You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
#132347fc50c1 Thanks @natewong1313! - Support serving videos locally, add publicUrl option for stable stream preview URLs, and add caption upload support via ReadableStream
Videos uploaded while in local mode are now served at /cdn-cgi/mf/stream/<video-id>/watch. The preview field in StreamVideo is now directly fetchable during development.
A new publicUrl option on MiniflareOptions allows callers (e.g. Wrangler, the Vite plugin) to advertise a stable, externally-reachable URL for the Miniflare instance. When set, Stream preview URLs use this value instead of the runtime entry URL, so they remain valid across runtime restarts and port changes. The same value is also exposed as a mutable miniflare.publicUrl property.
The helper functions buildPublicUrl and getLocallyAccessibleHost are now exported from miniflare, enabling consumers to construct client-reachable URLs that correctly handle IPv6 addresses (bracketing) and wildcard listen addresses (0.0.0.0, ::, * → 127.0.0.1).
Caption uploads via ReadableStream are now supported in local mode. They no longer throw a "not supported in local mode" error.
The filesystem-based dev registry used chokidar with default settings, which on Windows backs onto fs.watch (ReadDirectoryChangesW). That API is known to drop or delay create events for files added shortly after the watcher attaches, which is especially common under CI virtualization. When this happened, a process that had attached its watcher before another process registered its worker would never be notified of the new entry until the next 30-second heartbeat — long enough to time out cross-process service-binding calls.
Switch to chokidar's polling mode on Windows so the dev registry observes cross-process worker registrations reliably. The registry directory is small and a 100ms poll interval has negligible cost. Non-Windows platforms continue to use the more efficient native filesystem-event backend.
#135607567ef7 Thanks @vaishnav-mk! - Preserve NonRetryableError message and name when the workflows_preserve_non_retryable_error_message compatibility flag is enabled, instead of replacing it with a generic error message.
Bumps the bundled @clack/core dependency used internally by @cloudflare/cli from 0.3.x to 1.2.0, and the @clack/prompts dependency in create-cloudflare from 0.6.x to 1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.
Custom domain routes can now include optional enabled and previews_enabled boolean fields to control whether a custom domain serves production and/or preview traffic. When omitted, the API defaults apply (production enabled, previews disabled).
When an ai_search_namespaces binding inherits from the existing deployment, the bindings table now correctly shows (inherited) instead of a raw Symbol(inherit_binding) string.
When the Cloudflare WAF blocks an API request, the response is an HTML page rather than JSON. Previously, this caused a confusing "Received a malformed response from the API" error with a truncated HTML snippet. Wrangler now detects WAF block pages and displays a clear error message explaining that the request was blocked by the firewall, along with the Cloudflare Ray ID (when available) for use in support tickets.
For other non-JSON responses that aren't WAF blocks, the "malformed response" error also now includes the Ray ID to help reference failing requests in support tickets.
#135607567ef7 Thanks @vaishnav-mk! - Preserve NonRetryableError message and name when the workflows_preserve_non_retryable_error_message compatibility flag is enabled, instead of replacing it with a generic error message.
#117842831b54 Thanks @JPeer264! - fix(wrangler): Bind the console methods directly instead of using a global proxy
Bumps the bundled @clack/core dependency used internally by @cloudflare/cli from 0.3.x to 1.2.0, and the @clack/prompts dependency in create-cloudflare from 0.6.x to 1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/mdbox@0.1.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
force-pushed
the
renovate/all-minor-patch
branch
from
This PR contains the following updates:
^4.20260423.1→^4.20260425.1^1.52.5→^1.52.6^7.0.0-dev.20260423.1→^7.0.0-dev.20260425.1v6.3.0→v6.4.02.7.12→2.7.13^4.20260421.0→^4.20260424.0^0.6.5→^0.6.6^2.5.103→^2.5.109^4.84.1→^4.85.0Release Notes
cloudflare/workerd (@cloudflare/workers-types)
v4.20260425.1Compare Source
v4.20260424.1Compare Source
scalar/scalar (@scalar/api-reference)
v1.52.6microsoft/typescript-go (@typescript/native-preview)
v7.0.0-dev.20260425.1Compare Source
v7.0.0-dev.20260424.2Compare Source
v7.0.0-dev.20260424.1Compare Source
actions/setup-node (actions/setup-node)
v6.4.0Compare Source
denoland/deno (deno)
v2.7.13Compare Source
(#33265)
(#33305)
tests (#33303)
Windows (#33253)
(#33261)
(#33350)
validation (#33332)
(#33331)
(#33314)
(#33310)
(#33355)
(#33349)
cloudflare/workers-sdk (miniflare)
v4.20260424.0Minor Changes
#13234
7fc50c1Thanks @natewong1313! - Support serving videos locally, addpublicUrloption for stable stream preview URLs, and add caption upload support via ReadableStreamVideos uploaded while in local mode are now served at
/cdn-cgi/mf/stream/<video-id>/watch. Thepreviewfield inStreamVideois now directly fetchable during development.A new
publicUrloption onMiniflareOptionsallows callers (e.g. Wrangler, the Vite plugin) to advertise a stable, externally-reachable URL for the Miniflare instance. When set, Stream preview URLs use this value instead of the runtime entry URL, so they remain valid across runtime restarts and port changes. The same value is also exposed as a mutableminiflare.publicUrlproperty.The helper functions
buildPublicUrlandgetLocallyAccessibleHostare now exported fromminiflare, enabling consumers to construct client-reachable URLs that correctly handle IPv6 addresses (bracketing) and wildcard listen addresses (0.0.0.0,::,*→127.0.0.1).Caption uploads via
ReadableStreamare now supported in local mode. They no longer throw a "not supported in local mode" error.Patch Changes
#13633
3494842Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13645
7d728fbThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13657
df9319dThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13659
3ceeec3Thanks @petebacondarwin! - Make the dev registry watcher reliable on WindowsThe filesystem-based dev registry used
chokidarwith default settings, which on Windows backs ontofs.watch(ReadDirectoryChangesW). That API is known to drop or delay create events for files added shortly after the watcher attaches, which is especially common under CI virtualization. When this happened, a process that had attached its watcher before another process registered its worker would never be notified of the new entry until the next 30-second heartbeat — long enough to time out cross-process service-binding calls.Switch to chokidar's polling mode on Windows so the dev registry observes cross-process worker registrations reliably. The registry directory is small and a 100ms poll interval has negligible cost. Non-Windows platforms continue to use the more efficient native filesystem-event backend.
#13560
7567ef7Thanks @vaishnav-mk! - Preserve NonRetryableError message and name when theworkflows_preserve_non_retryable_error_messagecompatibility flag is enabled, instead of replacing it with a generic error message.#13644
377715dThanks @MattieTK! - Update@clack/coreand@clack/promptsto v1.2.0Bumps the bundled
@clack/coredependency used internally by@cloudflare/clifrom0.3.xto1.2.0, and the@clack/promptsdependency increate-cloudflarefrom0.6.xto1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.unjs/nypm (nypm)
v0.6.6Compare Source
compare changes
🩹 Fixes
/package.json(#230)package.jsonfrom pure esm packages (#234)🏡 Chore
❤️ Contributors
cloudflare/workers-sdk (wrangler)
v4.85.0Minor Changes
#13222
5680287Thanks @maxwellpeterson! - Add enabled and previews_enabled support for custom domain routesCustom domain routes can now include optional
enabledandpreviews_enabledboolean fields to control whether a custom domain serves production and/or preview traffic. When omitted, the API defaults apply (production enabled, previews disabled).Patch Changes
#13622
5a2968aThanks @petebacondarwin! - Fix inheritedai_search_namespacesbinding display inwrangler deployWhen an
ai_search_namespacesbinding inherits from the existing deployment, the bindings table now correctly shows(inherited)instead of a rawSymbol(inherit_binding)string.#13633
3494842Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13645
7d728fbThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13657
df9319dThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#13574
d5e3c57Thanks @dario-piotrowicz! - Detect Cloudflare WAF block pages and include Ray ID in API error messagesWhen the Cloudflare WAF blocks an API request, the response is an HTML page rather than JSON. Previously, this caused a confusing "Received a malformed response from the API" error with a truncated HTML snippet. Wrangler now detects WAF block pages and displays a clear error message explaining that the request was blocked by the firewall, along with the Cloudflare Ray ID (when available) for use in support tickets.
For other non-JSON responses that aren't WAF blocks, the "malformed response" error also now includes the Ray ID to help reference failing requests in support tickets.
#13560
7567ef7Thanks @vaishnav-mk! - Preserve NonRetryableError message and name when theworkflows_preserve_non_retryable_error_messagecompatibility flag is enabled, instead of replacing it with a generic error message.#11784
2831b54Thanks @JPeer264! - fix(wrangler): Bind the console methods directly instead of using a global proxy#13644
377715dThanks @MattieTK! - Update@clack/coreand@clack/promptsto v1.2.0Bumps the bundled
@clack/coredependency used internally by@cloudflare/clifrom0.3.xto1.2.0, and the@clack/promptsdependency increate-cloudflarefrom0.6.xto1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.Updated dependencies [
3494842,7d728fb,df9319d,3ceeec3,7567ef7,0a95061,7fc50c1,377715d]:Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.