Skip to content

Maintenance: Update Patch & Minor#201

Merged
dle-renovate-bot[bot] merged 1 commit into
masterfrom
dle-renovate/minor-patch
Jun 23, 2026
Merged

Maintenance: Update Patch & Minor#201
dle-renovate-bot[bot] merged 1 commit into
masterfrom
dle-renovate/minor-patch

Conversation

@dle-renovate-bot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Pending
@lucide/svelte (source) devDependencies minor ^1.18.0^1.21.0
@sveltejs/adapter-cloudflare (source) devDependencies patch ^7.2.8^7.2.9
@sveltejs/enhanced-img (source) devDependencies minor ^0.10.4^0.11.0
@sveltejs/kit (source) devDependencies minor ^2.65.1^2.66.0 2.67.0
@types/node (source) devDependencies patch ^25.9.3^25.9.4
wrangler (source) devDependencies minor ^4.100.0^4.103.0

Release Notes

lucide-icons/lucide (@​lucide/svelte)

v1.21.0: Version 1.21.0

Compare Source

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.20.0...1.21.0

v1.20.0: Version 1.20.0

Compare Source

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.19.0...1.20.0

v1.19.0: Version 1.19.0

Compare Source

What's Changed

New Contributors

Full Changelog: lucide-icons/lucide@1.18.0...1.19.0

sveltejs/kit (@​sveltejs/adapter-cloudflare)

v7.2.9

Compare Source

Patch Changes
sveltejs/kit (@​sveltejs/enhanced-img)

v0.11.0

Compare Source

Minor Changes
  • feat: export EnhancedImgAttributes type (#​15649)
Patch Changes
  • fix: exclude imports with ? character from transformation (#​15617)
sveltejs/kit (@​sveltejs/kit)

v2.66.0

Compare Source

Minor Changes
  • feat: precompress prerendered .md and .mdx files (#​15893)

  • feat: warn the user when they forget to make boolean inputs optional in their form schemas (#​15804)

Patch Changes
  • fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid (#​15452)

  • fix: ensure base is available from $service-worker during development (#​15882)

  • fix: use correct relative asset paths when rendering an error page for a missing __data.json request (#​15884)

  • fix: preserve active for await consumers across query.live reconnects (#​16022)

  • fix: settle query.live reconnect promise on all exit paths, preventing invalidateAll() from deadlocking when a live query is offline or interrupted (#​16022)

  • fix: preserve last value when a query.live stream completes without yielding on reconnect (#​16022)

  • fix: remove types: ['node'] from generated tsconfig to avoid errors when @types/node is not installed (#​15709)

  • fix: prefer pages over endpoints when prerendering (#​16076)

  • fix: restore snapshots after afterNavigate callbacks (#​16066)

  • fix: support ws:/wss: and trusted-types-eval for CSP sources (#​15938)

  • fix: omit empty file inputs from remote form data (#​15898)

  • fix: fail early if a route with +page and +server is marked as prerenderable (#​16075)

  • fix: wait a tick before resetting forms (#​15805)

  • fix: preflight schemas apply correctly when chained before for (#​15863)

  • fix: blank page in SPA mode when root layout load() throws (#​15798)

  • fix: pass all unknown options from the sveltekit Vite plugin through to vite-plugin-svelte (#​16010)

v2.65.2

Compare Source

Patch Changes
  • fix: throw an error when prerendering a root +server.js that returns a non-HTML response (#​15994)

  • fix: decode base64-serialized fetch bodies before caching them for client-side replay (#​16034)

  • fix: correctly access explicit dynamic public environment variables from prerendered pages and service workers (#​16024)

  • fix: allow preloadCode to be called during initial page load (#​16028)

  • fix: send cache-control: private, no-store on remote function responses so personalized query results can never be cached by shared caches (#​16020)

  • fix: preserve the HTTP status and error body when a remote function request fails in transport (e.g. a 401/403 from a handle hook), instead of reporting a generic 500 (#​16021)

  • fix: avoid loading universal nodes during build analysis when the app uses a hash router (#​16042)

  • fix: correctly serve client entry during development when using the pnpm global virtual store (#​16045)

  • fix: normalize path separators when comparing config (#​16037)

  • fix: ensure building resolves correctly to allow avoiding build-time explicit environment variable validation (#​16058)

  • fix: prevent unhandled promise rejections when remote function failures are consumed via current/error instead of await (#​16018)

cloudflare/workers-sdk (wrangler)

v4.103.0

Compare Source

Minor Changes
  • #​14295 cfd6205 Thanks @​dario-piotrowicz! - Move unstable_getWorkerNameFromProject from wrangler to @cloudflare/workers-utils

    The unstable_getWorkerNameFromProject export has been removed from the wrangler package. This function is now available as getWorkerNameFromProject (without the unstable_ prefix) from @cloudflare/workers-utils. If you were importing this function from wrangler, update your import to use @cloudflare/workers-utils instead.

  • #​14295 cfd6205 Thanks @​dario-piotrowicz! - Remove experimental autoconfig exports

    The experimental autoconfig exports (experimental_getDetailsForAutoConfig, experimental_runAutoConfig, experimental_AutoConfigFramework) have been removed. This logic has been moved to the @cloudflare/autoconfig package (without the experimental_ prefixes since the package itself is pre-v1).

Patch Changes
  • #​14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

    When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

    Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

  • #​14316 444b75e Thanks @​matingathani! - Prevent wrangler dev crash when source-mapping a truncated error chunk

    When a worker logs many errors in quick succession, the stderr chunks received by wrangler dev can be truncated mid-stack-frame, leaving a call site with an invalid column number. The source map library throws in that case, which was crashing the wrangler process entirely. The error is now caught and the original (un-source-mapped) text is returned instead.

  • #​14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

    A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #​14101.

  • Updated dependencies [b38823f]:

    • miniflare@​4.20260617.1

v4.102.0

Compare Source

Minor Changes
  • #​14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

    The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

  • #​14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

    When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes
  • #​14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #​14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #​14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

    This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

  • #​14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260616.1 1.20260617.1
  • #​14275 594544d Thanks @​alsuren! - Resolve auto-provisioned D1 bindings via the API in remote subcommands

    Remote D1 subcommands (d1 execute --remote, d1 export --remote, d1 info, d1 insights, d1 delete, d1 migrations apply --remote, d1 migrations list --remote, d1 time-travel) previously failed with:

    Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

    when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

    If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (<worker name>-<binding-lowercased-with-dashes>).

    Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

  • #​14315 a79b899 Thanks @​matingathani! - Respect find_additional_modules = false when no_bundle is set

    When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

  • #​14269 5dfb788 Thanks @​mattjohnsonpint! - Support dev.plugin on typed services bindings

    Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

  • #​14328 ca61558 Thanks @​edevil! - Mention temporary preview accounts in wrangler whoami output when unauthenticated

    When you run wrangler whoami without being logged in, Wrangler now also tells you that you can deploy without logging in by running a command like wrangler deploy --temporary to use a temporary preview account.

  • Updated dependencies [673b09e, e930bd4, 5c3bb11, 296ad65]:

    • miniflare@​4.20260617.0

v4.101.0

Compare Source

Minor Changes
  • #​14276 32f9307 Thanks @​dario-piotrowicz! - Graduate autoconfig from experimental to stable

    The --experimental-autoconfig and --x-autoconfig deploy CLI flags have been replaced with --autoconfig.

    Note that the --autoconfig flag defaults to true and that it can be used to disable Wrangler's auto-configuration logic by setting it to false via --autoconfig=false or --no-autoconfig

  • #​14287 41f391f Thanks @​edmundhung! - Add per-Worker resource accessors to createTestHarness()

    createTestHarness() now provides methods for accessing configured KV namespaces, R2 buckets, D1 databases, and Durable Object namespaces. Use server.getWorker(name) to access resources scoped to that specific Worker:

    const worker = server.getWorker("api-worker");
    const bucket = await worker.getR2Bucket("BUCKET");
    const db = await worker.getD1Database("DB");
  • #​14264 21dbc12 Thanks @​dario-piotrowicz! - Suggest Cloudflare skills installation after commands instead of before

    The automatic prompt to install Cloudflare skills for detected AI coding agents no longer runs before every Wrangler command. Instead, Wrangler now suggests installing skills, when appropriate, after some commands complete successfully. Commands that output JSON suppress the suggestion to keep their output clean. The --install-skills flag remains available on all commands to explicitly run the skills installation flow before the command executes, without prompting.

    As before, Wrangler asks the skills installation question at most once. The skills install metadata file is now written before the confirmation prompt is shown, so even if the user interrupts the process (e.g. CTRL+C, closing the terminal) during the prompt, the question is recorded as unanswered and will not reappear on subsequent runs.

  • #​14042 7e63948 Thanks @​edevil! - Add a --temporary flag that creates and uses a temporary Cloudflare preview account when you have no credentials, instead of starting the OAuth login flow.

    It's registered only on the commands the short-lived account token can serve — Workers (deploy, versions upload, and related commands), KV, D1, Hyperdrive, Queues, and certificate commands — and is for unauthenticated use only: passing it while already authenticated (OAuth, CLOUDFLARE_API_TOKEN, or a global API key) errors rather than silently ignoring the flag. Before provisioning, Wrangler handles Cloudflare's Terms of Service and Privacy Policy (interactive terminals prompt for yes; non-interactive shells print a notice and continue). Wrangler then runs with the short-lived token and prints a claim URL so the account can be claimed before it expires. The cached account is cleared on successful login or logout.

  • #​14299 035917f Thanks @​petebacondarwin! - Send the login user telemetry event when wrangler login --scopes ... succeeds

    wrangler login was already reporting the login user event when called without --scopes, but the scoped login path returned early before the event could be sent. Both paths now report the event, so successful scoped logins are counted alongside unscoped ones.

Patch Changes
  • #​14271 27db82c Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260611.1 1.20260612.1
  • #​14298 2a6a26b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260612.1 1.20260615.1
  • #​14317 9a424ed Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260615.1 1.20260616.1
  • #​14282 ecfdd5a Thanks @​edmundhung! - Fix wrangler dev asset fallback with custom routes

    wrangler dev now applies Workers Assets fallback behavior consistently when routes are configured, including SPA fallback and 404-page handling.

  • #​13763 604be26 Thanks @​matingathani! - Show a clear error when deploying a service-worker format Worker with Durable Object migrations or bindings instead of an opaque API error

  • #​14240 1fb7ba5 Thanks @​ttoino! - Fix wrangler email sending commands

    The email sending commands previously failed against the Cloudflare API. They now work as expected:

    • email sending enable <domain> enables Email Sending for a domain
    • email sending disable <domain> disables Email Sending for a domain
    • email sending settings <domain> shows the Email Sending configuration for a domain
    • email sending dns get <domain> shows the DNS records to set up for a domain
    • email sending list previously listed zones. It now lists the domains that have Email Sending enabled — every enabled domain across your account by default, or just those under a specific domain when you pass a domain (or --zone-id).
  • #​13838 208b3bb Thanks @​matingathani! - Fix unhandled promise rejection when the worker entry point is deleted or moved during wrangler dev hot-reload — now logs a warning and skips the update instead of crashing

  • #​14241 8b2ce41 Thanks @​dario-piotrowicz! - Improve error messages for CLI flags, type generation, auth scopes, dev server tunnels, and compatibility flags

    Error messages across several areas now name the exact flags or values involved and suggest how to fix the problem:

    • KV commands (kv key put, kv key get, kv key delete): error messages now include -- prefixes and clear "Missing required option" / "Conflicting options" phrasing instead of the vague "Exactly one of the arguments ... is required".
    • wrangler types --include-env=false --include-runtime=false: the error now names both flags and explains what each does.
    • wrangler login --scopes: invalid scopes are individually identified instead of dumping the entire array.
    • wrangler dev --tunnel --remote: the error now explains why tunnels require local mode and suggests two concrete fixes.
    • Conflicting compatibility flags (nodejs_compat_populate_process_env / nodejs_compat_do_not_populate_process_env, global_navigator / no_global_navigator): errors now name the specific conflicting flags.
  • #​14228 3578919 Thanks @​dario-piotrowicz! - Improve Hyperdrive error messages for missing required options

    Error messages thrown when creating or updating a Hyperdrive config with missing individual parameters (e.g. --origin-host, --origin-port, --database, --origin-user, --origin-password, --origin-scheme, --access-client-id/--access-client-secret) now clearly state which option is missing, provide a usage example, and suggest --connection-string as an alternative where applicable.

  • #​14304 ee82c76 Thanks @​emily-shen! - Skip resource provisioning for asset-only deployments

    Previously, asset-only deployments would provision resources even when there was no user Worker script. On a subsequent deploy, we would re-attempt provisioning as the previous asset-only upload would/could not be bound to the previously provisioned resource. Provisioning would then error as the resource had already been created, blocking the deploy.

  • Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, 41f391f]:

    • miniflare@​4.20260616.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

| datasource | package                      | from    | to      |
| ---------- | ---------------------------- | ------- | ------- |
| npm        | @lucide/svelte               | 1.18.0  | 1.21.0  |
| npm        | @sveltejs/adapter-cloudflare | 7.2.8   | 7.2.9   |
| npm        | @sveltejs/enhanced-img       | 0.10.4  | 0.11.0  |
| npm        | @sveltejs/kit                | 2.65.1  | 2.66.0  |
| npm        | @types/node                  | 25.9.3  | 25.9.4  |
| npm        | wrangler                     | 4.100.0 | 4.103.0 |
@dle-renovate-bot dle-renovate-bot Bot enabled auto-merge (squash) June 23, 2026 00:53
@changeset-bot

changeset-bot Bot commented Jun 23, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 99aad1e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@dle-renovate-bot dle-renovate-bot Bot merged commit f732e7f into master Jun 23, 2026
4 of 5 checks passed
@dle-renovate-bot dle-renovate-bot Bot deleted the dle-renovate/minor-patch branch June 23, 2026 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants