
build(deps): bump undici, @cloudflare/vitest-pool-workers, miniflare and wrangler in /rust/sync-service#4192

Status: Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/rust/sync-service/multi-caa61afbe7

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026


Bumps undici to 8.5.0 and updates ancestor dependencies undici, @cloudflare/vitest-pool-workers, miniflare and wrangler. These dependencies need to be updated together.

Updates undici from 7.24.4 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 8.5.0 | 32dbf0b3 |
| GHSA-38rv-x7px-6hhq | CVE-2026-9675 | High (7.5) | 8.5.0 | b4c287b3 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 8.5.0 | 42d49559 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 8.2.0 | a516f870 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 8.5.0 | cb105d7c |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 8.5.0 | 5655ea43 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 8.5.0 | 5655ea43 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 8.5.0 | 6ea54ef8 |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view

Updates @cloudflare/vitest-pool-workers from 0.12.5 to 0.16.17

Release notes

Sourced from @cloudflare/vitest-pool-workers's releases.

@cloudflare/vitest-pool-workers@0.16.17

Patch Changes

@cloudflare/vitest-pool-workers@0.16.16

Patch Changes

@cloudflare/vitest-pool-workers@0.16.15

Patch Changes

@cloudflare/vitest-pool-workers@0.16.14

Patch Changes

@cloudflare/vitest-pool-workers@0.16.13

Patch Changes

@cloudflare/vitest-pool-workers@0.16.12

Patch Changes

  • #14152 3d7992e Thanks @petebacondarwin! - Fix module resolution failing when project path contains spaces

    When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20 becoming %2520) that occurred when workerd resolved these URLs as relative paths.

  • #14105 337e912 Thanks @dario-piotrowicz! - Remove trailing periods from URLs in terminal output

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

... (truncated)

Updates miniflare from 3.20250408.1 to 4.20260617.0

Release notes

Sourced from miniflare's releases.

miniflare@4.20260617.0

Patch Changes

  • #14347 673b09e Thanks @jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #14346 e930bd4 Thanks @haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14314 5c3bb11 Thanks @harryzcy! - Bump esbuild to 0.28.1

    This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

  • #14331 296ad65 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    | Dependency | From | To |
    |---|---|---|
    | workerd | 1.20260616.1 | 1.20260617.1 |

miniflare@4.20260616.0

Minor Changes

  • #14221 0e055d3 Thanks @mglewis! - Support cf.image (transform via Workers) image transformations in local dev

    fetch(url, { cf: { image: { ... } } }) now transforms images locally via Sharp, instead of returning the original bytes unchanged. This mirrors the production "transform via Workers" feature, so Workers already using cf.image behave much more closely to production in wrangler dev.

    As with the Images binding, cf.image transforms require Sharp to be installed — transforms are silently skipped if Sharp is unavailable.

Patch Changes

  • #14271 27db82c Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    | Dependency | From | To |
    |---|---|---|
    | workerd | 1.20260611.1 | 1.20260612.1 |

  • #14298 2a6a26b Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    | Dependency | From | To |
    |---|---|---|
    | workerd | 1.20260612.1 | 1.20260615.1 |

  • #14317 9a424ed Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

... (truncated)

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for miniflare since your current version.


Updates wrangler from 4.59.3 to 4.102.0

Release notes

Sourced from wrangler's releases.

wrangler@4.102.0

Minor Changes

  • #14340 f6e49dd Thanks @emily-shen! - Add cf-wrangler build delegate support

    The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

  • #14324 36777db Thanks @jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

    When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

  • #14347 673b09e Thanks @jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #14346 e930bd4 Thanks @haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14314 5c3bb11 Thanks @harryzcy! - Bump esbuild to 0.28.1

    This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

  • #14331 296ad65 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    | Dependency | From | To |
    |---|---|---|
    | workerd | 1.20260616.1 | 1.20260617.1 |

  • #14275 594544d Thanks @alsuren! - Resolve auto-provisioned D1 bindings via the API in remote subcommands

    Remote D1 subcommands (d1 execute --remote, d1 export --remote, d1 info, d1 insights, d1 delete, d1 migrations apply --remote, d1 migrations list --remote, d1 time-travel) previously failed with:

    Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

    when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

    If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (<worker name>-<binding-lowercased-with-dashes>).

    Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

  • #14315 a79b899 Thanks @matingathani! - Respect find_additional_modules = false when no_bundle is set

    When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

  • #14269 5dfb788 Thanks @mattjohnsonpint! - Support dev.plugin on typed services bindings

    Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

... (truncated)

Commits
  • dd7e101 Version Packages (#14327)
  • 5dfb788 Support dev.plugin on typed services bindings (#14269)
  • 296ad65 Bump the workerd-and-workers-types group across 1 directory with 2 updates (#...
  • f6e49dd add build command to cf-wrangler (#14340)
  • 36777db Wrangler support for experimental Build Output API (#14324)
  • a79b899 [wrangler] fix: respect find_additional_modules when no_bundle is set (#14315)
  • 5c3bb11 Bump esbuild to 0.28.1 (#14314)
  • ca61558 [wrangler] Mention temporary preview accounts in whoami when unauthenticated ...
  • 594544d D1 subcommands resolve auto-provisioned bindings via API (#14275)
  • 89a753e Version Packages (#14274)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
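Added example, not undici's or Cloudflare's own code, of the three checks the undici WebSocket advisories quoted above describe (per-frame size, cumulative size across fragments, fragment count): a minimal reassembler over frames constructed here as { fin, payload }, with limit values that are illustrative assumptions rather than any library's defaults.

```javascript
// Added example (not undici's code): a minimal WebSocket fragment reassembler
// that enforces the limits from CVE-2026-9675 and CVE-2026-12151. Frames are
// plain { fin, payload } objects; opcodes, masking and close codes are omitted.
// Limit values below are illustrative assumptions, not a library's defaults.
const DEFAULT_LIMITS = {
  maxFrameSize: 4 * 1024,     // largest single fragment accepted
  maxMessageSize: 64 * 1024,  // cumulative payload across all fragments
  maxFragments: 1024,         // fragment count, counted even when payload is empty
};

// Reassembles one message from an ordered list of frames.
// Returns { ok: true, message, fragments } or { ok: false, reason, fragments }.
function reassemble(frames, limits = DEFAULT_LIMITS) {
  const parts = [];
  let total = 0;
  let count = 0;
  for (const frame of frames) {
    // Per-frame size check. On its own this is the bypassable check behind
    // CVE-2026-9675: many frames that each pass can still add up past the limit.
    if (frame.payload.length > limits.maxFrameSize) {
      return { ok: false, reason: 'frame too large', fragments: count };
    }
    // Cumulative size across the whole fragmented message closes that gap.
    total += frame.payload.length;
    if (total > limits.maxMessageSize) {
      return { ok: false, reason: 'message too large', fragments: count };
    }
    // Fragment count closes the CVE-2026-12151 gap: empty or tiny continuation
    // frames add nothing to `total`, so size checks alone never stop them.
    count += 1;
    if (count > limits.maxFragments) {
      return { ok: false, reason: 'too many fragments', fragments: count };
    }
    parts.push(frame.payload);
    if (frame.fin) {
      return { ok: true, message: Buffer.concat(parts), fragments: count };
    }
  }
  return { ok: false, reason: 'unterminated message', fragments: count };
}

// Builds a constructed fragmented message: one frame per size, last frame FIN.
function fragments(sizes) {
  return sizes.map((n, i) => ({
    fin: i === sizes.length - 1,
    payload: Buffer.alloc(n, 0x61),
  }));
}
```

A real implementation would map each `reason` to a protocol close code (1009 for size limits) and would stop reading from the socket as soon as a limit is exceeded rather than buffering further frames.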

…and wrangler

Bumps [undici](https://github.com/nodejs/undici) to 8.5.0 and updates ancestor dependencies [undici](https://github.com/nodejs/undici), [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers), [miniflare](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/miniflare) and [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler). These dependencies need to be updated together.


Updates `undici` from 7.24.4 to 8.5.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.4...v8.5.0)

Updates `@cloudflare/vitest-pool-workers` from 0.12.5 to 0.16.17
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.17/packages/vitest-pool-workers)

Updates `miniflare` from 3.20250408.1 to 4.20260617.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/miniflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/miniflare@4.20260617.0/packages/miniflare)

Updates `wrangler` from 4.59.3 to 4.102.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.102.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 8.5.0
  dependency-type: indirect
- dependency-name: "@cloudflare/vitest-pool-workers"
  dependency-version: 0.16.17
  dependency-type: direct:development
- dependency-name: miniflare
  dependency-version: 4.20260617.0
  dependency-type: direct:development
- dependency-name: wrangler
  dependency-version: 4.102.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 18, 2026
@whutchinson98 whutchinson98 requested review from 404Wolf and synoet June 23, 2026 12:43