
chore(deps): bump the cloudflare group across 1 directory with 5 updates #91

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/cloudflare-972017b715

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Bumps the cloudflare group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @cloudflare/vitest-pool-workers | 0.14.7 | 0.16.12 |
| @cloudflare/workers-types | 4.20260410.1 | 4.20260602.1 |
| wrangler | 4.83.0 | 4.97.0 |
| @cloudflare/containers | 0.0.25 | 0.3.6 |
| @cloudflare/sandbox | 0.9.1 | 0.11.0 |

Updates @cloudflare/vitest-pool-workers from 0.14.7 to 0.16.12

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.16.12

Patch Changes

  • #14152 3d7992e Thanks @​petebacondarwin! - Fix module resolution failing when project path contains spaces

    When a project lived under a directory with spaces (e.g. /Users/me/Documents/Master CMS/project), the vitest pool would fail with No such module "threads.js" before any test executed. The module fallback service now uses the rawSpecifier from workerd's fallback request to correctly decode file:// URLs, avoiding the double-encoding of spaces (%20%2520) that occurred when workerd resolved these URLs as relative paths.

  • #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

    URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

  • #14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

    Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

  • #14061 da8e306 Thanks @​Vardiak! - Preserve Durable Object WebSocket handler invocation order

    Durable Object WebSocket events could begin executing out of order in the Workers Vitest integration when several events arrived while the test wrapper was resolving user code.

    Handler invocation now preserves arrival order while still allowing asynchronous handler completion to run concurrently.

  • Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

    • wrangler@4.97.0
    • miniflare@4.20260601.0

@​cloudflare/vitest-pool-workers@​0.16.11

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.10

Patch Changes

@​cloudflare/vitest-pool-workers@​0.16.9

Patch Changes

  • #13933 90092c0 Thanks @​petebacondarwin! - Derive bundler externals from package.json and shrink the published bundle

    The bundler's external list was previously hand-maintained and out of sync with package.json: undici and semver were both listed as external despite being only devDependencies. The published dist/pool/index.mjs consequently contained a top-level import { fetch } from "undici" that was only resolvable because pnpm happened to hoist undici from other packages' devDependencies during local development.

... (truncated)

Commits
  • 0b60424 Version Packages (#14142)
  • 3d7992e [vitest-pool-workers] Fix module resolution for paths with spaces (#14152)
  • da8e306 [vitest-pool-workers] Preserve Durable Object handler order (for hibernated D...
  • 0998725 Set disallowTypeAnnotations to false in `@typescript-eslint/consistent-ty...
  • 3a746ac [tools] Lint that all non-bundled deps of published packages are pinned (#14112)
  • 337e912 Remove trailing periods from URLs in terminal output (#14105)
  • 50ef724 Version Packages (#14082)
  • e3c862a Revert "Version Packages" (#14087)
  • 689f381 Version Packages (#14048)
  • 96ae856 [vitest-pool-workers] Dispatch RPC methods through proxied Durable Object ins...
  • Additional commits viewable in compare view

Updates @cloudflare/workers-types from 4.20260410.1 to 4.20260602.1

Commits

Updates wrangler from 4.83.0 to 4.97.0

Release notes

Sourced from wrangler's releases.

wrangler@4.97.0

Minor Changes

  • #13996 94b29f7 Thanks @​vaishnav-mk! - Add restart-from-step options to wrangler workflows instances restart

    You can now restart a Workflow instance from a specific step using --from-step-name, with optional --from-step-count and --from-step-type disambiguation. These options work for both remote Workflow instances and local wrangler dev --local sessions.

Patch Changes

  • #14141 b210c5e Thanks @​MattieTK! - Add re-authentication hint to account fetch error messages

    When Wrangler fails to automatically retrieve account IDs, the error messages now suggest running wrangler login as a troubleshooting step. This addresses confusion for users who encounter these errors after OAuth system changes or other authentication issues.

  • #14078 aec1bb8 Thanks @​MattieTK! - Bump am-i-vibing from 0.1.1 to 0.4.0

    This updates the agentic environment detection library to the latest version, which includes improved detection coverage for newer AI coding agents.

  • #14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    | Dependency | From | To |
    | --- | --- | --- |
    | workerd | 1.20260529.1 | 1.20260601.1 |

  • #14027 9a26191 Thanks @​matingathani! - Gracefully handle EMFILE error when assets directory exceeds OS watcher limit

    Previously, when wrangler dev was pointed at an assets directory with more than ~4,096 subdirectories, the chokidar file watcher threw an EMFILE: too many open files error that was not caught, causing an infinite error loop that made the dev server unresponsive.

    Now the error is caught and wrangler:

    1. Logs a clear warning explaining the platform watcher limit was hit
    2. Recommends reducing the number of subdirectories by flattening or restructuring the assets directory
    3. Disables the assets watcher gracefully so the dev server continues working without hot-reload

  • #14041 5565823 Thanks @​matingathani! - Fix wrangler complete printing the AI skills prompt into shell completion output

    Previously, running eval "$(wrangler complete zsh)" (or any other shell) would fail with errors like zsh: command not found: --install-skills because the interactive AI agent skills installation prompt was included in the completion script output.

    The skills prompt is now skipped when running wrangler complete, so the generated completion script is clean and can be sourced correctly.

  • #13881 890fca7 Thanks @​matingathani! - Show a clear error when --metadata is not valid JSON instead of silently ignoring the value

  • #14149 6fc9777 Thanks @​mattjohnsonpint! - Fix wrangler deploy --upload-source-maps silently skipping source maps when the entry file ends with magic comments after //# sourceMappingURL=

    Wrangler previously assumed the //# sourceMappingURL= comment was the last non-empty line of a module. Tools like sentry-cli sourcemaps inject append a //# debugId= comment after it, which silently caused source maps to be omitted from the upload form, most commonly when deploying with --no-bundle --upload-source-maps. Wrangler now scans trailing magic comments (lines starting with //# or //@) and detects the //# sourceMappingURL= comment regardless of which other magic comments follow it.

  • #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

    URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

... (truncated)

Commits
  • 0b60424 Version Packages (#14142)
  • 42288d4 fix: Include currentAgentSkillsInstalled in command telemetry events (#14155)
  • 6fc9777 [wrangler] fix: don't assume sourceMappingURL is on the last line (#14149)
  • 94b29f7 [workflows] Restart from step (#13996)
  • e06cbb7 Bump the workerd-and-workers-types group with 2 updates (#14147)
  • 5565823 [wrangler] Fix wrangler complete printing AI skills prompt into shell compl...
  • 8e7b74f [wrangler] fix: send Workflows schedules as { cron } objects on deploy (#14150)
  • 9a26191 [wrangler] fix: gracefully handle EMFILE when assets watcher exceeds director...
  • aec1bb8 [wrangler] Bump am-i-vibing from 0.1.1 to 0.4.0 (#14078)
  • 890fca7 [wrangler] fix: show clear error when --metadata is not valid JSON (#13881)
  • Additional commits viewable in compare view

Updates @cloudflare/containers from 0.0.25 to 0.3.6

Release notes

Sourced from @​cloudflare/containers's releases.

v0.3.6

Patch Changes

  • 9650b2d: Use IdentityTransformStream when proxying deferred HTTP response bodies.
  • 5b6eb5f: Remove noisy logs emitted while checking container and port readiness.

v0.3.5

Patch Changes

  • a3fe15b: Use the canonical AlarmInvocationInfo type from @cloudflare/workers-types for the alarm() parameter instead of an inline type. This is a no-op for users (the shape is identical), but keeps the override aligned with the Durable Object base class signature.

  • ca72a22: Refreshed the examples/ projects:

    • All examples now use the latest TypeScript, Vitest, and Wrangler, and target a current Workers compatibility_date.
    • Worker types are generated by wrangler types, matching current Cloudflare guidance.
    • The examples/timeout/ snippet is now a fully runnable example.
    • Integration tests now run on arm64 hosts (e.g. Apple Silicon) and reliably clean up after themselves.

    No changes to the published library API.

  • fc7e7f4: Add return types to exported functions and public methods to satisfy ESLint and improve type checking.

  • eabe7ac: Clarify the license for this library matches that of @cloudflare/workers-sdk, which is dual licensed under either MIT OR Apache-2.0.

  • df8699a: Tighten the return type of Container#onError from any to unknown. Subclasses that override onError can still return any value. This should be a no-op for most users.

  • 45274ea: Preserve original errors as cause when wrapping abort/timeout errors during container startup, making it easier to debug the underlying failure.

  • 19c1709: Reset container state after failed startup or terminal monitor errors, avoid stale monitor callbacks updating newer instances, and apply configured constructor startup options.

v0.3.4

Patch Changes

  • 8442f40: Fix a race in Container where concurrent container.fetch calls to a cold container could throw "start() cannot be called on a container that is already running.".

  • cf01432: Ensure pending stop events are processed when the persisted container lifecycle state is still running but the underlying container has already exited.

    Migrate the root unit test suite from Jest to Vitest and add a test:unit script for running src/tests directly.

  • cf41295: Fix subclass sleepAfter overrides being ignored during the initial activity timeout setup. Previously, the base Container constructor called renewActivityTimeout() inside blockConcurrencyWhile() before subclass class-field initializers ran, so the first sleepAfterMs was always computed from the base default ('10m') regardless of whether the subclass declared sleepAfter = '2h'. A container could then be killed by the activity timeout before the subclass's longer window took effect on the next renewActivityTimeout call. Declarations like:

    class BigContainer extends Container {
      sleepAfter = '2h';
    }

    are now honored from the very first alarm check.

  • 07fedbb: Preserve Cloudchamber startup rate-limit errors in the Containers helper and return HTTP 429 from containerFetch() when startup is rate limited.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​cloudflare/containers since your current version.


Updates @cloudflare/sandbox from 0.9.1 to 0.11.0

Release notes

Sourced from @​cloudflare/sandbox's releases.

@​cloudflare/sandbox@​0.11.0

Minor Changes

  • #708 287ec04 Thanks @​ghostwriternr! - Prevent stale preview URLs from waking or reaching sandbox runtimes. Invalid, revoked, or destroyed preview URLs return 404 INVALID_TOKEN; authorized URLs that are not activated for the current runtime return 410 STALE_PREVIEW_URL until the port is exposed again. Existing preview URLs that previously survived container restart now return 410 STALE_PREVIEW_URL after a restart until the port is exposed again in the new runtime.

    getExposedPorts() and isPortExposed() now report only ports that are currently preview-forwardable in the active runtime. unexposePort() is now idempotent: revoking a port that is not currently exposed succeeds without contacting the container. Preview URL state no longer uses the container-local exposed-port registry or proxy routes.

Patch Changes

  • #733 d4a739b Thanks @​scuffi! - Allow backup and restore presigned URLs to target non-default R2 endpoints. Set BACKUP_BUCKET_ENDPOINT, for example https://<account_id>.eu.r2.cloudflarestorage.com, when your backup bucket uses an R2 jurisdiction.

  • #732 8b9ec84 Thanks @​ghostwriternr! - Add bridge endpoints for managing tunnels to sandbox services. HTTP clients can call POST /v1/sandbox/:id/tunnel/:port with an optional name body field for a predictable named URL, and DELETE /v1/sandbox/:id/tunnel/:port to remove the tunnel.

  • #730 de68927 Thanks @​ghostwriternr! - Classify Office Open XML files such as .xlsx and .docx as binary when reading files so they are returned with base64 encoding instead of text decoding.

  • #722 95bb7b9 Thanks @​aron-cf! - Add named-tunnel support to sandbox.tunnels.get(port, { name }). Named tunnels bind a user-controlled hostname (<name>.<your-zone>) backed by a Cloudflare Tunnel and a proxied CNAME on your zone, so the URL is stable across container restarts and across sandboxes that share the same name. Calling sandbox.destroy() tears down the Cloudflare tunnel and DNS record alongside the container.

    const tunnel = await sandbox.tunnels.get(8080, { name: 'app' });
    console.log(tunnel.url); // → https://app.example.com

@​cloudflare/sandbox@​0.10.3

Patch Changes

  • #715 453b577 Thanks @​aron-cf! - Upgrade capnweb to 0.8.0.

  • #714 0ec4f42 Thanks @​aron-cf! - Bundle cloudflared into the musl/Alpine images.

  • #706 ae5f9a1 Thanks @​scuffi! - Add sessionless execution mode with a configurable default-session policy.

    Set enableDefaultSession: false in SandboxOptions to run implicit top-level operations without a persistent shell — each command gets a fresh process with no shared state. The option is scoped to the sandbox object returned by getSandbox(...); explicit per-call session IDs continue to target that session.

@​cloudflare/sandbox@​0.10.2

Patch Changes

  • #695 c6bf7dc Thanks @​aron-cf! - Add sandbox.tunnels namespace with quick-tunnel support. Call sandbox.tunnels.get(port) to obtain a https://<words>.trycloudflare.com URL that proxies to localhost:<port> inside the sandbox. The call is idempotent: repeated calls for the same port return the same record from per-sandbox Durable Object storage. No Cloudflare account or DNS setup required.

    const tunnel = await sandbox.tunnels.get(8080);
    console.log(tunnel.url);
    // → https://random-words-here.trycloudflare.com
    const same = await sandbox.tunnels.get(8080);
    console.log(same.url === tunnel.url); // true
    await sandbox.tunnels.list();
    await sandbox.tunnels.destroy(8080); // or destroy(tunnel)

... (truncated)

Commits
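
The exact-version pinning described in the vitest-pool-workers 0.16.12 notes (#14112), shown as an added example that is not part of this pull request or of workers-sdk: a check that flags dependency specifiers in a package.json that a fresh install could resolve to a different release. The checked fields, the classification rules and the sample manifest are assumptions made for illustration; this is not the project's check:pinned-deps lint.

```javascript
// Added example, not workers-sdk code. The rules below are assumptions.

// One exact semver version: 1.2.3, 1.2.3-beta.2, 1.2.3+build.5
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify a package.json dependency specifier as:
//   "exact"        resolves to a single registry version
//   "floating"     range, wildcard or dist-tag; a fresh install may pick a newer release
//   "unverifiable" resolved elsewhere (pnpm catalog, git, URL, local path)
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s.replace(/^=\s*/, ""))) return "exact";
  if (s.startsWith("workspace:")) {
    // pnpm rewrites workspace:* to the exact workspace version on publish,
    // while workspace:^ and workspace:~ are published as ranges.
    const rest = s.slice("workspace:".length);
    return rest === "*" || EXACT.test(rest) ? "exact" : "floating";
  }
  if (s.startsWith("npm:")) {
    // Alias form npm:<name>@<spec>; an "@" at index 4 belongs to a scope, not a version.
    const at = s.lastIndexOf("@");
    return at > 4 ? classifySpecifier(s.slice(at + 1)) : "floating";
  }
  if (/^(catalog|file|link|git|git\+\w+|https?|github):/.test(s)) return "unverifiable";
  return "floating";
}

// Report every specifier that is not exact. By default only the fields that end up
// in a consumer's dependency tree are checked; devDependencies are not installed
// by consumers, so they are opt-in.
function findUnpinned(manifest, fields = ["dependencies", "optionalDependencies"]) {
  const findings = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      const kind = classifySpecifier(spec);
      if (kind !== "exact") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (package names are made up).
const SAMPLE_MANIFEST = {
  name: "example-published-package",
  version: "1.0.0",
  dependencies: {
    "left-exact": "2.4.1",
    "caret-range": "^1.3.0",
    "tilde-range": "~0.9.2",
    "dist-tag": "latest",
    "aliased": "npm:real-name@3.0.0",
    "workspace-sibling": "workspace:*",
    "ws-caret": "workspace:^",
    "from-catalog": "catalog:",
    "prerelease": "5.0.0-beta.2",
  },
  optionalDependencies: { "x-range": "1.x" },
  devDependencies: { "dev-only": "^9.0.0" },
};

for (const f of findUnpinned(SAMPLE_MANIFEST)) {
  console.log(`${f.field}: ${f.name}@${f.spec} is ${f.kind}`);
}
```

A `catalog:` entry is reported as unverifiable because its version lives in the pnpm workspace catalog, which has to be checked separately.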

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 19, 2026
@dependabot dependabot Bot changed the title from "chore(deps): bump the cloudflare group with 5 updates" to "chore(deps): bump the cloudflare group across 1 directory with 5 updates" May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/cloudflare-972017b715 branch 4 times, most recently from abe7593 to 21aa60c May 26, 2026 10:24
Bumps the cloudflare group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) | `0.14.7` | `0.16.12` |
| [@cloudflare/workers-types](https://github.com/cloudflare/workerd) | `4.20260410.1` | `4.20260602.1` |
| [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.83.0` | `4.97.0` |
| [@cloudflare/containers](https://github.com/cloudflare/containers) | `0.0.25` | `0.3.6` |
| [@cloudflare/sandbox](https://github.com/cloudflare/sandbox-sdk) | `0.9.1` | `0.11.0` |



Updates `@cloudflare/vitest-pool-workers` from 0.14.7 to 0.16.12
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.16.12/packages/vitest-pool-workers)

Updates `@cloudflare/workers-types` from 4.20260410.1 to 4.20260602.1
- [Release notes](https://github.com/cloudflare/workerd/releases)
- [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md)
- [Commits](https://github.com/cloudflare/workerd/commits)

Updates `wrangler` from 4.83.0 to 4.97.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.97.0/packages/wrangler)

Updates `@cloudflare/containers` from 0.0.25 to 0.3.6
- [Release notes](https://github.com/cloudflare/containers/releases)
- [Changelog](https://github.com/cloudflare/containers/blob/main/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/containers/commits/v0.3.6)

Updates `@cloudflare/sandbox` from 0.9.1 to 0.11.0
- [Release notes](https://github.com/cloudflare/sandbox-sdk/releases)
- [Commits](https://github.com/cloudflare/sandbox-sdk/compare/@cloudflare/sandbox@0.9.1...@cloudflare/sandbox@0.11.0)

---
updated-dependencies:
- dependency-name: "@cloudflare/containers"
  dependency-version: 0.3.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/sandbox"
  dependency-version: 0.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/vitest-pool-workers"
  dependency-version: 0.16.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: "@cloudflare/workers-types"
  dependency-version: 4.20260519.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
- dependency-name: wrangler
  dependency-version: 4.93.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: cloudflare
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/cloudflare-972017b715 branch from 21aa60c to c5fb5f3 June 2, 2026 16:33