Version Packages

[workers-devprod]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

miniflare@4.20260307.0

Minor Changes

• #12754 e4d9510 Thanks @emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12790 5451a7f Thanks @petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities

  Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.

• #12795 82cc2a8 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #12811 3c67c2a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260306.1	1.20260307.1

• #12786 a7c87d1 Thanks @emily-shen! - local explorer: validate origin and host headers

  The local explorer is a WIP experimental feature.

wrangler@4.72.0

Minor Changes

• #12746 211d75d Thanks @NuroDev! - Add support for inheritable bindings in type generation

  When using wrangler types with multiple environments, bindings from inheritable config properties (like assets) are now correctly inherited from the top-level config in all named environments. Previously, if you defined assets.binding at the top level with named environments, the binding would be marked as optional in the generated Env type because the type generation didn't account for inheritance.

  Example:

  {
  	"assets": {
  		"binding": "ASSETS",
  		"directory": "./public"
  	},
  	"env": {
  		"staging": {},
  		"production": {}
  	}
  }

  Before this change, ASSETS would be typed as ASSETS?: Fetcher (optional). Now, ASSETS is correctly typed as ASSETS: Fetcher (required). This fix currently applies to the assets binding, with an extensible mechanism to support additional inheritable bindings in the future.

Patch Changes

• #12790 5451a7f Thanks @petebacondarwin! - Bump node-forge to ^1.3.2 to address security vulnerabilities

  node-forge had ASN.1 unbounded recursion, OID integer truncation, and ASN.1 validator desynchronization vulnerabilities. This is a bundled dependency used for local HTTPS certificate handling.

• #12795 82cc2a8 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260301.1	1.20260306.1

• #12811 3c67c2a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260306.1	1.20260307.1

• #12808 6ed249b Thanks @MaxwellCalkin! - Fix wrangler d1 execute --json returning "null" (string) instead of null (JSON null) for SQL NULL values

  When using wrangler d1 execute --json with local execution, SQL NULL values were incorrectly serialized as the string "null" instead of JSON null. This produced invalid JSON output that violated RFC 4627. The fix removes the explicit null-to-string conversion so NULL values are preserved as proper JSON null in the output.

• Updated dependencies [5451a7f, 82cc2a8, 3c67c2a, a7c87d1, e4d9510]:

  • miniflare@4.20260307.0

create-cloudflare@2.64.6

Patch Changes

• #12790 5451a7f Thanks @petebacondarwin! - Bump glob to ^10.5.0 to address command injection vulnerability in glob CLI

• #12787 d6d75a7 Thanks @petebacondarwin! - Bump create-qwik from 1.19.0 to 1.19.1

  This update fixes an upstream issue where create-qwik installed @eslint/js at "latest", which resolved to v10 and conflicted with the project's eslint 9.x.

@cloudflare/pages-shared@0.13.113

Patch Changes

• #12790 5451a7f Thanks @petebacondarwin! - Bump glob to ^10.5.0 to address command injection vulnerability in glob CLI

• Updated dependencies [5451a7f, 82cc2a8, 3c67c2a, a7c87d1, e4d9510]:

  • miniflare@4.20260307.0

@cloudflare/vite-plugin@1.26.2

Patch Changes

• Updated dependencies [5451a7f, 5451a7f, 82cc2a8, 3c67c2a, 211d75d, 6ed249b, a7c87d1, e4d9510]:
  • miniflare@4.20260307.0
  • wrangler@4.72.0

@cloudflare/vitest-pool-workers@0.12.21

Patch Changes

• #12790 5451a7f Thanks @petebacondarwin! - Bump devalue to ^5.6.3 to address security vulnerabilities

  Devalue had denial of service and prototype pollution vulnerabilities. This is a bundled dependency.

• Updated dependencies [5451a7f, 5451a7f, 82cc2a8, 3c67c2a, 211d75d, 6ed249b, a7c87d1, e4d9510]:

  • miniflare@4.20260307.0
  • wrangler@4.72.0

@cloudflare/local-explorer-ui@0.8.0

Minor Changes

• #12754 e4d9510 Thanks @emily-shen! - Add cross-process support to the local explorer

  When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.

Patch Changes

• #12779 b2f8b47 Thanks @NuroDev! - Refactors KV & sidebar to use route loaders.

  This change improves the user experience of the Local Explorer dashboard by ensuring that the data used for the initial render is fetched server-side and passed down to the client. This avoids the initial flicker when loading in. Both D1 & Durable Object routes already incorporate this system.

@cloudflare/format-errors@0.0.7

Patch Changes

• #12756 c7d0d18 Thanks @petebacondarwin! - Fix error formatting to reliably return fallback responses on failure

  Previously, if something went wrong while formatting a pretty error page, the failure could go unhandled, resulting in no response being returned to the user. Now, errors during formatting are properly caught, ensuring users always receive a 500 JSON fallback response.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[github-actions]

⚠️ Issues found

Changeset Review

Reviewed files

File	Package(s)	Type	Status
bump-vulnerable-deps-create-cloudflare.md	create-cloudflare	patch	✅ (skipped per rules)
bump-vulnerable-deps-miniflare.md	miniflare	patch	✅
bump-vulnerable-deps-pages-shared.md	@cloudflare/pages-shared	patch	✅
bump-vulnerable-deps-vitest-pool-workers.md	@cloudflare/vitest-pool-workers	patch	✅
bump-vulnerable-deps-wrangler.md	wrangler	patch	✅
dependabot-update-12795.md	miniflare, wrangler	patch	✅
dependabot-update-12811.md	miniflare, wrangler	patch	✅
evil-rivers-draw.md	wrangler	minor	✅
fix-d1-json-null-values.md	wrangler	patch	✅
fix-format-errors-missing-await.md	@cloudflare/format-errors	patch	✅
local-explorer-cors.md	miniflare	patch	⚠️
reenable-qwik-tests.md	create-cloudflare	patch	✅ (skipped per rules)
thirty-mammals-live.md	@cloudflare/local-explorer-ui	patch	✅
tidy-hairs-notice.md	@cloudflare/local-explorer-ui, miniflare	minor	⚠️

---

Issues

local-explorer-cors.md — Insufficient description

The changeset body only says "The local explorer is a WIP experimental feature." This does not describe what changed or why. The title ("local explorer: validate origin and host headers") contains the actual change but the body adds no meaningful context: what vulnerability or bug prompted origin/host validation? What is the user impact? Per the README, a body should explain the reason for the change and anything notable about the approach.

Additionally, since this is described as an experimental feature, the changeset should note how users can opt in (per the guidelines: "When adding or changing experimental features, call this out explicitly in the changeset description").

Suggested fix: Expand the body to explain what problem origin/host header validation addresses (e.g., CORS security hardening), and include a note on how to enable the local explorer if it is opt-in.

---

tidy-hairs-notice.md — Missing opt-in information for experimental feature

This changeset adds cross-process support to the local explorer, which is a WIP/experimental feature (as acknowledged in local-explorer-cors.md). Per the guidelines:

When adding or changing experimental features, call this out explicitly in the changeset description.

The changeset does not mention that the local explorer is experimental, nor does it explain how users can opt in to this feature.

Suggested fix: Add a note that the local explorer is an experimental feature and describe how users enable it.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@12789

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12789

miniflare

npm i https://pkg.pr.new/miniflare@12789

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@12789

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@12789

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@12789

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12789

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12789

wrangler

npm i https://pkg.pr.new/wrangler@12789

commit: 3cb77ce

[emily-shen]

/bonk hello

[ask-bonk]

This is a "Version Packages" PR automatically generated by the Changesets release GitHub action. There's a review comment noting a minor wording issue in one changeset (thirty-mammals-live.md) where the title uses "Refactors" (non-imperative) instead of "Refactor" (imperative). However, since this changeset has already been consumed and deleted as part of the version bump, and the wording has been propagated into the CHANGELOG, the issue is cosmetic and already baked into the release notes.

No code changes to make here -- this PR is purely automated version bumps and changelog entries. Everything looks correct.

github run