Update NPM Development dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	4.20260118.0 → 4.20260124.0
@types/react (source)	19.2.8 → 19.2.9
miniflare (source)	4.20260114.0 → 4.20260120.0
prettier (source)	3.8.0 → 3.8.1
typescript-eslint (source)	8.53.0 → 8.53.1
wasm-pack	^0.13.1 → ^0.14.0
wrangler (source)	4.59.2 → 4.60.0

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260124.0

Compare Source

v4.20260123.0

Compare Source

v4.20260122.0

Compare Source

v4.20260120.0

Compare Source

cloudflare/workers-sdk (miniflare)

v4.20260120.0

Compare Source

Patch Changes

• #​11993 788bf78 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260116.0	1.20260120.0

v4.20260116.0

Compare Source

Minor Changes

• #​11942 133bf95 Thanks @​penalosa! - Add support for Email Sending API's MessageBuilder interface in local mode

  Miniflare now supports the simplified MessageBuilder interface for sending emails, alongside the existing EmailMessage support.

  Example usage:

  await env.EMAIL.send({
  	from: { name: "Alice", email: "alice@example.com" },
  	to: ["bob@example.com"],
  	subject: "Hello",
  	text: "Plain text version",
  	html: "<h1>HTML version</h1>",
  	attachments: [
  		{
  			disposition: "attachment",
  			filename: "report.pdf",
  			type: "application/pdf",
  			content: pdfData,
  		},
  	],
  });

  In local mode, email content (text, HTML, attachments) is stored to temporary files that you can open in your editor or browser for inspection. File paths are logged to the console when emails are sent.

Patch Changes

• #​11925 8e4a0e5 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260114.0	1.20260115.0

• #​11942 133bf95 Thanks @​penalosa! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260115.0	1.20260116.0

• #​11967 202c59e Thanks @​emily-shen! - chore: update undici

  The following dependency versions have been updated:

  Dependency	From	To
  undici	7.14.0	7.18.2

• #​11943 25e2c60 Thanks @​vicb! - Bump capnp-es to ^0.0.14

prettier/prettier (prettier)

v3.8.1

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)

v8.53.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

drager/wasm-pack (wasm-pack)

v0.14.0

Compare Source

• ✨ Features

  • Support arbitrary wasm targets (WASI support) - RReverser, pull/1524

    Allows building for targets other than wasm32-unknown-unknown, enabling WASI and other custom wasm targets.

  • macOS ARM (aarch64-apple-darwin) build support - kaleidawave, pull/1529

    Adds native Apple Silicon support in release builds and NPM package.

  • Allow --split-linked-modules flag for wasm-bindgen - codeart1st, pull/1443

  • Custom build profile support - rafaelbeckel, pull/1428

    Allows using custom cargo profiles via --profile.

• 🤕 Fixes

  • Fix NPM package download URL - qinyuhang, pull/1543

  • Filter build artifacts to only .wasm files - [drager], pull/1535

  • Handle undefined VERSION in installer script - BrianHung, pull/1512

  • Fix it_gets_wasm_bindgen_version test - mshroyer, pull/1509

• 🛠️ Maintenance

  • Update dependencies to latest versions - [drager], pull/1536

  • Security workflow permissions fixes - [drager]

  • Bump ring from 0.17.8 to 0.17.14 - dependabot, pull/1516

  • Bump brace-expansion from 1.1.11 to 1.1.12 in /npm - dependabot, pull/1515

  • Bump rustls from 0.23.16 to 0.23.18 - dependabot, pull/1451

  • Fix tar vulnerability (CVE-2026-23745) in npm package

    Override tar dependency to ^7.5.3 to fix arbitrary file overwrite and symlink poisoning vulnerability (GHSA-8qq5-rm4j-mr97).

  • Fix axios vulnerabilities in npm package

    Override axios dependency to ^0.30.0 to fix SSRF/credential leakage via absolute URL and XSRF-TOKEN leakage (CSRF) vulnerabilities.

• 📖 Documentation

  • Update documentation links to drager's repo - yutannihilation, pull/1513

  • Document prerequisites for webdriver tests - mshroyer, pull/1509

cloudflare/workers-sdk (wrangler)

v4.60.0

Compare Source

Minor Changes

• #​11113 bba0968 Thanks @​AmirSa12! - Add wrangler complete command for shell completion scripts (bash, zsh, powershell)

  Usage:

  # Bash
  wrangler complete bash >> ~/.bashrc
  
  # Zsh
  wrangler complete zsh >> ~/.zshrc
  
  # Fish
  wrangler complete fish >> ~/.config/fish/completions/wrangler.fish
  
  # PowerShell
  wrangler complete powershell > $PROFILE

  • Uses @bomb.sh/tab library for cross-shell compatibility
  • Completions are dynamically generated from experimental_getWranglerCommands() API

• #​11893 f9e8a45 Thanks @​NuroDev! - wrangler types now generates per-environment TypeScript interfaces when named environments exist in your configuration.

  When your configuration has named environments (an env object), wrangler types now generates both:

  • Per-environment interfaces (e.g., StagingEnv, ProductionEnv) containing only the bindings explicitly declared in each environment, plus inherited secrets
  • An aggregated Env interface with all bindings from all environments (top-level + named environments), where:
    • Bindings present in all environments are required
    • Bindings not present in all environments are optional
    • Secrets are always required (since they're inherited everywhere)
    • Conflicting binding types across environments produce union types (e.g., KVNamespace | R2Bucket)

  However, if your config does not contain any environments, or you manually specify an environment via --env, wrangler types will continue to generate a single interface as before.

  Example:

  Given the following wrangler.jsonc:

  {
  	"name": "my-worker",
  	"kv_namespaces": [
  		{
  			"binding": "SHARED_KV",
  			"id": "abc123",
  		},
  	],
  	"env": {
  		"staging": {
  			"kv_namespaces": [
  				{ "binding": "SHARED_KV", "id": "staging-kv" },
  				{ "binding": "STAGING_CACHE", "id": "staging-cache" },
  			],
  		},
  	},
  }

  Running wrangler types will generate:

  declare namespace Cloudflare {
  	interface StagingEnv {
  		SHARED_KV: KVNamespace;
  		STAGING_CACHE: KVNamespace;
  	}
  	interface Env {
  		SHARED_KV: KVNamespace; // Required: in all environments
  		STAGING_CACHE?: KVNamespace; // Optional: only in staging
  	}
  }
  interface Env extends Cloudflare.Env {}

Patch Changes

• #​12030 614bbd7 Thanks @​jbwcloudflare! - Fix wrangler pages project validate to respect file count limits from CF_PAGES_UPLOAD_JWT

• #​11993 788bf78 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260116.0	1.20260120.0

• #​12039 1375577 Thanks @​dimitropoulos! - Fixed the flag casing for the time period flag for the d1 insights command.

• #​12026 c3407ad Thanks @​dario-piotrowicz! - Fix wrangler setup not automatically selecting workers as the target for new SvelteKit apps

  The Sveltekit adapter:cloudflare adapter now accepts two different targets workers or pages. Since the wrangler auto configuration only targets workers, wrangler should instruct the adapter to use the workers variant. (The auto configuration process would in any case not work if the user were to target pages.)

• Updated dependencies [788bf78, ae108f0]:

  • miniflare@​4.20260120.0
  • @​cloudflare/unenv-preset@​2.11.0
  • @​cloudflare/kv-asset-handler@​0.4.2

v4.59.3

Compare Source

Patch Changes

• #​9396 75386b1 Thanks @​gnekich! - Fix wrangler login with custom callback-host/callback-port

  The Cloudflare OAuth API always requires the redirect_uri to be localhost:8976. However, sometimes the Wrangler OAuth server needed to listen on a different host/port, for example when running from inside a container. We were previously incorrectly setting the redirect_uri to the configured callback host/port, but it needs to be up to the user to map localhost:8976 to the Wrangler OAuth server in the container.

  Example:

  You might run Wrangler inside a docker container like this: docker run -p 8989:8976 <image>, which forwards port 8976 on your host to 8989 inside the container.

  Then inside the container, run wrangler login --callback-host=0.0.0.0 --callback-port=8989

  The OAuth link still has a redirect_uri set tolocalhost:8976. For example https://dash.cloudflare.com/oauth2/auth?...&redirect_uri=http%3A%2F%2Flocalhost%3A8976%2Foauth%2Fcallback&...

  However the redirect to localhost:8976 is then forwarded to the Wrangler OAuth server inside your container, allowing the login to complete.

• #​11925 8e4a0e5 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260114.0	1.20260115.0

• #​11942 133bf95 Thanks @​penalosa! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260115.0	1.20260116.0

• #​11922 93d8d78 Thanks @​dario-piotrowicz! - Improve telemetry errors being sent to Sentry by wrangler init when it delegates to C3 by ensuring that they contain the output of the C3 execution.

• #​11940 69ff962 Thanks @​penalosa! - Show helpful messages for file not found errors (ENOENT)

  When users encounter file not found errors, Wrangler now displays a helpful message with the missing file path and common causes, instead of reporting to Sentry.

• #​11904 22727c2 Thanks @​danielrs! - Fix false positive infinite loop detection for exact path redirects

  Fixed an issue where the redirect validation incorrectly flagged exact path redirects like / /index.html 200 as infinite loops. This was particularly problematic when html_handling is set to "none", where such redirects are valid.

  The fix makes the validation more specific to only block wildcard patterns (like /* /index.html) that would actually cause infinite loops, while allowing exact path matches that are valid in certain configurations.

  Fixes: #​11824

• #​11946 fa39a73 Thanks @​MattieTK! - Fix configFileName returning wrong filename for .jsonc config files

  Previously, users with a wrangler.jsonc config file would see error messages and hints referring to wrangler.json instead of wrangler.jsonc. This was because the configFormat function collapsed both .json and .jsonc files into a single "jsonc" value, losing the distinction between them.

  Now configFormat returns "json" for .json files and "jsonc" for .jsonc files, allowing configFileName to return the correct filename for each format.

• #​11968 4ac7c82 Thanks @​MattieTK! - fix: include version components in command event metrics

  Adds wranglerMajorVersion, wranglerMinorVersion, and wranglerPatchVersion to command events (wrangler command started, wrangler command completed, wrangler command errored). These properties were previously only included in adhoc events.

• #​11940 69ff962 Thanks @​penalosa! - Improve error message when creating duplicate KV namespace

  When attempting to create a KV namespace with a title that already exists, Wrangler now provides a clear, user-friendly error message instead of the generic API error. The new message explains that the namespace already exists and suggests running wrangler kv namespace list to see existing namespaces with their IDs, or choosing a different namespace name.

• #​11962 029531a Thanks @​dario-piotrowicz! - Cache chosen account in memory to avoid repeated prompts

  When users have multiple accounts and no node_modules directory exists for file caching, Wrangler (run via npx and equivalent commands) would prompt for account selection multiple times during a single command. Now the selected account is also stored in process memory, preventing duplicate prompts and potential issues from inconsistent account choices.

• #​11964 d58fbd1 Thanks @​dario-piotrowicz! - Make name the positional argument for wrangler delete instead of script

  The script argument was meaningless for the delete command since it deletes by worker name, not by entry point path. The name argument is now accepted as a positional argument, allowing users to run wrangler delete my-worker instead of wrangler delete --name my-worker. The script argument is now hidden but still accepted for backwards compatibility.

• #​11967 202c59e Thanks @​emily-shen! - chore: update undici

  The following dependency versions have been updated:

  Dependency	From	To
  undici	7.14.0	7.18.2

• #​11940 69ff962 Thanks @​penalosa! - Improve error handling for Vite config transformations

  Replace assertions with proper error handling when transforming Vite configs. When Wrangler encounters a Vite config that uses a function or lacks a plugins array, it now provides clear, actionable error messages instead of crashing with assertion failures. The check function gracefully skips incompatible configs with debug logging.

• Updated dependencies [8e4a0e5, 133bf95, 202c59e, 133bf95, 25e2c60]:

  • miniflare@​4.20260116.0

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.