Update dependency wrangler to v2.20.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wrangler (source)	2.13.0 -> 2.20.2

GitHub Vulnerability Alerts

CVE-2023-3348

Impact

The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher.
Wrangler3: Upgrade to v3.1.1 or higher.

References

Workers SDK on Github
Wrangler docs
CVE-2023-3348

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

• https://github.com/cloudflare/workers-sdk/issues/4430
• https://github.com/cloudflare/workers-sdk/pull/4437
• https://github.com/cloudflare/workers-sdk/pull/4535
• https://github.com/cloudflare/workers-sdk/pull/4550

---

Release Notes

cloudflare/workers-sdk (wrangler)

v2.20.2

Compare Source

Patch Changes

• #​4609 c228c912 Thanks @​mrbbot! - fix: pin workerd to 1.20230404.0

• #​4587 49a46960 Thanks @​mrbbot! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces

• #​4587 49a46960 Thanks @​mrbbot! - fix: validate Host and Orgin headers where appropriate

  Host and Origin headers are now checked when connecting to the inspector proxy. If these don't match what's expected, the request will fail.

v2.20.1

Compare Source

Patch Changes

• #​3820 546c2319 Thanks @​GregBrimble! - fix: Prevent wrangler pages dev from serving asset files outside of the build output directory

v2.20.0

Compare Source

Minor Changes

• #​2966 e351afcf Thanks @​GregBrimble! - feat: Add support for the undocumented _worker.js/ directory in Pages

• #​3095 133c0423 Thanks @​zebp! - feat: add support for placement in wrangler config

  Allows a placement object in the wrangler config with a mode of off or smart to configure Smart placement. Enabling Smart Placement can be done in your wrangler.toml like:

  [placement]
  mode = "smart"

• #​3140 5fd080c8 Thanks @​penalosa! - feat: Support sourcemaps in DevTools

  Intercept requests from DevTools in Wrangler to inject sourcemaps and enable folders in the Sources Panel of DevTools. When errors are thrown in your Worker, DevTools should now show your source file in the Sources panel, rather than Wrangler's bundled output.

Patch Changes

• #​2912 5079f476 Thanks @​petebacondarwin! - fix: do not render "value of stdout.lastframe() is undefined" if the output is an empty string

  Fixes #​2907

• #​3133 d0788008 Thanks @​dario-piotrowicz! - fix pages building not taking into account the nodejs_compat flag (and improve the related error message)

• #​3146 5b234cfd Thanks @​jspspike! - Added output for tail being in "sampling mode"

v2.19.0

Compare Source

Minor Changes

• #​3091 c32f514c Thanks @​edevil! - Added initial commands for integrating with Constellation AI.

v2.18.0

Compare Source

Minor Changes

• #​3098 8818f551 Thanks @​mrbbot! - fix: improve Workers Sites asset upload reliability

  • Wrangler no longer buffers all assets into memory before uploading. This should prevent out-of-memory errors when publishing sites with many large files.
  • Wrangler now limits the number of in-flight asset upload requests to 5, fixing the Too many bulk operations already in progress error.
  • Wrangler now correctly logs upload progress. Previously, the reported percentage was per upload request group, not across all assets.
  • Wrangler no longer logs all assets to the console by default. Instead, it will just log the first 100. The rest can be shown by setting the WRANGLER_LOG=debug environment variable. A splash of colour has also been added.

v2.17.0

Compare Source

Minor Changes

• #​3004 6d5000a7 Thanks @​rozenmd! - feat: teach wrangler docs to use algolia search index

  This PR lets you search Cloudflare's entire docs via wrangler docs [search term here].

  By default, if the search fails to find what you're looking for, you'll get an error like this:

  ✘ [ERROR] Could not find docs for: <search term goes here>. Please try again with another search term.
  

  If you provide the --yes or -y flag, wrangler will open the docs to https://developers.cloudflare.com/workers/wrangler/commands/, even if the search fails.

v2.16.0

Compare Source

Minor Changes

• #​3058 1bd50f56 Thanks @​mrbbot! - chore: upgrade miniflare@3 to 3.0.0-next.13

  Notably, this adds native support for Windows to wrangler dev --experimental-local, logging for incoming requests, and support for a bunch of newer R2 features.

Patch Changes

• #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable persistence without --persist in --experimental-local

  This ensures --experimental-local doesn't persist data on the file-system, unless the --persist flag is set.
  Data is still always persisted between reloads.

• #​3055 5f48c405 Thanks @​rozenmd! - fix: Teach D1 commands to read auth configuration from wrangler.toml

  This PR fixes a bug in how D1 handles a user's accounts. We've updated the D1 commands to read from config (typically via wrangler.toml) before trying to run commands. This means if an account_id is defined in config, we'll use that instead of erroring out when there are multiple accounts to pick from.

  Fixes #​3046

• #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable route validation when using --experimental-local

  This ensures wrangler dev --experimental-local doesn't require a login or an internet connection if a route is configured.

v2.15.1

Compare Source

Patch Changes

• #​2783 4c55baf9 Thanks @​GregBrimble! - feat: Add **/*.wasm?module as default module rule (alias of **/*.wasm)

• #​2989 86e942bb Thanks @​GregBrimble! - fix: Durable Object proxying websockets over local dev registry

v2.15.0

Compare Source

Minor Changes

• #​2769 0a779904 Thanks @​penalosa! - feature: Support modules with --no-bundle

  When the --no-bundle flag is set, Wrangler now has support for uploading additional modules alongside the entrypoint. This will allow modules to be imported at runtime on Cloudflare's Edge. This respects Wrangler's module rules configuration, which means that only imports of non-JS modules will trigger an upload by default. For instance, the following code will now work with --no-bundle (assuming the example.wasm file exists at the correct path):

  // index.js
  import wasm from './example.wasm'
  
  export default {
    async fetch() {
      await WebAssembly.instantiate(wasm, ...)
      ...
    }
  }

  For JS modules, it's necessary to specify an additional module rule (or rules) in your wrangler.toml to configure your modules as ES modules or Common JS modules. For instance, to upload additional JavaScript files as ES modules, add the following module rule to your wrangler.toml, which tells Wrangler that all **/*.js files are ES modules.

  rules = [
    { type = "ESModule", globs = ["**/*.js"]},
  ]

  If you have Common JS modules, you'd configure Wrangler with a CommonJS rule (the following rule tells Wrangler that all .cjs files are Common JS modules):

  rules = [
    { type = "CommonJS", globs = ["**/*.cjs"]},
  ]

  In most projects, adding a single rule will be sufficient. However, for advanced usecases where you're mixing ES modules and Common JS modules, you'll need to use multiple rule definitions. For instance, the following set of rules will match all .mjs files as ES modules, all .cjs files as Common JS modules, and the nested/say-hello.js file as Common JS.

  rules = [
    { type = "CommonJS", globs = ["nested/say-hello.js", "**/*.cjs"]},
    { type = "ESModule", globs = ["**/*.mjs"]}
  ]

  If multiple rules overlap, Wrangler will log a warning about the duplicate rules, and will discard additional rules that matches a module. For example, the following rule configuration classifies dep.js as both a Common JS module and an ES module:

  rules = [
    { type = "CommonJS", globs = ["dep.js"]},
    { type = "ESModule", globs = ["dep.js"]}
  ]

  Wrangler will treat dep.js as a Common JS module, since that was the first rule that matched, and will log the following warning:

  ▲ [WARNING] Ignoring duplicate module: dep.js (esm)
  

  This also adds a new configuration option to wrangler.toml: base_dir. Defaulting to the directory of your Worker's main entrypoint, this tells Wrangler where your additional modules are located, and determines the module paths against which your module rule globs are matched.

  For instance, given the following directory structure:

  - wrangler.toml
  - src/
    - index.html
    - vendor/
      - dependency.js
    - js/
      - index.js
  

  If your wrangler.toml had main = "src/js/index.js", you would need to set base_dir = "src" in order to be able to import src/vendor/dependency.js and src/index.html from src/js/index.js.

Patch Changes

• #​2957 084b2c58 Thanks @​esimons! - fix: Respect querystring params when calling .fetch on a worker instantiated with unstable_dev

  Previously, querystring params would be stripped, causing issues for test cases that depended on them. For example, given the following worker script:

  export default {
  	fetch(req) {
  		const url = new URL(req.url);
  		const name = url.searchParams.get("name");
  		return new Response("Hello, " + name);
  	},
  };

  would fail the following test case:

  const worker = await unstable_dev("script.js");
  const res = await worker.fetch("http://worker?name=Walshy");
  const text = await res.text();
  // Following fails, as returned text is 'Hello, null'
  expect(text).toBe("Hello, Walshy");

• #​2840 e311bbbf Thanks @​mrbbot! - fix: make WRANGLER_LOG case-insensitive, warn on unexpected values, and fallback to log if invalid

  Previously, levels set via the WRANGLER_LOG environment-variable were case-sensitive.
  If an unexpected level was set, Wrangler would fallback to none, hiding all logs.
  The fallback has now been switched to log, and lenient case-insensitive matching is used when setting the level.

• #​2044 eebad0d9 Thanks @​kuba-orlik! - fix: allow programmatic dev workers to be stopped and started in a single session

• #​2735 3f7a75cc Thanks @​JacobMGEvans! - Fix: Generate Remote URL
  Previous URL was pointing to the old cloudflare/templates repo,
  updated the URL to point to templates in the workers-sdk monorepo.

v2.14.0

Compare Source

Minor Changes

• #​2942 dc1465ea Thanks @​mrbbot! - chore: upgrade miniflare to 2.13.0

• #​2914 9af1a640 Thanks @​edevil! - feat: add support for send email bindings

  Support send email bindings in order to send emails from a worker. There
  are three types of bindings:

  • Unrestricted: can send email to any verified destination address.
  • Restricted: can only send email to the supplied destination address (which
    does not need to be specified when sending the email but also needs to be a
    verified destination address).
  • Allowlist: can only send email to the supplied list of verified destination
    addresses.

Patch Changes

• #​2931 5f6c4c0c Thanks @​Skye-31! - Fix: Pages Dev incorrectly allowing people to turn off local mode

  Local mode is not currently supported in Pages Dev, and errors when people attempt to use it. Previously, wrangler hid the "toggle local mode" button when using Pages dev, but this got broken somewhere along the line.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 91c3935

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

💥 An error occurred when fetching the changed packages and changesets in this PR

Some errors occurred when validating the changesets config:
The package or glob expression "api" is specified in the `ignore` option but it is not found in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
turbo	1.9.3...1.11.2	None	+0/-0	41.3 kB	turbobot
wrangler	2.13.0...2.20.2	None	+1/-1	9.1 MB	wrangler-publisher