[pull] main from cloudflare:main

.github/dependabot.yml

@@ -10,6 +10,10 @@ updates:
       day: "sunday"
       time: "06:00"
     versioning-strategy: increase
+    # Match the 24h minimumReleaseAge enforced by pnpm in pnpm-workspace.yaml
+    # so Dependabot doesn't open PRs that CI will then reject.
+    cooldown:
+      default-days: 1
     # the following is used to add the [C3] prefix to the PR title,
     # we override the commit message but setting a prefix like this
     # makes it so that also the PR title gets such prefix

.github/workflows/dependabot-auto-merge.yml

@@ -45,13 +45,16 @@ jobs:
         if: steps.meta.outputs.dependency-group == 'workerd-and-workers-types'
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
 
-          # Pull commits and changed files via the GitHub API.
-          commits_json=$(gh pr view "$PR_NUMBER" --json commits)
-          files_json=$(gh pr view "$PR_NUMBER" --json files)
+          # Pull commits and changed files via the GitHub API. `--repo` is
+          # required because this workflow runs without `actions/checkout`,
+          # so `gh` has no git remote to infer the repo from.
+          commits_json=$(gh pr view --repo "$REPO" "$PR_NUMBER" --json commits)
+          files_json=$(gh pr view --repo "$REPO" "$PR_NUMBER" --json files)
 
           fail() {
             echo "verified=false" >> "$GITHUB_OUTPUT"
@@ -83,7 +86,7 @@ jobs:
 
           # `gh pr view --json commits` doesn't expose signature info, so look
           # it up via the REST commit endpoint.
-          first_verified=$(gh api "repos/${{ github.repository }}/commits/$first_oid" --jq '.commit.verification.verified')
+          first_verified=$(gh api "repos/$REPO/commits/$first_oid" --jq '.commit.verification.verified')
           if [ "$first_verified" != "true" ]; then
             fail "first commit (Dependabot) does not have a verified signature"
           fi

packages/cli/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @cloudflare/cli
 
+## 0.1.4
+
+### Patch Changes
+
+- Updated dependencies [[`90092c0`](https://github.com/cloudflare/workers-sdk/commit/90092c0bca526e2e08a25fe7969534426eb6fd9f)]:
+  - @cloudflare/workers-utils@0.21.1
+
 ## 0.1.3
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cloudflare/cli-shared-helpers",
-	"version": "0.1.3",
+	"version": "0.1.4",
 	"description": "Internal shared CLI helpers for workers-sdk. Not intended for external use — APIs may change without notice.",
 	"keywords": [
 		"cli",

packages/miniflare/CHANGELOG.md

@@ -1,5 +1,21 @@
 # miniflare
 
+## 4.20260521.0
+
+### Patch Changes
+
+- [#13993](https://github.com/cloudflare/workers-sdk/pull/13993) [`0733688`](https://github.com/cloudflare/workers-sdk/commit/07336888e0bc82925e4023f5b72a0062f10d77b8) Thanks [@dependabot](https://github.com/apps/dependabot)! - Update dependencies of "miniflare", "wrangler"
+
+  The following dependency versions have been updated:
+
+  | Dependency | From         | To           |
+  | ---------- | ------------ | ------------ |
+  | workerd    | 1.20260520.1 | 1.20260521.1 |
+
+- [#13999](https://github.com/cloudflare/workers-sdk/pull/13999) [`30657e1`](https://github.com/cloudflare/workers-sdk/commit/30657e1db097135d97209c3ae0cc623fc66827b9) Thanks [@edmundhung](https://github.com/edmundhung)! - Fix TCP requests failing when `outboundService` is configured
+
+  Workers using `outboundService` can now open TCP connections with `cloudflare:sockets`. Previously, TCP requests could throw an error when a custom outbound service was configured.
+
 ## 4.20260520.0
 
 ### Patch Changes

packages/miniflare/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "miniflare",
-	"version": "4.20260520.0",
+	"version": "4.20260521.0",
 	"description": "Fun, full-featured, fully-local simulator for Cloudflare Workers",
 	"keywords": [
 		"cloudflare",

packages/mock-npm-registry/src/index.ts

@@ -76,6 +76,24 @@ export async function startMockNpmRegistry(...targetPackages: string[]) {
 		"npm_config_registry",
 		`http://localhost:${registryPort}`
 	);
+	// `pnpm run` exports `npm_config_minimum_release_age` from the workspace
+	// pnpm-workspace.yaml to subprocess env vars, but does NOT export the
+	// matching `minimumReleaseAgeExclude` array. Tests using this mock registry
+	// install freshly-published first-party packages, so the 24h cooldown would
+	// reject them. Set the exclude list as a comma-separated env var so the
+	// constraint still applies to other (third-party) deps pulled via uplinks.
+	const revert_npm_config_minimum_release_age_exclude = overrideProcessEnv(
+		"npm_config_minimum_release_age_exclude",
+		[
+			...pkgs.keys(),
+			// workerd and @cloudflare/workers-types are pulled in transitively
+			// (e.g. via miniflare) and may have been bumped same-day. Keep this
+			// list in sync with `minimumReleaseAgeExclude` in pnpm-workspace.yaml.
+			"workerd",
+			"@cloudflare/workerd-*",
+			"@cloudflare/workers-types",
+		].join(",")
+	);
 
 	if (debugLog.enabled) {
 		debugLog("Updated");
@@ -105,6 +123,7 @@ export async function startMockNpmRegistry(...targetPackages: string[]) {
 		revert_NPM_CONFIG_USERCONFIG();
 		revert_npm_config_registry();
 		revert_npm_config_userconfig();
+		revert_npm_config_minimum_release_age_exclude();
 		if (debugLog.enabled) {
 			debugLog("After");
 			debugLog(execSync("pnpm config list", { encoding: "utf8" }));

packages/pages-shared/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @cloudflare/pages-shared
 
+## 0.13.139
+
+### Patch Changes
+
+- Updated dependencies [[`0733688`](https://github.com/cloudflare/workers-sdk/commit/07336888e0bc82925e4023f5b72a0062f10d77b8), [`30657e1`](https://github.com/cloudflare/workers-sdk/commit/30657e1db097135d97209c3ae0cc623fc66827b9)]:
+  - miniflare@4.20260521.0
+
 ## 0.13.138
 
 ### Patch Changes

packages/pages-shared/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cloudflare/pages-shared",
-	"version": "0.13.138",
+	"version": "0.13.139",
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/cloudflare/workers-sdk.git",

packages/vite-plugin-cloudflare/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @cloudflare/vite-plugin
 
+## 1.38.0
+
+### Minor Changes
+
+- [#13989](https://github.com/cloudflare/workers-sdk/pull/13989) [`f598eac`](https://github.com/cloudflare/workers-sdk/commit/f598eac72bcdf838ba890bcbd100e99ee8fac17f) Thanks [@MattieTK](https://github.com/MattieTK)! - Print a QR code alongside the tunnel URL when sharing via Cloudflare Tunnel
+
+  When a tunnel is started (via `wrangler dev --tunnel` or the Vite plugin with `tunnel: true`), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.
+
+  The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.
+
+### Patch Changes
+
+- Updated dependencies [[`52e9082`](https://github.com/cloudflare/workers-sdk/commit/52e9082e32d7bffaeca92f27ab472b56964ba2bb), [`0733688`](https://github.com/cloudflare/workers-sdk/commit/07336888e0bc82925e4023f5b72a0062f10d77b8), [`fc1f7b9`](https://github.com/cloudflare/workers-sdk/commit/fc1f7b977908b78a4379d1d7b261ca7c69022ba3), [`30657e1`](https://github.com/cloudflare/workers-sdk/commit/30657e1db097135d97209c3ae0cc623fc66827b9), [`8c569c6`](https://github.com/cloudflare/workers-sdk/commit/8c569c6232588594e7a48219bbd020955f5fd5a4), [`f598eac`](https://github.com/cloudflare/workers-sdk/commit/f598eac72bcdf838ba890bcbd100e99ee8fac17f), [`3a1fbed`](https://github.com/cloudflare/workers-sdk/commit/3a1fbed5988efe03ae50cc502eff6a4785728396)]:
+  - wrangler@4.94.0
+  - miniflare@4.20260521.0
+
 ## 1.37.3
 
 ### Patch Changes

packages/vite-plugin-cloudflare/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cloudflare/vite-plugin",
-	"version": "1.37.3",
+	"version": "1.38.0",
 	"description": "Cloudflare plugin for Vite",
 	"keywords": [
 		"cloudflare",
@@ -68,6 +68,7 @@
 		"mlly": "^1.7.4",
 		"open": "catalog:default",
 		"picocolors": "^1.1.1",
+		"qr": "^0.6.0",
 		"semver": "^7.7.1",
 		"tinyglobby": "catalog:default",
 		"tree-kill": "catalog:default",

packages/vite-plugin-cloudflare/src/plugins/tunnel.ts

@@ -2,6 +2,7 @@ import { startTunnel } from "@cloudflare/workers-utils";
 import getPort from "get-port";
 import { buildPublicUrl } from "miniflare";
 import colors from "picocolors";
+import encodeQR from "qr";
 import * as wrangler from "wrangler";
 import { assertIsNotPreview, assertIsPreview } from "../context";
 import { debuglog, createPlugin } from "../utils";
@@ -539,6 +540,17 @@ function patchPrintUrls(server: vite.ViteDevServer | vite.PreviewServer) {
 			}
 		}
 
+		// Print a QR code for the first tunnel URL so it can be scanned from a mobile device
+		const primaryUrl = publicUrls[0];
+		if (primaryUrl) {
+			try {
+				const qrCode = encodeQR(primaryUrl, "ascii", { border: 1 });
+				server.config.logger.info(`\n${qrCode}`);
+			} catch {
+				// QR generation is best-effort; don't disrupt the dev session if it fails
+			}
+		}
+
 		// Add an extra newline after the URLs to improve readability
 		server.config.logger.info("");
 	};

packages/vitest-pool-workers/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @cloudflare/vitest-pool-workers
 
+## 0.16.9
+
+### Patch Changes
+
+- [#13933](https://github.com/cloudflare/workers-sdk/pull/13933) [`90092c0`](https://github.com/cloudflare/workers-sdk/commit/90092c0bca526e2e08a25fe7969534426eb6fd9f) Thanks [@petebacondarwin](https://github.com/petebacondarwin)! - Derive bundler externals from `package.json` and shrink the published bundle
+
+  The bundler's `external` list was previously hand-maintained and out of sync with `package.json` — `undici` and `semver` were both listed as external despite being only `devDependencies`. The published `dist/pool/index.mjs` consequently contained a top-level `import { fetch } from "undici"` that was only resolvable because pnpm happened to hoist `undici` from other packages' devDependencies during local development.
+
+  The bundler now derives its `external` list from `dependencies` + `peerDependencies` in `package.json`, making it impossible for a `devDependency` to silently end up externalized.
+
+  Combined with the new `"sideEffects": false` declaration in `@cloudflare/workers-utils`, the unused `cloudflared` / `tunnel` exports (and their transitive `undici` import) are now tree-shaken out of the pool entirely. `dist/pool/index.mjs` no longer references `undici` at all, and shrinks from ~489 KB to ~125 KB.
+
+- Updated dependencies [[`52e9082`](https://github.com/cloudflare/workers-sdk/commit/52e9082e32d7bffaeca92f27ab472b56964ba2bb), [`0733688`](https://github.com/cloudflare/workers-sdk/commit/07336888e0bc82925e4023f5b72a0062f10d77b8), [`fc1f7b9`](https://github.com/cloudflare/workers-sdk/commit/fc1f7b977908b78a4379d1d7b261ca7c69022ba3), [`30657e1`](https://github.com/cloudflare/workers-sdk/commit/30657e1db097135d97209c3ae0cc623fc66827b9), [`8c569c6`](https://github.com/cloudflare/workers-sdk/commit/8c569c6232588594e7a48219bbd020955f5fd5a4), [`f598eac`](https://github.com/cloudflare/workers-sdk/commit/f598eac72bcdf838ba890bcbd100e99ee8fac17f), [`3a1fbed`](https://github.com/cloudflare/workers-sdk/commit/3a1fbed5988efe03ae50cc502eff6a4785728396)]:
+  - wrangler@4.94.0
+  - miniflare@4.20260521.0
+
 ## 0.16.8
 
 ### Patch Changes

packages/vitest-pool-workers/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cloudflare/vitest-pool-workers",
-	"version": "0.16.8",
+	"version": "0.16.9",
 	"description": "Workers Vitest integration for writing Vitest unit and integration tests that run inside the Workers runtime",
 	"keywords": [
 		"cloudflare",

packages/workers-utils/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @cloudflare/workers-utils
 
+## 0.21.1
+
+### Patch Changes
+
+- [#13933](https://github.com/cloudflare/workers-sdk/pull/13933) [`90092c0`](https://github.com/cloudflare/workers-sdk/commit/90092c0bca526e2e08a25fe7969534426eb6fd9f) Thanks [@petebacondarwin](https://github.com/petebacondarwin)! - Mark `@cloudflare/workers-utils` as side-effect-free and properly declare `undici` as a runtime dependency
+
+  The package now declares `"sideEffects": false` in its `package.json` so that downstream bundlers can tree-shake unused exports. In particular, consumers that only use a subset of the package (for example, `getTodaysCompatDate` from the main entry) will no longer carry the `cloudflared` / `tunnel` exports — or their transitive dependencies — in their final bundle.
+
+  `undici` has been moved from `devDependencies` to `dependencies`. Previously it was incorrectly listed as a devDependency while the bundler config marked it as external, leaving the published `dist/index.mjs` with an unresolved `import { fetch } from "undici"` for anyone installing the package directly. `undici` is deliberately kept external (rather than bundled) so that downstream consumers don't end up with two copies of `undici` in their bundle — which would break `instanceof Request`/`Response`/`Headers` checks across the boundary and prevent `setGlobalDispatcher` / proxy configuration from applying to the bundled copy.
+
+  `vitest` has been added as an optional `peerDependency` because the `./test-helpers` sub-export uses `vitest`'s `vi`, `beforeEach`, and `afterEach` APIs at runtime; consumers that import from `./test-helpers` must have `vitest` installed themselves.
+
 ## 0.21.0
 
 ### Minor Changes

packages/workers-utils/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cloudflare/workers-utils",
-	"version": "0.21.0",
+	"version": "0.21.1",
 	"description": "Internal utility package for workers-sdk. Not intended for external use — APIs may change without notice.",
 	"homepage": "https://github.com/cloudflare/workers-sdk/tree/main/packages/workers-utils#readme",
 	"bugs": {