chore(deps): update minor and patch updates

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@babel/preset-env (source)	7.29.2 → 7.29.5
@types/node (source)	22.19.17 → 22.19.18
@typescript-eslint/parser (source)	8.58.2 → 8.59.2
babel-jest (source)	30.3.0 → 30.4.1
eslint (source)	10.1.0 → 10.3.0
eslint-plugin-jest	29.15.1 → 29.15.2
jest (source)	30.3.0 → 30.4.2
jose	6.2.2 → 6.2.3
miniflare (source)	4.20260317.2 → 4.20260507.1
prettier (source)	3.8.1 → 3.8.3
publint (source)	0.3.18 → 0.3.20
tsdown (source)	^0.21.0 → ^0.22.0
typescript-eslint (source)	8.58.2 → 8.59.2

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

babel/babel (@​babel/preset-env)

v7.29.5

Compare Source

v7.29.3

Compare Source

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.59.2

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

jestjs/jest (babel-jest)

v30.4.1

Compare Source

Features

• [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#​16141)

Fixes

• [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#​16143)

v30.4.0

Compare Source

Features

• [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#​15994)
• [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#​16006)
• [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#​15984)
• [jest-config] Add support for jest.config.mts as a valid configuration file (#​16005)
• [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#​16133)
• [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#​16128)
• [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#​16128)
• [@jest/fake-timers] Support faking Temporal.Now.* (#​16131)
• [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#​16088)
• [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#​16064)
• [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#​16062)
• [jest-runtime] Support require() of ES modules on Node v24.9+ (#​16074)
• [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#​16127)
• [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#​16062)
• [jest-util] Add isError helper (#​16076)
• [pretty-format] Support React 19 (#​16123)

Fixes

• [expect-utils] Fix toStrictEqual failing on structuredClone results due to cross-realm constructor mismatch (#​15959)
• [@jest/expect-utils] Prevent toMatchObject/subset matching from throwing when encountering exotic iterables (#​15952)
• [fake-timers] Convert Date to milliseconds before passing to @sinonjs/fake-timers (#​16029)
• [jest] Export GlobalConfig and ProjectConfig TypeScript types (#​16132)
• [jest-circus] Prevent crash when asyncError is undefined for non-Error throws (#​16003)
• [jest-circus, jest-jasmine2] Include Error.cause in JSON failureMessages output (#​15967)
• [jest-config] Fix preset path resolution on Windows when the preset uses subpath exports (#​15961)
• [jest-config] Allow collectCoverage and coverageProvider in project config without a validation warning (#​16132)
• [jest-config] Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options (#​16132)
• [jest-environment-node] Fix --localstorage-file warning on Node 25+ (#​16086)
• [jest-reporters] Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds (#​16137)
• [jest-reporters, jest-runner, jest-runtime, jest-transform] Fix coverage report not showing correct code coverage when using projects config option (#​16140)
• [jest-runtime] Resolve expect and @jest/expect from the internal module registry so test-file imports share the same JestAssertionError as the global expect (#​16130)
• [jest-runtime] Improve CJS-from-ESM interop: __esModule/Babel default unwrap, broader named-export coverage, and shared CJS singleton across importers (#​16050)
• [jest-runtime] Load .js files with ESM syntax but no "type":"module" marker as native ESM (#​16050)
• [jest-runtime] Extend the .js-with-ESM-syntax fallback to require() on Node v24.9+ - falls back to require(esm) when the CJS parser rejects ESM syntax (#​16078)
• [jest-runtime] Fix deadlocks and double-evaluation in concurrent ESM and wasm imports (#​16050)
• [jest-runtime] Fix error when require() is called after the Jest environment has been torn down (#​15951)
• [jest-runtime] Fix missing error when import() is called after the Jest environment has been torn down (#​16080)
• [jest-runtime] Fix virtual unstable_mockModule registrations not respected in ESM (#​16081)
• [jest-runtime] Apply moduleNameMapper when resolving modules with require.resolve() and the paths option (#​16135)

Chore & Maintenance

• [@jest/fake-timers] Upgrade @sinonjs/fake-timers (#​16139)
• [jest-runtime] Use synchronous linkRequests / instantiate for ESM linking on Node v24.9+ (#​16063)

eslint/eslint (eslint)

v10.3.0

Compare Source

v10.2.1

Compare Source

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

jest-community/eslint-plugin-jest (eslint-plugin-jest)

v29.15.2

Compare Source

Bug Fixes

• valid-mock-module-path: don't report virtual mocks (#​1946) (a1916d1)

panva/jose (jose)

v6.2.3

Compare Source

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

cloudflare/workers-sdk (miniflare)

v4.20260507.1

Compare Source

Patch Changes

• #​13348 5cf6f81 Thanks @​mglewis! - Improve variant URLs returned by the hosted images mock for local development

  The miniflare hosted images mock previously returned bare variant names (e.g. "public") in the variants field of ImageMetadata. In production, this field contains full delivery URLs. The bare names were not usable as image sources, causing applications that render images from variant URLs to fail during local development.

  Variant URLs now point to a new local delivery endpoint at /cdn-cgi/imagedelivery/<image_id>/<variant> which serves image bytes directly from the local KV store with content-type detection via Sharp.

v4.20260507.0

Compare Source

Minor Changes

• #​13836 039bada Thanks @​Skye-31! - Support named recipients in the Email Sending API MessageBuilder

  The send_email binding's MessageBuilder now accepts EmailAddress objects for to, cc, and bcc in addition to plain strings. You can mix named and plain addresses in the same array:

  await env.SEND_EMAIL.send({
    from: "sender@example.com",
    to: [
      "plain@example.com",
      '"Name" <address@example.com>',
      { name: "Jane Doe", email: "jane@example.com" },
    ],
    cc: [{ name: "CC Person", email: "cc@example.com" }],
    subject: "Hello",
    text: "...",
  });

  Additionally, addresses in "Name" <address> format are now correctly parsed when checking allowed_destination_addresses and allowed_sender_addresses restrictions.

• #​13776 1a54ac5 Thanks @​petebacondarwin! - Default the workerd runtime subprocess to TZ=UTC to match the production Cloudflare runtime

  Previously, Miniflare inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused dev/prod drift that was hard to debug.

  Miniflare now sets TZ=UTC on the spawned workerd subprocess by default. A new unsafeRuntimeEnv option (a Record<string, string>) is available on the Miniflare constructor for advanced cases that need to override the default — for example, to test timezone-dependent behaviour:

  new Miniflare({
    modules: true,
    script: "...",
    unsafeRuntimeEnv: { TZ: "Europe/London" },
  });

Patch Changes

• #​13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260504.1	1.20260506.1

• #​13841 332f527 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260506.1	1.20260507.1

v4.20260504.0

Compare Source

Patch Changes

• #​13765 3020214 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260430.1	1.20260501.1

• #​13800 0099265 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260501.1	1.20260504.1

• #​13737 bb27219 Thanks @​ruifigueira! - Fix race condition that broke Browser Run on Windows when Chrome had not yet started accepting connections

  When Miniflare launched Chrome for Browser Run bindings, it returned the WebSocket endpoint as soon as Chrome printed its DevTools listening on ws://... banner. On Windows the underlying listening socket is occasionally not yet accepting connections at that point, causing the first request from workerd to Chrome to fail with ConnectEx (#​1225) The remote computer refused the network connection. and the user worker to receive an error response from /v1/acquire.

  Miniflare now probes Chrome's /json/version HTTP endpoint with retry/backoff after the banner is logged, only declaring the browser ready once the socket actually accepts connections. As an additional safety net, the browser binding worker also retries transient ConnectEx/WSARecv failures when establishing connections to Chrome.

• #​13767 12fb5db Thanks @​edmundhung! - Fix local explorer startup in Yarn Plug'n'Play projects by copying the explorer UI assets to a real temporary directory before registering the workerd disk service.

v4.20260430.0

Compare Source

Minor Changes

• #​13726 b5ac54b Thanks @​penalosa! - Hard fail on Node.js < 22

  Wrangler no longer supports Node.js 20.x, as it reached end-of-life on 2026-04-30. The minimum supported Node.js version is now 22.0.0. See https://github.com/nodejs/release?tab=readme-ov-file#end-of-life-releases.

• #​13390 0bf64a7 Thanks @​Ltadrian! - Fix Hyperdrive binding issue where some customers are unable to connect to local databases using wrangler dev

  • Skips creating a local TCP proxy server for Hyperdrive bindings when SSL is not enabled, connecting directly to the database instead. This avoids connection refused errors caused by firewall rules or proxy port binding issues on Windows/macOS.

• #​13565 b04eedf Thanks @​vaishnav-mk! - Add restart from step support for local Workflows development

  Workflow instances can now be restarted from a specific step in local development. When restarting from a step, all earlier steps preserve their cached results and replay instantly, while the target step and everything after it re-execute.

  The WorkflowInstance.restart() method now accepts an optional { from: { name, count?, type? } } parameter to specify which step to restart from.

• #​13618 c07d0cb Thanks @​jamesopstad! - Support V2 protocol for module fallback service

  When the new_module_registry compatibility flag is set, requests sent to unsafeModuleFallbackService() use a different protocol. Miniflare now supports both protocols and exports a parseModuleFallbackRequest() utility to ease handling.

Patch Changes

• #​13732 22e1a61 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260426.1	1.20260429.1

• #​13754 00523c8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260429.1	1.20260430.1

• #​13723 e653edf Thanks @​edmundhung! - Expose send_email bindings from getPlatformProxy()

  Projects developing in Node can now access send_email bindings from the platform proxy. This supports the plain-object MessageBuilder API locally, so calls like env.EMAIL.send({ from, to, subject, text }) no longer fail because the binding is missing.

• #​12514 e1eff94 Thanks @​ascorbic! - fix: normalise typed array subclasses in devalue serialization

  Node.js Buffer extends Uint8Array but isn't available in all runtimes. When a Buffer was passed through the proxy serialization bridge (e.g. as a D1 bind parameter via getPlatformProxy()), the reviver would fail because "Buffer" isn't in the allowed constructor list and may not exist on globalThis in workerd.

  The reducer now normalises subclass constructor names to the nearest standard typed array parent before serialization, matching structured clone behaviour.

• #​13116 e539008 Thanks @​dario-piotrowicz! - Gracefully handle a missing assets directory by starting with zero assets

  Previously, configuring Miniflare with an assets.directory that did not exist on disk would cause the asset services to fail to start. This is a common situation during wrangler dev when the assets directory is a build output that hasn't been generated yet.

  Now, when the configured assets directory does not exist, Miniflare creates an empty temporary directory and starts the asset services with zero assets. Once the real directory is created and setOptions() is called (e.g. triggered by the file watcher), Miniflare reloads and begins serving the actual assets.

• #​13363 6457fb3 Thanks @​courtney-sims! - Prepares router-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of router-worker based on their plan, but should make no functional difference today.

v4.20260426.0

Compare Source

Minor Changes

• #​13599 21b87b2 Thanks @​Ltadrian! - Add extended sslmode support for Hyperdrive local dev. This adds support for sslmodes verify-full / verify-ca for Postgres and VERIFY_IDENTITY / VERIFY_CA for MySQL

• #​13617 118027d Thanks @​roerohan! - Force Flagship bindings to always use remote mode in local dev

  Flagship bindings now always access the remote Flagship service during local development, matching the behavior of AI bindings. Previously, Flagship supported both local and remote modes, but the local stub only returned default values, providing no real functionality and creating a dual source of truth for flag evaluations.

  The remote config field is retained for backward compatibility but only controls whether a warning is displayed. Setting remote: true suppresses the warning that Flagship bindings always access remote resources and may incur usage charges in local dev.

Patch Changes

• #​13696 62e9f2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260424.1	1.20260426.1

• #​13652 033d6ec Thanks @​emily-shen! - fix: allow multiple workers with browser bindings in dev

  You can now run multiple workers with multiple browser bindings in miniflare. Previously, this would crash with kj/table.c++:49: failed: inserted row already exists in table.

• #​13649 ae8eae3 Thanks @​petebacondarwin! - Fix service binding and tail consumer props being dropped between workers in different local dev instances

  When a service binding or tail consumer configured with props targeted a worker running in a separate wrangler dev instance (via the dev registry), the props were silently dropped and the remote entrypoint saw an empty ctx.props. Props are now forwarded correctly across the dev registry boundary, matching the behavior users get when all workers run in a single instance.

  // wrangler.json
  {
    "services": [
      {
        "binding": "AUTH",
        "service": "auth-worker", // may be in a separate `wrangler dev` process
        "entrypoint": "SessionEntry",
        "props": { "tenant": "acme" }
      }
    ]
  }

  The target worker's SessionEntry entrypoint now correctly receives { tenant: "acme" } on ctx.props regardless of which local dev instance it runs in.

• #​13668 ef24ff2 Thanks @​for-the-kidz! - Fix TypeError: rules is not iterable in the router-worker when static_routing is configured without user_worker rules

  The router-worker's static-routing include-rule evaluation passed config.static_routing.user_worker directly to the matcher, which iterates with for...of. When static_routing was set but user_worker was omitted, the matcher threw TypeError: rules is not iterable and failed the request. The adjacent asset_worker branch already falls back to [] in this case; the user_worker branch now does the same.

• #​13654 6d27479 Thanks @​pombosilva! - fix: Preserve internal counter suffix on workflow step names in local explorer API

  Stop stripping the -N suffix from step names in the API response so the UI can distinguish duplicate step names. The suffix is now stripped only visually in the UI.

v4.20260424.0

Compare Source

Minor Changes

• #​13234 7fc50c1 Thanks @​natewong1313! - Support serving videos locally, add publicUrl option for stable stream preview URLs, and add caption upload support via ReadableStream

  Videos uploaded while in local mode are now served at /cdn-cgi/mf/stream/<video-id>/watch. The preview field in StreamVideo is now directly fetchable during development.

  A new publicUrl option on MiniflareOptions allows callers (e.g. Wrangler, the Vite plugin) to advertise a stable, externally-reachable URL for the Miniflare instance. When set, Stream preview URLs use this value instead of the runtime entry URL, so they remain valid across runtime restarts and port changes. The same value is also exposed as a mutable miniflare.publicUrl property.

  The helper functions buildPublicUrl and getLocallyAccessibleHost are now exported from miniflare, enabling consumers to construct client-reachable URLs that correctly handle IPv6 addresses (bracketing) and wildcard listen addresses (0.0.0.0, ::, * → 127.0.0.1).

  Caption uploads via ReadableStream are now supported in local mode. They no longer throw a "not supported in local mode" error.

Patch Changes

• #​13633 3494842 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260421.1	1.20260422.1

• #​13645 7d728fb Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260422.1	1.20260423.1

• #​13657 df9319d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260423.1	1.20260424.1

• #​13659 3ceeec3 Thanks @​petebacondarwin! - Make the dev registry watcher reliable on Windows

  The filesystem-based dev registry used chokidar with default settings, which on Windows backs onto fs.watch (ReadDirectoryChangesW). That API is known to drop or delay create events for files added shortly after the watcher attaches, which is especially common under CI virtualization. When this happened, a process that had attached its watcher before another process registered its worker would never be notified of the new entry until the next 30-second heartbeat — long enough to time out cross-process service-binding calls.

  Switch to chokidar's polling mode on Windows so the dev registry observes cross-process worker registrations reliably. The registry directory is small and a 100ms poll interval has negligible cost. Non-Windows platforms continue to use the more efficient native filesystem-event backend.

• #​13560 7567ef7 Thanks @​vaishnav-mk! - Preserve NonRetryableError message and name when the workflows_preserve_non_retryable_error_message compatibility flag is enabled, instead of replacing it with a generic error message.

• #​13644 377715d Thanks @​MattieTK! - Update @clack/core and @clack/prompts to v1.2.0

  Bumps the bundled @clack/core dependency used internally by @cloudflare/cli from 0.3.x to 1.2.0, and the @clack/prompts dependency in create-cloudflare from 0.6.x to 1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.

v4.20260421.0

Compare Source

Patch Changes

• #​13615 8fec8b8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260420.1	1.20260421.1

• #​13613 2f3d7b9 Thanks @​dario-piotrowicz! - Fix sourcemap warnings caused by references to files outside the package boundary

  miniflare's bundled sourcemap contained sources entries pointing into node_modules dependencies (zod, capnp-es, chokidar, etc.), which produced dozens of warnings in pnpm monorepos when tools like Vite or Vitest validated the sourcemaps at runtime. The build now inlines sourcesContent and patches any null entries left by upstream dependencies that don't publish their original source files

v4.20260420.0

Compare Source

Minor Changes

• #​13326 4a9ba90 Thanks @​mattzcarey! - Add Artifacts binding support to wrangler

  You can now configure Artifacts bindings in your wrangler configuration:

  // wrangler.jsonc
  {
    "artifacts": [{ "binding": "MY_ARTIFACTS", "namespace": "default" }]
  }

  Type generation produces the correct Artifacts type reference from the workerd type definitions:

  interface Env {
    MY_ARTIFACTS: Artifacts;
  }

• #​12600 50bf819 Thanks @​penalosa! - Use workerd's debug port to power cross-process service bindings, Durable Objects, and tail workers via the dev registry. This enables Durable Object RPC via the dev registry, and is an overall stability improvement.

Patch Changes

• #​13515 b35617b Thanks @​petebacondarwin! - fix: close all open handles on dispose to prevent process hangs

  Several resources were not being properly cleaned up during Miniflare.dispose(), which could leave the Node.js event loop alive and cause processes (particularly tests using node --test) to hang instead of exiting cleanly:

  • The internal undici Pool used to dispatch fetch requests to the workerd runtime was not closed. Lingering TCP sockets from this pool could keep the event loop alive indefinitely.
  • WebSocketServer instances for live reload and WebSocket proxying were never closed, leaving connected clients' sockets open.
  • The InspectorProxy was not closing its runtime WebSocket connection, relying on process death to break the connection.
  • HyperdriveProxyController.dispose() had a missing return in a .map() callback, causing Promise.allSettled to resolve immediately without waiting for net.Server instances to close.
  • ProxyClientBridge was not clearing its finalization batch setTimeout during disposal.
  • InspectorProxyController.dispose() was not calling server.closeAllConnections() before server.close(), so active HTTP keep-alive or WebSocket connections could prevent the close callback from firing.

• #​13557 8ca78bb Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260415.1	1.20260416.2

• #​13579 b6e1351 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260416.2	1.20260417.1

• #​13604 d8314c6 Thanks @​petebacondarwin! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260417.1	1.20260420.1

• #​12913 7f50300 Thanks @​Sigmabrogz! - fix(miniflare): use 127.0.0.1 for internal loopback when localhost is configured

  When localhost is configured as the host, Node.js may bind to [::1] (IPv6) while workerd resolves localhost to 127.0.0.1 (IPv4) first. This mismatch causes connection refused errors and 100% CPU spins.

  This fix ensures the internal loopback communication between Node.js and workerd always uses 127.0.0.1 when localhost is configured, while preserving the user-facing URL as localhost.

• #​13470 4fda685 Thanks @​penalosa! - fix: prevent remote binding sessions from expiring during long-running dev sessions

  Preview tokens for remote bindings expire after one hour. Previously, the first request after expiry would fail before a refresh was triggered. This change proactively refreshes the token at 50 minutes so no request ever sees an expired session.

  The reactive recovery path is also improved: error code: 1031 responses (returned by bindings such as Workers AI when their session times out) now correctly trigger a refresh, where previously only Invalid Workers Preview configuration HTML responses did.

  Auth credentials are now resolved lazily when a remote proxy session starts rather than at bundle-complete time. This means that if your OAuth access token has been refreshed since wrangler dev started, the new token is used rather than the one captured at startup.

• #​13586 be5e6a0 Thanks @​petebacondarwin! - Fix resource leaks during config updates

  Two follow-up fixes to the dispose cleanup in #​13515:

  • Only close and recreate the dev-registry dispatcher when its port actually changes, matching the existing runtimeDispatcher behavior. Previously, every config update unconditionally tore down and rebuilt the connection pool, which could cause brief request failures if a registry push was in-flight.
  • Dispose old InspectorProxy instances before replacing them during updateConnection(). Previously, stale proxies were silently discarded, leaking their runtime WebSocket connections and 10-second keepalive interval timers.

• #​13577 e456952 Thanks @​connyay! - Return EmailSendResult from the send_email binding's send() in local mode

  The binding's send() used to resolve to undefined. It now returns { messageId: string }, the same shape as the public SendEmail type in production. Workers that read the return value (for logging, or to

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "on the 15th day of the month before 12pm"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.