chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
httpxy	^0.3.1 → ^0.5.0
miniflare (source)	^4.20260312.1 → ^4.20260317.2
pnpm (source)	10.32.1 → 10.33.0
srvx (source)	^0.11.12 → ^0.11.13

---

Release Notes

unjs/httpxy (httpxy)

v0.5.0

Compare Source

compare changes

🔥 Performance

• ⚠️ Keep-alive, request body stream and faster proxyFetch (#​124)

🏡 Chore

• Apply automated updates (04aaaba)

⚠️ Breaking Changes

• ⚠️ Keep-alive, request body stream and faster proxyFetch (#​124)

❤️ Contributors

• Pooya Parsa (@​pi0)

v0.4.0

Compare Source

compare changes

🚀 Enhancements

• Http/2 listener support (#​102)
• fetch: Add proxyFetch options for timeout, xfwd, changeOrigin, agent, followRedirects, HTTPS, and path merging (efa9711)

🩹 Fixes

• web-incoming: Close downstream stream when upstream SSE aborts (#​103)
• Handle relative Location URLs in redirect rewriting (#​20, #​104)
• web-outgoing: Handle invalid response header characters gracefully (#​106)
• web-incoming: Remove deprecated req.abort() and req.on("aborted") (#​107)
• web-outgoing: Handle object target in redirect host rewrite (#​108)
• web-incoming: Remove deprecated req.on('aborted') listener (#​110)
• ws: Skip writing to closed socket on non-upgrade response (#​114)
• web-incoming: Guard req.socket access in error handler (#​112)
• web-incoming: Defer pipe until socket connects (#​111)
• server: Catch synchronous exceptions in middleware passes (#​109)
• web-incoming: Emit econnreset on client disconnect (#​115)
• ws: Handle response stream errors on failed WS upgrade (#​116)
• web-outgoing: Include HTTP 303 in redirect location rewriting (#​119)
• web-outgoing: Skip empty header names (#​121)
• ssl: Prevent undefined target values from overwriting ssl options (#​118)
• utils: Preserve target URL query string in path merging (#​117)
• middleware: Do not append duplicate x-forwarded-* header values (#​120)
• web-outgoing: Strip transfer-encoding on 204/304 (#​122)
• web-incoming: Use isSSL regex for consistent https/wss protocol checks (#​123)
• ws: Preserve wss:// protocol and fix error handling in proxyUpgrade (cb01605)

📦 Build

• ⚠️ Esm-only (d65b3f7)

🏡 Chore

• Update deps (743098d)

⚠️ Breaking Changes

• ⚠️ Esm-only (d65b3f7)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Guoyangzhen upgyz@qq.com
• Sukka isukkaw@gmail.com
• Gabor Koos gabor.koos@gmail.com

cloudflare/workers-sdk (miniflare)

v4.20260317.2

Compare Source

Patch Changes

• #​11753 b8f3309 Thanks @​ruifigueira! - Added the following improvements to local Browser Rendering binding in Miniflare:

  • Local Chrome version upgraded to 126.0.6478.182
  • Reciprocate browser websocket close events

• #​12986 5aaaab2 Thanks @​petebacondarwin! - fix: allow mixed d1Databases records containing both string and object entries

  Previously, passing a d1Databases config that mixed plain string values and object entries (e.g. { MY_DB: "db-name", OTHER_DB: { id: "...", remoteProxyConnectionString: ... } }) would cause Miniflare to throw an error. Both forms are now accepted and normalised correctly.

• #​12986 5aaaab2 Thanks @​petebacondarwin! - fix: allow mixed kvNamespaces records containing both string and object entries

  Previously, passing a kvNamespaces config that mixed plain string values and object entries (e.g. { MY_NS: "ns-name", OTHER_NS: { id: "...", remoteProxyConnectionString: ... } }) would cause Miniflare to throw an error. Both forms are now accepted and normalised correctly.

• #​12987 f8516dd Thanks @​petebacondarwin! - fix: allow mixed pipelines records containing both string and object entries

  Previously, passing a pipelines config that mixed plain string values and object entries (e.g. { MY_PIPELINE: "pipeline-name", OTHER_PIPELINE: { pipeline: "...", remoteProxyConnectionString: ... } }) would cause Miniflare to throw an error. Both forms are now accepted and normalised correctly.

• #​12952 9c9fe30 Thanks @​petebacondarwin! - fix: allow mixed r2Buckets records containing both string and object entries

  Previously, passing an r2Buckets config that mixed plain string values and object entries (e.g. { MY_BUCKET: "bucket-name", OTHER_BUCKET: { ... } }) would cause Miniflare to throw an error. Both forms are now accepted and normalised correctly.

• #​13015 6a6449e Thanks @​petebacondarwin! - fix: disable undici Pool request timeouts for local dev

  Miniflare's undici Pool instances were using the default headersTimeout and bodyTimeout of 300 seconds (5 minutes). Any request taking longer than that — streaming responses, large uploads, long-polling, or compute-heavy Workers — would be silently killed with a "request failed" error.

  Setting both timeouts to 0 disables them entirely, which is the correct behaviour for a local development tool where there is no reason to enforce request timeouts.

v4.20260317.1

Compare Source

Minor Changes

• #​12972 cb71403 Thanks @​NuroDev! - Add worker filtering to the local explorer UI

  When multiple workers share a dev registry, all their bindings were previously shown together in a single flat list. The explorer now shows a worker selector dropdown, letting you inspect each worker's bindings independently.

  The selected worker is reflected in the URL as a ?worker= search param, so deep links work correctly. By default the explorer selects the worker that is hosting the dashboard itself.

• #​12888 3a1c149 Thanks @​emily-shen! - Add R2 support to the local explorer.

  The local explorer now supports the following:

  • Viewing, modifying & deleting objects
  • Uploading files
  • Creating directories / prefixes

  Note: The local explorer is an experimental WIP feature that is now enabled by default. This can still be opt-ed out of by using X_LOCAL_EXPLORER=false to disable it.

• #​12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

  Note: this feature is still experimental, and can be disabled by setting the env var X_LOCAL_EXPLORER=false.

• #​12881 8729f3d Thanks @​pombosilva! - Workflow instances now support pause, resume, restart, and terminate in local dev.

  const instance = await env.MY_WORKFLOW.create({
    id: "my-instance",
  });
  
  await instance.pause(); // pauses after the current step completes
  await instance.resume(); // resumes from where it left off
  await instance.restart(); // restarts the workflow from the beginning
  await instance.terminate(); // terminates the workflow immediately

Patch Changes

• #​12960 3c988e2 Thanks @​penalosa! - Exclude metadata.sqlite when listing Durable Object instances

  An upcoming version of workerd stores per-namespace alarm metadata in a metadata.sqlite file alongside per-actor .sqlite files. The local explorer's DO object listing was treating this file as a Durable Object instance, inflating counts and breaking pagination. This file is now filtered out.

v4.20260317.0

Compare Source

Patch Changes

• #​12927 c9b3184 Thanks @​penalosa! - Bump undici from 7.18.2 to 7.24.4

• #​12875 13df6c7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260312.1	1.20260316.1

• #​12935 df0d112 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260316.1	1.20260317.1

• #​12928 81ee98e Thanks @​petebacondarwin! - Migrate chrome-devtools-patches deployment from Cloudflare Pages to Workers + Assets

  The DevTools frontend is now deployed as a Cloudflare Workers + Assets project instead of a Cloudflare Pages project. This uses wrangler deploy for production deployments and wrangler versions upload for PR preview deployments.

  The inspector proxy origin allowlists in both wrangler and miniflare have been updated to accept connections from the new workers.dev domain patterns, while retaining the legacy pages.dev patterns for backward compatibility.

pnpm/pnpm (pnpm)

v10.33.0

Compare Source

h3js/srvx (srvx)

v0.11.13

Compare Source

compare changes

🩹 Fixes

• url: Deopt absolute URIs in FastURL (de0d699)

🏡 Chore

• Update deps (4e6ace6)
• Update deps (6a72a00)
• Fix type issue (ed8cc2b)
• Apply automated updates (7375fed)
• Update deps (8f4bc4f)

❤️ Contributors

• Pooya Parsa (@​pi0)

---

Configuration

📅 Schedule: Branch creation - "after 2am and before 3am" (UTC), Automerge - "after 1am and before 2am" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.