
security: bump wrangler to ^4 across worker modules (fix undici/ws/esbuild vulns)#1

Open
ColbySmithCode wants to merge 1 commit into main from security/wrangler-v4


@ColbySmithCode

Owner

What

Bumps wrangler ^3.0.0 → ^4.103.0 in 5 worker modules: customers, donors, grants, impact, volunteers.

Why

npm audit --audit-level=high flagged 5 vulnerabilities per module (2 high: undici, ws; 3 moderate: esbuild), all transitive through wrangler@3 → miniflare.

  • These are devDependencies — local dev/build tooling. They do not ship to the deployed Workers, so production exposure is low.
  • The only fix path is the wrangler v4 major (breaking), so this is flagged for manual review rather than auto-applied via npm audit fix --force.
  • ✅ Verified locally: npm audit reports 0 vulnerabilities after the bump.

Note

The operations module has a wrangler.toml but no package.json, so it had nothing to audit/bump. No secrets were found anywhere in this repo (working tree or history).

Reviewer note

Sanity-check wrangler dev / wrangler deploy still work under v4 before merging — see the Wrangler v3→v4 migration notes.

🤖 Generated with Claude Code

npm audit flagged 5 vulnerabilities per module (2 high: undici, ws;
3 moderate: esbuild), all transitive through wrangler@3 -> miniflare.
These are devDependencies (local dev/build tooling) and do not ship to the
deployed Workers, but the fix requires the wrangler v4 major. Affects the
customers, donors, grants, impact, and volunteers worker packages.
Verified: npm audit reports 0 vulns after the bump.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
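
The dev-versus-production triage described in this PR, as an added example (not code from the repository or the PR author): it follows the `effects` edges of an `npm audit --json` report from each advisory up to the direct dependency, then checks which `package.json` section that dependency sits in. The report and `package.json` below are constructed samples, and `example-runtime-lib` / `example-parser` are hypothetical packages included for contrast.

```javascript
// Constructed sample shaped like `npm audit --json` output (auditReportVersion 2).
// Advisory titles are placeholders; the example-* packages are hypothetical.
const majorFix = { name: "wrangler", version: "4.103.0", isSemVerMajor: true };
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  undici: { severity: "high", isDirect: false, via: [{ title: "constructed advisory" }],
    effects: ["miniflare"], fixAvailable: majorFix },
  miniflare: { severity: "high", isDirect: false, via: ["undici"],
    effects: ["wrangler"], fixAvailable: majorFix },
  wrangler: { severity: "high", isDirect: true, via: ["miniflare"],
    effects: [], fixAvailable: majorFix },
  "example-parser": { severity: "moderate", isDirect: false,
    via: [{ title: "constructed advisory" }],
    effects: ["example-runtime-lib"], fixAvailable: true },
  "example-runtime-lib": { severity: "moderate", isDirect: true, via: ["example-parser"],
    effects: [], fixAvailable: true },
} };
const samplePackageJson = {
  dependencies: { "example-runtime-lib": "^1.0.0" },
  devDependencies: { wrangler: "^3.0.0" },
};

// Walk `effects` (vulnerable package -> packages depending on it) until we hit
// entries the project declares itself (isDirect). `seen` guards against cycles.
function directRoots(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = report.vulnerabilities[name];
  if (!entry) return [];
  const roots = entry.isDirect ? [name] : [];
  for (const parent of entry.effects || []) roots.push(...directRoots(report, parent, seen));
  return roots;
}

function triage(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const rows = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities)) {
    // An object in `via` is the advisory itself; a string only points at another entry.
    if (!entry.via.some((v) => typeof v === "object")) continue;
    const roots = directRoots(report, name);
    const scope = roots.some((r) => prod.has(r)) ? "prod"
      : roots.length && roots.every((r) => dev.has(r)) ? "dev-only" : "unknown";
    const fix = entry.fixAvailable;
    rows.push({ name, severity: entry.severity, roots, scope,
      majorFix: typeof fix === "object" && fix !== null && fix.isSemVerMajor === true });
  }
  return rows;
}

console.log(triage(sampleReport, samplePackageJson));
```

A row with `scope: "dev-only"` and `majorFix: true` is the case this PR handles by hand; `"unknown"` covers roots declared only as optional or peer dependencies, which need a manual look.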