Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@cloudflare/vitest-pool-workers (source)	0.12.20 → 0.13.1			devDependencies	minor
@cloudflare/workers-types	4.20260307.1 → 4.20260317.1			devDependencies	minor
@types/node (source)	25.3.5 → 25.5.0			devDependencies	minor
discord-api-types (source)	0.38.41 → 0.38.42			devDependencies	patch
hono (source)	4.12.7 → 4.12.8			devDependencies	patch
kysely (source)	0.28.11 → 0.28.12			devDependencies	patch
miniflare (source)	4.20260301.1 → 4.20260312.1			devDependencies	minor
nanoid	5.1.6 → 5.1.7			devDependencies	patch
pnpm (source)	10.31.0 → 10.32.1			packageManager	minor
pnpm/action-setup	v4.2.0 → v4.4.0			action	minor
temporal-polyfill	0.3.0 → 0.3.2			devDependencies	patch
tsdown (source)	0.21.0 → 0.21.4			devDependencies	patch
wrangler (source)	4.71.0 → 4.74.0			devDependencies	minor

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vitest-pool-workers)

v0.13.1

Compare Source

Patch Changes

• Updated dependencies [ade0aed, 2b9a186, 65f1092, 7b0d8f5, 351e1e1, 2b9a186]:
  • miniflare@​4.20260312.1
  • wrangler@​4.74.0

v0.13.0

Compare Source

Minor Changes

• #​11632 a6ddbdb Thanks @​penalosa! - Support Vitest 4 in @cloudflare/vitest-pool-workers.

  This a breaking change to the @cloudflare/vitest-pool-workers integration in order to support Vitest v4. Along with supporting Vitest v4 (and dropping support for Vitest v2 and v3), we've made a number of changes that may require changes to your tests. Our aim has been to improve stability & the foundations of @cloudflare/vitest-pool-workers as we move towards a v1 release of the package.

  We've made a codemod to make the migration easier, which will make the required changes to your config file:

  npx jscodeshift -t node_modules/@​cloudflare/vitest-pool-workers/dist/codemods/vitest-v3-to-v4.mjs vitest.config.ts

  Or, without installing the package first:

  npx jscodeshift -t https://unpkg.com/@​cloudflare/vitest-pool-workers/dist/codemods/vitest-v3-to-v4.mjs --parser=ts vitest.config.ts

  • Config API: defineWorkersProject and defineWorkersConfig from @cloudflare/vitest-pool-workers/config have been replaced with a cloudflareTest() Vite plugin exported from @cloudflare/vitest-pool-workers. The test.poolOptions.workers options are now passed directly to cloudflareTest():

    Before:

    import { defineWorkersProject } from "@​cloudflare/vitest-pool-workers/config";
    
    export default defineWorkersProject({
    	test: {
    		poolOptions: {
    			workers: {
    				wrangler: { configPath: "./wrangler.jsonc" },
    			},
    		},
    	},
    });

    After:

    import { cloudflareTest } from "@​cloudflare/vitest-pool-workers";
    import { defineConfig } from "vitest/config";
    
    export default defineConfig({
    	plugins: [
    		cloudflareTest({
    			wrangler: { configPath: "./wrangler.jsonc" },
    		}),
    	],
    });

  • isolatedStorage & singleWorker: These have been removed in favour of a simpler isolation model that more closely matches Vitest. Storage isolation is now on a per test file basis, and you can make your test files share the same storage by using the Vitest flags --max-workers=1 --no-isolate

  • import { env, SELF } from "cloudflare:test": These have been removed in favour of import { env, exports } from "cloudflare:workers". exports.default.fetch() has the same behaviour as SELF.fetch(), except that it doesn't expose Assets. To test your assets, write an integration test using startDevWorker()

  • import { fetchMock } from "cloudflare:test": This has been removed. Instead, mock globalThis.fetch or use ecosystem libraries like MSW (recommended).

  • Vitest peer dependency: @cloudflare/vitest-pool-workers now requires vitest@^4.1.0.

Patch Changes

• Updated dependencies [f7de0fd, ff543e3, 8e89e85, e63539d, 8d1e130, 6ee18e1, ecc7f79, 1dda1c8, 4bb61b9]:
  • miniflare@​4.20260312.0
  • wrangler@​4.73.0

v0.12.21

Compare Source

Patch Changes

• #​12790 5451a7f Thanks @​petebacondarwin! - Bump devalue to ^5.6.3 to address security vulnerabilities

  Devalue had denial of service and prototype pollution vulnerabilities. This is a bundled dependency.

• Updated dependencies [5451a7f, 5451a7f, 82cc2a8, 3c67c2a, d645594, 211d75d, 6ed249b, 9f93b54, de65c58, cb14820, a7c87d1, b8c33f5, e4d9510]:

  • miniflare@​4.20260310.0
  • wrangler@​4.72.0

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260317.1

Compare Source

v4.20260316.1

Compare Source

v4.20260313.1

Compare Source

v4.20260312.1

Compare Source

v4.20260310.1

Compare Source

discordjs/discord-api-types (discord-api-types)

v0.38.42

Compare Source

Features

• mark new modal components as stable (#​1556) (818b899)

honojs/hono (hono)

v4.12.8

Compare Source

What's Changed

• fix(utils/mime): Normalize input extension to lowercase before MIME check by @​TheEssem in #​4800
• fix(bearer-auth): escape regex metacharacters in bearer auth prefix option by @​otoneko1102 in #​4750

New Contributors

• @​TheEssem made their first contribution in #​4800

Full Changelog: honojs/hono@v4.12.7...v4.12.8

kysely-org/kysely (kysely)

v0.28.12: 0.28.12

Compare Source

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

• fix: eb.ref(col, '->$').key(key) is injectable. by @​igalklebanov in #​1727

MySQL 🐬

• feat(mysql): Update types for mysql2@​v3.18.2 support #​1722 by @​fenichelar in #​1729

📖 Documentation

📦 CICD & Tooling

• chore: bump dependencies. by @​igalklebanov in #​1732
• chore: bump dependencies. by @​igalklebanov in #​1742

⚠️ Breaking Changes

🐤 New Contributors

• @​fenichelar made their first contribution in #​1729

Full Changelog: kysely-org/kysely@v0.28.11...v0.28.12

cloudflare/workers-sdk (miniflare)

v4.20260312.1

Compare Source

Patch Changes

• #​12869 ade0aed Thanks @​emily-shen! - Local explorer: validate host and origin headers before Miniflare modifies them

  If routes are set, Miniflare will alter the host and origin headers to match, causing the local explorer to mistakenly identify and block same-origin requests.

  Note the local explorer is a WIP experimental feature.

v4.20260312.0

Compare Source

Patch Changes

• #​12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #​12864 ecc7f79 Thanks @​NuroDev! - Fix local explorer route matching to be more precise

  Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:

  • /cdn-cgi/explorer (exact match)
  • /cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)

  Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.

• #​12775 1dda1c8 Thanks @​fhanau! - Add support for worker connect handler in miniflare

v4.20260310.0

Compare Source

Minor Changes

• #​12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

• #​12754 e4d9510 Thanks @​emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #​12790 5451a7f Thanks @​petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

• #​12795 82cc2a8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #​12811 3c67c2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260306.1	1.20260307.1

• #​12827 d645594 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260307.1	1.20260310.1

• #​12828 cb14820 Thanks @​jamesopstad! - Update @hey-api/openapi-ts to ^0.94.0

• #​12786 a7c87d1 Thanks @​emily-shen! - local explorer: validate origin and host headers

  The local explorer is a WIP experimental feature.

v4.20260305.0

Compare Source

Patch Changes

• #​12661 99037e3 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260302.0	1.20260303.0

• #​12680 295297a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260303.0	1.20260305.0

v4.20260302.0

Compare Source

Patch Changes

• #​12582 c2ed7c2 Thanks @​penalosa! - Internal refactor to use capnweb's native ReadableStream support to power remote Media and Dispatch Namespace bindings.

• #​12618 d920811 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260219.0	1.20260227.0

• #​12637 896734d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260227.0	1.20260302.0

• #​12602 58a4020 Thanks @​anonrig! - Optimize filesystem operations by using Node.js's throwIfNoEntry: false option

  This reduces the number of system calls made when checking for file existence by avoiding the overhead of throwing and catching errors for missing paths. This is an internal performance optimization with no user-visible behavioral changes.

ai/nanoid (nanoid)

v5.1.7

Compare Source

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

pnpm/pnpm (pnpm)

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

• Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Gold Sponsors

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

• Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

• Reverted change related to setting explicitly the npm config file path, which caused regressions.
• Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Gold Sponsors

pnpm/action-setup (pnpm/action-setup)

v4.4.0

Compare Source

Updated the action to use Node.js 24.

v4.3.0

Compare Source

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in #​175
• chore: remove unused @types/node-fetch dependency by @​silverwind in #​186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in #​184
• feat: store caching by @​jrmajor in #​188
• refactor: remove star imports by @​KSXGitHub in #​196
• fix(ci): exclude macos by @​KSXGitHub in #​197

New Contributors

• @​dreyks made their first contribution in #​175
• @​silverwind made their first contribution in #​186
• @​chris-martin made their first contribution in #​184
• @​jrmajor made their first contribution in #​188
• @​Boosted-Bonobo made their first contribution in #​199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

fullcalendar/temporal-polyfill (temporal-polyfill)

v0.3.2

Compare Source

• feature: function API in dist, though poorly documented and in alpha
• fix: incorrect placement of /*@​__PURE__*/ (#​90)

v0.3.1

Compare Source

• feature: More readable objects on console (#​46)
• feature: support require(esm) in Node.js to avoid dual package hazard (#​62)
• fix: use new Date() for maxPossibleTransition malfunctions in some environments (#​83)
• fix: Duration toLocaleString uses DateTimeFormatOptions (#​80)
• fix: ZonedDateTime should not be considered Formattable (#​78)
• fix: stop using locale en-GB for computations, not present in some environments (#​76)
• fix: result of Temporal.Now.timeZoneId() should not be cached (#​63)

rolldown/tsdown (tsdown)

v0.21.4

Compare Source

   🚀 Features

• css: Add CSS modules support  -  by @​sxzz in #​834 (2a88a)

   🐞 Bug Fixes

• exports: Preserve CRLF line endings in package.json  -  by @​sxzz (a4d4e)

    View changes on GitHub

v0.21.3

Compare Source

   🚀 Features

• copy: Add support for watching copy source files  -  by @​schplitt in #​721 (7c23a)

   🐞 Bug Fixes

• css: Watch inline CSS files in watch mode  -  by @​sxzz (2051a)
• exports: Sort inlined dependencies by package name  -  by @​sxzz (0ec71)
• publint: Support Yarn v1  -  by @​sxzz (4a291)
• unbundle: Root should be lowest common ancestor of entry files  -  by @​sxzz (f1823)

    View changes on GitHub

v0.21.2

Compare Source

   🚨 Breaking Changes

• exe: Add exe.outDir for separate executable output dir, defaults to build  -  by @​sxzz (d49ef)

Note: Executable is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• Add root option for controlling output directory structure  -  by @​sxzz (bad2d)
• deps: Rename onlyAllowBundle to onlyBundle  -  by @​peaklabs-dev and @​sxzz in #​819 (cbd7b)

   🐞 Bug Fixes

• css: Skip data URIs and external URLs in CSS url() rebasing  -  by @​sxzz (13907)

    View changes on GitHub

v0.21.1

Compare Source

   🚨 Breaking Changes

• css: Move all CSS support to @tsdown/css package  -  by @​sxzz in #​809 (1b1a1)

[!IMPORTANT]
If you are using CSS features (e.g., CSS imports), you now need to manually install the @tsdown/css package:

npm install @​tsdown/css -D
# or
pnpm add @​tsdown/css -D

Note: CSS support is still an experimental feature and does not follow SemVer. Breaking changes may occur in any release.

   🚀 Features

• css:
  • Add css.inject option to preserve CSS imports in JS output  -  by @​sxzz and Claude Haiku 4.5 in #​808 (ad745)
  • Support ?inline query for CSS imports  -  by @​sxzz in #​810 (b7379)
  • Support node_modules package resolution  -  by @​sxzz and Claude Haiku 4.5 in #​812 (b06b4)

   🐞 Bug Fixes

• Generate correct filename for sass files when dts is enabled  -  by @​ocavue in #​802 (848a7)
• css:
  • Handle virtual module IDs from framework plugins  -  by @​sxzz (c421f)
  • Ignore css imports with URL query  -  by @​ocavue and @​sxzz in #​806 (c1d23)

    View changes on GitHub

cloudflare/workers-sdk (wrangler)

v4.74.0

Compare Source

Minor Changes

• #​10896 351e1e1 Thanks @​devin-ai-integration! - feat: add --secrets-file parameter to wrangler deploy and wrangler versions upload

  You can now upload secrets alongside your Worker code in a single operation using the --secrets-file parameter on both wrangler deploy and wrangler versions upload. The file format matches what's used by wrangler versions secret bulk, supporting both JSON and .env formats.

  Example usage:

  wrangler deploy --secrets-file .env.production
  wrangler versions upload --secrets-file secrets.json

  Secrets not included in the file will be inherited from the previous version, matching the behavior of wrangler versions secret bulk.

• #​12873 2b9a186 Thanks @​gpanders! - Add wrangler containers instances <application_id> command to list container instances

  Lists all container instances for a given application, matching the Dash instances view. Displays instance ID, state, location, version, and creation time. Supports pagination for applications with many instances. Also adds paginated request support to the containers-shared API client.

Patch Changes

• #​12873 2b9a186 Thanks @​gpanders! - Add escapeCodeTimeout option to onKeyPress utility for faster Esc key detection

  The onKeyPress utility now accepts an optional escapeCodeTimeout parameter that controls how long readline waits to disambiguate a standalone Esc press from multi-byte escape sequences (e.g. arrow keys). The default remains readline's built-in 500ms, but callers can pass a lower value (e.g. 25ms) for near-instant Esc handling in interactive prompts.

• #​12676 65f1092 Thanks @​dario-piotrowicz! - Fix autoconfig package installation always failing at workspace roots

  When running autoconfig at the root of a monorepo workspace, package installation commands now include the appropriate workspace root flags (--workspace-root for pnpm, -W for yarn). This prevents errors like "Running this command will add the dependency to the workspace root" that previously occurred when configuring projects at the workspace root.

  Additionally, autoconfig now allows running at the workspace root if the root directory itself is listed as a workspace package (e.g., workspaces: ["packages/*", "."]).

• #​12841 7b0d8f5 Thanks @​dario-piotrowicz! - Fix unclear error when assets upload session returns a null response

  When deploying assets, if the Cloudflare API returns a null response object, Wrangler now provides a clear error message asking users to retry instead of failing with a confusing error.

• Updated dependencies [ade0aed]:

  • miniflare@​4.20260312.1

v4.73.0

Compare Source

Minor Changes

• #​12853 ff543e3 Thanks @​gpanders! - Deprecate SSH passthrough flags in wrangler containers ssh

  The --cipher, --log-file, --escape-char, --config-file, --pkcs11, --identity-file, --mac-spec, --option, and --tag flags are now deprecated. These flags expose OpenSSH-specific options that are tied to the current implementation. A future release will replace the underlying SSH transport, at which point these flags will be removed. They still function for now.

• #​12815 e63539d Thanks @​NuroDev! - Support disabling persistence in unstable_startWorker() and unstable_dev()

  You can now disable persistence entirely by setting persist: false in the dev options:

  const worker = await unstable_dev("./src/worker.ts", {
  	persist: false,
  });

  Or when using unstable_startWorker():

  const worker = await unstable_startWorker({
  	entrypoint: "./src/worker.ts",
  	dev: {
  		persist: false,
  	},
  });

  This is useful for testing scenarios where you want to ensure a clean state on each run without any persisted data from previous runs.

Patch Changes

• #​12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.