Skip to content

build(deps): bump undici and wrangler#6

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9466f6b544
Open

build(deps): bump undici and wrangler#6
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9466f6b544

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Bumps undici to 7.24.8 and updates ancestor dependency wrangler. These dependencies need to be updated together.

Updates undici from 5.5.1 to 7.24.8

Release notes

Sourced from undici's releases.

v7.24.8

What's Changed

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

What's Changed

... (truncated)

Commits
  • 7a6f7fe Bumped v7.24.8 (#5020)
  • 1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
  • c661067 chore: update v7.x maintenance release flow
  • 84f23e2 Bumped v7.24.7 (#4947)
  • a770b10 ignore AGENTS.md (#4942)
  • 6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
  • 1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
  • 04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
  • 5145a7c fix(types): align Response with DOM fetch types (#4867)
  • ec23620 test: skip flaky macOS Node 20 cookie fetch cases
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates wrangler from 2.0.14 to 4.92.0

Release notes

Sourced from wrangler's releases.

wrangler@4.92.0

Minor Changes

  • #13670 506aa02 Thanks @​elithrar! - Add wrangler artifacts commands for managing Artifacts repos and repo tokens.

    This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access.

    The new commands support both human-readable output and --json output so they fit existing Wrangler automation patterns.

  • #13916 be8a98c Thanks @​emily-shen! - Add --keep-vars flag to wrangler versions upload, matching the existing behavior in wrangler deploy. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload.

Patch Changes

  • #13926 19ed49a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260511.1 1.20260515.1

  • #11471 3ff0a50 Thanks @​HW13! - Improve wrangler types --env-interface for multi-worker projects.

    Custom env interfaces generated by wrangler types no longer expand from Cloudflare.Env, avoiding some unintended type expansion when multiple workers' generated types are used together.

  • #13910 bf688f7 Thanks @​timoconnellaus! - Fix Failed to fetch auth token: 401 Unauthorized from sibling-rotated refresh tokens

    refreshToken previously used the refresh token from module-level localState, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (~/Library/Preferences/.wrangler/config/default.toml on macOS). The long-lived process — typically wrangler dev — then sends its stale in-memory token on the next refresh and gets 401 Unauthorized from https://dash.cloudflare.com/oauth2/token, falling through to interactive login and timing out unattended.

    refreshToken now calls reinitialiseAuthTokens() before exchanging, picking up the latest refresh token written by any sibling process. The previously empty catch {} also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving.

  • #13843 2e72c83 Thanks @​nzws! - Fix wrangler versions secret put/delete/bulk to preserve the existing version's placement settings

    When creating a new version via wrangler versions secret, the previous code only re-emitted a bare { mode: "smart" } placement when the API reported placement_mode === "smart", dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip.

  • #13908 802eaf4 Thanks @​shiminshen! - fix: stop rewriting query strings that happen to contain the request Host

    wrangler dev previously rewrote occurrences of the outer host inside request.url's query string. For example, a request to ?echo=https%3A%2F%2Fdevelopment.test%2Fpath with Host: development.test would be seen by the user worker as ?echo=https%3A%2F%2Fproduction.test%2Fpath, silently mutating opaque application data such as redirect_uri values in OAuth flows.

    The proxy worker now sets the internal MF-Original-URL header after its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string.

  • #13827 8f5cdb1 Thanks @​greyvugrin! - Fix multi-environment warning when CLOUDFLARE_ENV is set

    Commands that warn when multiple environments are configured but none is specified (e.g. wrangler deploy, wrangler secret put) were not accounting for the CLOUDFLARE_ENV environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via CLOUDFLARE_ENV.

  • Updated dependencies [19ed49a]:

    • miniflare@4.20260515.0

wrangler@4.91.0

Minor Changes

... (truncated)

Commits
  • a3fa623 Version Packages (#13918)
  • 802eaf4 fix(wrangler): stop rewriting query strings that contain the request Host (#1...
  • 2e72c83 [wrangler] Preserve placement on versions secret commands (#13843)
  • 19ed49a build(deps): bump the workerd-and-workers-types group with 2 updates (#13926)
  • 3ff0a50 fix: wrangler types decouple env-interface from namespace (#11471)
  • 506aa02 [wrangler] Add artifacts CLI commands (#13670)
  • 8f5cdb1 fix(wrangler): hide multi-env warning when env is set via CLOUDFLARE_ENV (#13...
  • be8a98c refactor deploy/versions upload (part 1) (#13916)
  • bf688f7 [wrangler] fix: re-read refresh_token from disk to avoid 401 from sibling-pro...
  • adbf8cb Version Packages (#13895)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for wrangler since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump undici and wrangler
95bdd8c 
Bumps [undici](https://github.com/nodejs/undici) to 7.24.8 and updates ancestor dependency [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler). These dependencies need to be updated together.


Updates `undici` from 5.5.1 to 7.24.8
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.5.1...v7.24.8)

Updates `wrangler` from 2.0.14 to 4.92.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.92.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.24.8
  dependency-type: indirect
- dependency-name: wrangler
  dependency-version: 4.92.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 18, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedwrangler@​2.0.14 ⏵ 4.92.099100 +759296 +46100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants