Bump the npm_and_yarn group across 10 directories with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /examples/agents/claude-agent-descope-gmail directory: @modelcontextprotocol/sdk, hono and qs.
Bumps the npm_and_yarn group with 5 updates in the /examples/brave-search-mcp-server directory:

Package	From	To
@modelcontextprotocol/sdk	1.9.0	1.26.0
hono	4.11.4	4.11.7
agents	0.0.43	0.3.10
wrangler	4.10.0	4.59.1
markdown-it	14.1.0	14.1.1

Bumps the npm_and_yarn group with 2 updates in the /examples/express-mcp-server directory: @modelcontextprotocol/sdk and lodash.
Bumps the npm_and_yarn group with 2 updates in the /examples/express-netlify-mcp-server directory: @modelcontextprotocol/sdk and lodash.
Bumps the npm_and_yarn group with 5 updates in the /examples/integrations/skyflow-descope-mcp-server directory:

Package	From	To
@modelcontextprotocol/sdk	1.20.0	1.26.0
qs	6.14.0	6.15.0
tar	7.5.1	7.5.9
ai	4.3.19	5.0.52
next	15.4.10	15.5.10

Bumps the npm_and_yarn group with 2 updates in the /examples/mcp-server-cloudrun directory: @modelcontextprotocol/sdk and lodash.
Bumps the npm_and_yarn group with 4 updates in the /examples/nextjs-vercel-mcp-server directory: @modelcontextprotocol/sdk, tar, ai and next.
Bumps the npm_and_yarn group with 2 updates in the /examples/remote-mcp-server-express-fly directory: @modelcontextprotocol/sdk and lodash.
Bumps the npm_and_yarn group with 5 updates in the /examples/remote-mcp-server-hono-cloudflare directory:

Package	From	To
@modelcontextprotocol/sdk	1.8.0	1.26.0
agents	0.0.43	0.3.10
wrangler	4.6.0	4.59.1
lodash	4.17.21	4.17.23
markdown-it	14.1.0	14.1.1

Bumps the npm_and_yarn group with 5 updates in the /examples/weather-mcp-server directory:

Package	From	To
@modelcontextprotocol/sdk	1.9.0	1.26.0
hono	4.7.6	4.11.7
agents	0.0.43	0.3.10
wrangler	4.10.0	4.59.1
markdown-it	14.1.0	14.1.1

Updates @modelcontextprotocol/sdk from 1.25.3 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• See full diff in compare view

Updates hono from 4.11.5 to 4.12.0

Release notes

Sourced from hono's releases.

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')
// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'
// With path parameters
const postPath = client.api.posts[':id'].$path({
param: { id: '123' },
})
// => '/api/posts/123'
// With query parameters
const searchPath = client.api.posts.$path({
query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))
type AppWithErrors = ApplyGlobalResponse<
typeof app,
{
401: { json: { error: string; message: string } }
500: { json: { error: string; message: string } }
}
</tr></table>

... (truncated)

Commits

• d2ed2e9 4.12.0
• 01e78ad Merge pull request #4735 from honojs/next
• a340a25 perf(context): use createResponseInstance for new Response (#4733)
• bd26c31 perf(trie-router): improve performance (1.5x ~ 2.0x) (#4724)
• b85c1e0 feat(types): Add exports field to ExecutionContext (#4719)
• 02346c6 feat(language): add progressive locale code truncation to normalizeLanguage (...
• 7438ab9 perf(context): add fast path to c.json() matching c.text() optimization (#4707)
• 034223f feat(trailing-slash): add alwaysRedirect option to support wildcard routes ...
• 16321af feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify ...
• bf37828 feat(basic-auth): add context key and callback options (#4645)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.9.0 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• See full diff in compare view

Updates body-parser from 2.2.0 to 2.2.2

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

• docs: update README links by @​efekrskl in expressjs/body-parser#673
• docs: release notes for the v1.20.4 release by @​Phillip9587 in expressjs/body-parser#674
• docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @​Phillip9587 in expressjs/body-parser#679
• docs: use standard jsdoc tags everywhere by @​Phillip9587 in expressjs/body-parser#677
• deps: qs@^6.14.1 by @​UlisesGascon in expressjs/body-parser#689
• refactor(json): simplify strict mode error string construction by @​jonchurch in expressjs/body-parser#693
• Release: 2.2.2 by @​UlisesGascon in expressjs/body-parser#691

New Contributors

• @​efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

v2.2.1

Important: Security

• Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

• ci: add dependabot by @​Phillip9587 in expressjs/body-parser#593
• ci: use full SHAs for github action versions by @​Phillip9587 in expressjs/body-parser#594
• deps: type-is@^2.0.1 by @​Phillip9587 in expressjs/body-parser#599
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/body-parser#609
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot[bot] in expressjs/body-parser#610
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @​dependabot[bot] in expressjs/body-parser#611
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @​dependabot[bot] in expressjs/body-parser#613
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @​dependabot[bot] in expressjs/body-parser#612
• ci: add codeql github workflows scanning by @​Phillip9587 in expressjs/body-parser#614
• ci: update CodeQL config to ignore the test directory by @​Phillip9587 in expressjs/body-parser#615
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/body-parser#620
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @​dependabot[bot] in expressjs/body-parser#619
• chore(deps): unpin devDependencies by @​Phillip9587 in expressjs/body-parser#616
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/body-parser#621
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/body-parser#623
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/body-parser#624
• chore: add funding to package.json by @​Phillip9587 in expressjs/body-parser#617
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/body-parser#625
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/body-parser#630
• refactor: move common request validation to read function by @​Phillip9587 in expressjs/body-parser#600
• deps: bump iconv-lite by @​bjohansebas in expressjs/body-parser#631
• doc: pull beta changelog forward into 2.0.0 by @​jonchurch in expressjs/body-parser#629
• refactor: optimize raw and text parsers with shared passthrough function by @​Phillip9587 in expressjs/body-parser#634
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#640
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in expressjs/body-parser#639
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#636
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#637
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @​dependabot[bot] in expressjs/body-parser#638
• deps: raw-body@^3.0.1 by @​Phillip9587 in expressjs/body-parser#641

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

• deps: qs@^6.14.1
• refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

• Security fix for GHSA-wqch-xfxh-vrr4
• deps:
  • type-is@^2.0.1
  • iconv-lite@^0.7.0
    • Handle split surrogate pairs when encoding UTF-8
    • Avoid false positives in encodingExists by using prototype-less objects
  • raw-body@^3.0.1
  • debug@^4.4.3

Commits

• 3d24866 2.2.2 (#691)
• 8474a98 refactor(json): simplify strict mode error string construction (#693)
• 03f17c2 deps: qs@^6.14.1 (#689)
• ea1f25e docs: use standard jsdoc tags everywhere (#677)
• d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
• b6f52aa docs: release notes for the v1.20.4 release (#674)
• 2965ca4 docs: update links (#673)
• d96b63d 2.2.1 (#659)
• b204886 sec: security patch for CVE-2025-13466
• e20e351 feat: remove history.md from being packaged on publish (#660)
• Additional commits viewable in compare view

Updates hono from 4.11.4 to 4.11.7

Release notes

Sourced from hono's releases.

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:

const client = hc<typeof app>('http://localhost:8787')
// Get the path string
const path = client.api.posts.$path()
// => '/api/posts'
// With path parameters
const postPath = client.api.posts[':id'].$path({
param: { id: '123' },
})
// => '/api/posts/123'
// With query parameters
const searchPath = client.api.posts.$path({
query: { filter: 'test' },
})
// => '/api/posts?filter=test'

Unlike $url() which returns a URL object, $path() returns a plain path string, making it convenient for use with routers or as cache keys.

Thanks @​ShaMan123!

ApplyGlobalResponse Type Helper for RPC Client

The new ApplyGlobalResponse type helper allows you to add global error response types to all routes in the RPC client. This is useful for typing common error responses from app.onError() or global middlewares:

const app = new Hono()
  .get('/api/users', (c) => c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) => c.json({ error: err.message }, 500))
type AppWithErrors = ApplyGlobalResponse<
typeof app,
{
401: { json: { error: string; message: string } }
500: { json: { error: string; message: string } }
}
</tr></table>

... (truncated)

Commits

• d2ed2e9 4.12.0
• 01e78ad Merge pull request #4735 from honojs/next
• a340a25 perf(context): use createResponseInstance for new Response (#4733)
• bd26c31 perf(trie-router): improve performance (1.5x ~ 2.0x) (#4724)
• b85c1e0 feat(types): Add exports field to ExecutionContext (#4719)
• 02346c6 feat(language): add progressive locale code truncation to normalizeLanguage (...
• 7438ab9 perf(context): add fast path to c.json() matching c.text() optimization (#4707)
• 034223f feat(trailing-slash): add alwaysRedirect option to support wildcard routes ...
• 16321af feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and Netlify ...
• bf37828 feat(basic-auth): add context key and callback options (#4645)
• Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• ffc12aa v6.11.4
• 0506b11 [actions] update reusable workflows
• 6a37faf [actions] update reusable workflows
• 8e8df5a [Fix] fix regressions from robustness refactor
• d60bab3 v6.10.7
• Additional commits viewable in compare view

Updates agents from 0.0.43 to 0.3.10

Release notes

Sourced from agents's releases.

agents@0.3.10

Patch Changes

• #839 68916bf Thanks @​whoiskatrin! - Invalidate query cache on disconnect to fix stale auth tokens

• #841 3f490d0 Thanks @​mattzcarey! - Escape authError to prevent XSS attacks and store it in the connection state to avoid needing script tags to display error.

• Updated dependencies [83f137f]:

  • @​cloudflare/ai-chat@​0.0.6

agents@0.3.9

Patch Changes

• #837 b11b9dd Thanks @​threepointone! - Fix AgentWorkflow run() method not being called in production

  The run() method wrapper was being set as an instance property in the constructor, but Cloudflare's RPC system invokes methods from the prototype chain. This caused the initialization wrapper to be bypassed in production, resulting in _initAgent never being called.

  Changed to wrap the subclass prototype's run method directly with proper safeguards:

  • Uses Object.hasOwn() to only wrap prototypes that define their own run method (prevents double-wrapping inherited methods)
  • Uses a WeakSet to track wrapped prototypes (prevents re-wrapping on subsequent instantiations)
  • Uses an instance-level __agentInitCalled flag to prevent double initialization if super.run() is called from a subclass

agents@0.3.8

Patch Changes

• #833 6c80022 Thanks @​tarushnagpal! - On invalid OAuth state, clear auth_url in storage and set the MCP connection state to FAILED ready for reconnection.

• #834 2b4aecd Thanks @​threepointone! - Fix AgentClient.close() to immediately reject pending RPC calls instead of waiting for WebSocket close handshake timeout.

  Previously, calling client.close() would not reject pending RPC calls until the WebSocket close handshake completed (which could take 15+ seconds in some environments). Now pending calls are rejected immediately when close() is called, providing faster feedback on intentional disconnects.

agents@0.3.7 Release Notes

This release introduces Cloudflare Workflows integration for durable multi-step processing, secure email reply routing with HMAC-SHA256 signatures, 15+ new documentation files, and significant improvements to state management, the callable RPC system, and scheduling.

agents@0.3.6

Patch Changes

• #786 395f461 Thanks @​deathbyknowledge! - fix: allow callable methods to return this.state

• #783 f27e62c Thanks @​Muhammad-Bin-Ali! - fix saving initialize params for stateless MCP server (effects eliciations and other optional features)

• Updated dependencies [93c613e]:

  • @​cloudflare/codemode@​0.0.5

agents@0.3.5

Patch Changes

• #752 473e53c Thanks @​mattzcarey! - bump mcp sdk version to 1.25.2. changes error handling for not found see: cloudflare/agents#752

... (truncated)

Changelog

Sourced from agents's changelog.

0.3.10

Patch Changes

• #839 68916bf Thanks @​whoiskatrin! - Invalidate query cache on disconnect to fix stale auth tokens

• #841 3f490d0 Thanks @​mattzcarey! - Escape authError to prevent XSS attacks and store it in the connection state to avoid needing script tags to display error.

• Updated dependencies [83f137f]:

  • @​cloudflare/ai-chat@​0.0.6

0.3.9

Patch Changes

• #837 b11b9dd Thanks @​threepointone! - Fix AgentWorkflow run() method not being called in production

  The run() method wrapper was being set as an instance property in the constructor, but Cloudflare's RPC system invokes methods from the prototype chain. This caused the initialization wrapper to be bypassed in production, resulting in _initAgent never being called.

  Changed to wrap the subclass prototype's run method directly with proper safeguards:

  • Uses Object.hasOwn() to only wrap prototypes that define their own run method (prevents double-wrapping inherited methods)
  • Uses a WeakSet to track wrapped prototypes (prevents re-wrapping on subsequent instantiations)
  • Uses an instance-level __agentInitCalled flag to prevent double initialization if super.run() is called from a subclass

0.3.8

Patch Changes

• #833 6c80022 Thanks @​tarushnagpal! - On invalid OAuth state, clear auth_url in storage and set the MCP connection state to FAILED ready for reconnection.

• #834 2b4aecd Thanks @​threepointone! - Fix AgentClient.close() to immediately reject pending RPC calls instead of waiting for WebSocket close handshake timeout.

  Previously, calling client.close() would not reject pending RPC calls until the WebSocket close handshake completed (which could take 15+ seconds in some environments). Now pending calls are rejected immediately when close() is called, providing faster feedback on intentional disconnects.

0.3.7

agents@0.3.7 Release Notes

This release introduces Cloudflare Workflows integration for durable multi-step processing, secure email reply routing with HMAC-SHA256 signatures, 15+ new documentation files, and significant improvements to state management, the callable RPC system, and scheduling.

Highlights

• Workflows Integration - Seamless integration between Cloudflare Agents and Cloudflare Workflows for durable, multi-step background processing
• Secure Email Routing - HMAC-SHA256 signed email headers prevent unauthorized routing of emails to agent instances
• Comprehensive Documentation - 15+ new docs covering getting started, state, routing, HTTP/WebSocket lifecycle, callable methods, MCP, and scheduling
• Synchronous setState() - State updates are now synchronous with a new validateStateChange() validation hook
• scheduleEvery() Method - Fixed-interval recurring tasks with overlap prevention
• Callable System Improvements - Client-side RPC timeouts, streaming error signaling, introspection API
• 100+ New Tests - Comprehensive test coverage across state, routing, callable, and email utilities

... (truncated)

Commits

• 069c584 Version Packages (#840)
• 3f490d0 fix: escape html in external oauth error message (#841)
• 68916bf Invalidate query cache on disconnect to fix stale auth tokens (#839)
• e69eae5 Version Packages (#838)
• b11b9dd Fix AgentWorkflow run() method not being called in production (#837)
• 72b4406 Version Packages (#835)
• 6c80022 Handle invalid OAUth state (#833)
• 2b4aecd Fix slow RPC rejection on close; add browser integration tests (#834)
• 9647577 Version Packages (#802)
• 6218541 docs/tests/enhancements (#812)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for agents since your current version.

Updates wrangler from 4.10.0 to 4.59.1

Release notes

Sourced from wrangler's releases.

wrangler@4.59.1

Patch Changes

• #11889 99b1f32 Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

  Pass user provided values from --commit-hash safely to underlying git command.

wrangler@4.59.0

Minor Changes

• #11852 ad65efa Thanks @​NuroDev! - Add --check flag to wrangler types command

  The new --check flag allows you to verify that your generated types file is up-to-date without regenerating it. This is useful for CI/CD pipelines, pre-commit hooks, or any scenario where you want to ensure types have been committed after configuration changes.

  When types are up-to-date, the command exits with code 0:

  $ wrangler types --check
  ✨ Types at worker-configuration.d.ts are up to date.

  When types are out-of-date, the command exits with code 1:

  $ wrangler types --check
  ✘ [ERROR] Types at worker-configuration.d.ts are out of date. Run `wrangler types` to regenerate.

  You can also use it with a custom output path:

  $ wrangler types ./custom-types.d.ts --check

• #11529 43d5363 Thanks @​matthewdavidrodgers! - Add ability to enable higher asset count limits for Pages deployments

  Wrangler can now read asset count limits from JWT claims during Pages deployments, allowing users to be enabled for higher limits (up to 100,000 assets) on a per-account basis. The default limit remains at 20,000 assets.

• #11755 0f8d69d Thanks @​nikitassharma! - Users can now specify constraints.tiers for their container applications. tier is deprecated in favor of tiers. If left unset, we will default to tiers: [1, 2]. Note that constraints is an experimental feature.

Patch Changes

• #11820 b0e54b2 Thanks @​MattieTK! - Add AI agent detection to analytics events

  Wrangler now detects when commands are executed by AI coding agents (such as Claude Code, Cursor, GitHub Copilot, etc.) using the am-i-vibing library. This information is included as an agent property in all analytics events, helping Cloudflare understand how developers interact with Wrangler through AI assistants.

... (truncated)

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (Description has been truncated

[netlify]

✅ Deploy Preview for express-mcp-server ready!

Name	Link
🔨 Latest commit	698608e
🔍 Latest deploy log	https://app.netlify.com/projects/express-mcp-server/deploys/6997569b6f38e80008182463
😎 Deploy Preview	https://deploy-preview-75--express-mcp-server.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ai	Ready	Preview, Comment	Feb 19, 2026 6:30pm
nextjs-descope-mcp-server	Ready	Preview, Comment	Feb 19, 2026 6:30pm

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
🔵 In progress View logs	remote-mcp-server-bearer-auth	698608e	Feb 19 2026, 06:29 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
🔵 In progress View logs	weather-mcp-server	698608e	Feb 19 2026, 06:29 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	brave-search-mcp-server	698608e	Feb 19 2026, 06:30 PM

[netlify]

✅ Deploy Preview for mcp-example-oauth ready!

Name	Link
🔨 Latest commit	698608e
🔍 Latest deploy log	https://app.netlify.com/projects/mcp-example-oauth/deploys/6997569bff91860008cd5ef3
😎 Deploy Preview	https://deploy-preview-75--mcp-example-oauth.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.