chore(deps): update dependency wrangler to v4.93.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
wrangler (source)	4.84.0 → 4.93.1

---

Release Notes

cloudflare/workers-sdk (wrangler)

v4.93.1

Compare Source

Patch Changes

• #​13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #​13977 2679e05 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260518.1	1.20260519.1

• #​13984 7e40d98 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260519.1	1.20260520.1

• #​13963 adc9221 Thanks @​gabivlj! - Preserve sibling container image tags during local dev cleanup

  Wrangler now keeps other cloudflare-dev image tags from the same dev session when multiple containers share a Dockerfile. Previously, duplicate-image cleanup could remove earlier container tags if Docker BuildKit produced the same image ID for each build.

• #​13839 735852d Thanks @​matingathani! - fix: show actionable hint when /memberships returns a bad-credentials error (code 9106)

  Previously, wrangler threw a raw Cloudflare API error ("Missing X-Auth-Key, X-Auth-Email or Authorization headers") with no guidance. Now it emits a UserError explaining that an environment variable such as CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY, or CLOUDFLARE_EMAIL may be set to an invalid value, and suggests running wrangler logout / wrangler login to re-authenticate.

• #​13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

  This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

• #​13919 c7eab7f Thanks @​petebacondarwin! - Fix the outbound CF-Worker header reflecting the route pattern hostname instead of the parent zone, and falling back to <worker-name>.example.com under vite dev, vitest-pool-workers, and getPlatformProxy

  Two related issues affected the CF-Worker header on outbound subrequests in local development:

  1. Under @cloudflare/vite-plugin, @cloudflare/vitest-pool-workers, and getPlatformProxy, the header fell back to <worker-name>.example.com even when routes were configured, because unstable_getMiniflareWorkerOptions and the equivalent getPlatformProxy worker-options path did not propagate a zone value to Miniflare. This broke local development against services that reject unknown CF-Worker hosts (for example, Apple WeatherKit returns 403 Forbidden).
  2. Across the above paths and wrangler dev --local, when a route used the zone_name field (for example { pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production sets CF-Worker to the zone name that owns the Worker, so this was inconsistent with deployed behaviour.

  Both bugs are fixed: the new unstable_getMiniflareWorkerOptions / getPlatformProxy path now propagates a zone derived from the first configured route, and all four local-dev paths now prefer a route's explicit zone_name over the pattern hostname when computing that zone. When zone_name isn't set, the existing best-effort behaviour is preserved — for wrangler dev this means dev.host is still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone for zone_id-only, custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.

  Note: dev.host is intentionally not consulted by the unstable_getMiniflareWorkerOptions / getPlatformProxy paths — the dev config block is specific to wrangler dev.

• #​13990 e04e180 Thanks @​petebacondarwin! - Improve the log message shown when an asset upload attempt fails and is retried

  The retry message now reports which attempt is being made (e.g. Asset upload failed. Retrying... 1 of 5 attempts.), making it easier to gauge how close Wrangler is to exhausting its retry budget. The raw error object is no longer appended to this user-facing message; it is instead logged at debug level (visible via WRANGLER_LOG=debug).

• #​13954 62abf97 Thanks @​petebacondarwin! - Read the on-disk OAuth state lazily so CLOUDFLARE_API_TOKEN from .env takes priority correctly

  Wrangler previously read its OAuth state from the user auth config file (for example ~/.config/.wrangler/config/default.toml) eagerly at module-import time. That happens before .env files are loaded, so the in-memory state would always hold the OAuth tokens even when the user only wanted to authenticate via CLOUDFLARE_API_TOKEN. If that stored OAuth token happened to be expired, Wrangler would try to refresh it (and fail), aborting the command with Failed to fetch auth token: 400 Bad Request and Not logged in. — even though a valid API token was in scope.

  Wrangler now reads the auth config file on demand, after .env has been loaded. When CLOUDFLARE_API_TOKEN (or CLOUDFLARE_API_KEY + CLOUDFLARE_EMAIL) is present, the OAuth state on disk is no longer consulted, the OAuth refresh endpoint is no longer called, and the env-based token is used directly. Sibling-process refresh-token rotation is also handled naturally because every check reads the current file contents.

  Internally, the exported reinitialiseAuthTokens() function is removed — there is no module-level OAuth cache left to invalidate.

  Fixes #​13744.

• #​13951 e349fe0 Thanks @​sejoker! - Enforce minimum 60 second interval for R2 Data Catalog sinks

  R2 Data Catalog sinks now require a minimum --roll-interval of 60 seconds to prevent compaction issues in the R2 Data Catalog. This validation is applied when creating sinks via wrangler pipelines sinks create with type r2-data-catalog, and during the interactive wrangler pipelines setup flow.

  Regular R2 sinks are not affected and can still use intervals as low as 10 seconds.

• #​13959 da0fa8c Thanks @​dmmulroy! - Recognize Artifacts repositories that are still being created

  Wrangler's Artifacts repo status type now accepts the creating lifecycle state alongside existing in-progress statuses.

• #​13964 a5c9365 Thanks @​danielrs! - Use dedicated API endpoint for wrangler secret bulk

  wrangler secret bulk now uses a more efficient, dedicated API endpoint. This reduces the operation from 2 API calls to 1 and eliminates the risk of accidentally affecting non-secret bindings.

• Updated dependencies [fa1f61f, 2679e05, 7e40d98, d803737, 59cd880, e8c2031]:

  • miniflare@​4.20260520.0

v4.93.0

Compare Source

Minor Changes

• #​13901 aac7ca0 Thanks @​bghira! - Add wrangler ai models schema command for fetching model schemas

  You can now run wrangler ai models schema <model> to fetch the input and output schema for a Workers AI model from the public model catalog schema endpoint.

• #​12656 ae047ee Thanks @​mikenomitch! - Add --containers-rollout=none

  This allows you to skip deploying a container. This is useful if you know that your container is not going to be updated or you don't have Docker locally, but still want to make changes to your Worker.

• #​13901 aac7ca0 Thanks @​bghira! - Add wrangler ai models list command for querying the Workers AI model catalog

  wrangler ai models list accepts --search, --task, --author, --source, and --hide-experimental, matching the public model catalog search endpoint.

Patch Changes

• #​13948 b25dc0d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260515.1	1.20260518.1

• #​13882 a4f22bc Thanks @​matingathani! - Throw a clear error when a D1 migration is cancelled instead of silently returning

• #​13950 f78d435 Thanks @​dario-piotrowicz! - Improve the Docker CLI error message to be more actionable.

  Include a link to Docker installation docs, platform-specific instructions for starting the daemon, and guidance for alternative Docker-compatible CLIs.

• #​11896 c5c9e20 Thanks @​staticpayload! - Surface remote proxy session errors

  When remote bindings fail to start, include the controller reason and root cause in the error message to make failures like missing cloudflared clearer.

• #​13932 ebf4b24 Thanks @​zebp! - Fix local Workflow startup when compatibility flags include experimental

  Miniflare now deduplicates compatibility flags for the internal Workflow engine service. This prevents wrangler dev from failing with Compatibility flag specified multiple times: experimental when the user's Worker already enables that flag.

• #​13929 895baf5 Thanks @​Caio-Nogueira! - Prompt to provision a workers.dev subdomain before deploying Workflows

  Wrangler now checks for the account-level workers.dev subdomain when deploying Workflows, even if the Worker is not being published to workers.dev. If the subdomain has not been registered yet, Wrangler prompts to create one before calling the Workflows deploy API so users avoid an opaque server-side deployment failure.

• #​13930 7bcdf45 Thanks @​shiminshen! - Sweep stale .wrangler/tmp/* dirs left behind by abnormal exits

  A wrangler dev session creates .wrangler/tmp/bundle-* and .wrangler/tmp/dev-* directories at startup and removes them via a signal-exit hook on graceful shutdown. When the process exited abnormally (SIGKILL, OOM, host crash) those directories were left behind and accumulated across sessions, slowing down dependency-walking tools that follow the bundle-emitted absolute-path imports.

  wrangler now sweeps entries in .wrangler/tmp/ older than 24 hours when a new temporary directory is requested, bounding the leak regardless of how prior sessions exited.

• Updated dependencies [b25dc0d, ebf4b24, b27eb18]:

  • miniflare@​4.20260518.0

v4.92.0

Compare Source

Minor Changes

• #​13670 506aa02 Thanks @​elithrar! - Add wrangler artifacts commands for managing Artifacts repos and repo tokens.

  This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access.

  The new commands support both human-readable output and --json output so they fit existing Wrangler automation patterns.

• #​13916 be8a98c Thanks @​emily-shen! - Add --keep-vars flag to wrangler versions upload, matching the existing behavior in wrangler deploy. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload.

Patch Changes

• #​13926 19ed49a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260511.1	1.20260515.1

• #​11471 3ff0a50 Thanks @​HW13! - Improve wrangler types --env-interface for multi-worker projects.

  Custom env interfaces generated by wrangler types no longer expand from Cloudflare.Env, avoiding some unintended type expansion when multiple workers' generated types are used together.

• #​13910 bf688f7 Thanks @​timoconnellaus! - Fix Failed to fetch auth token: 401 Unauthorized from sibling-rotated refresh tokens

  refreshToken previously used the refresh token from module-level localState, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (~/Library/Preferences/.wrangler/config/default.toml on macOS). The long-lived process — typically wrangler dev — then sends its stale in-memory token on the next refresh and gets 401 Unauthorized from https://dash.cloudflare.com/oauth2/token, falling through to interactive login and timing out unattended.

  refreshToken now calls reinitialiseAuthTokens() before exchanging, picking up the latest refresh token written by any sibling process. The previously empty catch {} also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving.

• #​13843 2e72c83 Thanks @​nzws! - Fix wrangler versions secret put/delete/bulk to preserve the existing version's placement settings

  When creating a new version via wrangler versions secret, the previous code only re-emitted a bare { mode: "smart" } placement when the API reported placement_mode === "smart", dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip.

• #​13908 802eaf4 Thanks @​shiminshen! - fix: stop rewriting query strings that happen to contain the request Host

  wrangler dev previously rewrote occurrences of the outer host inside request.url's query string. For example, a request to ?echo=https%3A%2F%2Fdevelopment.test%2Fpath with Host: development.test would be seen by the user worker as ?echo=https%3A%2F%2Fproduction.test%2Fpath, silently mutating opaque application data such as redirect_uri values in OAuth flows.

  The proxy worker now sets the internal MF-Original-URL header after its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string.

• #​13827 8f5cdb1 Thanks @​greyvugrin! - Fix multi-environment warning when CLOUDFLARE_ENV is set

  Commands that warn when multiple environments are configured but none is specified (e.g. wrangler deploy, wrangler secret put) were not accounting for the CLOUDFLARE_ENV environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via CLOUDFLARE_ENV.

• Updated dependencies [19ed49a]:

  • miniflare@​4.20260515.0

v4.91.0

Compare Source

Minor Changes

• #​13822 c8be316 Thanks @​edmundhung! - Add named tunnel support and tunnel shortcuts to wrangler dev

  You can now use wrangler dev --tunnel --tunnel-name <name> to start a dev session with an existing named Cloudflare Tunnel, or set --tunnel-name ahead of time and start it later by pressing t to start or close the tunnel. This gives you a stable public hostname for local development instead of the temporary trycloudflare.com URL used by Quick Tunnels.

Patch Changes

• #​13848 d4794a8 Thanks @​MattieTK! - Condense repeated environment configuration warnings

  Wrangler now summarises repeated missing vars and define entries in environment configuration warnings. Experimental unsafe warnings are also only emitted once when the field appears at both the top level and in the active environment.

• #​13894 58b4403 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260508.1	1.20260511.1

• #​13780 4352f87 Thanks @​matingathani! - Normalize legacy instance type aliases (standard → standard-1, dev → lite) to prevent phantom EDIT diffs on every deploy

• #​13834 a9e6741 Thanks @​matingathani! - fix: hotkeys now work with Caps Lock enabled

  Wrangler's dev server hotkeys (e.g. b to open browser and x to exit) did not respond when Caps Lock was enabled. These hotkeys now work consistently whether or not Caps Lock is on.

• #​13750 da664d5 Thanks @​matingathani! - fix: automatically delete log files older than 30 days and add WRANGLER_WRITE_LOGS=false to disable disk logging

  Wrangler previously accumulated log files in ~/.wrangler/logs/ indefinitely, causing some users to accumulate gigabytes of logs over time.

  Log files older than 30 days are now automatically cleaned up on the first log write. Disk logging can be disabled entirely by setting WRANGLER_WRITE_LOGS=false.

