fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@astrojs/cloudflare (source)	13.5.5 → 13.7.0
@astrojs/react (source)	5.0.5 → 5.0.7
@commitlint/cli (source)	21.0.1 → 21.0.2
@commitlint/config-conventional (source)	21.0.1 → 21.0.2
@tailwindcss/vite (source)	4.3.0 → 4.3.1
@types/react (source)	19.2.15 → 19.2.17
astro (source)	^6.3.8 → ^6.4.6
lucide-react (source)	^1.17.0 → ^1.18.0
prettier (source)	3.8.3 → 3.8.4
radix-ui (source)	^1.4.3 → ^1.5.0
react (source)	^19.2.6 → ^19.2.7
react-dom (source)	^19.2.6 → ^19.2.7
tailwindcss (source)	4.3.0 → 4.3.1
undici (source)	8.3.0 → 8.4.1
wrangler (source)	4.95.0 → 4.100.0
yarn (source)	4.15.0 → 4.16.0

---

Release Notes

withastro/astro (@​astrojs/cloudflare)

v13.7.0

Compare Source

Minor Changes

• #​16571 d4b0cd1 Thanks @​MA2153! - Sets immutable cache headers for static assets

  Static assets under _astro can be cached to improve performance. The adapter now automatically injects a Cache-Control header at build time when possible.

Patch Changes

• #​16968 7a5c001 Thanks @​astrobot-houston! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

v13.6.1

Compare Source

Patch Changes

• #​16914 4bdd240 Thanks @​matthewp! - Fixes astro/fetch and astro/hono being discovered at runtime during dev instead of pre-bundled

• #​16693 9e6edc2 Thanks @​ArmandPhilippot! - Fixes a link in the documentation specifying where to open an issue for the adapter.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

v13.6.0

Compare Source

Minor Changes

• #​16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

@astrojs/cloudflare/fetch

For use with astro/fetch in a custom fetch handler:

import { astro, FetchState } from 'astro/fetch';
import { cf } from '@​astrojs/cloudflare/fetch';

export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
    const state = new FetchState(request);
    const asset = await cf(state, env, ctx);
    if (asset) return asset;
    return astro(state);
  },
};

@astrojs/cloudflare/hono

For use with astro/hono as Hono middleware:

import { Hono } from 'hono';
import { actions, middleware, pages, i18n } from 'astro/hono';
import { cf } from '@​astrojs/cloudflare/hono';

const app = new Hono<{ Bindings: Env }>();

app.use(cf());
app.use(actions());
app.use(middleware());
app.use(pages());
app.use(i18n());

export default app;

Both handlers configure SESSION KV bindings, static asset serving via the ASSETS binding, locals.cfContext, client address, waitUntil, and prerendered error page fetch.

Patch Changes

• #​16868 f9bae95 Thanks @​helio-cf! - Fixes user options passed to cloudflare({...}) (remoteBindings, inspectorPort, persistState, configPath, auxiliaryWorkers) being silently ignored during astro preview. The adapter now resolves the full @cloudflare/vite-plugin config once at integration setup time and reuses that single resolved value across the dev/build plugin, the prerenderer's preview server, and the astro preview entrypoint, so user options can no longer be dropped at one of the call sites.

• #​16468 4cff3a1 Thanks @​matthewp! - Fixes static Cloudflare builds with server islands or image endpoints that failed at preview time due to mismatched output directories.

• Updated dependencies [f732f3c]:

  • @​astrojs/internal-helpers@​0.10.0
  • @​astrojs/underscore-redirects@​1.0.3

withastro/astro (@​astrojs/react)

v5.0.7

Compare Source

Patch Changes

• #​16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

v5.0.6

Compare Source

Patch Changes

• Updated dependencies [f732f3c]:
  • @​astrojs/internal-helpers@​0.10.0

conventional-changelog/commitlint (@​commitlint/cli)

v21.0.2

Compare Source

Bug Fixes

• disallow same commit hash for --from and --to (#​4773) (121005e)

conventional-changelog/commitlint (@​commitlint/config-conventional)

v21.0.2

Compare Source

Note: Version bump only for package @​commitlint/config-conventional

tailwindlabs/tailwindcss (@​tailwindcss/vite)

v4.3.1

Compare Source

Added

• Add --silent option to suppress output in @tailwindcss/cli (#​20100)

Fixed

• Remove deprecation warnings by using Module#registerHooks instead of Module#register on Node 26+ (#​20028)
• Canonicalization: don't crash when plugin utilities throw for unsupported values (#​20052)
• Allow @apply to be used with CSS mixins (#​19427)
• Ensure not-* correctly negates @container queries, including style(…) queries (#​20059)
• Ensure drop-shadow-* color utilities work with custom shadow values containing calc(…) (#​20080)
• Fix 'Sourcemap is likely to be incorrect' warnings when using @tailwindcss/vite (#​20103)
• Ensure @tailwindcss/webpack can be installed in Rspack projects without requiring webpack as a peer dependency (#​20027)
• Canonicalization: don't suggest invalid calc(…) expressions (e.g. px-[calc(1rem+0px)] → px-[calc(1rem+0)]) (#​20127)
• Canonicalization: avoid suggesting large spacing-scale values for arbitrary lengths (e.g. left-[99999px] → left-[99999px], not left-24999.75) (#​20130)
• Ensure @tailwindcss/cli in --watch mode recovers when a tracked dependency is deleted and restored (#​20137)
• Ensure standalone @tailwindcss/cli binaries are ignored when scanning for class candidates (#​20139)
• Ensure class candidates are extracted from Twig addClass(…) and removeClass(…) calls (#​20198)
• Don't crash in the Ruby or Vue preprocessors when scanning files containing invalid UTF-8 bytes (#​19588)
• Allow @variant to be used inside addBase (#​19480)
• Ensure @source globs with symlinks are preserved (#​20203)
• Ensure later @source rules can re-include files excluded by earlier @source not rules (#​20203)
• Upgrade: don't migrate empty class rules to invalid @utility rules (#​20205)
• Ensure transitions between inset-shadow-none and other inset shadows work correctly (#​20208)
• Ensure explicitly referenced @source directories are scanned even when ignored by git (#​20214)
• Ensure @source globs ending in **/* preserve dynamic path segments to avoid scanning too many files (#​20217)
• Canonicalization: don't fold calc(…) divisions when the result would require high precision (e.g. w-[calc(100%/3.5)] → w-[calc(100%/3.5)], not w-[28.571428571428573%]) (#​20221)
• Serve ESM type declarations to ESM importers of @tailwindcss/postcss (#​20228)

Changed

• Generate 0 instead of calc(var(--spacing) * 0) for spacing utilities like m-0 and left-0 (#​20196)
• Generate var(--spacing) instead of calc(var(--spacing) * 1) for spacing utilities like m-1 and left-1 (#​20196)

withastro/astro (astro)

v6.4.6

Compare Source

Patch Changes

• #​16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #​17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #​17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

v6.4.5

Compare Source

Patch Changes

• #​16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #​16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #​16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

v6.4.4

Compare Source

Patch Changes

• #​16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #​16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #​16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #​16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #​16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #​16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #​16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

v6.4.3

Compare Source

Patch Changes

• #​16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #​16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #​16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #​16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #​16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

• #​16908 ef53ab9 Thanks @​florian-lefebvre! - Improves optimized fallbacks generation when using the Fonts API by using better metrics for bold variants

lucide-icons/lucide (lucide-react)

v1.18.0: Version 1.18.0

Compare Source

What's Changed

• chore(site): Remove survey from site by @​ericfennis in #​4417
• feat(icons): added play-off icon by @​Ahmed-Dghaies in #​4412
• fix(metadata): add missing use-cases prop on play-off.json by @​karsa-mistmere in #​4423
• fix(docs): force hide #bb-banner, if html.has-bb-banner is missing by @​karsa-mistmere in #​4422
• fix(docs): Remove @next from installation instructions for@lucide/svelte by @​alecglassford in #​4432
• feat(packages/angular): add support for Angular v22 and onwards by @​karsa-mistmere in #​4450
• fix(ci): add check to skip release if latest tag was created today by @​ericfennis in #​4085
• feat(icons): added webcam-off icon by @​jordan-burnett in #​4242

New Contributors

• @​alecglassford made their first contribution in #​4432
• @​jordan-burnett made their first contribution in #​4242

Full Changelog: lucide-icons/lucide@1.17.0...1.18.0

prettier/prettier (prettier)

v3.8.4

Compare Source

radix-ui/primitives (radix-ui)

v1.5.0

Context Menu

• Added support for a controlled open prop on ContextMenu.Root. This is intended for reading the open state and closing the menu programmatically, though we discourage opening the menu programmatically since opening the menu depends on user interaction to position the menu.

  function ControlledContextMenu() {
    const [open, setOpen] = React.useState(false);
    return (
      <ContextMenu.Root open={open} onOpenChange={setOpen}>
        <ContextMenu.Trigger>Open</ContextMenu.Trigger>
        <ContextMenu.Content>
          <button type="button" onClick={() => setOpen(false)}>
            Close me
          </button>
          <ContextMenu.Item>Item 1</ContextMenu.Item>
          <ContextMenu.Item>Item 2</ContextMenu.Item>
        </ContextMenu.Content>
      </ContextMenu.Root>
    );
  }

• Fixed a bug in where submenus remained expanded after re-opening on long-press touch events.

Dialog

• Fixed a bug where iOS text selection and editing on HTML inputs within dialogs were broken.
• Fixed a bug causing disabled pointer events in closed dialogs.

One-Time Password Field

• Fixed pasting into One-Time Password Field in environments that do not support the legacy "Text" clipboard format by reading the pasted value as "text/plain".
• Fixed issues with focus management in React 19.2+.
• Fixed a bug to ensure that pasted values exceeding the field length are truncated.

Popper

• Fixed a "Maximum update depth exceeded" bug for pages with a large number of popper instances.
• Exposed data-side and data-align on PopperAnchor element

Presence

• Fixed a "Maximum update depth exceeded" bug in React 19 that could occur when Presence was given a child with an unstable ref.

Radio Group

• Added unstable RadioGroupItemProvider, RadioGroupItemTrigger and RadioGroupItemBubbleInput parts. These expose the previously internal composition of a radio item that included a visually hidden input so consumers can directly access and recompose them. The RadioGroupItem component continues to render them by default.

  import { RadioGroup } from 'radix-ui';
  
  function ExampleRadioGroup() {
    return (
      <RadioGroup.Root>
        {['one', 'two', 'three'].map((value) => (
          <RadioGroup.unstable_ItemProvider key={value} value={value}>
            <RadioGroup.unstable_ItemTrigger>
              <RadioGroup.Indicator />
            </RadioGroup.unstable_ItemTrigger>
            {/* the hidden input is now exposed and can be omitted if not needed */}
            <RadioGroup.unstable_ItemBubbleInput />
          </RadioGroup.unstable_ItemProvider>
        ))}
      </RadioGroup.Root>
    );
  }

Select

• Added unstable Provider and BubbleInput parts to Select. These expose the previously internal composition that included a visually hidden select so consumers can directly access and recompose them. Select continues to render them by default.

  import { Select } from 'radix-ui';
  
  function ExampleSelect() {
    return (
      <Select.unstable_Provider>
        <Select.Trigger />
        <Select.Portal />
        {/* the hidden input is now exposed and can be omitted if not needed */}
        <Select.unstable_BubbleInput />
      </Select.unstable_Provider>
    );
  }

• Added support for presence-based exit animations.

• Fixed the bubble hidden input so that submits an empty string when no value is selected.

• Fixed select closing unexpectedly after touch-scrolling its content when rendered inside an open shadow DOM.

• Fixed SelectValue logging invalid prop errors when used with both asChild and a placeholder

Slider

• Added unstable ThumbProvider, ThumbTrigger, and BubbleInput parts to Slider. SliderThumb was previously a single component that implicitly rendered a hidden native input for form submission. It is now composed from these new parts, which are exposed so consumers can decouple the visually hidden input from the thumb. SliderThumb continues to render them by default.

  import { Slider } from 'radix-ui';
  
  function ExampleSlider() {
    return (
      <Slider.Root defaultValue={[data.price.min, data.price.max]}>
        <Slider.Track>
          <Slider.Range />
        </Slider.Track>
  
        <Slider.unstable_ThumbProvider name="price[min]">
          <Slider.unstable_ThumbTrigger />
          {/* the hidden input is now exposed and can be omitted if not needed */}
          <Slider.unstable_BubbleInput />
        </Slider.unstable_ThumbProvider>
  
        <Slider.unstable_ThumbProvider name="price[max]">
          <Slider.unstable_ThumbTrigger />
          <Slider.unstable_BubbleInput />
        </Slider.unstable_ThumbProvider>
      </Slider.Root>
    );
  }

• Added focusVisible for non-keyboard interactions with slider thumbs for progressively enabling styles using :focus-visible alongside programmatic focus management.

• Fixed a Slider bug where very small step values made the thumbs unresponsive.

• Fixed focus bugs for sliders in a scrollable context.

Slot

• Added support for nested Slottable items via a render prop. This allows a slotted element to be wrapped while still merging Slot props and refs onto it.
• Fixed infinite re-render loop in React 19 caused by Slot creating a new ref callback on every render.
• Improved error messages for invalid slot children.

Switch

• Added unstable Provider, Trigger and BubbleInput parts to Switch. These expose the previously internal composition that included a visually hidden input so consumers can directly access and recompose them. The Switch component continues to render them by default.

  import { Switch } from 'radix-ui';
  
  function ExampleSwitch() {
    return (
      <Switch.unstable_Provider>
        <Switch.unstable_Trigger>
          <Switch.Thumb />
        </Switch.unstable_Trigger>
        {/* the hidden input is now exposed and can be omitted if not needed */}
        <Switch.unstable_BubbleInput />
      </Switch.unstable_Provider>
    );
  }

Tooltip

• Fixed a runtime error when an event target is a non-Node entity.
• Fixed a Tooltip bug so that skipDelayDuration={0} works as expected. Previously, the open delay could still be skipped when moving between triggers.

Other changes

• Use React's built-in useSyncExternalStore (React 18+) instead of importing the CJS-only use-sync-external-store/shim, with a fallback for React < 18. The shim called require("react") at module-evaluation time, which crashed ESM-only browser bundles when importing some components from the radix-ui package.
• Fixed triggers referencing a non-existent elements via aria-controls when their content is removed from the DOM (credit to @​dodomorandi for the original PR).
• Fixed a performance bottleneck where opening an overlay re-scanned the document and re-inserted the focus guards on every mount, forcing a synchronous reflow. The shared guard pair is now cached and only written to the DOM when their edge position actually changes.
• Added missing use client directives to modules causing errors in RSC modules.
• Added align prop to Menu.SubContent.
• Fixed missing data-state attribute for Scroll Area scrollbars.
• Allow to specify container for Toast.Announce.

facebook/react (react)

v19.2.7

Compare Source

facebook/react (react-dom)

v19.2.7

Compare Source

nodejs/undici (undici)

v8.4.1

Compare Source

What's Changed

• test: avoid localhost lookup in fetch cookies tests by @​mcollina in #​5363
• fix: prevent race condition between onEnd and onTrailers in HTTP/2 client (#​5216) by @​mcollina in #​5343
• fix(dns): skip requests without origin by @​marko1olo in #​5376
• docs: add Getting Started guide by @​AliMahmoudDev in #​5371
• docs: fix code examples that crash at runtime and other inaccuracies by @​AliMahmoudDev in #​5386
• fix: handle paused parser on socket end (issue #​5360) by @​mcollina in #​5389
• fix(client): reject pipelined TLS altname errors by @​marko1olo in #​5373
• docs: fix multiple inaccuracies in API documentation by @​AliMahmoudDev in #​5384
• docs: fix remaining broken links in API documentation by @​AliMahmoudDev in #​5342

New Contributors

• @​marko1olo made their first contribution in #​5376

Full Changelog: nodejs/undici@v8.4.0...v8.4.1

v8.4.0

Compare Source

What's Changed

• fix: register connect listener before initiating requests in close-and-destroy test by @​mcollina in #​5272
• test: stabilize tls-cert-leak regression by @​mcollina in #​5306
• fix: replace tspl with native test context in test/examples.js by @​mcollina in #​5300
• http2: remove redundant request stream binding by @​trivikr in #​5302
• test: limit cache-tests workers on Windows by @​mcollina in #​5309
• test: use test context cleanup hooks in parser issue tests by @​mcollina in #​5282
• Add redirect option to strip headers on redirect by @​mcollina in #​5281
• chore(test): fix lint failure by @​aduh95 in #​5316
• chore(ci): use npm ci instead of npm install by @​aduh95 in #​5315
• docs: clarify formData security considerations by @​mcollina in #​5320
• docs: add EventSource server example by @​Will-thom in #​5321
• fix(core): simplify addAbortListener util by @​aduh95 in #​5317
• build(deps-dev): bump ws from 8.20.0 to 8.21.0 by @​dependabot[bot] in #​5325
• build(deps-dev): bump jsondiffpatch from 0.7.3 to 0.7.6 by @​dependabot[bot] in #​5313
• docs: match undici EoL to node version it's bundled in by @​trivikr in #​5330
• fix: handle all HTTP/2 request stream sync errors by @​mcollina in #​5311
• fix: preserve timeout errors for HTTP/2 requests by @​mcollina in #​5091
• fix(core): normalize autoSelectFamily timeout AggregateError by @​youcefzemmar in #​5329
• chore(core): define kEnumerableProperty atomically by @​aduh95 in #​5332
• chore(core): use regex.exec instead of string.match by @​aduh95 in #​5331
• fix: reset invalid HTTP/2 sessions by @​mcollina in #​5310
• feat(connect): add preferH2 connector option to offer h2 first in ALPN by @​Antamansid in #​5327
• test: fix flaky http2 trailers test by @​mcollina in #​5338
• fix(mock): restore single-arg MockCallHistory.filterCallsByX by @​youcefzemmar in #​5328
• docs: document missing error types in Errors.md by @​cesarvspr in #​5339
• build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @​dependabot[bot] in #​5346
• build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @​dependabot[bot] in #​5347
• build(deps): bump uWebSockets.js from v20.67.0 to v20.68.0 in /benchmarks by @​dependabot[bot] in #​5352
• build(deps): bump concurrently from 9.2.1 to 10.0.3 in /benchmarks by @​dependabot[bot] in #​5353
• build(deps): bump step-security/harden-runner from 2.19.1 to 2.19.4 by @​dependabot[bot] in #​5348
• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5351
• build(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5349
• docs: improve connect option documentation in Client.md by @​AliMahmoudDev in #​5344
• fix(mock): do not persist snapshots on close in playback mode by @​GeoffreyBooth in #​5359
• fix(fetch): remove abort listener when request settles by @​ATOM00blue in #​5318
• test: add Node.js global fetch regression coverage by @​mcollina in #​5361
• fix(h2): make Client multiplex on h2 (#​4143) by @​mcollina in #​5362

New Contributors

• @​Will-thom made their first contribution in #​5321
• @​youcefzemmar made their first contribution in #​5329
• @​Antamansid made their first contribution in #​5327
• @​cesarvspr made their first contribution in #​5339
• @​AliMahmoudDev made their first contribution in #​5344
• @​ATOM00blue made their first contribution in #​5318

Full Changelog: nodejs/undici@v8.3.0...v8.4.0

cloudflare/workers-sdk (wrangler)

v4.100.0

Compare Source

Minor Changes

• #​14119 2047a32 Thanks @​tahmid-23! - Serve local R2 bucket objects publicly via the dev server

  When running wrangler dev locally, objects in each local R2 binding are now reachable under /cdn-cgi/local/r2/public/<bucket-id>/<key> on the existing dev server, simulating a public bucket. The <bucket-id> is the bucket's bucket_name when set, otherwise its binding. Bindings configured with remote: true are not exposed.

• #​14202 e8561c2 Thanks @​jamesopstad! - Add experimental --x-new-config flag for authoring config in TypeScript

  This is an experimental, opt-in feature. When enabled, wrangler dev, wrangler build, wrangler deploy, wrangler versions upload, and wrangler versions deploy load the Worker's configuration from a cloudflare.config.ts file instead of wrangler.json / wrangler.jsonc / wrangler.toml. Additionally, an optional wrangler.config.ts file can be provided for Wrangler-specific dev/build configuration.

  • cloudflare.config.ts (required) — Worker runtime configuration (bindings, triggers, observability, placement, limits, compatibility, routes, etc.). Authored via defineWorker from wrangler/experimental-config.
  • wrangler.config.ts (optional) — Tooling / bundling / dev-server configuration (noBundle, minify, alias, define, rules, tsconfig, build, dev, assetsDirectory, etc.). Authored via defineWranglerConfig from wrangler/experimental-config.

  Per-environment configuration is via ctx.mode branching inside the function form of either file.

  Example cloudflare.config.ts:

  import { defineWorker, bindings } from "wrangler/experimental-config";
  import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
  
  export default defineWorker((ctx) => ({
  	name: "my-worker",
  	entrypoint,
  	compatibilityDate: "2026-05-18",
  	env: {
  		MY_KV: bindings.kv(),
  		MY_TEXT: bindings.text(`The mode is ${ctx.mode}`),
  	},
  }));

  Example wrangler.config.ts:

  import { defineWranglerConfig } from "wrangler/experimental-config";
  
  export default defineWranglerConfig({
    minify: true,
    assetsDirectory: "./public",
  });

  Because this is experimental, the flag, the config formats, and the wrangler/experimental-config exports may change in any release.

Patch Changes

• #​14185 98c9afe Thanks @​penalosa! - Use the shared env-credential resolver from @cloudflare/workers-auth

  No user-facing behaviour change. Credential resolution order (global API key + email → CLOUDFLARE_API_TOKEN → stored OAuth token) is preserved.

• #​14184 e305126 Thanks @​penalosa! - Add an experimental cf-wrangler delegate entrypoint for projects that can't use @cloudflare/vite-plugin (service workers, old compatibility dates, Python, Rust, etc.).

  cf-wrangler dev starts the same local dev server as wrangler dev — it sits directly on wrangler's internal dev server, so the bundling and runtime behaviour are identical — but exposes a deliberately narrow CLI surface (--mode, --port, --host, --local) for a parent CLI to delegate to, and other dev server config options are read from the wrangler config file.

  This replaces the separate @cloudflare/wrangler-bundler package. This is an internal integration point and is not intended to be run directly by users.

• #​14246 f3990b2 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260609.1	1.20260610.1

• #​14256 4597f08 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260610.1	1.20260611.1

• #​14243 25722ac Thanks @​com6056! - Fi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	seren-dev	6bc430f	Jun 16 2026, 12:00 AM

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud