chore(deps): update dependency @cloudflare/vite-plugin to v1.43.0#8548
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency @cloudflare/vite-plugin to v1.43.0#8548renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
4dcacb9 to
1dacacb
Compare
724bb7d to
fcd45dc
Compare
e07ef10 to
4c22fc4
Compare
4c22fc4 to
97e7242
Compare
97e7242 to
1c3e57e
Compare
1c3e57e to
1a8c308
Compare
1a8c308 to
e4a1273
Compare
e4a1273 to
2e2147c
Compare
2e2147c to
3594972
Compare
3594972 to
1393858
Compare
1393858 to
5b6eaec
Compare
5b6eaec to
fcad7e3
Compare
fcad7e3 to
5cf0ad2
Compare
5cf0ad2 to
e1b0498
Compare
e1b0498 to
9d81334
Compare
9d81334 to
345f798
Compare
345f798 to
bda467c
Compare
bda467c to
d9437e4
Compare
d9437e4 to
627f2ae
Compare
627f2ae to
6efd6e0
Compare
6efd6e0 to
d66ca01
Compare
d66ca01 to
0e643b6
Compare
0e643b6 to
affee52
Compare
affee52 to
7aec253
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.29.1→1.43.0Release Notes
cloudflare/workers-sdk (@cloudflare/vite-plugin)
v1.43.0Compare Source
Minor Changes
#14382
fd92d56Thanks @petebacondarwin! - Add support for declarative Durable Object exportswrangler deploynow accepts anexportsmap inwrangler.jsonas a declarative alternative to the legacymigrationsarray.Each entry in
exportsis keyed by Durable Object class name.typecarries the export kind (currently always"durable-object"); thestatefield carries the lifecycle and defaults to"created"(live) when omitted:{ "exports": { // Provision a new Durable Object class (`MyDO`) "MyDO": { "type": "durable-object", "storage": "sqlite" }, // Delete Durable Object class (`OldGone`) "OldGone": { "type": "durable-object", "state": "deleted" }, // Rename a Durable Object class (from `OldName` to `NewName`) "OldName": { "type": "durable-object", "state": "renamed", "renamed_to": "NewName" }, "NewName": { "type": "durable-object", "storage": "sqlite" }, // Transfer a Durable Object (`Outgoing`) to a new Worker (`target-worker`) "Outgoing": { "type": "durable-object", "state": "transferred", "transferred_to": "target-worker" }, // Prepare to receive the transfer of a Durable Object (`Incoming`) from another Worker (`source-worker`) "Incoming": { "type": "durable-object", "state": "expecting-transfer", "storage": "sqlite", "transfer_from": "source-worker" } } }When a Worker declares Durable Object class bindings but no lifecycle for them (neither a
migrationsarray nor anexportsmap), wrangler warns and now suggests a declarativeexportsentry for each class (previously it suggested a legacymigrationsblock).The deployment response now surfaces the server's reconciliation result — created namespaces, applied tombstones, structured per-scenario info entries, and a
removable_entrieshint for stale tombstones that are safe to delete from the config. Blocking errors return the structured per-class detail with scenario tags, suggested remediation, and any referencing-script context.wrangler versions uploadalso forwardsexports. Declarativeexportslifecycle changes are reconciled when the version is deployed (wrangler versions deployorwrangler deploy), so aversions uploadpayload can declare new classes inexportswithout immediately provisioning them. An actor binding (durable_objects.bindings) to a class declared only inexportson the sameversions uploadis rejected with a clear error (code 100406) — the binding cannot be resolved until the namespace is provisioned. Either stage the new class viactx.exports.X(no binding required) onversions uploadand add the binding at deploy time, or usewrangler deployto provision and bind in one step (the same constraint applies to themigrationsflow).Multi-version deploys (
wrangler versions deploy A@50% B@50%) where the selected versions disagree on declarativeexportsare rejected server-side with a clear message: deploy the version that changesexportsat 100% first, then run the percentage-split deploy. This prevents traffic on one branch routing to code that references unprovisioned or just-deleted DO namespaces. Single-version (100%) deploys are unaffected.Local development (
wrangler dev,vite devandunstable_startWorker) reads Durable Object SQLite storage settings from the newexportsfield, so applications using the declarative flow get correct local-dev storage without needing to also declare amigrationsblock.@cloudflare/vitest-pool-workersalso picks up Durable Object configuration fromexports, so tests against anexports-only Worker run with the correct local SQLite storage and can reach unbound Durable Object classes viactx.exports.X.wrangler typesis also aware ofexports. Live entries (includingexpecting-transfer, the receiving side of a two-phase transfer) are added toCloudflare.GlobalProps.durableNamespaces, which typesctx.exports.Xfor unbound Durable Objects declared only viaexports.Patch Changes
aa5d580,6b0ce98,fd92d56,bfe48db,be3f792,0277bfa,98793d8,e1532eb]:v1.42.4Compare Source
Patch Changes
#14490
75d8cb0Thanks @petebacondarwin! - Preserve D1 migration paths in generated Worker configsWhen a Worker config with a D1 binding is built by the Vite plugin, the generated
wrangler.jsonnow pointsmigrations_dirback to the source migration directory. This lets tools that read the generated config, such ascreateTestHarness(), find the same D1 migrations as the source Worker config.Updated dependencies [
75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,f10d4ad,75d8cb0,75d8cb0,75d8cb0,75d8cb0,d292046,75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,75d8cb0,e0cc2cb,75d8cb0,75d8cb0,75d8cb0]:v1.42.3Compare Source
Patch Changes
5f40dd5,34e0cef,3b743c1,daa5389,8a5cf8c]:v1.42.2Compare Source
Patch Changes
#14358
4ef872fThanks @gabivlj! - Fix container egress interception on arm64 Docker runtimesBoth
wrangler devand the Cloudflare Vite plugin no longer force theproxy-everythingsidecar image to pull aslinux/amd64, allowing Docker to select the native image from the multi-platform manifest. SetMINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORMto force a specific platform when needed.Updated dependencies [
a085dec,9a0de8f,fab565f,3f02864,4ef872f,2a02858,e312dec]:v1.42.1Compare Source
Patch Changes
#14366
c6579d3Thanks @jamesopstad! - Resolve relativecf-workerentrypoint imports relative to the importing moduleWhen loading the experimental
cloudflare.config.ts, a relative entrypoint imported withimport ... with { type: "cf-worker" }(e.g../src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.Bare specifiers (such as
@scope/pkg) and virtual modules (such asvirtual:foo) are still left unresolved so that consumers can apply their own resolution.Updated dependencies [
c6579d3,444b75e,b38823f,cfd6205,cfd6205]:v1.42.0Compare Source
Minor Changes
#14339
aa49856Thanks @jamesopstad! - Add abuildcommand to the experimental, internalcf-vitedelegate binarycf-vite buildruns Vite's full multi-environment app build (via the Builder API) and enables the experimental Build Output API by default, emitting a self-contained.cloudflare/output/v0/directory. It forcesexperimental.newConfigandexperimental.newConfig.cfBuildOutputon, so acloudflare.config.tsis required at the project root.Patch Changes
#14346
e930bd4Thanks @haidargit! - Bumpwsfrom 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4pGHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in
ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash awsserver or client via OOM. The fix shipped in ws@8.21.0 (commit2b2abd45, released 2026-05-22), which also introduces themaxBufferedChunksandmaxFragmentsoptions. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#14351
6c7df19Thanks @jamesopstad! - Force the experimental new config on by default in thecf-vite devdelegate#14218
4eed569Thanks @matingathani! - Allowresolve.externalcontaining only Node.js built-ins in Worker environmentsVitest 4 automatically sets
resolve.externalto the full list of Node.js built-in modules for non-standard Vite environments via its internalrunnerTransformplugin. Previously, the Cloudflare Vite plugin rejected any non-emptyresolve.externalarray, throwing an incompatibility error on startup when used alongside Vitest 4.The validation check now allows
resolve.externalarrays that contain only Node.js built-in module names (both barefsandnode:fsforms). The error is only thrown whenresolve.externalistrueor contains non-built-in package names that would prevent user code from being bundled into the Worker.Updated dependencies [
673b09e,e930bd4,f6e49dd,5c3bb11,296ad65,594544d,a79b899,5dfb788,ca61558,36777db]:v1.41.0Compare Source
Minor Changes
#14279
e6e4b07Thanks @jamesopstad! - Addexperimental.newConfig.cfBuildOutputoption to support future deployments via thecfCLIPatch Changes
0e055d3,27db82c,2a6a26b,9a424ed,ecfdd5a,604be26,1fb7ba5,208b3bb,41f391f,32f9307,8b2ce41,3578919,ee82c76,41f391f,21dbc12,7e63948,035917f]:v1.40.2Compare Source
Patch Changes
#14184
e305126Thanks @penalosa! - Drop the--configflag from the experimental internalcf-vitedelegate binary.The wrangler config file is now discovered by
cloudflare()itself rather than being passed through, keepingcf-vite's flag surface (--mode,--port,--host,--local) in sync with the siblingcf-wranglerdelegate.cf-viteis an internal integration point spawned by Cloudflare tooling and is not intended to be run directly by users.Updated dependencies [
98c9afe,e305126,f3990b2,4597f08,25722ac,41f75c0,10b5538,818c105,2ae6099,2047a32,2047a32,e8561c2]:v1.40.1Compare Source
Patch Changes
23aecac,b932e47,d076bcc,24497d0,4bb572f,165adb2,776098c,0706fbf,7993711,48c4ff0,8cf8c61,8923f97,b205fb7,a61ac29]:v1.40.0Compare Source
Minor Changes
#14013
3cf9d0eThanks @jamesopstad! - Add experimentalexperimental.newConfigoption to load the entry Worker's configuration fromcloudflare.config.tsThis is an experimental, opt-in feature. When enabled, the plugin loads the entry Worker's configuration from a
cloudflare.config.tsfile instead of the usualwrangler.json/wrangler.jsonc/wrangler.toml.Pass
trueto enable with defaults, or an object to customise behaviour. Currently the only sub-option istypes.generate(defaults totrue), which writes aworker-configuration.d.tsfile next to the config. This enables typedenvandexportsfor your Worker and currently assumes that you have@cloudflare/workers-typesinstalled.A few limitations apply while the feature is experimental:
configPathcannot be combined withexperimental.newConfig. The entry Worker is always loaded fromcloudflare.config.tsat the project root.auxiliaryWorkersare not yet supported withexperimental.newConfig.Because this is experimental, the option, the
cloudflare.config.tsschema, and the@cloudflare/vite-plugin/experimental-configexports may change in any release.Patch Changes
c6c61b5,c6c61b5,a3eea27,7a6b1a4,7539a9b,1fdd8de,3b8b80a,0bb2d55,8400fb9,b502d54,7949f81,d462013,c2280cd,3b8b80a,ea12b58,acf7817]:v1.39.2Compare Source
Patch Changes
#13893
d8a16e7Thanks @penalosa! - Add an experimental, internalcf-vitedelegate binaryThis adds an experimental
bin/cf-vitebinary that is spawned by Cloudflare's own parent tooling to drive the plugin as a long-running dev-server subprocess. It is not part of the plugin's public API surface, is not intended to be invoked directly, and its contract may change at any time without notice.#14117
3c86121Thanks @aicayzer! - Forward response headers from the Worker on WebSocket upgrade responsesHeaders set on a
new Response(null, { status: 101, webSocket, headers })returned from the Worker are now propagated to the upgrade response sent to the browser duringvite dev. Previously the headers were dropped, so cookies (Set-Cookie) and custom headers (X-*) on WebSocket handshake responses were invisible client-side — even though they were delivered correctly bywrangler dev.Updated dependencies [
b210c5e,aec1bb8,e06cbb7,9a26191,5565823,4ef790b,890fca7,6fc9777,337e912,8e7b74f,e86489a,42288d4,65b5f9e,3a746ac,64ef9fd,94b29f7]:v1.39.1Compare Source
Patch Changes
#14087
e3c862aThanks @edmundhung! - Filter compatibility date fallback warning when no update is availableThe compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of
@cloudflare/vite-pluginis available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version.The update-check logic has been extracted to
@cloudflare/workers-utilsso it can be shared across packages.#14080
ec70cf1Thanks @edmundhung! - FixTunnel closedbeing logged when no tunnel was openedPreviously, the Vite plugin printed
Tunnel closedduring cleanup even when tunnel startup had never begun. This message is now only shown after tunnel startup begins, including when the tunnel is still starting or has already expired.Updated dependencies [
e3c862a,cbb39bd,cbb39bd,408432a,1103c07,7bb5c7a,5b5cbd3,e3c862a,e3c862a,97d7d81,c647ccc,e3c862a,e3c862a,e3c862a,e3c862a,e3c862a,b64b7e4,e3c862a,e3c862a,e4c8fd9,2dffeeb,e3c862a,e3c862a,4c0da7b,972d13d,13cbadb,59e43e4]:v1.39.0Compare Source
Minor Changes
#13985
c809d30Thanks @jamesopstad! - AddassetsOnly(entry Worker) anddevOnly(auxiliary Workers) options to the plugin configBoth options accept a
booleanor a function that returns aboolean. The function is evaluated lazily at build time, allowing frameworks to provide the value after initialization.Use
assetsOnlyon the entry Worker to skip building the Worker and instead emit an assets-only Wrangler config to the client output directory. This enables frameworks such as Astro to use thessrenvironment during development but produce a fully static app for deployment.Use
devOnlyon an auxiliary Worker to include it duringvite devbut skip it at build time.Patch Changes
ca5b604,c1fd2fd,49c1a59,fee1ce4,b3962ff,d042705,420e457,8b1467e]:v1.38.0Compare Source
Minor Changes
#13989
f598eacThanks @MattieTK! - Print a QR code alongside the tunnel URL when sharing via Cloudflare TunnelWhen a tunnel is started (via
wrangler dev --tunnelor the Vite plugin withtunnel: true), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.
Patch Changes
52e9082,0733688,fc1f7b9,30657e1,8c569c6,f598eac,3a1fbed]:v1.37.3Compare Source
Patch Changes
#13978
fa1f61fThanks @sassyconsultingllc! - Bumpwsfrom 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpxGHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in
ws@<8.20.1when aTypedArrayis passed as the reason argument toWebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so thatminiflare,wrangler, and@cloudflare/vite-pluginall pick up the patched release.#13912
d803737Thanks @petebacondarwin! - Fix/cdn-cgi/*host validation incorrectly accepting subdomains of exact configured routesMiniflare's
/cdn-cgi/*host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whoseHostorOriginhostname was a subdomain of an exact route (e.g.sub.my-custom-site.comfor amy-custom-site.com/*route) was incorrectly accepted. Exact configured routes and the configuredupstreamhostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as*.example.com/*. Localhost hostnames continue to be allowed as before.This affects
wrangler devand local development through@cloudflare/vite-plugin, both of which use Miniflare under the hood.#13919
c7eab7fThanks @petebacondarwin! - Fix the outboundCF-Workerheader reflecting the route pattern hostname instead of the parent zone, and falling back to<worker-name>.example.comundervite dev,vitest-pool-workers, andgetPlatformProxyTwo related issues affected the
CF-Workerheader on outbound subrequests in local development:@cloudflare/vite-plugin,@cloudflare/vitest-pool-workers, andgetPlatformProxy, the header fell back to<worker-name>.example.comeven whenrouteswere configured, becauseunstable_getMiniflareWorkerOptionsand the equivalentgetPlatformProxyworker-options path did not propagate azonevalue to Miniflare. This broke local development against services that reject unknownCF-Workerhosts (for example, Apple WeatherKit returns403 Forbidden).wrangler dev --local, when a route used thezone_namefield (for example{ pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production setsCF-Workerto the zone name that owns the Worker, so this was inconsistent with deployed behaviour.Both bugs are fixed: the new
unstable_getMiniflareWorkerOptions/getPlatformProxypath now propagates azonederived from the first configured route, and all four local-dev paths now prefer a route's explicitzone_nameover the pattern hostname when computing that zone. Whenzone_nameisn't set, the existing best-effort behaviour is preserved — forwrangler devthis meansdev.hostis still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone forzone_id-only,custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.Note:
dev.hostis intentionally not consulted by theunstable_getMiniflareWorkerOptions/getPlatformProxypaths — thedevconfig block is specific towrangler dev.Updated dependencies [
fa1f61f,2679e05,7e40d98,adc9221,735852d,d803737,c7eab7f,e04e180,59cd880,62abf97,e8c2031,e349fe0,da0fa8c,a5c9365]:v1.37.2Compare Source
Patch Changes
#13098
67a881aThanks @raashish1601! - fix: route WebSocket upgrade requests directly to the user worker in dev modeUpdated dependencies [
aac7ca0,b25dc0d,ae047ee,a4f22bc,f78d435,aac7ca0,c5c9e20,ebf4b24,b27eb18,895baf5,7bcdf45]:v1.37.1Compare Source
Patch Changes
#13922
23800f8Thanks @edmundhung! - Add a tunnel shortcut hint when CLI shortcuts are printedThe Cloudflare Vite plugin now includes a
t + entertunnel hint alongside the other CLI shortcuts it prints.#13920
f579e57Thanks @petebacondarwin! - HonorX-Forwarded-Protowhen constructing the Worker'srequest.urlWhen running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's
request.urlwas alwayshttp://...even though the client reached the server overhttps://.... This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with403.The Vite plugin now reads the
X-Forwarded-Protoheader from the incoming request and uses it to set the protocol ofrequest.url. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs.Fixes #13801.
Updated dependencies [
19ed49a,3ff0a50,bf688f7,2e72c83,802eaf4,506aa02,8f5cdb1,be8a98c]:v1.37.0Compare Source
Minor Changes
#13903
7ce6f6fThanks @edmundhung! - Add named tunnel support to thecloudflare()Vite pluginYou can now expose your local dev server publicly with a stable hostname by configuring
tunnelwith a named Cloudflare Tunnel:If
autoStartis omitted or set tofalse, you can still start or close the tunnel by pressingt + enter.Patch Changes
d4794a8,58b4403,4352f87,a9e6741,da664d5,bdc398c,f781a2b,1420f10,c8be316]:[
v1.36.4](https://redirect.github.com/cloudflare/workers-sdk/blob/HEAD/packages/vite-plugin-cloudflare/Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.