diff --git a/.changeset/dependabot-update-13926.md b/.changeset/dependabot-update-13926.md deleted file mode 100644 index 4ca5cc065e..0000000000 --- a/.changeset/dependabot-update-13926.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -"miniflare": patch -"wrangler": patch ---- - -Update dependencies of "miniflare", "wrangler" - -The following dependency versions have been updated: - -| Dependency | From | To | -| ---------- | ------------ | ------------ | -| workerd | 1.20260511.1 | 1.20260515.1 | diff --git a/.changeset/filter-websocket-peer-disconnected.md b/.changeset/filter-websocket-peer-disconnected.md deleted file mode 100644 index b2a1d5652f..0000000000 --- a/.changeset/filter-websocket-peer-disconnected.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"@cloudflare/vitest-pool-workers": patch ---- - -Filter benign `disconnected: WebSocket peer disconnected` workerd stderr noise during test runs. - -The `ignoreMessages` array in the pool already filters several benign workerd disconnect messages (e.g. `disconnected: WebSocket was aborted`). On recent workerd versions, tests that exercise the WebSocket API also surface `disconnected: WebSocket peer disconnected` warnings during normal teardown. These are not user-actionable and obscure real test failures. Add the message to the existing filter alongside the other `disconnected:` entries. diff --git a/.changeset/fine-years-create.md b/.changeset/fine-years-create.md deleted file mode 100644 index 79ef87c3dc..0000000000 --- a/.changeset/fine-years-create.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"wrangler": patch ---- - -Improve `wrangler types --env-interface` for multi-worker projects. - -Custom env interfaces generated by `wrangler types` no longer expand from `Cloudflare.Env`, avoiding some unintended type expansion when multiple workers' generated types are used together. diff --git a/.changeset/fix-oauth-refresh-stale-token.md b/.changeset/fix-oauth-refresh-stale-token.md deleted file mode 100644 index 13d78f1abd..0000000000 --- a/.changeset/fix-oauth-refresh-stale-token.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"wrangler": patch ---- - -Fix `Failed to fetch auth token: 401 Unauthorized` from sibling-rotated refresh tokens - -`refreshToken` previously used the refresh token from module-level `localState`, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (`~/Library/Preferences/.wrangler/config/default.toml` on macOS). The long-lived process — typically `wrangler dev` — then sends its stale in-memory token on the next refresh and gets `401 Unauthorized` from `https://dash.cloudflare.com/oauth2/token`, falling through to interactive login and timing out unattended. - -`refreshToken` now calls `reinitialiseAuthTokens()` before exchanging, picking up the latest refresh token written by any sibling process. The previously empty `catch {}` also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving. diff --git a/.changeset/fix-versions-secrets-placement.md b/.changeset/fix-versions-secrets-placement.md deleted file mode 100644 index 3e8a606697..0000000000 --- a/.changeset/fix-versions-secrets-placement.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"wrangler": patch ---- - -Fix `wrangler versions secret put/delete/bulk` to preserve the existing version's placement settings - -When creating a new version via `wrangler versions secret`, the previous code only re-emitted a bare `{ mode: "smart" }` placement when the API reported `placement_mode === "smart"`, dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip. diff --git a/.changeset/fix-wrangler-dev-query-string-rewrite.md b/.changeset/fix-wrangler-dev-query-string-rewrite.md deleted file mode 100644 index 23bd83cd3d..0000000000 --- a/.changeset/fix-wrangler-dev-query-string-rewrite.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"wrangler": patch ---- - -fix: stop rewriting query strings that happen to contain the request `Host` - -`wrangler dev` previously rewrote occurrences of the outer host inside `request.url`'s query string. For example, a request to `?echo=https%3A%2F%2Fdevelopment.test%2Fpath` with `Host: development.test` would be seen by the user worker as `?echo=https%3A%2F%2Fproduction.test%2Fpath`, silently mutating opaque application data such as `redirect_uri` values in OAuth flows. - -The proxy worker now sets the internal `MF-Original-URL` header *after* its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string. diff --git a/.changeset/green-books-accept.md b/.changeset/green-books-accept.md deleted file mode 100644 index f6638028c8..0000000000 --- a/.changeset/green-books-accept.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -"wrangler": minor ---- - -Add `wrangler artifacts` commands for managing Artifacts repos and repo tokens. - -This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access. - -The new commands support both human-readable output and `--json` output so they fit existing Wrangler automation patterns. diff --git a/.changeset/mighty-planes-give.md b/.changeset/mighty-planes-give.md deleted file mode 100644 index 06bec458aa..0000000000 --- a/.changeset/mighty-planes-give.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"wrangler": patch ---- - -Fix multi-environment warning when CLOUDFLARE_ENV is set - -Commands that warn when multiple environments are configured but none is specified (e.g. `wrangler deploy`, `wrangler secret put`) were not accounting for the `CLOUDFLARE_ENV` environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via `CLOUDFLARE_ENV`. diff --git a/.changeset/sour-falcons-share.md b/.changeset/sour-falcons-share.md deleted file mode 100644 index e85d42a9ad..0000000000 --- a/.changeset/sour-falcons-share.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"@cloudflare/vite-plugin": patch ---- - -Add a tunnel shortcut hint when CLI shortcuts are printed - -The Cloudflare Vite plugin now includes a `t + enter` tunnel hint alongside the other CLI shortcuts it prints. diff --git a/.changeset/versions-upload-keep-vars.md b/.changeset/versions-upload-keep-vars.md deleted file mode 100644 index 696d657872..0000000000 --- a/.changeset/versions-upload-keep-vars.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"wrangler": minor ---- - -Add `--keep-vars` flag to `wrangler versions upload`, matching the existing behavior in `wrangler deploy`. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload. diff --git a/.changeset/vite-plugin-honor-upstream-protocol.md b/.changeset/vite-plugin-honor-upstream-protocol.md deleted file mode 100644 index a118d2ea99..0000000000 --- a/.changeset/vite-plugin-honor-upstream-protocol.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -"@cloudflare/vite-plugin": patch ---- - -Honor `X-Forwarded-Proto` when constructing the Worker's `request.url` - -When running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's `request.url` was always `http://...` even though the client reached the server over `https://...`. This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with `403`. - -The Vite plugin now reads the `X-Forwarded-Proto` header from the incoming request and uses it to set the protocol of `request.url`. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs. - -Fixes [#13801](https://github.com/cloudflare/workers-sdk/issues/13801). diff --git a/packages/miniflare/CHANGELOG.md b/packages/miniflare/CHANGELOG.md index 2ee0344a0f..367976fcf6 100644 --- a/packages/miniflare/CHANGELOG.md +++ b/packages/miniflare/CHANGELOG.md @@ -1,5 +1,17 @@ # miniflare +## 4.20260515.0 + +### Patch Changes + +- [#13926](https://github.com/cloudflare/workers-sdk/pull/13926) [`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd) Thanks [@dependabot](https://github.com/apps/dependabot)! - Update dependencies of "miniflare", "wrangler" + + The following dependency versions have been updated: + + | Dependency | From | To | + | ---------- | ------------ | ------------ | + | workerd | 1.20260511.1 | 1.20260515.1 | + ## 4.20260511.0 ### Patch Changes diff --git a/packages/miniflare/package.json b/packages/miniflare/package.json index abd542b1d4..71a6c35707 100644 --- a/packages/miniflare/package.json +++ b/packages/miniflare/package.json @@ -1,6 +1,6 @@ { "name": "miniflare", - "version": "4.20260511.0", + "version": "4.20260515.0", "description": "Fun, full-featured, fully-local simulator for Cloudflare Workers", "keywords": [ "cloudflare", diff --git a/packages/pages-shared/CHANGELOG.md b/packages/pages-shared/CHANGELOG.md index 78dc18efd0..d4f1523de3 100644 --- a/packages/pages-shared/CHANGELOG.md +++ b/packages/pages-shared/CHANGELOG.md @@ -1,5 +1,12 @@ # @cloudflare/pages-shared +## 0.13.136 + +### Patch Changes + +- Updated dependencies [[`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd)]: + - miniflare@4.20260515.0 + ## 0.13.135 ### Patch Changes diff --git a/packages/pages-shared/package.json b/packages/pages-shared/package.json index ee1903fd33..8a9b9a5eb9 100644 --- a/packages/pages-shared/package.json +++ b/packages/pages-shared/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/pages-shared", - "version": "0.13.135", + "version": "0.13.136", "repository": { "type": "git", "url": "https://github.com/cloudflare/workers-sdk.git", diff --git a/packages/vite-plugin-cloudflare/CHANGELOG.md b/packages/vite-plugin-cloudflare/CHANGELOG.md index 014bb57680..3fd1f2e911 100644 --- a/packages/vite-plugin-cloudflare/CHANGELOG.md +++ b/packages/vite-plugin-cloudflare/CHANGELOG.md @@ -1,5 +1,25 @@ # @cloudflare/vite-plugin +## 1.37.1 + +### Patch Changes + +- [#13922](https://github.com/cloudflare/workers-sdk/pull/13922) [`23800f8`](https://github.com/cloudflare/workers-sdk/commit/23800f8dfd6c3c3cb45c5584fe5be83f1f115237) Thanks [@edmundhung](https://github.com/edmundhung)! - Add a tunnel shortcut hint when CLI shortcuts are printed + + The Cloudflare Vite plugin now includes a `t + enter` tunnel hint alongside the other CLI shortcuts it prints. + +- [#13920](https://github.com/cloudflare/workers-sdk/pull/13920) [`f579e57`](https://github.com/cloudflare/workers-sdk/commit/f579e575aed085447fe405377c4cee3cb93351ac) Thanks [@petebacondarwin](https://github.com/petebacondarwin)! - Honor `X-Forwarded-Proto` when constructing the Worker's `request.url` + + When running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's `request.url` was always `http://...` even though the client reached the server over `https://...`. This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with `403`. + + The Vite plugin now reads the `X-Forwarded-Proto` header from the incoming request and uses it to set the protocol of `request.url`. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs. + + Fixes [#13801](https://github.com/cloudflare/workers-sdk/issues/13801). + +- Updated dependencies [[`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd), [`3ff0a50`](https://github.com/cloudflare/workers-sdk/commit/3ff0a50349a78c17d64c45c0411771cc2d2dba0a), [`bf688f7`](https://github.com/cloudflare/workers-sdk/commit/bf688f7735d602e963a7907a4a703aa7de2038fe), [`2e72c83`](https://github.com/cloudflare/workers-sdk/commit/2e72c83aa95d25de343c396df67c0a35b83b70cd), [`802eaf4`](https://github.com/cloudflare/workers-sdk/commit/802eaf47fa28f5bfa3a07b0782acdaac6f12781d), [`506aa02`](https://github.com/cloudflare/workers-sdk/commit/506aa0243dbec68718170a9cf30f03c0ad0dd2b5), [`8f5cdb1`](https://github.com/cloudflare/workers-sdk/commit/8f5cdb14dda20f6036c2305195041105d4d109e3), [`be8a98c`](https://github.com/cloudflare/workers-sdk/commit/be8a98c2be0c83a270415ff4591e1b9971aab747)]: + - miniflare@4.20260515.0 + - wrangler@4.92.0 + ## 1.37.0 ### Minor Changes diff --git a/packages/vite-plugin-cloudflare/package.json b/packages/vite-plugin-cloudflare/package.json index 766a393a31..7798a37fe1 100644 --- a/packages/vite-plugin-cloudflare/package.json +++ b/packages/vite-plugin-cloudflare/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/vite-plugin", - "version": "1.37.0", + "version": "1.37.1", "description": "Cloudflare plugin for Vite", "keywords": [ "cloudflare", diff --git a/packages/vitest-pool-workers/CHANGELOG.md b/packages/vitest-pool-workers/CHANGELOG.md index e75beadc94..70b7b3c033 100644 --- a/packages/vitest-pool-workers/CHANGELOG.md +++ b/packages/vitest-pool-workers/CHANGELOG.md @@ -1,5 +1,17 @@ # @cloudflare/vitest-pool-workers +## 0.16.6 + +### Patch Changes + +- [#13833](https://github.com/cloudflare/workers-sdk/pull/13833) [`0e4a830`](https://github.com/cloudflare/workers-sdk/commit/0e4a830fa13d15614cad7655f14c3455009951c2) Thanks [@thegeekasteroid](https://github.com/thegeekasteroid)! - Filter benign `disconnected: WebSocket peer disconnected` workerd stderr noise during test runs. + + The `ignoreMessages` array in the pool already filters several benign workerd disconnect messages (e.g. `disconnected: WebSocket was aborted`). On recent workerd versions, tests that exercise the WebSocket API also surface `disconnected: WebSocket peer disconnected` warnings during normal teardown. These are not user-actionable and obscure real test failures. Add the message to the existing filter alongside the other `disconnected:` entries. + +- Updated dependencies [[`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd), [`3ff0a50`](https://github.com/cloudflare/workers-sdk/commit/3ff0a50349a78c17d64c45c0411771cc2d2dba0a), [`bf688f7`](https://github.com/cloudflare/workers-sdk/commit/bf688f7735d602e963a7907a4a703aa7de2038fe), [`2e72c83`](https://github.com/cloudflare/workers-sdk/commit/2e72c83aa95d25de343c396df67c0a35b83b70cd), [`802eaf4`](https://github.com/cloudflare/workers-sdk/commit/802eaf47fa28f5bfa3a07b0782acdaac6f12781d), [`506aa02`](https://github.com/cloudflare/workers-sdk/commit/506aa0243dbec68718170a9cf30f03c0ad0dd2b5), [`8f5cdb1`](https://github.com/cloudflare/workers-sdk/commit/8f5cdb14dda20f6036c2305195041105d4d109e3), [`be8a98c`](https://github.com/cloudflare/workers-sdk/commit/be8a98c2be0c83a270415ff4591e1b9971aab747)]: + - miniflare@4.20260515.0 + - wrangler@4.92.0 + ## 0.16.5 ### Patch Changes diff --git a/packages/vitest-pool-workers/package.json b/packages/vitest-pool-workers/package.json index 87e1474ec9..967eb9725d 100644 --- a/packages/vitest-pool-workers/package.json +++ b/packages/vitest-pool-workers/package.json @@ -1,6 +1,6 @@ { "name": "@cloudflare/vitest-pool-workers", - "version": "0.16.5", + "version": "0.16.6", "description": "Workers Vitest integration for writing Vitest unit and integration tests that run inside the Workers runtime", "keywords": [ "cloudflare", diff --git a/packages/wrangler/CHANGELOG.md b/packages/wrangler/CHANGELOG.md index 29d2fe36f1..c5668f11d6 100644 --- a/packages/wrangler/CHANGELOG.md +++ b/packages/wrangler/CHANGELOG.md @@ -1,5 +1,54 @@ # wrangler +## 4.92.0 + +### Minor Changes + +- [#13670](https://github.com/cloudflare/workers-sdk/pull/13670) [`506aa02`](https://github.com/cloudflare/workers-sdk/commit/506aa0243dbec68718170a9cf30f03c0ad0dd2b5) Thanks [@elithrar](https://github.com/elithrar)! - Add `wrangler artifacts` commands for managing Artifacts repos and repo tokens. + + This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access. + + The new commands support both human-readable output and `--json` output so they fit existing Wrangler automation patterns. + +- [#13916](https://github.com/cloudflare/workers-sdk/pull/13916) [`be8a98c`](https://github.com/cloudflare/workers-sdk/commit/be8a98c2be0c83a270415ff4591e1b9971aab747) Thanks [@emily-shen](https://github.com/emily-shen)! - Add `--keep-vars` flag to `wrangler versions upload`, matching the existing behavior in `wrangler deploy`. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload. + +### Patch Changes + +- [#13926](https://github.com/cloudflare/workers-sdk/pull/13926) [`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd) Thanks [@dependabot](https://github.com/apps/dependabot)! - Update dependencies of "miniflare", "wrangler" + + The following dependency versions have been updated: + + | Dependency | From | To | + | ---------- | ------------ | ------------ | + | workerd | 1.20260511.1 | 1.20260515.1 | + +- [#11471](https://github.com/cloudflare/workers-sdk/pull/11471) [`3ff0a50`](https://github.com/cloudflare/workers-sdk/commit/3ff0a50349a78c17d64c45c0411771cc2d2dba0a) Thanks [@HW13](https://github.com/HW13)! - Improve `wrangler types --env-interface` for multi-worker projects. + + Custom env interfaces generated by `wrangler types` no longer expand from `Cloudflare.Env`, avoiding some unintended type expansion when multiple workers' generated types are used together. + +- [#13910](https://github.com/cloudflare/workers-sdk/pull/13910) [`bf688f7`](https://github.com/cloudflare/workers-sdk/commit/bf688f7735d602e963a7907a4a703aa7de2038fe) Thanks [@timoconnellaus](https://github.com/timoconnellaus)! - Fix `Failed to fetch auth token: 401 Unauthorized` from sibling-rotated refresh tokens + + `refreshToken` previously used the refresh token from module-level `localState`, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (`~/Library/Preferences/.wrangler/config/default.toml` on macOS). The long-lived process — typically `wrangler dev` — then sends its stale in-memory token on the next refresh and gets `401 Unauthorized` from `https://dash.cloudflare.com/oauth2/token`, falling through to interactive login and timing out unattended. + + `refreshToken` now calls `reinitialiseAuthTokens()` before exchanging, picking up the latest refresh token written by any sibling process. The previously empty `catch {}` also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving. + +- [#13843](https://github.com/cloudflare/workers-sdk/pull/13843) [`2e72c83`](https://github.com/cloudflare/workers-sdk/commit/2e72c83aa95d25de343c396df67c0a35b83b70cd) Thanks [@nzws](https://github.com/nzws)! - Fix `wrangler versions secret put/delete/bulk` to preserve the existing version's placement settings + + When creating a new version via `wrangler versions secret`, the previous code only re-emitted a bare `{ mode: "smart" }` placement when the API reported `placement_mode === "smart"`, dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip. + +- [#13908](https://github.com/cloudflare/workers-sdk/pull/13908) [`802eaf4`](https://github.com/cloudflare/workers-sdk/commit/802eaf47fa28f5bfa3a07b0782acdaac6f12781d) Thanks [@shiminshen](https://github.com/shiminshen)! - fix: stop rewriting query strings that happen to contain the request `Host` + + `wrangler dev` previously rewrote occurrences of the outer host inside `request.url`'s query string. For example, a request to `?echo=https%3A%2F%2Fdevelopment.test%2Fpath` with `Host: development.test` would be seen by the user worker as `?echo=https%3A%2F%2Fproduction.test%2Fpath`, silently mutating opaque application data such as `redirect_uri` values in OAuth flows. + + The proxy worker now sets the internal `MF-Original-URL` header _after_ its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string. + +- [#13827](https://github.com/cloudflare/workers-sdk/pull/13827) [`8f5cdb1`](https://github.com/cloudflare/workers-sdk/commit/8f5cdb14dda20f6036c2305195041105d4d109e3) Thanks [@greyvugrin](https://github.com/greyvugrin)! - Fix multi-environment warning when CLOUDFLARE_ENV is set + + Commands that warn when multiple environments are configured but none is specified (e.g. `wrangler deploy`, `wrangler secret put`) were not accounting for the `CLOUDFLARE_ENV` environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via `CLOUDFLARE_ENV`. + +- Updated dependencies [[`19ed49a`](https://github.com/cloudflare/workers-sdk/commit/19ed49a008be273df0ce60a817f4f367f4cea8fd)]: + - miniflare@4.20260515.0 + ## 4.91.0 ### Minor Changes diff --git a/packages/wrangler/package.json b/packages/wrangler/package.json index 2333a4ae5f..1bbc45697f 100644 --- a/packages/wrangler/package.json +++ b/packages/wrangler/package.json @@ -1,6 +1,6 @@ { "name": "wrangler", - "version": "4.91.0", + "version": "4.92.0", "description": "Command-line interface for all things Cloudflare Workers", "keywords": [ "assembly",