chore(deps): bump the cloudflare group across 1 directory with 5 updates #91

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/cloudflare-972017b715

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the cloudflare group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @cloudflare/vitest-pool-workers | 0.14.7 | 0.16.9 |
| @cloudflare/workers-types | 4.20260410.1 | 4.20260526.1 |
| wrangler | 4.83.0 | 4.94.0 |
| @cloudflare/containers | 0.0.25 | 0.3.4 |
| @cloudflare/sandbox | 0.9.1 | 0.10.2 |

Updates @cloudflare/vitest-pool-workers from 0.14.7 to 0.16.9

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.16.9

Patch Changes

  • #13933 90092c0 Thanks @​petebacondarwin! - Derive bundler externals from package.json and shrink the published bundle

    The bundler's external list was previously hand-maintained and out of sync with package.json: undici and semver were both listed as external despite being only devDependencies. The published dist/pool/index.mjs consequently contained a top-level import { fetch } from "undici" that was only resolvable because pnpm happened to hoist undici from other packages' devDependencies during local development.

    The bundler now derives its external list from dependencies + peerDependencies in package.json, making it impossible for a devDependency to silently end up externalized.

    Combined with the new "sideEffects": false declaration in @cloudflare/workers-utils, the unused cloudflared / tunnel exports (and their transitive undici import) are now tree-shaken out of the pool entirely. dist/pool/index.mjs no longer references undici at all, and shrinks from ~489 KB to ~125 KB.

  • Updated dependencies [52e9082, 0733688, fc1f7b9, 30657e1, 8c569c6, f598eac, 3a1fbed]:

    • wrangler@4.94.0
    • miniflare@4.20260521.0

@​cloudflare/vitest-pool-workers@​0.16.8

Patch Changes

  • #13919 c7eab7f Thanks @​petebacondarwin! - Fix the outbound CF-Worker header reflecting the route pattern hostname instead of the parent zone, and falling back to <worker-name>.example.com under vite dev, vitest-pool-workers, and getPlatformProxy

    Two related issues affected the CF-Worker header on outbound subrequests in local development:

    1. Under @cloudflare/vite-plugin, @cloudflare/vitest-pool-workers, and getPlatformProxy, the header fell back to <worker-name>.example.com even when routes were configured, because unstable_getMiniflareWorkerOptions and the equivalent getPlatformProxy worker-options path did not propagate a zone value to Miniflare. This broke local development against services that reject unknown CF-Worker hosts (for example, Apple WeatherKit returns 403 Forbidden).
    2. Across the above paths and wrangler dev --local, when a route used the zone_name field (for example { pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production sets CF-Worker to the zone name that owns the Worker, so this was inconsistent with deployed behaviour.

    Both bugs are fixed: the new unstable_getMiniflareWorkerOptions / getPlatformProxy path now propagates a zone derived from the first configured route, and all four local-dev paths now prefer a route's explicit zone_name over the pattern hostname when computing that zone. When zone_name isn't set, the existing best-effort behaviour is preserved — for wrangler dev this means dev.host is still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone for zone_id-only, custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.

    Note: dev.host is intentionally not consulted by the unstable_getMiniflareWorkerOptions / getPlatformProxy paths — the dev config block is specific to wrangler dev.

  • Updated dependencies [fa1f61f, 2679e05, 7e40d98, adc9221, 735852d, d803737, c7eab7f, e04e180, 59cd880, 62abf97, e8c2031, e349fe0, da0fa8c, a5c9365]:

    • miniflare@4.20260520.0
    • wrangler@4.93.1

@​cloudflare/vitest-pool-workers@​0.16.7

Patch Changes

  • #13961 2cb658c Thanks @​threepointone! - Preserve same-stub RPC call order for wrapped Worker and Durable Object entrypoints

    Previously, dynamically wrapped RPC methods could resolve and invoke out of order when many calls were fired without awaiting each individual call. This now queues method resolution per wrapper instance so calls begin in the order they were received.

  • Updated dependencies [aac7ca0, b25dc0d, ae047ee, a4f22bc, f78d435, aac7ca0, c5c9e20, ebf4b24, b27eb18, 895baf5, 7bcdf45]:

    • wrangler@4.93.0
    • miniflare@4.20260518.0

@​cloudflare/vitest-pool-workers@​0.16.6

Patch Changes

  • #13833 0e4a830 Thanks @​thegeekasteroid! - Filter benign disconnected: WebSocket peer disconnected workerd stderr noise during test runs.

    The ignoreMessages array in the pool already filters several benign workerd disconnect messages (e.g. disconnected: WebSocket was aborted). On recent workerd versions, tests that exercise the WebSocket API also surface disconnected: WebSocket peer disconnected warnings during normal teardown. These are not user-actionable and obscure real test failures. Add the message to the existing filter alongside the other disconnected: entries.

... (truncated)

Updates @cloudflare/workers-types from 4.20260410.1 to 4.20260526.1

Updates wrangler from 4.83.0 to 4.94.0

Release notes

Sourced from wrangler's releases.

wrangler@4.94.0

Minor Changes

  • #13897 52e9082 Thanks @​dario-piotrowicz! - Add automatic Cloudflare skills installation for AI coding agents

    Wrangler now detects AI coding agents and offers to install Cloudflare skill files from the cloudflare/skills GitHub repository. Users are prompted once interactively; subsequent runs skip the prompt. Use --install-skills to install without prompting.

  • #13989 f598eac Thanks @​MattieTK! - Print a QR code alongside the tunnel URL when sharing via Cloudflare Tunnel

    When a tunnel is started (via wrangler dev --tunnel or the Vite plugin with tunnel: true), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.

    The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.

  • #13467 3a1fbed Thanks @​deloreyj! - Add schedule property to Workflow bindings for cron-based triggering

    Note: This is a configuration-only change. Scheduled triggering of Workflow instances is not yet available — adding schedule to a Workflow binding will not result in scheduled invocations at this time. This change lays the groundwork for an upcoming feature.

    Workflow bindings in wrangler.json now accept an optional schedule field that configures one or more cron expressions to automatically trigger new workflow instances on a schedule.

    // wrangler.json
    {
      "workflows": [
        {
          "binding": "MY_WORKFLOW",
          "name": "my-workflow",
          "class_name": "MyWorkflow",
          "schedule": "0 9 * * 1"
        }
      ]
    }

    Multiple schedules can be provided as an array:

    {
      "workflows": [
        {
          "binding": "MY_WORKFLOW",
          "name": "my-workflow",
          "class_name": "MyWorkflow",
          "schedule": ["0 9 * * 1", "0 17 * * 5"]
        }
      ]
    }

    The schedule is sent to the Workflows control plane on wrangler deploy. Configuring schedule on a workflow binding that references an external script_name is an error — the schedule must be configured on the worker that defines the workflow.

... (truncated)

Commits
  • b92f87c Version Packages (#13995)
  • fc1f7b9 [wrangler] Fix Access Service Token authentication for service-auth-only apps...
  • f598eac [wrangler][vite-plugin] Print QR code for tunnel URLs (#13989)
  • 52e9082 Add automatic Cloudflare skills installation for AI coding agents (#13897)
  • 0733688 build(deps): bump the workerd-and-workers-types group with 2 updates (#13993)
  • 8c569c6 [wrangler] Include column names in D1 SQL export (#12277)
  • 3a1fbed [wrangler] Add schedule property to Workflow bindings for cron-based triggeri...
  • 90092c0 [vitest-pool-workers] Stop externalizing devDependencies from the published b...
  • 5ee65d5 Version Packages (#13969)
  • e04e180 [wrangler] Improve asset upload retry log message (#13990)
  • Additional commits viewable in compare view

Updates @cloudflare/containers from 0.0.25 to 0.3.4

Release notes

Sourced from @​cloudflare/containers's releases.

v0.3.4

Patch Changes

  • 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

  • cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

    Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

  • cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

    class BigContainer extends Container {
      sleepAfter = '2h';
    }

    are now honored from the very first alarm check.

  • 07fedbb: Preserve Cloudchamber startup rate-limit errors in the Containers helper and return HTTP 429 from containerFetch() when startup is rate limited.

v0.3.3

Patch Changes

  • 7901d0b: Attach custom labels to your containers to help with observability and attribution. Set a labels property on your Container subclass, or pass labels in the startOptions argument to start() / startAndWaitForPorts(), and tag containers by tenant, environment, feature flag, canary cohort, or any other dimension you want to track. In local development, labels are visible on the underlying Docker container via docker inspect.

    class MyContainer extends Container {
      labels = { tenant: 'acme', env: 'prod' };
    }

v0.3.2

Patch Changes

  • e8895f1: Preserve response headers when proxying WebSocket upgrades through Container.fetch().

v0.3.1

Patch Changes

  • 0c06874: Remove debug console.log(props) statement from ContainerProxy initialization

v0.3.0

Minor Changes

  • 9b32add: Opt in to interceptOutboundHttps when interceptHttps = true

v0.2.4

Patch Changes

... (truncated)

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​cloudflare/containers since your current version.


Updates @cloudflare/sandbox from 0.9.1 to 0.10.2

Release notes

Sourced from @​cloudflare/sandbox's releases.

@​cloudflare/sandbox@​0.10.2

Patch Changes

  • #695 c6bf7dc Thanks @​aron-cf! - Add sandbox.tunnels namespace with quick-tunnel support. Call sandbox.tunnels.get(port) to obtain a https://<words>.trycloudflare.com URL that proxies to localhost:<port> inside the sandbox. The call is idempotent: repeated calls for the same port return the same record from per-sandbox Durable Object storage. No Cloudflare account or DNS setup required.

    const tunnel = await sandbox.tunnels.get(8080);
    console.log(tunnel.url);
    // → https://random-words-here.trycloudflare.com
    const same = await sandbox.tunnels.get(8080);
    console.log(same.url === tunnel.url); // true
    await sandbox.tunnels.list();
    await sandbox.tunnels.destroy(8080); // or destroy(tunnel)

  • #691 3ca24fc Thanks @​scuffi! - Add credential-less R2 bucket mounting via egress interception

  • #703 68c8b71 Thanks @​aron-cf! - Fix inconsistencies in the sandbox.desktop interface between RPC and HTTP transports

@​cloudflare/sandbox@​0.10.1

Patch Changes

  • #683 718d4e7 Thanks @​aron-cf! - readFile now accepts encoding: 'none' on the rpc transport, returning a result whose content is a ReadableStream<Uint8Array> of raw binary data with no base64 encoding or buffering. Mirrors the existing writeFile support for ReadableStream input.

    // Stream a binary file without buffering or base64 overhead (rpc transport only)
    const { content, size, mimeType } = await sandbox.readFile(
      '/workspace/image.png',
      { encoding: 'none' }
    );

@​cloudflare/sandbox@​0.10.0

Minor Changes

  • #659 7c09e87 Thanks @​mvanhorn! - Update the default sandbox image runtime from Node.js 20 to Node.js 24 so published images use the current Node.js LTS release. If your workload needs a different Node.js version, build a custom image with the NODE_VERSION Docker build argument.

Patch Changes

  • #679 21a5a2e Thanks @​aron-cf! - Fixed createBackup and restoreBackup with localBucket: true failing on the rpc transport for archives larger than ~24 MiB.

  • #659 7c09e87 Thanks @​mvanhorn! - Add NODE_VERSION build arg to the Dockerfile, allowing operators to customize the Node.js version used in sandbox container images.

@​cloudflare/sandbox@​0.9.4

Patch Changes

  • #669 10d3239 Thanks @​aron-cf! - Ensure the RPC transport successfully connects once the container has started. This should reduce the likelihood of hitting an `RPCTransportError: WebSocket upgrade failed: 503 Service

... (truncated)

Commits
  • 3b58a22 Version Packages (#699)
  • 68c8b71 Fix inconsistent interfaces between HTTP and RPC clients (#703)
  • 3ca24fc Implement no credential R2 binding mount support (#691)
  • 9e9e3f8 Bump turbo from 2.9.6 to 2.9.14 (#713)
  • dbcc489 fixup! Fix tunnels RPC when using vite-plugin
  • 2aca660 fixup! Attempt to fix tunnels rpc
  • aa1d485 fixup! Attempt to fix tunnels rpc
  • 412ed98 Fix tunnels RPC when using vite-plugin
  • 154861e Bump idna from 3.11 to 3.15 in /bridge/examples/workspace-chat/backend (#707)
  • 67406b4 Bump ws from 8.20.0 to 8.20.1 (#705)
  • Additional commits viewable in compare view
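
The 0.16.9 release note quoted above describes a published bundle that imported undici while undici was only a devDependency. The following is an added example, not part of the Dependabot comment or of the workers-sdk code: a check that compares a bundle's bare imports against the manifest's dependencies and peerDependencies. The manifest, the bundle text and all function names are constructed for illustration, and the import scan is a regex rather than a parser.

```javascript
// Added example: flag bare imports in a built bundle that the package's
// manifest does not declare as dependencies or peerDependencies.
// All names and sample data below are constructed for illustration.

// Constructed manifest: undici and semver are devDependencies only.
const samplePackageJson = {
  name: "example-pool",
  dependencies: { miniflare: "^4.0.0", zod: "^3.0.0" },
  peerDependencies: { vitest: "^4.0.0" },
  devDependencies: { undici: "^7.0.0", semver: "^7.0.0" },
};

// Constructed stand-in for a published dist/pool/index.mjs.
const sampleBundle = `
import { fetch } from "undici";
import { Miniflare } from "miniflare";
import path from "node:path";
import fs from "fs";
import { z } from "zod/v4";
import { helper } from "./chunk-abc.mjs";
export * from "vitest/config";
const lazy = await import("@scope/pkg/sub");
`;

// Partial list of Node built-ins that may appear without the node: prefix.
const NODE_BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "net", "os", "path", "stream", "tls", "url", "util", "zlib",
]);

// What a consumer's install is guaranteed to provide at runtime.
function deriveExternals(pkg) {
  return [
    ...Object.keys(pkg.dependencies ?? {}),
    ...Object.keys(pkg.peerDependencies ?? {}),
  ].sort();
}

// Map an import specifier to its package name, or null when it is not a
// registry package (relative path, scheme such as node: or cloudflare:, built-in).
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  if (/^[a-z][a-z0-9+.-]*:/i.test(specifier)) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Regex scan (not a parser): static import/export-from, side-effect import,
// dynamic import() and require() with a string literal.
function bareImports(source) {
  const re = /\b(?:from|import|require)\s*\(?\s*["']([^"']+)["']/g;
  const names = new Set();
  for (const match of source.matchAll(re)) {
    const name = packageNameOf(match[1]);
    if (name) names.add(name);
  }
  return names;
}

function auditBundle(pkg, source) {
  const allowed = new Set(deriveExternals(pkg));
  const devOnly = new Set(Object.keys(pkg.devDependencies ?? {}));
  return [...bareImports(source)]
    .filter((name) => !allowed.has(name))
    .sort()
    .map((name) => ({
      name,
      reason: devOnly.has(name) ? "devDependency only" : "not declared",
    }));
}

console.log(auditBundle(samplePackageJson, sampleBundle));
```

Run against the real tarball contents in CI, a non-empty result means the package only works when a package manager happens to hoist the missing module.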

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 19, 2026
@dependabot dependabot Bot changed the title from "chore(deps): bump the cloudflare group with 5 updates" to "chore(deps): bump the cloudflare group across 1 directory with 5 updates" May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/cloudflare-972017b715 branch 3 times, most recently from a77d941 to abe7593 May 24, 2026 10:41

Bumps the cloudflare group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) | `0.14.7` | `0.16.9` |
| [@cloudflare/workers-types](https://github.com/cloudflare/workerd) | `4.20260410.1` | `4.20260526.1` |
| [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.83.0` | `4.94.0` |
| [@cloudflare/containers](https://github.com/cloudflare/containers) | `0.0.25` | `0.3.4` |
| [@cloudflare/sandbox](https://github.com/cloudflare/sandbox-sdk) | `0.9.1` | `0.10.2` |



Updates `@cloudflare/vitest-pool-workers` from 0.14.7 to 0.16.9
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.9/packages/vitest-pool-workers)

Updates `@cloudflare/workers-types` from 4.20260410.1 to 4.20260526.1
- [Release notes](https://github.com/cloudflare/workerd/releases)
- [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md)
- [Commits](https://github.com/cloudflare/workerd/commits)

Updates `wrangler` from 4.83.0 to 4.94.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.94.0/packages/wrangler)

Updates `@cloudflare/containers` from 0.0.25 to 0.3.4
- [Release notes](https://github.com/cloudflare/containers/releases)
- [Changelog](https://github.com/cloudflare/containers/blob/main/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/containers/commits/v0.3.4)

Updates `@cloudflare/sandbox` from 0.9.1 to 0.10.2
- [Release notes](https://github.com/cloudflare/sandbox-sdk/releases)
- [Commits](https://github.com/cloudflare/sandbox-sdk/compare/@cloudflare/sandbox@0.9.1...@cloudflare/sandbox@0.10.2)

---
updated-dependencies:
- dependency-name: "@cloudflare/containers"
  dependency-version: 0.3.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/sandbox"
  dependency-version: 0.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/vitest-pool-workers"
  dependency-version: 0.16.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/workers-types"
  dependency-version: 4.20260519.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: wrangler
  dependency-version: 4.93.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/cloudflare-972017b715 branch from abe7593 to 21aa60c May 26, 2026 10:24