rewriting. Requests are still allowed for localhost, configured route hostnames, and the configured upstream hostname, but non-local hostnames can no longer reach internal development endpoints such as platform-proxy, handler routes, live reload, and the local explorer.v4.20260410.0Compare Source
Minor Changes
#13139
79fd529Thanks @roerohan! - feat: add Flagship feature flag binding supportAdds end-to-end support for the Flagship feature flag binding, which allows Workers to evaluate feature flags from Cloudflare's Flagship service. Configure it in
wrangler.jsonwith aflagshiparray containingbindingandapp_identries. In local dev, the binding returns default values for all flag evaluations; use"remote": truein the binding to evaluate flags against the live Flagship service.#13392
2589395Thanks @emily-shen! - Add telemetry to local REST APIThe local REST API (used by the local explorer) now collects anonymous usage telemetry. This respects any existing telemetry preferences, which can be disabled by running the command
wrangler telemetry disable.This only applies when the dev session is started via Wrangler, and not via the Vite plugin or standalone Miniflare.
No actual data values, keys, query contents, or resource IDs are collected.
Event schema:
{ "event": "localapi.<route>.<method>", // e.g. localapi.kv.keys.get "deviceId": "<uuid>", "timestamp": 1234567890, "properties": { "userAgent": "Mozilla/5.0 ...", // Only for localapi.local.workers.get: "workerCount": 2, "kvCount": 3, "d1Count": 1, "r2Count": 0, "doCount": 1, "workflowsCount": 0 } }Note: the Local Explorer and corresponding local REST API is still an experimental feature.
Patch Changes
#13393
c50cb5bThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13335
5eff8c1Thanks @KennethRuan! - Return metadata in queue broker responseThe queue broker's
/messageand/batchendpoints now return a JSON response body containing queue metrics (backlogCount,backlogBytes,oldestMessageTimestamp) instead of an empty response. A newGET /metricsendpoint is also added to support themetrics()API.v4.20260409.0Compare Source
Minor Changes
#13133
42c7ef0Thanks @emily-shen! - explorer: list DO instances with name where possibleNote: The local explorer is a WIP experimental feature.
#13336
a42e0e8Thanks @emily-shen! - local explorer: fix handling on resources that are bound to multiple workersNote the local explorer is a experimental feature still.
Patch Changes
#13337
c510494Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13362
8b71ecaThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
v4.20260405.0Compare Source
Minor Changes
#13240
a3e3b57Thanks @emily-shen! - local explorer: serve the local explorer's OpenAPI spec at /cdn-cgi/explorer/apiThe local explorer is supported by a REST API served from the worker's local address. It can be accessed independently of the UI, (e.g. by an AI agent) and is thus documented at this endpoint.
#13314
7a60d4bThanks @Ltadrian! - Fix hyperdrive local dev binding tls configuration bugPatch Changes
#13241
7d318e1Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13305
fa6d84fThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13241
7d318e1Thanks @dependabot! - Update Images binding local mock to use chainable handle patternhosted.image(imageId)now returns a handle withdetails(),bytes(),update(), anddelete()methods, aligning with the updated workerd API (cloudflare/workerd#6288).v4.20260401.0Compare Source
Minor Changes
#13051
d5bffdeThanks @dario-piotrowicz! - DeprecatesupportedCompatibilityDateexportThe
supportedCompatibilityDateexport is now deprecated. Instead of relying on the workerd-derived compatibility date, callers should just use today's date directly, e.g.new Date().toISOString().slice(0, 10).#13011
b9b7e9dThanks @ruifigueira! - Add experimental headful browser rendering support for local developmentWhen developing locally with the Browser Rendering API, you can enable headful (visible) mode via the
X_BROWSER_HEADFULenvironment variable to see the browser while debugging:Note: when using
@cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created bybrowser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.#12992
48d83caThanks @RiscadoA! - Addvpc_networksbinding support for routing Worker traffic through a Cloudflare Tunnel or network.{ "vpc_networks": [ // Route through a specific Cloudflare Tunnel { "binding": "MY_FIRST_VPC", "tunnel_id": "<tunnel-id>" }, // Route through the Cloudflare One mesh network { "binding": "MY_SECOND_VPC", "network_id": "cf1:network" } ] }Patch Changes
#13155
5d29055Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13162
fb67a18Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13238
b2f53eaThanks @guybedford! - Fix source phase imports parsing in MiniflareMiniflare now uses the
acorn-import-phasesplugin to parseimport sourcesyntax when analyzing module dependencies. This fixesERR_MODULE_PARSEerrors when running Workers that use source phase imports for WebAssembly modules in local development.v4.20260329.0Compare Source
Minor Changes
#13025
9eff028Thanks @ruifigueira! - Add missing devtools endpoints to browser rendering local binding.The local browser rendering binding now implements the full set of devtools endpoints, matching the remote Browser Rendering API:
GET /v1/limits— returns local concurrency defaultsGET /v1/history— returns empty array (no persistence in local dev)GET /v1/devtools/session- list and inspect active sessionsGET /v1/devtools/session/:id— list and inspect active sessionGET /v1/devtools/browser/:id/json/version— Browser version metadata, includes webSocketDebuggerUrlGET /v1/devtools/browser/:id/json/list— A list of all available websocket targetsGET /v1/devtools/browser/:id/json— Alias forGET /v1/devtools/browser/:id/jsonGET /v1/devtools/browser/:id/json/protocol— The current devtools protocol, as JSON. Includes webSocketDebuggerUrl and devtoolsFrontendUrlPUT /v1/devtools/browser/:id/json/new— Opens a new tab. Responds with the websocket target data for the new tabGET /v1/devtools/browser/:id/json/activate/:target— Brings a page into the foreground (activate a tab)GET /v1/devtools/browser/:id/json/close/:target— Closes the target page identified by targetIdGET /v1/devtools/browser/:id/page/:target— WebSocket connection to a page targetGET /v1/devtools/browser/:id— WebSocket connection to a previously acquired browser sessionDELETE /v1/devtools/browser/:id— Closes a browser sessionPOST /v1/devtools/browser— Acquires a new sessionGET /v1/devtools/browser— Acquire a new session and connect via WebSocket in one step, returningcf-browser-session-idheader#13086
d4c6158Thanks @pombosilva! - Add Workflows support to the local explorer UI.The local explorer (
/cdn-cgi/explorer/) now includes a full Workflows dashboard for viewing and managing workflow instances during local development.UI features:
Patch Changes
#13111
f214760Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13078
9282493Thanks @penalosa! - Fix noisy EBUSY errors on Windows when disposing Miniflare instancesOn Windows,
workerdmay not release file handles immediately after disposal, causingEBUSYerrors when Miniflare tries to remove its temporary directory duringdispose(). Previously, this error propagated to the caller (e.g. vitest-pool-workers), producing repeated noisy error messages in test output. The cleanup is now best-effort — matching the existing exit hook behaviour — since the temporary directory lives inos.tmpdir()and will be cleaned up by the OS.#13090
a532eeaThanks @edmundhung! - RemoveLOCAL_EXPLORER_BASE_PATHandLOCAL_EXPLORER_API_PATHconstants in favor ofCorePaths.EXPLORERThese were redundant aliases introduced before
CorePathswas centralized. All internal consumers now useCorePaths.EXPLORERdirectly.v4.20260317.3Compare Source
Minor Changes
#13027
9fcdfcaThanks @G4brym! - feat: Addai_search_namespacesandai_searchbinding typesTwo new binding types for AI Search:
ai_search_namespaces: Namespace binding —namespaceis required and auto-provisioned at deploy time if it doesn't exist (like R2 buckets)ai_search: Single instance binding bound directly to a pre-existing instance in the default namespaceBoth are remote-only in local dev.
#13030
0386553Thanks @natewong1313! - Add local mode support for Stream bindingsMiniflare and
wrangler devnow support using Cloudflare Stream bindings locally.Supported operations:
upload()— upload video via URLvideo(id).details(),.update(),.delete(),.generateToken()videos.list()captions.generate(),.list(),.delete()downloads.generate(),.get(),.delete()watermarks.generate(),.list(),.get(),.delete()The following are not yet supported in local mode and will throw:
createDirectUpload()FileFileData is persisted across restarts by default. You must set
streamPersist: falsein Miniflare options to disable persistence.Patch Changes
#12686
1faff35Thanks @edmundhung! - Move internal proxy endpoint to reserved/cdn-cgi/pathThe internal HTTP endpoint used by
getPlatformProxyhas been moved to a reserved path. This is an internal change with no impact on thegetPlatformProxyAPI.#13080
f4ea4acThanks @penalosa! - fix: glob patterns for module rules no longer match double-extension filenames likefoo.wasm.jsPreviously, the
globsToRegExpshelper compiled glob patterns without a trailing$anchor. This caused patterns like**/*.wasmto match any path containing.wasmas a substring — including filenames such asfoo.wasm.jsormain.wasm.test.ts.When using
@cloudflare/vitest-pool-workerswith awrangler.configPath, Wrangler's defaultCompiledWasmmodule rule (**/*.wasm) was silently applied to test files whose names contained.wasm, causing them to be loaded as WebAssembly binaries instead of JavaScript and failing at runtime.The fix restores the
$end anchor in the compiled regex so that**/*.wasmonly matches paths that literally end in.wasm, while the leading^remains absent to allow matching anywhere within an absolute path.prettier/prettier (prettier)
v3.8.3Compare Source
v3.8.2Compare Source
rolldown/tsdown (tsdown)
v0.21.8Compare Source
🚀 Features
ignoreRulestype to autocomplete known values - by @mrlubos in #892 (c8f5c)extensionsoption for subpath export keys - by @SinhSinhAn and @sxzz in #899 (1bb7a)baseline-widely-availabletarget - by @sxzz in #896 (d6a16)🐞 Bug Fixes
View changes on GitHub
v0.21.7Compare Source
🚀 Features
moduleoption for attw and publint to allow passing imported modules directly - by @sxzz (31e90)🐞 Bug Fixes
View changes on GitHub
v0.21.6Compare Source
🚀 Features
cjsReexportoption to eliminate dual module type hazard - by @mandarini and @sxzz in #856 (875c1)binoption to auto-generate package.json bin field - by @sxzz in #869 (7ebd6)🐞 Bug Fixes
.modulefrom CSS output filenames - by @sxzz in #866 (03ade)View changes on GitHub
typescript-eslint/typescript-eslint (typescript-eslint)
v8.58.2Compare Source
🩹 Fixes
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
v8.58.1Compare Source
This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
v8.58.0Compare Source
🚀 Features
❤️ Thank You
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.