Skip to content

build(deps-dev): bump miniflare from 4.20260611.0 to 4.20260617.1#561

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/miniflare-4.20260617.1
Jun 22, 2026
Merged

build(deps-dev): bump miniflare from 4.20260611.0 to 4.20260617.1#561
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/miniflare-4.20260617.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps miniflare from 4.20260611.0 to 4.20260617.1.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260617.1

Patch Changes

  • #14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

    A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #14101.

miniflare@4.20260617.0

Patch Changes

  • #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

    This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

  • #14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260616.1 1.20260617.1

miniflare@4.20260616.0

Minor Changes

  • #14221 0e055d3 Thanks @​mglewis! - Support cf.image (transform via Workers) image transformations in local dev

    fetch(url, { cf: { image: { ... } } }) now transforms images locally via Sharp, instead of returning the original bytes unchanged. This mirrors the production "transform via Workers" feature, so Workers already using cf.image behave much more closely to production in wrangler dev.

    As with the Images binding, cf.image transforms require Sharp to be installed — transforms are silently skipped if Sharp is unavailable.

Patch Changes

  • #14271 27db82c Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260611.1 1.20260612.1

  • #14298 2a6a26b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260617.1

Patch Changes

  • #14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

    A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #14101.

4.20260617.0

Patch Changes

  • #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

  • #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

    GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

  • #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

    This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

  • #14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260616.1 1.20260617.1

4.20260616.0

Minor Changes

  • #14221 0e055d3 Thanks @​mglewis! - Support cf.image (transform via Workers) image transformations in local dev

    fetch(url, { cf: { image: { ... } } }) now transforms images locally via Sharp, instead of returning the original bytes unchanged. This mirrors the production "transform via Workers" feature, so Workers already using cf.image behave much more closely to production in wrangler dev.

    As with the Images binding, cf.image transforms require Sharp to be installed — transforms are silently skipped if Sharp is unavailable.

Patch Changes

  • #14271 27db82c Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260611.1 1.20260612.1

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
@github-actions github-actions Bot enabled auto-merge June 22, 2026 19:04
@dependabot
build(deps-dev): bump miniflare from 4.20260611.0 to 4.20260617.1
bac88bb 
Bumps [miniflare](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/miniflare) from 4.20260611.0 to 4.20260617.1.
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/miniflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/miniflare@4.20260617.1/packages/miniflare)

---
updated-dependencies:
- dependency-name: miniflare
  dependency-version: 4.20260617.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/miniflare-4.20260617.1 branch from 7763e4b to bac88bb Compare June 22, 2026 19:06
@github-actions github-actions Bot merged commit 69a9623 into main Jun 22, 2026
2 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/miniflare-4.20260617.1 branch June 22, 2026 19:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants