[wrangler] 4.73.0 - npm audit reports high security vulnerabilities #12912

@brycewray

Description

What versions & operating system are you using?

Output of `npx envinfo --system --npmPackages '{wrangler,create-cloudflare,miniflare,@cloudflare/*}' --binaries`:

```
  System:
    OS: macOS 26.3.1
    CPU: (12) arm64 Apple M2 Max
    Memory: 6.59 GB / 64.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 25.6.1 - /Users/brycewray/.nvm/versions/node/v25.6.1/bin/node
    npm: 11.11.1 - /Users/brycewray/.nvm/versions/node/v25.6.1/bin/npm
  npmPackages:
    wrangler: ^4.73.0 => 4.73.0
```

Please provide a link to a minimal reproduction

(n/a)

Describe the Bug

Getting the following with `npm audit`:

```
# npm audit report

undici  7.0.0 - 7.23.0
Severity: high
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client - https://github.com/advisories/GHSA-f269-vfmq-vjvj
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression - https://github.com/advisories/GHSA-vrm6-8vpv-qv8q
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - https://github.com/advisories/GHSA-v9p9-hfj2-hcw8
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq
Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - https://github.com/advisories/GHSA-phc3-fgpg-7m6h
fix available via `npm audit fix --force`
Will install wrangler@4.35.0, which is a breaking change
node_modules/undici
  miniflare  >=4.20250906.1
  Depends on vulnerable versions of undici
  node_modules/miniflare
    wrangler  <=0.0.0-31bfd374c || >=4.36.0
    Depends on vulnerable versions of miniflare
    node_modules/wrangler

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Please provide any relevant error logs

No response

Metadata

Assignees: No one assigned
Labels: No labels
Status: Done
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests