fix(deps): update all non-major dependencies#22637
Merged
Merged
Conversation
b439589 to
2570643
Compare
sapphi-red
approved these changes
Jun 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^7.29.0→^7.29.7^1.5.0→^1.5.1^4.1.0→^4.2.0^24.12.4→^24.13.1^19.2.15→^19.2.174.1.7→4.1.8^2.10.33→^2.10.34^2.0.0→^2.1.0^1.23.2→^1.23.3^4.20260526.0→^4.20260603.0^0.52.0→^0.53.0^19.2.6→^19.2.719.2.6→19.2.7^19.2.6→^19.2.7^19.2.6→^19.2.7^19.2.6→^19.2.7^5.56.0→^5.56.3^4.4.8→^4.6.0^8.60.0→^8.60.1^0.3.0→^0.3.1^8.0.14→^8.0.16^4.1.7→^4.1.8^3.3.3→^3.3.4Release Notes
bombshell-dev/clack (@clack/prompts)
v1.5.1Compare Source
Patch Changes
#548
2356e97Thanks @43081j! - Remove sourcemaps and enable pretty-ish build output.#546
56e9d67Thanks @ghostdevv! - docs: add jsdoc fordate,limit-options, andmessagesUpdated dependencies [
2356e97]:shikijs/shiki (@shikijs/vitepress-twoslash)
v4.2.0Compare Source
🚀 Features
🐞 Bug Fixes
View changes on GitHub
vitest-dev/vitest (@vitest/utils)
v4.1.8Compare Source
🐞 Bug Fixes
cdpAPI whenallowWrite/allowExec: false[backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)View changes on GitHub
web-platform-dx/baseline-browser-mapping (baseline-browser-mapping)
v2.10.34Compare Source
guybedford/es-module-lexer (es-module-lexer)
v2.1.0Compare Source
What's Changed
New Contributors
Full Changelog: guybedford/es-module-lexer@2.0.0...2.1.0
cloudflare/workers-sdk (miniflare)
v4.20260603.0Compare Source
Minor Changes
#14164
b502d54Thanks @G4brym! - Rename theweb_searchbinding kind towebsearchPre-launch rename of the public binding type from
web_searchtowebsearchso the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move fromweb_search/webSearchtowebsearch.Update your wrangler config:
The runtime
WebSearchtype exposed onenv.WEBSEARCHis unchanged.#13863
3b8b80aThanks @aslakhellesoy! - Support cross-worker workflow bindings via the dev registryWhen a workflow binding has a
scriptNamethat refers to a worker registered in another Miniflare instance (viaunsafeDevRegistryPath), miniflare now reroutes the engine'sUSER_WORKFLOWbinding through the dev-registry-proxy worker — the same mechanism Durable Objects already use for cross-workerscriptNamebindings.Previously the workflow engine was bound directly to a local service
core:user:<scriptName>, so workerd refused to start when that script lived in a different process.This unblocks
getPlatformProxy()(and any other split-Miniflare setup) for users whose workflow class is defined in a separate worker — for example SvelteKit/Remix on Cloudflare, whereadapter-cloudflare's dev integration runs the user's worker in a sidecar.See #7459.
Patch Changes
#14175
a3eea27Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14081
1fdd8deThanks @dario-piotrowicz! - Detect early workerd exit instead of hanging indefinitelyWhen
workerdexits during startup before writing all expected listen events to the control file descriptor (e.g. due to an IPv6 bind failure, permission error, or missing library), Miniflare'swaitForPorts()would block forever. This causedwrangler devto stall at "Starting local server..." with no error and no timeout.The fix races
waitForPorts()against the child process exit event so that any unexpectedworkerdtermination is detected immediately. Whenworkerdexits early, Miniflare now throwsERR_RUNTIME_FAILUREwith the runtime's stderr output included in the error message, making the root cause diagnosable without external tools.v4.20260601.0Compare Source
Patch Changes
#14147
e06cbb7Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14086
4ef790bThanks @dario-piotrowicz! - Use127.0.0.1instead oflocalhostfor the runtime inspector addressOn systems where
getaddrinfo("localhost")returns::1but IPv6 is disabled at the kernel level,workerdfails to bind the inspector socket and silently continues without emitting thelisten-inspectorevent to the control FD. This causedwrangler devto hang indefinitely at "Starting local server..." with no error output.Using
127.0.0.1explicitly is consistent withDEFAULT_HOST,--debug-port, andresolveLocalhost()already in the codebase.#14105
337e912Thanks @dario-piotrowicz! - Remove trailing periods from URLs in terminal outputURLs printed to the terminal with a sentence-ending period (e.g.
https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.#14112
3a746acThanks @penalosa! - Pin non-bundled runtime dependencies to exact versionsDependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new
pnpm check:pinned-depslint enforces this for all published packages (and for the shared pnpm catalog) going forward.v4.20260529.0Compare Source
Minor Changes
#14087
e3c862aThanks @edmundhung! - Add support for the newweb_searchbinding kind.Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in
wrangler.jsonc:{ "web_search": { "binding": "WEBSEARCH" } }There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single
search()method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the globalfetch()API against the result'surl.The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the
websearch.runOAuth scope towrangler login.Also adds a
wrangler websearch searchcommand for running ad-hoc queries from the CLI:--limitis optional (defaults to 10, capped at 20).--jsonprints the raw response; without it the results render as a pretty table.#13610
cbb39bdThanks @petebacondarwin! - Add support foragent_memorybindingsAgent Memory bindings allow Workers to connect to Cloudflare's Agent Memory service for storing and retrieving agent conversation state. This binding is remote-only, meaning it always connects to the Cloudflare API during
wrangler devrather than using a local simulation.To configure an
agent_memorybinding, add the following to yourwrangler.json:{ "agent_memory": [ { "binding": "MY_MEMORY", "namespace": "my-namespace" } ] }Wrangler will automatically provision the namespace during deployment if it does not already exist. Type generation via
wrangler typesis also supported.This change also adds the
agent-memory:writeOAuth scope to Wrangler's default login scopes, sowrangler logincan request the permissions needed to provision and manage Agent Memory namespaces.#14087
e3c862aThanks @edmundhung! - Renamepipelinefield tostreamin pipeline bindings configurationThe
pipelinefield insidepipelinesbindings has been renamed tostreamto align with the updated API wire format. The oldpipelinefield is still accepted but deprecated and will emit a warning.Before:
After:
#14079
972d13dThanks @edmundhung! - Add JSON output to/cdn-cgi/handler/scheduledThe
/cdn-cgi/handler/scheduledendpoint now accepts?format=jsonto return the scheduled handler result as JSON, including whether the handler calledcontroller.noRetry(). Requests withoutformat=jsonstill return the existing text outcome for backward compatibility.Patch Changes
#14106
7bb5c7aThanks @dario-piotrowicz! - Add timeout to browser-rendering browser launch to prevent infinite hangsThe browser-rendering plugin's
launchBrowser()function now passes a 5-minute timeout towaitForLineOutput()when waiting for Chrome to print its DevTools WebSocket URL. Previously, if Chrome failed to start or crashed before printing the URL, the promise would hang forever. This could cause CI pipelines and local dev sessions to get stuck indefinitely.#14087
e3c862aThanks @edmundhung! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14076
97d7d81Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14100
c647cccThanks @dependabot! - Update dependencies of "miniflare", "wrangler"The following dependency versions have been updated:
#14087
e3c862aThanks @edmundhung! - Fixwrangler devcrash under Yarn PnP when the worker emits a structured log or the inspector forwards a stack trace.getFreshSourceMapSupportwas unconditionally indexingrequire.cache, but whenminiflareisimported from ESM under Yarn PnP, Node's ESM->CJS bridge (loadCJSModuleinnode:internal/modules/esm/translators) hands the wrapped CJS module a re-inventedrequirethat only carries.resolveand.main, with no.cache. Fall back tocreateRequire(__filename)in that case so the fresh-load cache-swap keeps working.oxc-project/oxc (oxfmt)
v0.53.0Compare Source
facebook/react (react)
v19.2.7Compare Source
facebook/react (react-dom)
v19.2.7Compare Source
sveltejs/svelte (svelte)
v5.56.3Compare Source
Patch Changes
fix: ignore errors that occur in destroyed effects (#18384)
fix: type BigInts in
$state.snapshot(...)return values (#18388)v5.56.2Compare Source
Patch Changes
fix: properly track effect end node for async sibling component (#18371)
fix: prevent false-positive reactivity loss warning (#18373)
chore: bump esrap dependency (#18372)
fix: ignore declaration tags for animation directive (#18366)
fix: reject pending async deriveds on discard (#18308)
v5.56.1Compare Source
Patch Changes
fix: error at compile time on duplicate snippet/declaration tag definitions (#18351)
fix: parse declaration tag contents more robustly (#18353)
fix: correctly transform references to earlier declarators in a declaration tag (e.g.
{let a = $state(0), b = $derived(a * 2)}) (#18348)fix: avoid spurious
state_referenced_locallywarnings for$deriveddeclarations in declaration tags (#18348)fix: tolerate whitespace before
let/constin declaration tags (#18348)fix: prevent infinite loop when a tag's expression ends with a trailing
/at the end of the input (#18350)fix: more robust parsing of declaration tags with regards to
type(#18330)fix: preserve newlines in spread input values when the
typeattribute is applied aftervalue(#18345)fix: update
SvelteURLSearchParamswhen setting duplicate keys to the same joined value (#18336)fix: check references for blockers on server, too (#18352)
sveltejs/language-tools (svelte-check)
v4.6.0Compare Source
Minor Changes
vite.config.js/ts(#3031)Patch Changes
151cf45]:v4.5.0Compare Source
Minor Changes
Patch Changes
fix: properly handle props with the name
slotinside Svelte 5 snippets (#3030)feat: add support for svelte config ts/mts files (#3009)
typescript-eslint/typescript-eslint (typescript-eslint)
v8.60.1Compare Source
This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.
See GitHub Releases for more information.
You can read about our versioning strategy and releases on our website.
Gugustinette/unrun (unrun)
v0.3.1Compare Source
🐞 Bug Fixes
View changes on GitHub
vitejs/vite (vite)
v8.0.16Compare Source
Bug Fixes
v8.0.15Compare Source
Features
Bug Fixes
Miscellaneous Chores
Code Refactoring
collectAllModulesfunction (#22562) (6978a9c)vuejs/language-tools (vue-tsc)
v3.3.4Compare Source
language-core
checkRequiredFallthroughAttributesis enabled (#6088) - Thanks to @KazariEX!htmlAttributesoption (#6089) - Thanks to @KazariEX!language-service
typescript-plugin
classandstyleas a boolean property (#6081) - Thanks to @KazariEX!Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.