Minimize the number of the Miniflare package dependencies (#11897)

dario-piotrowicz · petebacondarwin · web-flow · commit bbd8a5e98cbe · 2026-01-23T09:36:02.000Z
* Minimize the number of the Miniflare package dependencies

* Bundle zod dependency in miniflare and vitest-pool-workers

Refine the approach to bundling dependencies: only bundle zod (pure JS
library with no native dependencies) while keeping other dependencies
external for technical reasons:

- sharp: Native binary with platform-specific builds
- undici: Dynamically required at runtime in worker threads (fetch-sync.ts)
- ws: Has optional native bindings for performance optimization
- workerd: Native binary (Cloudflare's JS runtime)
- @cspotcode/source-map-support: Uses require.cache manipulation
- youch: Dynamically required for lazy loading

Also updated deps.ts comments to accurately document why each
dependency must remain external.

* fix workerd version

---------

Co-authored-by: Pete Bacon Darwin &lt;pbacondarwin@cloudflare.com&gt;
diff --git a/.changeset/warm-numbers-smell.md b/.changeset/warm-numbers-smell.md
@@ -0,0 +1,22 @@
+---
+"miniflare": patch
+"@cloudflare/vitest-pool-workers": patch
+---
+
+Bundle the `zod` dependency to reduce supply chain attack surface
+
+In order to prevent possible npm vulnerability attacks, the team's policy is to bundle
+dependencies in our packages where possible. This helps ensure that only trusted code
+runs on the user's system, even if compromised packages are later published to npm.
+
+This change bundles `zod` (a pure JavaScript validation library with no native dependencies)
+into miniflare and @cloudflare/vitest-pool-workers.
+
+Other dependencies remain external for technical reasons:
+
+- `sharp`: Native binary with platform-specific builds
+- `undici`: Dynamically required at runtime in worker threads
+- `ws`: Has optional native bindings for performance
+- `workerd`: Native binary (Cloudflare's JavaScript runtime)
+- `@cspotcode/source-map-support`: Uses require.cache manipulation at runtime
+- `youch`: Dynamically required for lazy loading
diff --git a/packages/miniflare/package.json b/packages/miniflare/package.json
@@ -48,8 +48,7 @@
 		"undici": "catalog:default",
 		"workerd": "1.20260123.0",
 		"ws": "catalog:default",
-		"youch": "4.1.0-beta.10",
-		"zod": "^3.25.76"
+		"youch": "4.1.0-beta.10"
 	},
 	"devDependencies": {
 		"@cloudflare/cli": "workspace:*",
@@ -100,7 +99,8 @@
 		"typescript": "catalog:default",
 		"vitest": "catalog:default",
 		"which": "^2.0.2",
-		"xdg-app-paths": "^8.3.0"
+		"xdg-app-paths": "^8.3.0",
+		"zod": "^3.25.76"
 	},
 	"engines": {
 		"node": ">=18.0.0"
diff --git a/packages/miniflare/scripts/deps.ts b/packages/miniflare/scripts/deps.ts
@@ -12,22 +12,18 @@ export const EXTERNAL_DEPENDENCIES = [
 	// Native binary with platform-specific builds - cannot be bundled
 	"sharp",
 
-	// Large HTTP client with optional native dependencies; commonly shared
-	// with other packages to avoid version conflicts and duplication
+	// Must be external - dynamically required at runtime in worker threads via
+	// require("undici") for synchronous fetch operations (see fetch-sync.ts)
 	"undici",
 
 	// Native binary - Cloudflare's JavaScript runtime cannot be bundled
 	"workerd",
 
 	// Has optional native bindings (bufferutil, utf-8-validate) for performance;
-	// commonly shared with other packages to avoid duplication
+	// bundling would lose these optimizations and fall back to JS implementations
 	"ws",
 
 	// Must be external - dynamically required at runtime via require("youch")
 	// for lazy loading of pretty error pages
 	"youch",
-
-	// Large validation library; commonly shared as a dependency
-	// to avoid version conflicts and bundle size duplication
-	"zod",
 ];
diff --git a/packages/vitest-pool-workers/package.json b/packages/vitest-pool-workers/package.json
@@ -56,8 +56,7 @@
 		"cjs-module-lexer": "^1.2.3",
 		"esbuild": "catalog:default",
 		"miniflare": "workspace:*",
-		"wrangler": "workspace:*",
-		"zod": "^3.25.76"
+		"wrangler": "workspace:*"
 	},
 	"devDependencies": {
 		"@cloudflare/eslint-config-shared": "workspace:*",
@@ -78,7 +77,8 @@
 		"ts-dedent": "^2.2.0",
 		"typescript": "catalog:default",
 		"undici": "catalog:default",
-		"vitest": "catalog:default"
+		"vitest": "catalog:default",
+		"zod": "^3.25.76"
 	},
 	"peerDependencies": {
 		"@vitest/runner": "2.0.x - 3.2.x",
diff --git a/packages/vitest-pool-workers/scripts/bundle.mjs b/packages/vitest-pool-workers/scripts/bundle.mjs
@@ -100,7 +100,6 @@ const commonOptions = {
 		// External dependencies (see scripts/deps.ts for rationale)
 		"cjs-module-lexer",
 		"esbuild",
-		"zod",
 		// Workspace dependencies
 		"miniflare",
 		"wrangler",
diff --git a/packages/vitest-pool-workers/scripts/deps.ts b/packages/vitest-pool-workers/scripts/deps.ts
@@ -10,8 +10,4 @@ export const EXTERNAL_DEPENDENCIES = [
 
 	// Native binary - cannot be bundled, used to bundle test files at runtime
 	"esbuild",
-
-	// Large validation library; commonly shared as a dependency
-	// to avoid version conflicts and bundle size duplication
-	"zod",
 ];
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
