chore(deps): update cloudflare to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
cloudflare	^4.5.0 → ^6.0.0

---

Release Notes

cloudflare/cloudflare-typescript (cloudflare)

v6.3.0

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

New Resources

• dls: add DLS (Data Localization Suite) resource with regions (list/get) and regionalServices.prefixBindings (create/list/delete/edit/get) sub-resources (4dcf0db)

New Sub-Resources

• organizations: add billing.usage sub-resource — FOCUS v1.3 cost-and-usage dataset (get) at /organizations/{organization_id}/billable/usage (2c93faf)
• r2: add buckets.objects sub-resource — list, delete, get, upload (PUT) for direct R2 object operations (94a26fc)
• workers: add observability.queries sub-resource — create and list saved telemetry queries (d1f8d27)
• zero-trust: add access.samlCertificates sub-resource — list, get, getPem, rotate SAML signing certificate sets at the account level (4d75785)
• zero-trust: add identityProviders.samlCertificate sub-resource — create a SAML encryption certificate set bound to an Identity Provider (4d75785)

New Methods

• billing: add usage.get method — FOCUS v1.3 cost-and-usage dataset at /accounts/{account_id}/billable/usage (returns UsageGetResponse with BillingAccountId, ChargeCategory, ConsumedQuantity, BilledCost, EffectiveCost, etc.) (665f6ea)
• secrets-store: add stores.get method — fetch a single store by ID (GET /accounts/{account_id}/secrets_store/stores/{store_id}) returning StoreGetResponse (542f312)
• workers: add scripts.secrets.bulkUpdate method — PATCH /accounts/{account_id}/workers/scripts/{script_name}/secrets-bulk for bulk secret updates (840cea9)
• workers-for-platforms: add dispatch.namespaces.scripts.secrets.bulkUpdate method — same bulk-update endpoint for dispatch-namespace scripts (840cea9)

New Fields and Parameters

• ai: add format?: 'openrouter' query param to models.list for returning models in the OpenRouter marketplace format (a3ba7fc)
• aisearch: add degraded?: boolean response field to InstanceStatsResponse and namespaces.instances.InstanceStatsResponse — set when status counts are unavailable (e.g. legacy stats query exceeded D1 statement-size limit) (49c2987)
• cloudforce-one: add alpha2: string field to threatEvents.countries.list response items (CountryListResponseItem.Result) alongside the existing alpha3/name fields (0aa9ae0)
• custom-certificates: private_key on CustomCertificateCreateParams is now optional when custom_csr_id is provided (previously always required) (6e90245)
• logpush: add mnm_flow_logs to the dataset enum on datasets.fields.get, datasets.jobs.get, LogpushJob.dataset, and JobCreateParams.dataset (5bc2413)
• organizations: Organizations API moved from Closed Beta to Public Beta — affects organizations.create, update, list, delete, get, and organizationProfile.update/get docstrings (54b7f07)
• radar: add CONTENT_TYPE dimension and contentType?: Array<'HTML' | 'IMAGES' | 'JSON' | 'JAVASCRIPT' | 'CSS' | 'PLAIN_TEXT' | 'FONTS' | 'XML' | 'YAML' | 'VIDEO' | 'AUDIO' | 'MARKDOWN' | 'DOCUMENTS' | 'BINARY' | 'SERIALIZATION' | 'OTHER'> filter param to radar.http.summaryV2, timeseriesGroups, and related HTTP analytics methods (d5bc24a)
• spectrum: add virtual_network_id?: string field to OriginDNS config on AppCreateResponse, AppUpdateResponse, AppListResponse, AppGetResponse, AppCreateParams, and AppUpdateParams — routes origin traffic through tunnel virtual networks (1afad1f)
• workers: add 'opentelemetry-metrics' enum value to logpushDataset field on observability.destinations (DestinationCreateResponse.Configuration, DestinationUpdateResponse.Configuration, DestinationListResponse.Configuration) (d1f8d27)
• workers: add observability.traces.propagation_policy?: 'authenticated' | 'accept' field on Worker, WorkerCreateParams, WorkerUpdateParams, ScriptSetting, SettingEditParams, and script-and-version-settings — controls how inbound traceparent/tracestate headers are honored (d1f8d27)
• workers: add ends_with filter operation and ENDS_WITH comparison enum value to observability.telemetry.query filters (d1f8d27)
• workers: add preview?: { id?: string; name?: string; slug?: string } field to TelemetryQueryResponse.UnionMember0 and UnionMember1 event items — surfaces preview deployment metadata on telemetry results (d1f8d27)
• workers: narrow observability.telemetry source field type from string | unknown to string | { [key: string]: unknown } — non-breaking type refinement that gives consumers better inference (d1f8d27)
• zero-trust: add Cloudflare-as-Identity-Provider — new 'cloudflare' value in IdentityProviderType and IdentityProviderTypeParam unions, plus a new AccessCloudflare interface variant added to IdentityProvider, IdentityProviderParam, IdentityProviderListResponse, IdentityProviderCreateParams, and IdentityProviderUpdateParams unions (4d75785)
• zero-trust: add AccessCloudflareAccountMemberRule policy rule type to AccessRule union (and AccessRuleParam) — matches users who are members of a specific Cloudflare account; pairs with the new Cloudflare IdP type (4d75785)
• zero-trust: add saml_certificate_set? and saml_certificate_set_id? fields across all 16 Identity Provider variants (AzureAD, AccessCentrify, AccessCloudflare, AccessFacebook, AccessGitHub, AccessGoogle, AccessGoogleApps, AccessLinkedin, AccessOIDC, AccessOkta, AccessOnelogin, AccessOnetimepin, AccessPingone, AccessSAML, AccessYandex, and the new AccessCloudflare) — references the bound SAML encryption certificate set (4d75785)
• zero-trust: add error_details? (with cause, is_upstream, mcp_code, retryable, status_code fields) and is_shared_oauth_callback_enabled?: boolean to access.aiControls.mcp.portals and mcp.servers response types — surfaces MCP gateway error details and shared-OAuth-callback rollout state (dc1c78c)
• zero-trust: add portal_description? and server_description? fields to access.aiControls.mcp.portals Server.UpdatedPrompt (Create/Update/List/Get response variants); the older description? field is now @deprecated in favor of these — portal-level wins when present, otherwise falls back to server-level (dc1c78c)
• zero-trust: refine access.aiControls.mcp.servers.ServerSyncResponse from unknown to { error?: string; error_details?: ServerSyncResponse.ErrorDetails; status?: string } — gives consumers a typed shape with MCP error details (dc1c78c)
• zero-trust: add auth_state?: Array<'Good' | 'Notified' | 'Will Block' | 'Blocked'> field to KolideInput and KolideInputParam device-posture types — restricts the posture check to specific Kolide auth states (dc1c78c)

Deprecations

• zero-trust: access.aiControls.mcp.portals Server.UpdatedPrompt.description? is now @deprecated. Use the new portal_description? or server_description? fields instead. The deprecated field is still populated for backward compatibility (portal-level wins when present, otherwise falls back to server-level) and will be removed after a deprecation window. (dc1c78c)

Breaking Changes

• billing: the underlying API endpoint for client.billing.usage.paygo() changed from GET /accounts/{account_id}/billing/usage/paygo to GET /accounts/{account_id}/paygo-usage. The SDK call site, method signature, params, and return type are unchanged — existing code does not need to be modified. This is recorded as a breaking change because the underlying API contract moved; users on older SDK versions may see 404s if the old URL is retired by the Cloudflare API server. (665f6ea)

Chores

• ai: documentation tightening across model list responses (a3ba7fc)
• cloudforce-one: documentation refresh on threat-events country fields (0aa9ae0)
• email-sending: internal client-name string update (1199217)
• intel: rephrase sinkhole field descriptions for clarity (b471160)
• radar: trailing chore from previous sync round (6446c29)
• workers-for-platforms: documentation updates on existing dispatch endpoints alongside the bulkUpdate addition (074b214)
• zero-trust: generated-output churn alongside the SAML certificate work (dc1c78c), (40ea4d5)
• sync codegen shared files (api.md, .stats.yml, scripts/detect-breaking-changes, src/index.ts, src/resources/index.ts) across multiple sync rounds (4d7dd4d), (fdef412), (22e2a09), (7e4b075)

v6.2.0

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

New Resources

• dls: add DLS (Data Localization Suite) resource with regions (list/get) and regionalServices.prefixBindings (create/list/delete/edit/get) sub-resources (4dcf0db)

New Sub-Resources

• organizations: add billing.usage sub-resource — FOCUS v1.3 cost-and-usage dataset (get) at /organizations/{organization_id}/billable/usage (2c93faf)
• r2: add buckets.objects sub-resource — list, delete, get, upload (PUT) for direct R2 object operations (94a26fc)
• workers: add observability.queries sub-resource — create and list saved telemetry queries (d1f8d27)
• zero-trust: add access.samlCertificates sub-resource — list, get, getPem, rotate SAML signing certificate sets at the account level (4d75785)
• zero-trust: add identityProviders.samlCertificate sub-resource — create a SAML encryption certificate set bound to an Identity Provider (4d75785)

New Methods

• billing: add usage.get method — FOCUS v1.3 cost-and-usage dataset at /accounts/{account_id}/billable/usage (returns UsageGetResponse with BillingAccountId, ChargeCategory, ConsumedQuantity, BilledCost, EffectiveCost, etc.) (665f6ea)
• secrets-store: add stores.get method — fetch a single store by ID (GET /accounts/{account_id}/secrets_store/stores/{store_id}) returning StoreGetResponse (542f312)
• workers: add scripts.secrets.bulkUpdate method — PATCH /accounts/{account_id}/workers/scripts/{script_name}/secrets-bulk for bulk secret updates (840cea9)
• workers-for-platforms: add dispatch.namespaces.scripts.secrets.bulkUpdate method — same bulk-update endpoint for dispatch-namespace scripts (840cea9)

New Fields and Parameters

• ai: add format?: 'openrouter' query param to models.list for returning models in the OpenRouter marketplace format (a3ba7fc)
• aisearch: add degraded?: boolean response field to InstanceStatsResponse and namespaces.instances.InstanceStatsResponse — set when status counts are unavailable (e.g. legacy stats query exceeded D1 statement-size limit) (49c2987)
• cloudforce-one: add alpha2: string field to threatEvents.countries.list response items (CountryListResponseItem.Result) alongside the existing alpha3/name fields (0aa9ae0)
• custom-certificates: private_key on CustomCertificateCreateParams is now optional when custom_csr_id is provided (previously always required) (6e90245)
• logpush: add mnm_flow_logs to the dataset enum on datasets.fields.get, datasets.jobs.get, LogpushJob.dataset, and JobCreateParams.dataset (5bc2413)
• organizations: Organizations API moved from Closed Beta to Public Beta — affects organizations.create, update, list, delete, get, and organizationProfile.update/get docstrings (54b7f07)
• radar: add CONTENT_TYPE dimension and contentType?: Array<'HTML' | 'IMAGES' | 'JSON' | 'JAVASCRIPT' | 'CSS' | 'PLAIN_TEXT' | 'FONTS' | 'XML' | 'YAML' | 'VIDEO' | 'AUDIO' | 'MARKDOWN' | 'DOCUMENTS' | 'BINARY' | 'SERIALIZATION' | 'OTHER'> filter param to radar.http.summaryV2, timeseriesGroups, and related HTTP analytics methods (d5bc24a)
• spectrum: add virtual_network_id?: string field to OriginDNS config on AppCreateResponse, AppUpdateResponse, AppListResponse, AppGetResponse, AppCreateParams, and AppUpdateParams — routes origin traffic through tunnel virtual networks (1afad1f)
• workers: add 'opentelemetry-metrics' enum value to logpushDataset field on observability.destinations (DestinationCreateResponse.Configuration, DestinationUpdateResponse.Configuration, DestinationListResponse.Configuration) (d1f8d27)
• workers: add observability.traces.propagation_policy?: 'authenticated' | 'accept' field on Worker, WorkerCreateParams, WorkerUpdateParams, ScriptSetting, SettingEditParams, and script-and-version-settings — controls how inbound traceparent/tracestate headers are honored (d1f8d27)
• workers: add ends_with filter operation and ENDS_WITH comparison enum value to observability.telemetry.query filters (d1f8d27)
• workers: add preview?: { id?: string; name?: string; slug?: string } field to TelemetryQueryResponse.UnionMember0 and UnionMember1 event items — surfaces preview deployment metadata on telemetry results (d1f8d27)
• workers: narrow observability.telemetry source field type from string | unknown to string | { [key: string]: unknown } — non-breaking type refinement that gives consumers better inference (d1f8d27)
• zero-trust: add Cloudflare-as-Identity-Provider — new 'cloudflare' value in IdentityProviderType and IdentityProviderTypeParam unions, plus a new AccessCloudflare interface variant added to IdentityProvider, IdentityProviderParam, IdentityProviderListResponse, IdentityProviderCreateParams, and IdentityProviderUpdateParams unions (4d75785)
• zero-trust: add AccessCloudflareAccountMemberRule policy rule type to AccessRule union (and AccessRuleParam) — matches users who are members of a specific Cloudflare account; pairs with the new Cloudflare IdP type (4d75785)
• zero-trust: add saml_certificate_set? and saml_certificate_set_id? fields across all 16 Identity Provider variants (AzureAD, AccessCentrify, AccessCloudflare, AccessFacebook, AccessGitHub, AccessGoogle, AccessGoogleApps, AccessLinkedin, AccessOIDC, AccessOkta, AccessOnelogin, AccessOnetimepin, AccessPingone, AccessSAML, AccessYandex, and the new AccessCloudflare) — references the bound SAML encryption certificate set (4d75785)
• zero-trust: add error_details? (with cause, is_upstream, mcp_code, retryable, status_code fields) and is_shared_oauth_callback_enabled?: boolean to access.aiControls.mcp.portals and mcp.servers response types — surfaces MCP gateway error details and shared-OAuth-callback rollout state (dc1c78c)
• zero-trust: add portal_description? and server_description? fields to access.aiControls.mcp.portals Server.UpdatedPrompt (Create/Update/List/Get response variants); the older description? field is now @deprecated in favor of these — portal-level wins when present, otherwise falls back to server-level (dc1c78c)
• zero-trust: refine access.aiControls.mcp.servers.ServerSyncResponse from unknown to { error?: string; error_details?: ServerSyncResponse.ErrorDetails; status?: string } — gives consumers a typed shape with MCP error details (dc1c78c)
• zero-trust: add auth_state?: Array<'Good' | 'Notified' | 'Will Block' | 'Blocked'> field to KolideInput and KolideInputParam device-posture types — restricts the posture check to specific Kolide auth states (dc1c78c)

Deprecations

• zero-trust: access.aiControls.mcp.portals Server.UpdatedPrompt.description? is now @deprecated. Use the new portal_description? or server_description? fields instead. The deprecated field is still populated for backward compatibility (portal-level wins when present, otherwise falls back to server-level) and will be removed after a deprecation window. (dc1c78c)

Breaking Changes

• billing: the underlying API endpoint for client.billing.usage.paygo() changed from GET /accounts/{account_id}/billing/usage/paygo to GET /accounts/{account_id}/paygo-usage. The SDK call site, method signature, params, and return type are unchanged — existing code does not need to be modified. This is recorded as a breaking change because the underlying API contract moved; users on older SDK versions may see 404s if the old URL is retired by the Cloudflare API server. (665f6ea)

Chores

• ai: documentation tightening across model list responses (a3ba7fc)
• cloudforce-one: documentation refresh on threat-events country fields (0aa9ae0)
• email-sending: internal client-name string update (1199217)
• intel: rephrase sinkhole field descriptions for clarity (b471160)
• radar: trailing chore from previous sync round (6446c29)
• workers-for-platforms: documentation updates on existing dispatch endpoints alongside the bulkUpdate addition (074b214)
• zero-trust: generated-output churn alongside the SAML certificate work (dc1c78c), (40ea4d5)
• sync codegen shared files (api.md, .stats.yml, scripts/detect-breaking-changes, src/index.ts, src/resources/index.ts) across multiple sync rounds (4d7dd4d), (fdef412), (22e2a09), (7e4b075)

v6.1.0

Compare Source

Full Changelog: v6.0.0...v6.1.0

Features

• chore: skip failing deployment_groups tests (f4ce98e)
• feat(api): add zero_trust_device_deployment_groups resource (c05f6d6)
• feat(SCTR): add audit log, classification, and context endpoints to Security Center API (3791b84)

Chores

• api: update composite API spec (64244be)
• api: update composite API spec (7cb65d5)
• api: update composite API spec (8533ac8)
• api: update composite API spec (04ebcc4)
• api: update composite API spec (fb5ef8f)

v6.0.0

Compare Source

Full Changelog: v6.0.0...v6.1.0

Features

• chore: skip failing deployment_groups tests (f4ce98e)
• feat(api): add zero_trust_device_deployment_groups resource (c05f6d6)
• feat(SCTR): add audit log, classification, and context endpoints to Security Center API (3791b84)

Chores

• api: update composite API spec (64244be)
• api: update composite API spec (7cb65d5)
• api: update composite API spec (8533ac8)
• api: update composite API spec (04ebcc4)
• api: update composite API spec (fb5ef8f)

v5.2.0

Compare Source

Disclaimer: Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability.

Full Changelog: v5.2.0...v6.0.0-beta.1

In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions,
which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce
our SDK libraries. As the codegen is always evolving and improving, so are our code bases.

Some breaking changes were introduced due to bug fixes, also listed below.

v5.1.0

Compare Source

Full Changelog: v5.1.0...v5.2.0

Features

• Add load balancer monitor groups endpoints (5764b60)
• Add Radar AS-SET lookup endpoint (e8480e8)
• Add to_markdown subresource to AI resource (770500f)
• Rename duplicate parameter in the to_markdown subresource (98ccef7)
• Deprecate Radar AI inference and leaked credential endpoints (932e696)
• Remove created_at and updated_at fields from Zero Trust organization (4656a4e)

Performance Improvements

• faster formatting (17f6c4f)

Chores

• do not install brew dependencies in ./scripts/bootstrap by default (257ac1d)
• improve example values (20f0585)
• internal: codegen related update (0448452)
• internal: fix incremental formatting in some cases (9abf5ab)
• internal: ignore .eslintcache (a80827e)
• internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (ea38064)
• api: update composite API spec (ab0bebd, 04d593f, 3cd521d, 15ff36b, 38722d4, f5dbf2f, 944d006, 65fb516, 0227a05, 2a87192, 9b6e363, 3a8a22d, ceb49a5, f85cb6b, 3204575, 852e202, 02745e6, 47d98b6, 0c1056e, 79e8b83, d35bbfb, 87fc40c, 2a6e7ed, 30a4ab2, 0cab872, 36c1def, fabf439, eca4953, de00074, 5fef81c, a0bf932, 8292aee, d5b6a6a, 65fff47, c5cc86a, bb6586e, 29623b8, 1fa622c, 80d3e7a)

v5.0.0

Compare Source

Full Changelog: v5.0.0...v5.1.0

Features

• Merge branch 'vaishak/skip-worker-test' into 'main' (a556698)

Bug Fixes

• coerce nullable values to undefined (7847e84)
• correctly handle sending multipart/form-data requests with JSON (e9deab6)

Chores

• ci build action (23d3577)
• fix lint on the examples (dd14379)
• fix lint on the examples (dd14379)
• fix lint on the examples (5b2f145)
• internal: codegen related update (2860479)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on the first day of the month"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.