chore(monorepo): update pnpm.catalog.default wrangler to v4.59.1 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
wrangler (source)	4.33.0 → 4.59.1

GitHub Vulnerability Alerts

CVE-2026-0933

Summary

A command injection vulnerability (CWE-78) has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to execute arbitrary commands on the system running Wrangler.

Root cause

The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.

Impact

This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

• Run any shell command.
• Exfiltrate environment variables.
• Compromise the CI runner to install backdoors or modify build artifacts.

Mitigation

• Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
• Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
• Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Credits

Disclosed responsibly by kny4hacker.

---

Release Notes

cloudflare/workers-sdk (wrangler)

v4.59.1

Compare Source

Patch Changes

• #​11889 99b1f32 Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

  Pass user provided values from --commit-hash safely to underlying git command.

v4.59.0

Compare Source

Minor Changes

• #​11852 ad65efa Thanks @​NuroDev! - Add --check flag to wrangler types command

  The new --check flag allows you to verify that your generated types file is up-to-date without regenerating it. This is useful for CI/CD pipelines, pre-commit hooks, or any scenario where you want to ensure types have been committed after configuration changes.

  When types are up-to-date, the command exits with code 0:

  $ wrangler types --check
  ✨ Types at worker-configuration.d.ts are up to date.

  When types are out-of-date, the command exits with code 1:

  $ wrangler types --check
  ✘ [ERROR] Types at worker-configuration.d.ts are out of date. Run `wrangler types` to regenerate.

  You can also use it with a custom output path:

  $ wrangler types ./custom-types.d.ts --check

• #​11529 43d5363 Thanks @​matthewdavidrodgers! - Add ability to enable higher asset count limits for Pages deployments

  Wrangler can now read asset count limits from JWT claims during Pages deployments,
  allowing users to be enabled for higher limits (up to 100,000 assets) on a per-account
  basis. The default limit remains at 20,000 assets.

• #​11755 0f8d69d Thanks @​nikitassharma! - Users can now specify constraints.tiers for their container applications. tier is deprecated in favor of tiers.
  If left unset, we will default to tiers: [1, 2].
  Note that constraints is an experimental feature.

Patch Changes

• #​11820 b0e54b2 Thanks @​MattieTK! - Add AI agent detection to analytics events

  Wrangler now detects when commands are executed by AI coding agents (such as Claude Code, Cursor, GitHub Copilot, etc.) using the am-i-vibing library. This information is included as an agent property in all analytics events, helping Cloudflare understand how developers interact with Wrangler through AI assistants.

  The agent property will contain the agent ID (e.g., "claude-code", "cursor-agent") when detected, or null when running outside an agentic environment.

• #​11494 ed60c4f Thanks @​jalmonter! - Fix scheduled trigger warning showing undefined port

  When running wrangler dev with a worker that has cron triggers, the warning message displayed an invalid URL like curl "http://localhost:undefined/cdn-cgi/handler/scheduled" because the port wasn't yet determined when the warning was logged.

  Moved the warning to after the proxy server is fully ready, where the actual public URL and port are known.

• #​11831 faa5753 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260107.1	1.20260108.0

• #​11844 e574ef3 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260108.0	1.20260109.0

• #​11872 b6148ed Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260109.0	1.20260111.0

• #​11843 ab3859c Thanks @​dario-piotrowicz! - Update the Wrangler autoconfig logic to work with the latest version of Waku

  The latest version of Waku (0.12.5-1.0.0-alpha.1-0) requires a src/waku.server.tsx file instead of a src/server-entry.tsx one, so the Wrangler autoconfig logic (the logic being run as part of wrangler setup and wrangler deploy --x-autoconfig that configures a project to be deployable on Cloudflare) has been updated accordingly.

  Also the way the worker needs to handle static assets has been updated as recommended from the Waku team.

• #​11848 0eb973d Thanks @​petebacondarwin! - Fix incorrect warning about multiple environments when using redirected config

  Previously, when using a redirected config (via configPath in another config file) that originated from a config with multiple environments, wrangler would incorrectly warn about missing environment specification. This fix ensures the warning is only shown when the actual config being used has multiple environments defined, not when the original config did.

• Updated dependencies [ed60c4f, 5c59217, faa5753, e574ef3, b6148ed, beb96af, 5c59217, fc96e5f]:

  • miniflare@​4.20260111.0
  • @​cloudflare/unenv-preset@​2.9.0

v4.58.0

Compare Source

Minor Changes

• #​11728 7d63fa5 Thanks @​NuroDev! - Add command categories to wrangler help menu

  The help output now groups commands by product category (Account, Compute & AI, Storage & Databases, Networking & Security) to match the Cloudflare dashboard organization:

  $ wrangler --help
  
  COMMANDS
    wrangler docs [search..]  📚 Open Wrangler's command documentation in your browser
  
  ACCOUNT
    wrangler auth    🔓 Manage authentication
    wrangler login   🔑 Login to Cloudflare
    ...
  
  COMPUTE & AI
    wrangler ai          🤖 Manage AI models
    wrangler containers  📦 Manage Containers [open beta]
    ...
  

  This improves discoverability by organizing the 20+ wrangler commands into logical groups.

Patch Changes

• #​11822 97e67b9 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260103.0	1.20260107.1

• Updated dependencies [97e67b9]:

  • miniflare@​4.20260107.0

v4.57.0

Compare Source

Minor Changes

• #​11682 b993d95 Thanks @​ascorbic! - Add wrangler auth token command to retrieve your current authentication credentials.

  You can now retrieve your authentication token for use with other tools and scripts:

  wrangler auth token

  The command returns whichever authentication method is currently configured:

  • OAuth token from wrangler login (automatically refreshed if expired)
  • API token from CLOUDFLARE_API_TOKEN environment variable

  Use --json to get structured output including the token type, which also supports API key/email authentication:

  wrangler auth token --json

  This is similar to gh auth token in the GitHub CLI.

• #​11702 f612b46 Thanks @​gpanders! - Add support for trusted_user_ca_keys in Wrangler

  You can now configure SSH trusted user CA keys for containers. Add the following to your wrangler.toml:

  [[containers.trusted_user_ca_keys]]
  public_key = "ssh-ed25519 AAAAC3..."

  This allows you to specify CA public keys that can be used to verify SSH user certificates.

• #​11437 9e360f6 Thanks @​ichernetsky-cf! - Drop deprecated containers observability.logging field

• #​11616 fc95831 Thanks @​NuroDev! - Add type generation support to wrangler dev

  You can now have your worker configuration types be automatically generated when the local Wrangler development server starts.

  To use it you can either:

  1. Add the --types flag when running wrangler dev.
  2. Update your Wrangler configuration file to add the new dev.generate_types boolean property.

  {
  	"$schema": "node_modules/wrangler/config-schema.json",
  	"name": "example",
  	"main": "src/index.ts",
  	"compatibility_date": "2025-12-12",
  	"dev": {
  		"generate_types": true
  	}
  }

• #​11524 b0dbf1a Thanks @​penalosa! - Add hidden CLI flags to wrangler setup for suppressing output

  Two new hidden flags have been added to wrangler setup:

  • --no-completion-message: Suppresses the deployment details message after setup completes
  • --no-install-wrangler: Skips Wrangler installation during project setup

• #​11777 69979a3 Thanks @​MattieTK! - Add analytics properties to secret commands for better usage insights

  Secret commands (wrangler secret put, wrangler secret bulk, and their Pages/versions equivalents) now include additional analytics properties to help understand how secrets are being managed:

  • secretOperation: Whether this is a "single" or "bulk" secret operation
  • secretSource: How the secret was provided ("interactive", "stdin", or "file")
  • secretFormat: For bulk operations, the format used ("json" or "dotenv")
  • hasEnvironment: Whether an environment was specified

  These properties help improve the developer experience by understanding common usage patterns. No sensitive information (secret names, values, or counts) is tracked.

• #​11738 c54f8da Thanks @​jamesopstad! - Add default Text module rule for .sql files.

  This enables importing .sql files directly in Wrangler and the Cloudflare Vite plugin without extra configuration.

• #​11692 df1f9c9 Thanks @​dario-piotrowicz! - Support Waku in autoconfig

• #​11549 d059f69 Thanks @​dario-piotrowicz! - Support Vike in autoconfig

Patch Changes

• #​11683 02fbd22 Thanks @​ascorbic! - Display a warning when authentication errors occur and the account_id in your Wrangler configuration does not match any of your authenticated accounts. This helps identify configuration issues where you may have the wrong account ID set in your wrangler.toml or wrangler.jsonc file.

• #​11704 77078ef Thanks @​dario-piotrowicz! - Fix autoconfig handling of Next.js apps with CJS config files and incompatible Next.js versions

  Previously, wrangler setup and wrangler deploy --x-autoconfig would fail when working with Next.js applications that use CommonJS config files (next.config.cjs) or have versions of Next.js that don't match the required peer dependencies. The autoconfig process now uses dynamic imports and forced installation to handle these scenarios gracefully.

• #​11796 2510723 Thanks @​dario-piotrowicz! - wrangler deploy delegates to opennextjs-cloudflare deploy only when the --x-autoconfig flag is used

  The wrangler deploy command has been updated to delegate to the opennextjs-cloudflare deploy command when run in an open-next project. Once this behavior had been introduced it caused a few issues. So it's been decided to enable it for the time being only when the --x-autoconfig flag is set (since this behavior, although generally valid, is only strictly necessary for the wrangler deploy's autoconfig flow).

• #​11764 9f6dd71 Thanks @​terakoya76! - Fix R2 Data Catalog snapshot-expiration API field names

  The wrangler r2 bucket catalog snapshot-expiration enable command was sending incorrect field names
  to the Cloudflare API, resulting in a 422 Unprocessable Entity error. This fix updates the API request
  body to use the correct field names:

  • olderThanDays -> max_snapshot_age (as duration string, e.g., "30d")
  • retainLast -> min_snapshots_to_keep

  The CLI options (--older-than-days and --retain-last) remain unchanged.

• #​11651 d123ad0 Thanks @​dario-piotrowicz! - Surface a more helpful error message for TOML Date, Date-Time, and Time values in vars

  TOML parses unquoted date/time values like DATE = 2024-01-01 as objects. Previously this would cause an unhelpful error message further down the stack. Now wrangler surfaces a more helpful error message earlier, telling you to quote the value as a string, e.g. DATE = "2024-01-01".

• #​11711 5121b23 Thanks @​southpolesteve! - Show an error when D1 migration commands are run without a configuration file

  Previously, running wrangler d1 migrations apply, wrangler d1 migrations list, or wrangler d1 migrations create in a directory without a Wrangler configuration file would silently exit with no feedback. Now these commands display a clear error message:

  "No configuration file found. Create a wrangler.jsonc file to define your D1 database."

• #​11710 82e7e90 Thanks @​dario-piotrowicz! - Fix arguments passed to wrangler deploy not being forwarded to opennextjs-cloudflare deploy

  wrangler deploy run in an open-next project delegates to opennextjs-cloudflare deploy, as part of this all the arguments passed to wrangler deploy need be forwarded to opennextjs-cloudflare deploy, before the arguments would be lost, now they will be successfully forwarded (for example wrangler deploy --keep-vars will call opennextjs-cloudflare deploy --keep-vars)

• #​10750 4688f59 Thanks @​jacoblearned! - Notify user on local dev server reload.

  When running wrangler dev, the local server suppresses Miniflare's reload messages to prevent duplicate log entries from the proxy and user workers. This update adds a reload complete message so users know their changes were applied, instead of only seeing "Reloading local server...".

• #​11673 b827893 Thanks @​MattieTK! - Breaks out version numbers into sortable number types for analytics logging

• Updated dependencies [65d1850, 1615fce, b2769bf, 554a4df, 8eede3f, 6a05b1c, 62fd118, a7e9f80, eac5cf7]:

  • miniflare@​4.20260103.0
  • @​cloudflare/unenv-preset@​2.8.0

v4.56.0

Compare Source

Minor Changes

• #​11196 171cfd9 Thanks @​emily-shen! - For containers being created in a FedRAMP high environment, registry credentials are encrypted by the container platform.
  Update wrangler to correctly send a request to configure a registry for FedRAMP containers.

• #​11646 472cf72 Thanks @​vovacf201! - feat: add R2 Data Catalog snapshot expiration commands

  Adds new commands to manage automatic snapshot expiration for R2 Data Catalog tables:

  • wrangler r2 bucket catalog snapshot-expiration enable - Enable automatic snapshot expiration
  • wrangler r2 bucket catalog snapshot-expiration disable - Disable automatic snapshot expiration

  Snapshot expiration helps manage storage costs by automatically removing old table snapshots while keeping a minimum number of recent snapshots for recovery purposes.

  Example usage:

  # Enable snapshot expiration for entire catalog (keep 10 snapshots, expire after 5 days)
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket --token $R2_CATALOG_TOKEN --max-age 7200 --min-count 10
  
  # Enable for specific table
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket my-namespace my-table --token $R2_CATALOG_TOKEN --max-age 2880 --min-count 5
  
  # Disable snapshot expiration
  wrangler r2 bucket catalog snapshot-expiration disable my-bucket

Patch Changes

• #​11649 428ae9e Thanks @​ascorbic! - fix: respect TypeScript path aliases when resolving non-JS modules with module rules

  When importing non-JavaScript files (like .graphql, .txt, etc.) using TypeScript path aliases defined in tsconfig.json, Wrangler's module-collection plugin now correctly resolves these imports. Previously, path aliases were only respected for JavaScript/TypeScript files, causing imports like import schema from '~lib/schema.graphql' to fail when using module rules.

• #​11647 c0e249e Thanks @​dario-piotrowicz! - The auto-configuration logic present in wrangler setup and wrangler deploy --x-autoconfig cannot reliably handle Hono projects, so in these cases make sure to properly error saying that automatically configuring such projects is not supported.

• #​11694 3853200 Thanks @​dario-piotrowicz! - fix: improve the open-next detection that wrangler deploy performs to eliminate false positives for non open-next projects

• Updated dependencies [ae1ad22, 737c0f4]:

  • miniflare@​4.20251217.0

v4.55.0

Compare Source

Minor Changes

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Make wrangler deploy run opennextjs-cloudflare deploy when executed in an open-next project

• #​11045 12a63ef Thanks @​edmundhung! - Add an internal unstable_printBindings API for vite plugin integration

• #​11590 7d8d4a6 Thanks @​pombosilva! - Add Workflows send-event to wrangler commands.

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Support Next.js (via OpenNext) projects in autoconfig

Patch Changes

• #​11615 ed42010 Thanks @​elithrar! - Add helpful warning when SSL certificate errors occur due to corporate proxies or VPNs intercepting HTTPS traffic. When errors like "self-signed certificate in certificate chain" are detected, wrangler now displays guidance about installing missing system roots from your corporate proxy vendor.

• #​11641 6b28de1 Thanks @​petebacondarwin! - update command status text and formatting

• #​11578 4201472 Thanks @​gpanders! - Fixup UX papercuts in containers SSH

• #​11550 95d81e1 Thanks @​hiendv! - Fix "TypeError: Body is unusable: Body has already been read" when failing to exchange oauth code because of double response.text().

• Updated dependencies [5d085fb, b75b710, 1e9be12]:

  • miniflare@​4.20251213.0

v4.54.0

Compare Source

Minor Changes

• #​11512 c15e99e Thanks @​emily-shen! - Enable using ctx.exports with containers

  You can now use containers with Durable Objects that are accessed via ctx.exports.

  Now your config file can look something like this:

  {
  	"name": "container-app",
  	"main": "src/index.ts",
  	"compatibility_date": "2025-12-01",
  	"compatibility_flags": ["enable_ctx_exports"], // compat flag needed for now.
  	"containers": [
  		{
  			"image": "./Dockerfile",
  			"class_name": "MyDOClassname",
  			"name": "my-container"
  		},
  	],
  	"migrations": [
  		{
  			"tag": "v1",
  			"new_sqlite_classes": ["MyDOClassname"],
  		},
  	],
  	// no need to declare your durable object binding here
  }
  

  Note that when using ctx.exports, where you previously accessed a Durable Object via something like env.DO, you should now access with ctx.exports.MyDOClassname.

  Refer to the docs for more information on using ctx.exports.

• #​11508 b17797c Thanks @​dario-piotrowicz! - Wrangler will no longer try to add additional configuration to projects using @cloudflare/vite-plugin when deploying or running wrangler setup

• #​11508 b17797c Thanks @​dario-piotrowicz! - When a Vite project is detected, install @cloudflare/vite-plugin

• #​11576 bb47e20 Thanks @​dario-piotrowicz! - Support Analog projects in autoconfig

• #​10582 991760d Thanks @​flakey5! - Add containers ssh command

Patch Changes

• #​11467 235d325 Thanks @​edmundhung! - fix: prevent reporting SQLite error from wrangler d1 execute to Sentry

• #​11414 41103f5 Thanks @​petebacondarwin! - add extra logging to user log-in flow for diagnosing failed login requests

• #​11559 ea6fbec Thanks @​nikitassharma! - Remove image validation for containers on wrangler deploy.

  Internal customers are able to use additional image registries and will run into failures with this validation. Image registry validation will now be handled by the API.

• Updated dependencies [31c162a, bd5f087, c6dd86f]:

  • miniflare@​4.20251210.0

v4.53.0

Compare Source

Minor Changes

• #​11500 af54c63 Thanks @​dario-piotrowicz! - Add new autoconfig_summary field to the deploy output entry

  This change augments wrangler deploy output being printed to WRANGLER_OUTPUT_FILE_DIRECTORY or WRANGLER_OUTPUT_FILE_PATH to also include a new autoconfig_summary field containing the possible summary details for the autoconfig process (the field is undefined if autoconfig didn't run).

  Note: the field is experimental and could change while autoconfig is not GA

• #​11477 9988cc9 Thanks @​ascorbic! - Support Nuxt in autoconfig

• #​11472 ce295bf Thanks @​dario-piotrowicz! - Support Qwik projects in autoconfig

• #​10937 9514c9a Thanks @​ReppCodes! - Add support for "targeted" placement mode with region, host, and hostname fields

  This change adds a new mode to placement configuration. You can specify one of the following fields to target specific external resources for Worker placement:

  • region: Specify a region identifier (e.g., "aws:us-east-1") to target a region from another cloud service provider
  • host: Specify a host with (required) port (e.g., "example.com:8123") to target a TCP service
  • hostname: Specify a hostname (e.g., "example.com") to target an HTTP resource

  These fields are mutually exclusive - only one can be specified at a time.

  Example configuration:

  [placement]
  host = "example.com:8123"

• #​11498 ac861f8 Thanks @​penalosa! - Add React Router support in autoconfig

• #​11506 79d30d4 Thanks @​vicb! - Set the target JS version to ES2024

Patch Changes

• #​11393 45480b1 Thanks @​alsuren! - improved --help text for wrangler d1 subcommands

• #​11523 94c67e8 Thanks @​jamesopstad! - fix: types from @​cloudflare/workers-utils not being exported correctly from Wrangler

• #​11483 f550b62 Thanks @​edmundhung! - stop running npm install with --legacy-peer-deps flag when setting up a project

• Updated dependencies [819e287, 56e78c8, 0aa959a]:

  • @​cloudflare/unenv-preset@​2.7.13
  • miniflare@​4.20251202.1

v4.52.1

Compare Source

Patch Changes

• #​11504 7e80340 Thanks @​dario-piotrowicz! - Fix wrangler deploy failing for new workers containing environment variables or bindings

• Updated dependencies [59534ba]:

  • miniflare@​4.20251202.0

v4.52.0

Compare Source

Minor Changes

• #​11416 abe49d8 Thanks @​dario-piotrowicz! - Remove the wrangler deploy's --x-remote-diff-check experimental flag

  The remote diffing feature has been enabled by default for a while and its functionality is stable, as a result the experimental flag (only available for option-out of the feature right now) has been removed.

• #​11408 f29e699 Thanks @​ascorbic! - Export unstable helpers useful for generating wrangler config

• #​11389 2342d2f Thanks @​dario-piotrowicz! - Improve the wrangler deploy flow to also check for potential overrides of secrets.

  Now when you run wrangler deploy Wrangler will check the remote secrets for your workers for conflicts with the names of the bindings you're about to deploy. If there are conflicts, Wrangler will warn you and ask you for your permission before proceeding.

• #​11375 9a1de61 Thanks @​penalosa! - Support TanStack Start in autoconfig

• #​11360 6b38532 Thanks @​emily-shen! - Containers: Allow users to directly authenticate external image registries in local dev

  Previously, we always queried the API for stored registry credentials and used those to pull images. This means that if you are using an external registry (ECR, dockerhub) then you have to configure registry credentials remotely before running local dev.

  Now you can directly authenticate with your external registry provider (using docker login etc.), and Wrangler or Vite will be able to pull the image specified in the containers.image field in your config file.

  The Cloudflare-managed registry (registry.cloudflare.com) currently still does not work with the Vite plugin.

• #​11009 e4ddbc2 Thanks @​dario-piotrowicz! - Allow users to provide an account_id as part of the WorkerConfigObject they pass to maybeStartOrUpdateRemoteProxySession

• #​11478 2aec2b4 Thanks @​dario-piotrowicz! - Support SolidStart in autoconfig

• #​11330 5a873bb Thanks @​dario-piotrowicz! - Support Angular projects in autoconfig

• #​11449 e7b690b Thanks @​penalosa! - Delegate generation of HTTPS certificates to Miniflare

• #​11448 2b4813b Thanks @​edmundhung! - Bumps esbuild version to 0.27.0

• #​11335 c47ad11 Thanks @​dario-piotrowicz! - Support internal-only undocumented cross_account_grant service binding property

• #​11346 a977701 Thanks @​penalosa! - We're soon going to make backend changes that mean that wrangler dev --remote sessions will no longer have an associated inspector connection. In advance of these backend changes, we've enabled a new wrangler tail-based logging strategy for wrangler dev --remote. For now, you can revert to the previous logging strategy with wrangler dev --remote --no-x-tail-logs, but in future it will not be possible to revert.

  The impact of this will be that logs that were previously available via devtools will now be provided directly to the Wrangler console and it will no longer be possible to interact with the remote Worker via the devtools console.

Patch Changes

• #​11397 b154de2 Thanks @​vicb! - Use more workerd native modules

  Node modules punycode, trace_events, cluster, wasi, and domains will be used when enabled
  via a compatibility flag or by default when the compatibility date is greater or equal to 2025-12-04.

• #​11452 76f0540 Thanks @​penalosa! - Remove uses of eval() from the Wrangler bundle

• #​11284 695fa25 Thanks @​dom96! - Removes duplicate module warnings when vendoring Python packages

• #​11249 504e258 Thanks @​dario-piotrowicz! - fix: Generalize autoconfig wording

  Generalize the autoconfig wording so that when it doesn't specifically mention "deployment" (since it can be run via wrangler setup or the autoconfig programmatic API)

• #​11455 d25f7e2 Thanks @​dario-piotrowicz! - Fix autoconfig using absolute paths for static projects

  Running the experimental autoconfig logic through wrangler setup and wrangler deploy --x-autoconfig on a static project results in absolute paths being used. This is incorrect, especially when such paths are being included in the generated wrangler.jsonc. The changes here fix the autoconfig logic to use paths relative to the project's root instead.

  For example given a project located in /Users/usr/projects/sites/my-static-site, before:

  // wrangler.jsonc at /Users/usr/projects/sites/my-static-site
    {
      "$schema": "node_modules/wrangler/config-schema.json",
      "name": "static",
      "compatibility_date": "2025-11-27",
      "observability": {
        "enabled": true
      },
      "assets": {
        "directory": "/Users/usr/projects/sites/my-static-site/public"
      }
    }

  and after:

  // wrangler.jsonc at /Users/usr/projects/sites/my-static-site
    {
      "$schema": "node_modules/wrangler/config-schema.json",
      "name": "static",
      "compatibility_date": "2025-11-27",
      "observability": {
        "enabled": true
      },
      "assets": {
        "directory": "public"
      }
    }

• #​11484 1cfae2d Thanks @​edmundhung! - Explicitly close FileHandle in wrangler d1 execute to support Node 25

• #​11383 1d685cb Thanks @​dario-piotrowicz! - Fix: ensure that when a remote proxy session creation fails a hard error is surfaced to the user (both in wrangler dev and in the programmatic API).

  When using remote bindings, either with wrangler dev or via startRemoteProxySession/maybeStartOrUpdateRemoteProxySession the remote proxy session necessary to connect to the remote resources can fail to be created, this might happen if for example you try to set a binding with some invalid values such as:

  MY_R2: {
  	type: "r2_bucket",
  	bucket_name: "non-existent", // No bucket called "non-existent" exists
  	remote: true,
  },

  Before this could go undetected and cause unwanted behaviors such as requests handling hanging indefinitely, now wrangler will instead crash (or throw a hard error ion the programmatic API), clearly indicating that something went wrong during the remote session's creation.

• #​11366 edf896d Thanks @​ascorbic! - Use correctly-formatted names when displaying detected framework details

• #​11461 9eaa9e2 Thanks @​dario-piotrowicz! - Update the structure of the configure method of autoconfig frameworks

  Update the signature of the configure function of autoconfig frameworks (AutoconfigDetails#Framework), before they would return a RawConfig object to use to update the project's wrangler config file, now they return an object that includes the RawConfig and that can potentially also hold additional data relevant to the configuration.

• Updated dependencies [2b4813b, b154de2, 5ee3780, 6e63b57, 71ab562, 5e937c1]:

  • miniflare@​4.20251128.0
  • @​cloudflare/unenv-preset@​2.7.12

v4.51.0

Compare Source

Minor Changes

• #​11345 d524e55 Thanks @​penalosa! - Enable experimental support for autoconfig-powered Astro projects

• #​11228 43903a3 Thanks @​petebacondarwin! - Support CLOUDFLARE_ENV environment variable for selecting the active environment

  This change enables users to select the environment for commands such as CLOUDFLARE_ENV=prod wrangler versions upload. The --env command line argument takes precedence.

  The CLOUDFLARE_ENV environment variable is mostly used with the @cloudflare/vite-plugin to select the environment for building the Worker to be deployed. This build also generates a "redirected deploy config" that is flattened to on

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[deepsource-io]

Here's the code health analysis summary for commits 242a5a8..9b1d8e0. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
JavaScript	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​microsoft/​tsdoc-config@​0.18.0
	@​microsoft/​tsdoc@​0.16.0
	@​microsoft/​api-extractor@​7.52.13 ⏵ 7.56.0	-3		+1	+5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/@nx/react@21.5.3 → npm/vite@7.1.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@7.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report