chore(deps): update dependency wrangler to v4

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
wrangler (source)	3.114.17 → 4.102.0

---

Release Notes

cloudflare/workers-sdk (wrangler)

v4.102.0

Compare Source

Minor Changes

• #​14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

  The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

• #​14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

  When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

• #​14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #​14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

  GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #​14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

  This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

• #​14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260616.1	1.20260617.1

• #​14275 594544d Thanks @​alsuren! - Resolve auto-provisioned D1 bindings via the API in remote subcommands

  Remote D1 subcommands (d1 execute --remote, d1 export --remote, d1 info, d1 insights, d1 delete, d1 migrations apply --remote, d1 migrations list --remote, d1 time-travel) previously failed with:

  Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

  when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

  If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (<worker name>-<binding-lowercased-with-dashes>).

  Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

• #​14315 a79b899 Thanks @​matingathani! - Respect find_additional_modules = false when no_bundle is set

  When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

• #​14269 5dfb788 Thanks @​mattjohnsonpint! - Support dev.plugin on typed services bindings

  Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

• #​14328 ca61558 Thanks @​edevil! - Mention temporary preview accounts in wrangler whoami output when unauthenticated

  When you run wrangler whoami without being logged in, Wrangler now also tells you that you can deploy without logging in by running a command like wrangler deploy --temporary to use a temporary preview account.

• Updated dependencies [673b09e, e930bd4, 5c3bb11, 296ad65]:

  • miniflare@​4.20260617.0

v4.101.0

Compare Source

Minor Changes

• #​14276 32f9307 Thanks @​dario-piotrowicz! - Graduate autoconfig from experimental to stable

  The --experimental-autoconfig and --x-autoconfig deploy CLI flags have been replaced with --autoconfig.

  Note that the --autoconfig flag defaults to true and that it can be used to disable Wrangler's auto-configuration logic by setting it to false via --autoconfig=false or --no-autoconfig

• #​14287 41f391f Thanks @​edmundhung! - Add per-Worker resource accessors to createTestHarness()

  createTestHarness() now provides methods for accessing configured KV namespaces, R2 buckets, D1 databases, and Durable Object namespaces. Use server.getWorker(name) to access resources scoped to that specific Worker:

  const worker = server.getWorker("api-worker");
  const bucket = await worker.getR2Bucket("BUCKET");
  const db = await worker.getD1Database("DB");

• #​14264 21dbc12 Thanks @​dario-piotrowicz! - Suggest Cloudflare skills installation after commands instead of before

  The automatic prompt to install Cloudflare skills for detected AI coding agents no longer runs before every Wrangler command. Instead, Wrangler now suggests installing skills, when appropriate, after some commands complete successfully. Commands that output JSON suppress the suggestion to keep their output clean. The --install-skills flag remains available on all commands to explicitly run the skills installation flow before the command executes, without prompting.

  As before, Wrangler asks the skills installation question at most once. The skills install metadata file is now written before the confirmation prompt is shown, so even if the user interrupts the process (e.g. CTRL+C, closing the terminal) during the prompt, the question is recorded as unanswered and will not reappear on subsequent runs.

• #​14042 7e63948 Thanks @​edevil! - Add a --temporary flag that creates and uses a temporary Cloudflare preview account when you have no credentials, instead of starting the OAuth login flow.

  It's registered only on the commands the short-lived account token can serve — Workers (deploy, versions upload, and related commands), KV, D1, Hyperdrive, Queues, and certificate commands — and is for unauthenticated use only: passing it while already authenticated (OAuth, CLOUDFLARE_API_TOKEN, or a global API key) errors rather than silently ignoring the flag. Before provisioning, Wrangler handles Cloudflare's Terms of Service and Privacy Policy (interactive terminals prompt for yes; non-interactive shells print a notice and continue). Wrangler then runs with the short-lived token and prints a claim URL so the account can be claimed before it expires. The cached account is cleared on successful login or logout.

• #​14299 035917f Thanks @​petebacondarwin! - Send the login user telemetry event when wrangler login --scopes ... succeeds

  wrangler login was already reporting the login user event when called without --scopes, but the scoped login path returned early before the event could be sent. Both paths now report the event, so successful scoped logins are counted alongside unscoped ones.

Patch Changes

• #​14271 27db82c Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260611.1	1.20260612.1

• #​14298 2a6a26b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260612.1	1.20260615.1

• #​14317 9a424ed Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260615.1	1.20260616.1

• #​14282 ecfdd5a Thanks @​edmundhung! - Fix wrangler dev asset fallback with custom routes

  wrangler dev now applies Workers Assets fallback behavior consistently when routes are configured, including SPA fallback and 404-page handling.

• #​13763 604be26 Thanks @​matingathani! - Show a clear error when deploying a service-worker format Worker with Durable Object migrations or bindings instead of an opaque API error

• #​14240 1fb7ba5 Thanks @​ttoino! - Fix wrangler email sending commands

  The email sending commands previously failed against the Cloudflare API. They now work as expected:

  • email sending enable <domain> enables Email Sending for a domain
  • email sending disable <domain> disables Email Sending for a domain
  • email sending settings <domain> shows the Email Sending configuration for a domain
  • email sending dns get <domain> shows the DNS records to set up for a domain
  • email sending list previously listed zones. It now lists the domains that have Email Sending enabled — every enabled domain across your account by default, or just those under a specific domain when you pass a domain (or --zone-id).

• #​13838 208b3bb Thanks @​matingathani! - Fix unhandled promise rejection when the worker entry point is deleted or moved during wrangler dev hot-reload — now logs a warning and skips the update instead of crashing

• #​14241 8b2ce41 Thanks @​dario-piotrowicz! - Improve error messages for CLI flags, type generation, auth scopes, dev server tunnels, and compatibility flags

  Error messages across several areas now name the exact flags or values involved and suggest how to fix the problem:

  • KV commands (kv key put, kv key get, kv key delete): error messages now include -- prefixes and clear "Missing required option" / "Conflicting options" phrasing instead of the vague "Exactly one of the arguments ... is required".
  • wrangler types --include-env=false --include-runtime=false: the error now names both flags and explains what each does.
  • wrangler login --scopes: invalid scopes are individually identified instead of dumping the entire array.
  • wrangler dev --tunnel --remote: the error now explains why tunnels require local mode and suggests two concrete fixes.
  • Conflicting compatibility flags (nodejs_compat_populate_process_env / nodejs_compat_do_not_populate_process_env, global_navigator / no_global_navigator): errors now name the specific conflicting flags.

• #​14228 3578919 Thanks @​dario-piotrowicz! - Improve Hyperdrive error messages for missing required options

  Error messages thrown when creating or updating a Hyperdrive config with missing individual parameters (e.g. --origin-host, --origin-port, --database, --origin-user, --origin-password, --origin-scheme, --access-client-id/--access-client-secret) now clearly state which option is missing, provide a usage example, and suggest --connection-string as an alternative where applicable.

• #​14304 ee82c76 Thanks @​emily-shen! - Skip resource provisioning for asset-only deployments

  Previously, asset-only deployments would provision resources even when there was no user Worker script. On a subsequent deploy, we would re-attempt provisioning as the previous asset-only upload would/could not be bound to the previously provisioned resource. Provisioning would then error as the resource had already been created, blocking the deploy.

• Updated dependencies [0e055d3, 27db82c, 2a6a26b, 9a424ed, 41f391f]:

  • miniflare@​4.20260616.0

v4.100.0

Compare Source

Minor Changes

• #​14119 2047a32 Thanks @​tahmid-23! - Serve local R2 bucket objects publicly via the dev server

  When running wrangler dev locally, objects in each local R2 binding are now reachable under /cdn-cgi/local/r2/public/<bucket-id>/<key> on the existing dev server, simulating a public bucket. The <bucket-id> is the bucket's bucket_name when set, otherwise its binding. Bindings configured with remote: true are not exposed.

• #​14202 e8561c2 Thanks @​jamesopstad! - Add experimental --x-new-config flag for authoring config in TypeScript

  This is an experimental, opt-in feature. When enabled, wrangler dev, wrangler build, wrangler deploy, wrangler versions upload, and wrangler versions deploy load the Worker's configuration from a cloudflare.config.ts file instead of wrangler.json / wrangler.jsonc / wrangler.toml. Additionally, an optional wrangler.config.ts file can be provided for Wrangler-specific dev/build configuration.

  • cloudflare.config.ts (required) — Worker runtime configuration (bindings, triggers, observability, placement, limits, compatibility, routes, etc.). Authored via defineWorker from wrangler/experimental-config.
  • wrangler.config.ts (optional) — Tooling / bundling / dev-server configuration (noBundle, minify, alias, define, rules, tsconfig, build, dev, assetsDirectory, etc.). Authored via defineWranglerConfig from wrangler/experimental-config.

  Per-environment configuration is via ctx.mode branching inside the function form of either file.

  Example cloudflare.config.ts:

  import { defineWorker, bindings } from "wrangler/experimental-config";
  import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
  
  export default defineWorker((ctx) => ({
  	name: "my-worker",
  	entrypoint,
  	compatibilityDate: "2026-05-18",
  	env: {
  		MY_KV: bindings.kv(),
  		MY_TEXT: bindings.text(`The mode is ${ctx.mode}`),
  	},
  }));

  Example wrangler.config.ts:

  import { defineWranglerConfig } from "wrangler/experimental-config";
  
  export default defineWranglerConfig({
    minify: true,
    assetsDirectory: "./public",
  });

  Because this is experimental, the flag, the config formats, and the wrangler/experimental-config exports may change in any release.

Patch Changes

• #​14185 98c9afe Thanks @​penalosa! - Use the shared env-credential resolver from @cloudflare/workers-auth

  No user-facing behaviour change. Credential resolution order (global API key + email → CLOUDFLARE_API_TOKEN → stored OAuth token) is preserved.

• #​14184 e305126 Thanks @​penalosa! - Add an experimental cf-wrangler delegate entrypoint for projects that can't use @cloudflare/vite-plugin (service workers, old compatibility dates, Python, Rust, etc.).

  cf-wrangler dev starts the same local dev server as wrangler dev — it sits directly on wrangler's internal dev server, so the bundling and runtime behaviour are identical — but exposes a deliberately narrow CLI surface (--mode, --port, --host, --local) for a parent CLI to delegate to, and other dev server config options are read from the wrangler config file.

  This replaces the separate @cloudflare/wrangler-bundler package. This is an internal integration point and is not intended to be run directly by users.

• #​14246 f3990b2 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260609.1	1.20260610.1

• #​14256 4597f08 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260610.1	1.20260611.1

• #​14243 25722ac Thanks @​com6056! - Fix a memory leak that could make long-running headless wrangler dev sessions unresponsive

  Long-running wrangler dev sessions with no DevTools attached (for example using the containers feature under sustained traffic) could gradually consume unbounded memory and eventually stop accepting connections. The inspector proxy now only enables network tracking while a DevTools client is connected, so the buildup no longer happens. Interactive debugging is unaffected. Fixes #​14191.

• #​14230 41f75c0 Thanks @​dario-piotrowicz! - Improve D1 error messages for missing or conflicting options

  Error messages for d1 execute, d1 export, d1 time-travel restore, and d1 insights now clearly state which option is missing or conflicting, explain why the combination is invalid, and suggest how to fix the issue.

  Additionally, duration validation errors in d1 insights are now thrown as UserError instead of plain Error, ensuring they are displayed cleanly to users rather than as unexpected crashes.

• #​14213 10b5538 Thanks @​dario-piotrowicz! - Improve authentication error messages with specific failure reasons

  When authentication fails (e.g. during wrangler dev --remote or when using remote bindings), the error message now explains exactly what went wrong -- whether no credentials were found, the token expired, or the environment is non-interactive -- and lists actionable steps to fix it, including a wrangler whoami tip.

  Previously, auth failures could produce multiple confusing errors (e.g. "Failed to fetch auth token: 400 Bad Request" followed by "Failed to start the remote proxy session"). Now a single, clear error is shown.

• #​14233 818c105 Thanks @​dario-piotrowicz! - Improve R2 Sippy error messages

  Now error messages in wrangler r2 bucket sippy follow a consistent pattern: they describe what is missing, name the exact --flag to use, and provide context (e.g. example values, links to the dashboard). Previously, many errors said only "Error: must provide --flag." with no guidance on what the flag does or how to obtain the value.

• #​14259 2ae6099 Thanks @​emily-shen! - Move worker build step earlier in deploy/upload step, before upload specific config validation

• Updated dependencies [f3990b2, 4597f08, 2047a32]:

  • miniflare@​4.20260611.0

v4.99.0

Compare Source

Minor Changes

• #​14169 0706fbf Thanks @​edmundhung! - Introduce createTestHarness() for integration testing Workers

  It runs Workers in a local preview environment using production build output and works with both Wrangler projects and Workers built by the Cloudflare Vite plugin.

  Use it from any Node.js test runner to send requests to individual Workers, trigger scheduled events, reset the server between tests, and mock outbound requests with libraries that intercept globalThis.fetch(), such as MSW.

  You can also capture structured logs from your Workers with getLogs(), or dump out a diagnostic timeline with debug() when tests fail:

  import { createTestHarness } from "wrangler";
  
  const server = createTestHarness({
    workers: [
      { configPath: "./dist/web_worker/wrangler.json" },
      { configPath: "./dist/api_worker/wrangler.json" },
    ],
  });
  
  await server.listen();
  await server.fetch("http://example.com");
  
  const apiWorker = server.getWorker("api-worker");
  await apiWorker.fetch("http://example.com/users/123");
  await apiWorker.scheduled({ cron: "0 0 * * *" });
  
  server.getLogs();
  
  if (testFailed) {
    server.debug();
  }
  
  await server.reset();
  await server.close();

• #​14174 8cf8c61 Thanks @​oliy! - Surface pipeline status and failure reasons in wrangler pipelines list and wrangler pipelines get

  wrangler pipelines list now includes a Status column, and when any pipelines are in a failed state it prints a summary of each failing pipeline along with the reason reported by the API.

  wrangler pipelines get now shows the pipeline Status in the general details and, for failed pipelines, highlights the failure with the reason returned by the server so it is clear why a pipeline is not running.

• #​14211 a61ac29 Thanks @​james-elicx! - Add --version-tag support to wrangler versions deploy to deploy a version by its tag

  You can now roll out or roll back a version by the tag it was uploaded with (e.g. a commit SHA passed to --tag at upload time) instead of first looking up its Version ID:

  wrangler versions deploy --version-tag <sha>@&#8203;100%

  The tag is resolved to a Version ID against the worker's deployable versions, and the <version-tag>@&#8203;<percentage> shorthand works just like the existing <version-id>@&#8203;<percentage> notation, including splitting traffic across multiple --version-tag values. If a tag matches no deployable version, or matches more than one, the command errors and asks you to deploy by Version ID directly. Note that tags can only be resolved against recent (deployable) versions — older versions that have aged out of that window must still be deployed by Version ID.

Patch Changes

• #​14163 23aecac Thanks @​emily-shen! - Print deploy warnings even in non-interactive contexts when strict mode is off

  Currently, wrangler deploy checks whether the incoming deploy configuration has destructive conflicts with the current configuration. Previously, we only performed this check in interactive contexts, or if the --strict flag was passed in. Now this warning is always printed, and it remains non-blocking in non-interactive contexts.

• #​14173 b932e47 Thanks @​gpanders! - Handle API validation errors from wrangler containers ssh

  Wrangler now lets the Containers API validate SSH instance IDs and preserves raw API error bodies such as INVALID_INSTANCE_ID when reporting validation failures.

• #​14192 d076bcc Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260603.1	1.20260605.1

• #​14217 24497d0 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260605.1	1.20260608.1

• #​14231 4bb572f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260608.1	1.20260609.1

• #​14195 165adb2 Thanks @​dario-piotrowicz! - Show actionable error message when authentication fails during remote dev

  When wrangler dev with remote bindings encountered an authentication error (expired token, revoked OAuth, or invalid API token), the user saw a generic "A request to the Cloudflare API failed" message with no indication that authentication was the problem.

  Now, authentication failures during remote dev display a clear error message with actionable steps.

• #​14034 776098c Thanks @​matingathani! - Fix wrangler types --check reporting types as out of date in multi-worker setups

  Previously, running wrangler types --check -c primary/wrangler.jsonc in a multi-worker project would incorrectly report types as out of date, even when they were current. This happened because the secondary worker config paths (passed via additional -c flags during generation) were not stored in the generated types file header, so --check had no way to resolve the secondary workers' service bindings when verifying the hash.

  The fix stores secondary config paths in the generated file's header comment so that --check can recover them automatically. Users no longer need to re-pass every -c flag when running --check — only the primary config is required.

• #​14053 7993711 Thanks @​fallintoplace! - Prevent delete-only wrangler secret bulk input from creating a new Worker

  Previously, wrangler secret bulk could create a draft Worker when the input only deleted secrets and the target Worker name did not exist. Delete-only bulk secret operations now leave Worker-not-found as an error instead of creating a new Worker.

• #​14055 8923f97 Thanks @​dario-piotrowicz! - Preserve all deployment-affecting CLI flags in the interactive deploy config flow

  When running wrangler deploy without a config file and going through the interactive setup flow, CLI flags beyond --compatibility-flags (such as --routes/--route, --domains/--domain, --triggers, --var, --define, --alias, --jsx-factory, --jsx-fragment, --tsconfig, --minify, --upload-source-maps, --no-bundle, --logpush, --keep-vars, --legacy-env, and --dispatch-namespace) were silently dropped. These flags are now persisted to the generated wrangler.jsonc config file (where a config field equivalent exists) and included in the suggested CLI command when the user declines config file generation.

• #​14196 b205fb7 Thanks @​odiak! - Validate JSON stdin values for wrangler secret bulk

  JSON input piped through stdin now validates that secret values are strings or null before sending them to the API, matching the existing behavior for file input.

• Updated dependencies [d076bcc, 24497d0, 4bb572f, 48c4ff0]:

  • miniflare@​4.20260609.0

v4.98.0

Compare Source

Minor Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Add migrations_pattern to D1 database bindings

  The D1 binding now accepts an optional migrations_pattern field, allowing you to point wrangler d1 migrations apply and wrangler d1 migrations list at migration files in nested layouts (e.g. ORM-generated folders like migrations/0000_init/migration.sql).

  migrations_pattern is a glob (relative to the wrangler config file) and defaults to ${migrations_dir}/*.sql, which preserves today's behaviour. Files that do not match the pattern are not executed.

  {
    "d1_databases": [
      {
        "binding": "DB",
        "database_name": "my-db",
        "database_id": "...",
        "migrations_dir": "migrations",
        "migrations_pattern": "migrations/*/migration.sql"
      }
    ]
  }

  When no migrations match the configured pattern but files matching the common migrations/*/migration.sql (drizzle-style) layout do exist, Wrangler logs a hint suggesting migrations_pattern as an opt-in.

  wrangler d1 migrations create now returns an actionable error if the generated migration filename would not match the configured pattern.

• #​14153 7a6b1a4 Thanks @​dario-piotrowicz! - Generalize wrangler deploy and wrangler versions upload positional argument from [script] to [path]

  Both wrangler deploy and wrangler versions upload now accept a generic [path] positional argument that can point to either a Worker entry-point file or a directory of static assets. The type is auto-detected. For example:

  • File: wrangler deploy ./src/index.ts deploys a Worker (same as before)
  • Directory: wrangler deploy ./public deploys a static assets site (no interactive confirmation prompt)

  The --script named option is now hidden and deprecated for both commands. It continues to work for backwards compatibility but only accepts file paths. Passing a directory to --script now produces a clear error message suggesting the positional path argument or --assets flag instead.

• #​13863 3b8b80a Thanks @​aslakhellesoy! - getPlatformProxy() now passes through workflow bindings that have a script_name

  Workflows without a script_name are still stripped (and warned about) because the engine for an internal workflow can't run inside the empty proxy worker that backs getPlatformProxy(). Workflows with a script_name are handed to miniflare unchanged; miniflare reroutes the engine's USER_WORKFLOW binding through the dev-registry-proxy when the target worker is running in another Miniflare instance — the same mechanism Durable Objects already use.

  This means SvelteKit/Remix (and similar split-process setups) can call platform.env.MY_WORKFLOW.create({ ... }) directly from their server-side request handlers in dev, as long as the workflow class is exposed by another worker registered in the dev registry.

  Closes #​7459.

• #​14164 b502d54 Thanks @​G4brym! - Rename the web_search binding kind to websearch

  Pre-launch rename of the public binding type from web_search to websearch so the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move from web_search / webSearch to websearch.

  Update your wrangler config:

  - "web_search": { "binding": "WEBSEARCH" }
  + "websearch": { "binding": "WEBSEARCH" }

  The runtime WebSearch type exposed on env.WEBSEARCH is unchanged.

Patch Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Restore the D1 executeSql logger level via try/finally

  wrangler d1 execute --json and the internal executeSql helper temporarily lower the global logger to "error" to keep human-readable output out of the JSON payload. Previously the level was restored only on the happy path, so any early return or thrown error left the singleton logger muted, silencing later logger.warn/logger.log output (notably from migration helpers that wrap executeSql and are commonly mocked in tests).

  The level swap is now wrapped in try/finally so it is always restored.

• #​14175 a3eea27 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260601.1	1.20260603.1

• #​14121 7539a9b Thanks @​petebacondarwin! - Extract the OAuth 2.0 + PKCE flow into a new @cloudflare/workers-auth package.

  The OAuth login / logout / refresh logic, the auth-config TOML file IO, the OAuth token exchange + local callback server, and the Cloudflare Access detection helpers that previously lived in packages/wrangler/src/user/ have moved to the new internal-only @cloudflare/workers-auth package. Wrangler now wires the OAuth flow up via a small glue module that injects its logger, browser opener, interactivity detector, and config cache via a dependency- injection context.

  What stays in wrangler:

  • The yargs login / logout / whoami / auth token commands
  • Environment-based credential resolution (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY / CLOUDFLARE_EMAIL, etc.)
  • Cloudflare account selection (requireAuth, getOrSelectAccountId)
  • The OAuth scope catalog (passed into the OAuth flow as a generic string[])
  • whoami / account fetching

  No behavior change for end users. The on-disk TOML format and location remain identical, and all telemetry message labels are preserved verbatim.

  @cloudflare/workers-auth is published with prerelease: true and is not intended for external use — its APIs may change without notice.

• #​14162 0bb2d55 Thanks @​dario-piotrowicz! - In non-interactive mode remove the skills installation message

  When Wrangler run in non interactive mode and it detected agents that it could install skills for, it would print a message such as:

  Cloudflare agent skills are available for: <DETECTED_AGENTS>. Run wrangler in an interactive terminal to install them, or use '--install-skills' to install without prompting.

  This message seems to be confusing and unhelpful so it has now been removed.

• #​14165 8400fb9 Thanks @​NuroDev! - Limit wrangler versions list to the 10 most recent deployable versions

  The versions API ignores pagination when filtering to deployable versions, so Wrangler now caps the command output client-side. This keeps the command aligned with its help text and avoids overwhelming terminal output for Workers with many versions.

• #​14151 7949f81 Thanks @​dario-piotrowicz! - Skip stale bundles during dev server reload to avoid redundant restarts

  When rapidly saving a wrangler config file with remote bindings, each save would trigger a full reload cycle (remote connection setup, miniflare restart), causing many sequential "Reloading local server... / Establishing remote connection..." messages (while blocking the user). The runtime controllers now check whether a newer bundle has been queued at each expensive async boundary and bail out early if the current bundle is stale. This ensures that only the latest config change triggers a reload, making wrangler dev much more responsive during repeated config edits.

• #​14072 d462013 Thanks @​himanshu-cf! - Update wrangler secret bulk command description to reflect create/update/delete capabilities

  The help text for wrangler secret bulk now accurately describes that the command can create, update, or delete multiple secrets in a single request, with up to 100 secrets per command. The file argument description also clarifies that setting a key to null in JSON will delete it, and that deletion is not supported with .env files.

• #​13979 c2280cd Thanks @​matingathani! - Warn when a named environment silently inherits custom_domain routes from the top-level config

  When an env.<name> block does not override routes, it inherits the top-level routes array. If that array contains entries with custom_domain: true, every deploy to the named environment will silently reassign the custom domain away from the top-level Worker and towards the env Worker, causing routing drift. Wrangler now emits a warning in this situation and suggests adding "routes": [] to the env block to prevent inheritance.

• #​14170 ea12b58 Thanks @​petebacondarwin! - Tighten on-disk permissions of the OAuth credentials file to 0600

  The user auth config file written by wrangler login (typically ~/.config/.wrangler/config/default.toml on Linux/macOS, or <environment>.toml for non-production Cloudflare API environments) is now written with mode 0600 and re-chmod-ed on every save. This prevents other local users on shared hosts from reading the stored OAuth tokens. Existing files with looser permissions written by older Wrangler versions are tightened the next time Wrangler refreshes the token or the user logs in again. The change is a no-op on Windows, which does not honour POSIX mode bits.

• #​14022 acf7817 Thanks @​petebacondarwin! - Show the actual OAuth error instead of hanging when wrangler login is rejected by the OAuth provider (for example with invalid_scope).

  Previously, if the OAuth callback returned with an error other than access_denied, Wrangler would never respond to the browser. Because server.close()'s callback only fires once all open connections have ended, the login command would hang until the 120 second OAuth timeout — at which point it would print a generic timeout message rather than the actual OAuth failure. The same gap existed for the case where the OAuth provider redirected back without an authorisation code, and for failures during the auth-code-to-access-token exchange.

  The OAuth provider's error_description (RFC 6749 §4.1.2.1) is now also surfaced, so the message includes the specific reason for the failure rather than just the bare error code. For example, a misconfigured staging scope now surfaces as:

  OAuth error: invalid_scope
    The OAuth 2.0 Client is not allowed to request scope 'browser:write'.
  

  instead of hanging silently.

• Updated dependencies [a3eea27, 1fdd8de, b502d54, 3b8b80a]:

  • miniflare@​4.20260603.0

v4.97.0

Compare Source

Minor Changes

• #​13996 94b29f7 Thanks @​vaishnav-mk! - Add restart-from-step options to wrangler workflows instances restart

  You can now restart a Workflow instance from a specific step using --from-step-name, with optional --from-step-count and --from-step-type disambiguation. These options work for both remote Workflow instances and local wrangler dev --local sessions.

Patch Changes

• #​14141 b210c5e Thanks @​MattieTK! - Add re-authentication hint to account fetch error messages

  When Wrangler fails to automatically retrieve account IDs, the error messages now suggest running wrangler login as a troubleshooting step. This addresses confusion for users who encounter these errors after OAuth system changes or other authentication issues.

• #​14078 aec1bb8 Thanks @​MattieTK! - Bump am-i-vibing from 0.1.1 to 0.4.0

  This updates the agentic environment detection library to the latest version, which includes improved detection coverage for newer AI coding agents.

• #​14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260529.1	1.20260601.1

• #​14027 [9a26191](https://redirect.github.com/cloudflare/workers-sdk/commit/9a26191e1a8c424

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

size-limit report 📦

Path	Size
src/_worker.ts	6.73 KB (0%)