Bump miniflare from 4.20260305.0 to 4.20260312.0

[dependabot]

Bumps miniflare from 4.20260305.0 to 4.20260312.0.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260312.0

Patch Changes

• #12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #12864 ecc7f79 Thanks @​NuroDev! - Fix local explorer route matching to be more precise

  Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:

  • /cdn-cgi/explorer (exact match)
  • /cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)

  Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.

• #12775 1dda1c8 Thanks @​fhanau! - Add support for worker connect handler in miniflare

miniflare@4.20260310.0

Minor Changes

• #12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

• #12754 e4d9510 Thanks @​emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12790 5451a7f Thanks @​petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

• #12795 82cc2a8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #12811 3c67c2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260312.0

Patch Changes

• #12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #12864 ecc7f79 Thanks @​NuroDev! - Fix local explorer route matching to be more precise

  Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:

  • /cdn-cgi/explorer (exact match)
  • /cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)

  Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.

• #12775 1dda1c8 Thanks @​fhanau! - Add support for worker connect handler in miniflare

4.20260310.0

Minor Changes

• #12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

• #12754 e4d9510 Thanks @​emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12790 5451a7f Thanks @​petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

• #12795 82cc2a8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #12811 3c67c2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

... (truncated)

Commits

• 25b090a Version Packages (#12840)
• 22b51cd Revert "[Workflows] Implement Workflows instance methods" (#12872)
• 8d4ef78 [Workflows] Implement Workflows instance methods (#12814)
• ecc7f79 feat(local-explorer-ui): Fix index route path matching (#12864)
• f7de0fd Bump the workerd-and-workers-types group with 2 updates (#12861)
• 1dda1c8 Add support for worker connect handler in miniflare (#12775)
• a6ddbdb Support Vitest 4 in @cloudflare/vitest-pool-workers (#11632)
• 24f807b Version Packages (#12789)
• de65c58 containers: Remove experimental flag from enabling egress interception for co...
• cb14820 Update @hey-api/openapi-ts and move to pnpm catalog (#12828)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	miniflare@​4.20260312.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm miniflare is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: package.json → npm/miniflare@4.20260312.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/miniflare@4.20260312.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Superseded by #583.