• #​13914 bdc398c Thanks @​Maximo-Guk! - preserve native shape of non-string vars in worker previews

  wrangler preview previously coerced every non-string entry in previews.vars (arrays, objects, numbers, booleans) into a plain_text binding via JSON.stringify, so at runtime the worker saw a literal string instead of the value declared in wrangler.jsonc. wrangler deploy already serializes non-string vars as json bindings so the Workers runtime parses them back into native JS values; previews now match.

  Before:

  // wrangler.jsonc — previews.vars
  { "ALLOWLIST": ["a@example.com", "b@example.com"] }
  // runtime
  typeof env.ALLOWLIST === "string" // true (was '["a@example.com","b@example.com"]')

  After:

  typeof env.ALLOWLIST === "object"; // Array.isArray(env.ALLOWLIST) === true

• #​13778 1420f10 Thanks @​maxwellpeterson! - Propagate unsafe.bindings and service binding cross_account_grant to worker previews

  Worker previews now propagate unsafe.bindings declared on the previews config block to the deployment metadata, mirroring the deploy-time behavior. Without this, internal binding shapes that wrangler doesn't yet model (notably service bindings carrying cross_account_grant) were silently dropped on previews while working fine on regular deploys. The same change wires through cross_account_grant on typed services bindings.

• Updated dependencies [58b4403, f781a2b]:

  • miniflare@​4.20260511.0

v4.90.1

Compare Source

Patch Changes

• #​13866 4e44ce6 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260507.1	1.20260508.1

• #​13837 b0cee1d Thanks @​matingathani! - Fix beta/open-beta status message ignoring printBanner: false — when a command sets printBanner: (args) => !args.json, the status banner no longer appears in JSON output

• #​13887 d878e13 Thanks @​apeacock1991! - Fix wrangler dev hanging on shutdown when remote bindings are present

  startDev() registers dev hotkeys before authenticating the user. During interactive dev sessions, the auth callback re-registers hotkeys, which updates the local unregisterHotKeys variable to a new cleanup function. However, the unregisterHotKeys value returned to callers was captured as a direct reference to the initial registration, so it would call the stale cleanup function instead of the current one.

  This has been fixed by returning a wrapper function () => unregisterHotKeys?.() instead of the variable directly. The wrapper evaluates unregisterHotKeys at call time, ensuring it always invokes the latest cleanup function even after re-registration.

• #​13867 971dfe3 Thanks @​petebacondarwin! - Fix race in RemoteProxySession.updateBindings so it waits for the remote worker to finish reloading with the new bindings before resolving

  Previously, updateBindings resolved as soon as the config update event was dispatched, long before the remote worker had been re-uploaded and the local proxy worker had unpaused. Callers that issued requests immediately afterwards could see flaky failures — typically "WebSocket connection failed" for JSRPC bindings such as service bindings or dispatch namespaces — because the local proxy worker was still in its paused state during the reload window. updateBindings now waits for the next reloadComplete event and for the local proxy worker's runtime-message queue to drain before returning, so callers can safely issue requests after await session.updateBindings(...). If the reload fails, the rejection from updateBindings carries the underlying error.

• #​13867 971dfe3 Thanks @​petebacondarwin! - Fix unhandled AbortError from wrangler dev's remote tail WebSocket when the bundle rebuilds or the dev session shuts down

  The remote-runtime tail-logs WebSocket (#activeTail in RemoteRuntimeController) was constructed with the same AbortSignal that onBundleStart aborts to cancel in-flight preview-session operations. The abort destroyed the WebSocket's underlying upgrade request with AbortError, which had no error listener attached and propagated as an unhandled exception. We now attach an error listener at WebSocket construction that ignores errors (logging at debug level), matching the safeguards already present on the terminate paths in #previewToken and teardown().

• Updated dependencies [4e44ce6, 5d936c5]:

  • miniflare@​4.20260508.0

v4.90.0

Compare Source

Minor Changes

• #​12279 248bc08 Thanks @​penalosa! - Add deprecation warning for delivery_delay in queue producer bindings

  The delivery_delay setting in [[queues.producers]] was silently having no effect since 2024. This change adds a deprecation warning when the setting is used, informing users that queue-level settings should be configured using wrangler queues update instead. The setting will be removed in a future version.

Patch Changes

• #​13853 8852b0c Thanks @​gpanders! - Fix Containers SSH config

• #​13858 e414e56 Thanks @​penalosa! - Fix wrangler whoami and account selection failing for Account API Tokens

  The /memberships fallback for Account API Tokens was checking for code 9109, but /memberships actually returns 9106 for that case. Correct the code so the fallback to /accounts triggers as intended.

• Updated dependencies []:

  • miniflare@​4.20260507.1

v4.89.1

Compare Source

Patch Changes

• #​13824 dd3baf3 Thanks @​emily-shen! - Fix container deployment being skipped for Workers for Platforms user workers

  Previously, deploying a worker with --dispatch-namespace would early-exit before calling deployContainers(), meaning container-app registration that links the image to the Durable Object namespace was never executed for WfP user workers. Container deployment now runs before the WfP early exit.

• Updated dependencies [5cf6f81]:

  • miniflare@​4.20260507.1

v4.89.0

Compare Source

Minor Changes

• #​13055 f3fed88 Thanks @​GregBrimble! - Introducing the cache configuration option for Workers.

  You can now set { cache: { enabled: true } } in your Wrangler configuration file to enable a HTTP cache in front of your Worker's fetch handler. This is also supported in [previews] configuration — previews.cache overrides the top-level cache setting for preview deployments, and falls back to the top-level value when absent. More information can be found in our documentation.

• #​13776 1a54ac5 Thanks @​petebacondarwin! - wrangler dev and other Miniflare-backed commands now run the local workerd runtime with TZ=UTC to match production

  Previously, wrangler dev (and other commands that spin up Miniflare, such as wrangler kv, wrangler d1, wrangler r2, wrangler check) inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused subtle, hard-to-debug differences between local and deployed behaviour.

  Local development now matches production. Code that previously relied on the host timezone during wrangler dev will need to either accept UTC (the production behaviour) or explicitly construct dates/formatters with the desired timezone.

Patch Changes

• #​13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260504.1	1.20260506.1

• #​13841 332f527 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260506.1	1.20260507.1

• #​13777 18e833d Thanks @​matingathani! - fix: throw a clear error when _routes.json contains invalid JSON instead of silently skipping it

• #​13751 b6cea17 Thanks @​matingathani! - fix: ensure wrangler types --check --env-file does not falsely report stale types when .dev.vars exists

• #​13775 53e846a Thanks @​maxwellpeterson! - Fix wrangler preview not propagating the assets binding to preview deployments

  Previously, wrangler preview would upload the asset manifest correctly but the resulting preview deployment had no ASSETS binding (or whatever name was configured under assets.binding). Workers reading from the binding would see undefined and fail at runtime.

  The fix emits the assets binding into the deployment's env map alongside other bindings, mirroring wrangler deploy.

• #​13770 beff19c Thanks @​petebacondarwin! - Only show accounts available for the current login auth in wrangler whoami and the interactive account picker

  Wrangler now lists the intersection of /accounts and /memberships instead of either endpoint alone, dropping accounts the active OAuth token or API token has no membership in. The accounts field of wrangler whoami --json is filtered the same way. When /memberships is inaccessible to the current auth (e.g. Account API Tokens) Wrangler falls back to /accounts so those tokens continue to work as before.

• #​13832 af42fed Thanks @​gpanders! - Show containers ssh in wrangler containers --help and in wrangler containers ssh --help

  The containers ssh command was previously hidden, so it did not appear in the list of subcommands shown by wrangler containers --help, and its description was omitted from wrangler containers ssh --help. The command is now listed with its description in both places.

• Updated dependencies [2284f20, 332f527, 039bada, 1a54ac5]:

  • miniflare@​4.20260507.0

v4.88.0

Compare Source

Minor Changes

• #​13760 e07825a Thanks @​danielgek! - Add builtin storage option to wrangler ai-search create.

  wrangler ai-search create now supports a third storage type, builtin, in addition to r2 and web-crawler. When --type builtin is selected (or chosen interactively), Wrangler creates the instance using Cloudflare-managed storage by omitting type and source from the API request — the API treats an absent type as builtin storage. Builtin instances do not accept --source, --prefix, --include-items, or --exclude-items.

• #​13721 58899d8 Thanks @​danielgek! - Add optional custom_metadata step to wrangler ai-search create

  The wrangler ai-search create interactive wizard now lets you declare custom metadata fields that the new AI Search instance should index. Each field is a field_name paired with a data_type (text, number, boolean, or datetime).

  You can provide fields up-front via the new repeatable --custom-metadata flag using field_name:data_type syntax:

  wrangler ai-search create my-instance \
    --type r2 --source my-bucket \
    --custom-metadata title:text \
    --custom-metadata views:number

  For larger schemas, use --custom-metadata-schema to point at a JSON file containing an array of { field_name, data_type } objects:

  wrangler ai-search create my-instance \
    --type r2 --source my-bucket \
    --custom-metadata-schema schema.json

  [
    { "field_name": "title", "data_type": "text" },
    { "field_name": "views", "data_type": "number" }
  ]

• #​13701 18b9d5b Thanks @​dario-piotrowicz! - Prompt for missing name and compatibility date interactively during wrangler deploy

  When deploying without a project name or compatibility_date in your configuration or CLI arguments, wrangler deploy now interactively prompts for the missing values instead of immediately failing with an error. For compatibility date, the prompt offers to use today's date; if you decline, the existing error is shown. The compatibility date prompt is skipped when --latest is passed. In non-interactive or CI environments, behavior is unchanged.

  Additionally, when no config file exists, wrangler deploy now offers to save the prompted name and compatibility date to a wrangler.jsonc file for future use. This interactive flow is available for all wrangler deploy invocations — not just asset-only deployments.

• #​13810 2b8c0cc Thanks @​jamesopstad! - Stabilize the secrets configuration property

  The secrets property in the Wrangler config file is no longer experimental and will no longer emit an experimental warning when used. Required secrets are validated during local development and deploy, and used as the source of truth for type generation.

  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #​13765 3020214 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260430.1	1.20260501.1

• #​13800 0099265 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260501.1	1.20260504.1

• #​13812 25f5ef2 Thanks @​emily-shen! - fix: --alias CLI flag now works in wrangler deploy

  The --alias flag was accepted but silently ignored during wrangler deploy — only config.alias took effect. We now collect aliases from both config and CLI flags.

• #​13772 194d75e Thanks @​zakcutner! - Fix wrangler types to generate Fetcher for unsafe.bindings entries with type: "service"

  Previously, all entries in unsafe.bindings (other than ratelimit) generated a fallback any type. wrangler types now generates Fetcher for unsafe bindings declared with type: "service", matching the type used for regular service bindings.

• #​13818 9f532f7 Thanks @​1000hz! - Support Flagship bindings in Worker Previews

  wrangler preview now accepts flagship entries in the previews block and includes them in Preview deployment bindings. This lets Workers that use Flagship bindings deploy Preview versions with preview-specific Flagship app IDs.

• #​12974 1127114 Thanks @​ask-bonk! - Fix props and fetcher-type service bindings being dropped in unstable_getMiniflareWorkerOptions

  The post-processing in unstable_getMiniflareWorkerOptions was rebuilding serviceBindings from scratch, which silently dropped props on service bindings and dropped fetcher-type bindings entirely. It was also re-deriving durableObjects identically to what buildMiniflareBindingOptions already produces. Both have been removed; buildMiniflareBindingOptions now produces the final bindings unchanged.

• #​13739 3ceadef Thanks @​edmundhung! - Skip confirmation prompts in wrangler versions deploy when versions are provided as CLI arguments

  Passing version IDs or version specs to wrangler versions deploy now applies those values directly instead of opening interactive prompts to confirm the same versions and percentages. This makes the command easier to automate without requiring --yes.

• #​13745 1a5cc86 Thanks @​edmundhung! - fix: preserve request ports in Origin and Referer headers when using wrangler dev --host

• Updated dependencies [3020214, 0099265, bb27219, 12fb5db]:

  • miniflare@​4.20260504.0

v4.87.0

Compare Source

Minor Changes

• #​13726 b5ac54b Thanks @​penalosa! - Hard fail on Node.js < 22

  Wrangler no longer supports Node.js 20.x, as it reached end-of-life on 2026-04-30. The minimum supported Node.js version is now 22.0.0. See https://github.com/nodejs/release?tab=readme-ov-file#end-of-life-releases.

• #​13717 9a1f014 Thanks @​NuroDev! - Add an experimental experimental_generateTypes() programmatic API.

  Wrangler now exposes experimental_generateTypes() from the package root so you can generate Worker types in code using the same logic as wrangler types. The API supports the same core type-generation options (include env/runtime toggles) and returns structured output with separate env and runtime content alongside the combined formatted output.

Patch Changes

• #​13732 22e1a61 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260426.1	1.20260429.1

• #​13754 00523c8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260429.1	1.20260430.1

• #​13711 1c4d850 Thanks @​dario-piotrowicz! - fix: skip auto-config and OpenNext delegation when --config is explicitly provided

  When --config is passed to wrangler deploy, the user is explicitly targeting a specific Worker configuration. Previously, wrangler would ignore --config and delegate to opennextjs-cloudflare deploy if it detected an OpenNext project in the working directory, silently deploying the wrong Worker. Now, both auto-config detection and OpenNext delegation are skipped when --config is provided, matching th

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Africa/Johannesburg)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

📚 Docs preview deployed

https://scratchyjs-docs-pr-96.asjas.workers.dev

Updates automatically on every push to this PR.

[github-actions]

⚡ Benchmark Results

benchmarks/renderer/ring-buffer.bench.ts

Suite — Benchmark	ops/sec	mean (µs)	p99 (µs)	±rme
SharedRingBuffer – small payload (64 B) — write 64 bytes	688.2 K	0.0015	0.0053	±1.01%
SharedRingBuffer – small payload (64 B) — write + read 64 bytes	502.2 K	0.0020	0.0078	±1.19%
SharedRingBuffer – medium payload (1 KB) — write 1 KB	293.6 K	0.0034	0.0118	±0.53%
SharedRingBuffer – medium payload (1 KB) — write + read 1 KB	260.1 K	0.0038	0.0167	±0.50%
SharedRingBuffer – large payload (16 KB) — write 16 KB	59.4 K	0.0168	0.0400	±0.82%
SharedRingBuffer – large payload (16 KB) — write + read 16 KB	74.4 K	0.0134	0.0397	±30.43%
SharedRingBuffer – sequential throughput (100 × 64 B) — 100 write + read cycles	42.7 K	0.0234	0.0366	±0.37%
SharedRingBuffer – introspection — availableToRead	14.89 M	0.0001	0.0001	±0.10%
SharedRingBuffer – introspection — isEmpty	14.93 M	0.0001	0.0001	±0.12%
SharedRingBuffer – introspection — isFull	14.76 M	0.0001	0.0001	±0.11%

benchmarks/renderer/shared-buffer.bench.ts

Suite — Benchmark	ops/sec	mean (µs)	p99 (µs)	±rme
SharedBuffer – allocation — createSharedBuffer(4 KB)	656.5 K	0.0015	0.0065	±1.00%
SharedBuffer – allocation — createSharedBuffer(64 KB)	48.4 K	0.0207	0.0406	±12.45%
SharedBuffer – small payload round-trip — write small JSON	359.2 K	0.0028	0.0099	±0.35%
SharedBuffer – small payload round-trip — write + read small JSON	250.4 K	0.0040	0.0138	±0.42%
SharedBuffer – medium payload round-trip — write medium JSON (~2 KB)	96.2 K	0.0104	0.0273	±0.42%
SharedBuffer – medium payload round-trip — write + read medium JSON (~2 KB)	58.3 K	0.0172	0.0384	±0.38%
SharedBuffer – large payload round-trip — write large JSON (~10 KB)	15.6 K	0.0639	0.0997	±0.36%
SharedBuffer – large payload round-trip — write + read large JSON (~10 KB)	7.7 K	0.1291	0.1597	±0.32%

benchmarks/utils/ip-address.bench.ts

Suite — Benchmark	ops/sec	mean (µs)	p99 (µs)	±rme
getClientIPAddress – no IP headers — no IP-related headers → null	2.62 M	0.0004	0.0007	±0.69%
getClientIPAddress – single header — cf-connecting-ip (Cloudflare)	1.53 M	0.0007	0.0011	±0.41%
getClientIPAddress – single header — x-forwarded-for (simple)	1.85 M	0.0005	0.0009	±0.37%
getClientIPAddress – single header — x-real-ip	1.42 M	0.0007	0.0013	±1.11%
getClientIPAddress – single header — true-client-ip (Akamai / Cloudflare Enterprise)	1.45 M	0.0007	0.0010	±1.11%
getClientIPAddress – x-forwarded-for multi-hop — 2-hop chain	1.78 M	0.0006	0.0008	±0.12%
getClientIPAddress – x-forwarded-for multi-hop — 4-hop chain	1.61 M	0.0006	0.0010	±1.19%
getClientIPAddress – Forwarded header (RFC 7239) — simple for= directive	969.6 K	0.0010	0.0015	±1.07%
getClientIPAddress – Forwarded header (RFC 7239) — for= with port	733.4 K	0.0014	0.0023	±0.47%
getClientIPAddress – Forwarded header (RFC 7239) — IPv6 literal	714.2 K	0.0014	0.0024	±2.11%
getClientIPAddress – Forwarded header (RFC 7239) — multi-hop Forwarded	803.6 K	0.0012	0.0021	±0.41%
getClientIPAddress – IPv6 addresses — x-forwarded-for IPv6	1.11 M	0.0009	0.0016	±0.35%

benchmarks/utils/promise.bench.ts

Suite — Benchmark	ops/sec	mean (µs)	p99 (µs)	±rme
promiseHash – concurrent resolution — 2 already-resolved promises	847.6 K	0.0012	0.0029	±1.29%
promiseHash – concurrent resolution — 5 already-resolved promises	513.2 K	0.0019	0.0029	±0.42%
promiseHash – concurrent resolution — 10 already-resolved promises	288.2 K	0.0035	0.0084	±1.90%
promiseHash – concurrent resolution — 5 promises with object values	467.6 K	0.0021	0.0034	±1.01%
timeout – wrapping fast promises — timeout wrapping an already-resolved promise (1 s budget)	929.6 K	0.0011	0.0021	±0.40%
timeout – wrapping fast promises — timeout wrapping an already-resolved object (5 s budget)	895.0 K	0.0011	0.0017	±0.38%

benchmarks/utils/safe-redirect.bench.ts

Suite — Benchmark	ops/sec	mean (µs)	p99 (µs)	±rme
safeRedirect – valid paths — root path /	7.32 M	0.0001	0.0002	±0.12%
safeRedirect – valid paths — simple path /dashboard	3.52 M	0.0003	0.0003	±0.11%
safeRedirect – valid paths — nested path /settings/profile	3.21 M	0.0003	0.0003	±0.11%
safeRedirect – valid paths — path with query string /search?q=hello	3.48 M	0.0003	0.0003	±0.11%
safeRedirect – valid paths — path with hash /docs#section	3.40 M	0.0003	0.0005	±0.25%
safeRedirect – rejected inputs — absolute URL https://evil.com	4.75 M	0.0002	0.0002	±0.11%
safeRedirect – rejected inputs — protocol-relative URL //evil.com	4.61 M	0.0002	0.0002	±0.11%
safeRedirect – rejected inputs — backslash-relative /\evil.com	4.60 M	0.0002	0.0004	±0.12%
safeRedirect – rejected inputs — path traversal /../etc/passwd	4.18 M	0.0002	0.0003	±0.15%
safeRedirect – rejected inputs — null input	16.26 M	0.0001	0.0001	±0.11%
safeRedirect – rejected inputs — undefined input	16.20 M	0.0001	0.0001	±0.10%
safeRedirect – rejected inputs — empty string	16.22 M	0.0001	0.0001	±0.11%
safeRedirect – percent-encoded bypass — percent-encoded // (%2F%2F)	4.40 M	0.0002	0.0002	±0.11%
safeRedirect – percent-encoded bypass — percent-encoded path traversal (%2e%2e)	4.66 M	0.0002	0.0002	±0.11%
safeRedirect – percent-encoded bypass — mixed percent-encoded absolute URL	4.28 M	0.0002	0.0003	±0.11%
safeRedirect – custom default redirect — valid path with custom default	3.57 M	0.0003	0.0003	±0.21%
safeRedirect – custom default redirect — invalid input with custom default	4.45 M	0.0002	0.0002	±0.11%

ℹ️ No base results from main found — delta column omitted on first run.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	typescript@​6.0.3

View full report