Bump wrangler from 4.76.0 to 4.77.0

[dependabot]

Bumps wrangler from 4.76.0 to 4.77.0.

Release notes

Sourced from wrangler's releases.

wrangler@4.77.0

Minor Changes

• #13023 593c4db Thanks @​jamesopstad! - Add wrangler versions upload support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler versions upload now validates that all secrets declared in secrets.required are configured on the Worker before the upload succeeds. If any required secrets are missing, the upload fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

• #12732 c2e9163 Thanks @​jamesopstad! - Add deploy support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler deploy now validates that all secrets declared in secrets.required are configured on the Worker before the deploy succeeds. If any required secrets are missing, the deploy fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #12896 451dae3 Thanks @​petebacondarwin! - fix: Add retry and timeout protection to remote preview API calls

  Remote preview sessions (wrangler dev --remote) now automatically retry transient 5xx API errors (up to 3 attempts with linear backoff) and enforce a 30-second per-request timeout. Previously, a single hung or failed API response during session creation or worker upload could block the dev session reload indefinitely.

• #12569 379f2a2 Thanks @​MattieTK! - Use qwik add cloudflare-workers instead of qwik add cloudflare-pages for Workers targets

  Both the wrangler autoconfig and C3 Workers template for Qwik were running qwik add cloudflare-pages even when targeting Cloudflare Workers. This caused the wrong adapter directory structure to be scaffolded (adapters/cloudflare-pages/ instead of adapters/cloudflare-workers/), and required post-hoc cleanup of Pages-specific files like _routes.json.

  Qwik now provides a dedicated cloudflare-workers adapter that generates the correct Workers configuration, including wrangler.jsonc with main and assets fields, a public/.assetsignore file, and the correct adapters/cloudflare-workers/vite.config.ts.

  Also adds --skipConfirmation=true to all qwik add invocations so the interactive prompt is skipped in automated contexts.

• #11899 9a1cf29 Thanks @​hoodmane! - Remove cf-requirements support for Python workers. It hasn't worked with the runtime for a while now.

• #11800 875da60 Thanks @​southpolesteve! - Add upgrade hint to unexpected configuration field warnings when an update is available

... (truncated)

Commits

• a61451f Version Packages (#12980)
• 593c4db Add versions upload support for explicit secrets (#13023)
• 875da60 [wrangler] Add upgrade hint to unexpected configuration field warnings (#11800)
• b045d2d fix: Optimize Edge Preview Authenticated Proxy and typo issues (#11046)
• c2e9163 Add deploy support for explicit secrets (#12732)
• 9a1cf29 Remove cf-requirements support from wrangler (#11899)
• cf98836 Use Vite 8 and Vitest 4 everywhere (#12947)
• 663be1c [wrangler] Fix e2e flakes in startWorker, deployments, and containers tests (...
• 379f2a2 [wrangler][C3] Use qwik add cloudflare-workers instead of cloudflare-pages (#...
• f3871f8 [wrangler] Shard E2E tests across 4 parallel CI jobs (#12941)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	wrangler@​4.76.0 ⏵ 4.77.0	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm miniflare is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → npm/wrangler@4.77.0 → npm/miniflare@4.20260317.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/miniflare@4.20260317.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report