Bump miniflare from 4.20260305.0 to 4.20260312.1

[dependabot]

Bumps miniflare from 4.20260305.0 to 4.20260312.1.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260312.1

Patch Changes

• #12869 ade0aed Thanks @​emily-shen! - Local explorer: validate host and origin headers before Miniflare modifies them

  If routes are set, Miniflare will alter the host and origin headers to match, causing the local explorer to mistakenly identify and block same-origin requests.

  Note the local explorer is a WIP experimental feature.

miniflare@4.20260312.0

Patch Changes

• #12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #12864 ecc7f79 Thanks @​NuroDev! - Fix local explorer route matching to be more precise

  Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:

  • /cdn-cgi/explorer (exact match)
  • /cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)

  Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.

• #12775 1dda1c8 Thanks @​fhanau! - Add support for worker connect handler in miniflare

miniflare@4.20260310.0

Minor Changes

• #12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

• #12754 e4d9510 Thanks @​emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12790 5451a7f Thanks @​petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

• #12795 82cc2a8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260312.1

Patch Changes

• #12869 ade0aed Thanks @​emily-shen! - Local explorer: validate host and origin headers before Miniflare modifies them

  If routes are set, Miniflare will alter the host and origin headers to match, causing the local explorer to mistakenly identify and block same-origin requests.

  Note the local explorer is a WIP experimental feature.

4.20260312.0

Patch Changes

• #12861 f7de0fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260310.1	1.20260312.1

• #12864 ecc7f79 Thanks @​NuroDev! - Fix local explorer route matching to be more precise

  Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:

  • /cdn-cgi/explorer (exact match)
  • /cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)

  Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.

• #12775 1dda1c8 Thanks @​fhanau! - Add support for worker connect handler in miniflare

4.20260310.0

Minor Changes

• #12826 de65c58 Thanks @​gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag

  Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.

• #12754 e4d9510 Thanks @​emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12790 5451a7f Thanks @​petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

... (truncated)

Commits

• 2e6b4ab Version Packages (#12876)
• ade0aed fix host/origin header validation in local explorer (#12869)
• 25b090a Version Packages (#12840)
• 22b51cd Revert "[Workflows] Implement Workflows instance methods" (#12872)
• 8d4ef78 [Workflows] Implement Workflows instance methods (#12814)
• ecc7f79 feat(local-explorer-ui): Fix index route path matching (#12864)
• f7de0fd Bump the workerd-and-workers-types group with 2 updates (#12861)
• 1dda1c8 Add support for worker connect handler in miniflare (#12775)
• a6ddbdb Support Vitest 4 in @cloudflare/vitest-pool-workers (#11632)
• 24f807b Version Packages (#12789)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	miniflare@​4.20260312.1

View full report