chore(deps): update dependency miniflare to v4

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
miniflare (source)	^3.20250718.3 → ^4.0.0

---

Release Notes

cloudflare/workers-sdk (miniflare)

v4.20260603.0

Compare Source

Minor Changes

• #​14164 b502d54 Thanks @​G4brym! - Rename the web_search binding kind to websearch

  Pre-launch rename of the public binding type from web_search to websearch so the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move from web_search / webSearch to websearch.

  Update your wrangler config:

  - "web_search": { "binding": "WEBSEARCH" }
  + "websearch": { "binding": "WEBSEARCH" }

  The runtime WebSearch type exposed on env.WEBSEARCH is unchanged.

• #​13863 3b8b80a Thanks @​aslakhellesoy! - Support cross-worker workflow bindings via the dev registry

  When a workflow binding has a scriptName that refers to a worker registered in another Miniflare instance (via unsafeDevRegistryPath), miniflare now reroutes the engine's USER_WORKFLOW binding through the dev-registry-proxy worker — the same mechanism Durable Objects already use for cross-worker scriptName bindings.

  Previously the workflow engine was bound directly to a local service core:user:<scriptName>, so workerd refused to start when that script lived in a different process.

  This unblocks getPlatformProxy() (and any other split-Miniflare setup) for users whose workflow class is defined in a separate worker — for example SvelteKit/Remix on Cloudflare, where adapter-cloudflare's dev integration runs the user's worker in a sidecar.

  See #​7459.

Patch Changes

• #​14175 a3eea27 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260601.1	1.20260603.1

• #​14081 1fdd8de Thanks @​dario-piotrowicz! - Detect early workerd exit instead of hanging indefinitely

  When workerd exits during startup before writing all expected listen events to the control file descriptor (e.g. due to an IPv6 bind failure, permission error, or missing library), Miniflare's waitForPorts() would block forever. This caused wrangler dev to stall at "Starting local server..." with no error and no timeout.

  The fix races waitForPorts() against the child process exit event so that any unexpected workerd termination is detected immediately. When workerd exits early, Miniflare now throws ERR_RUNTIME_FAILURE with the runtime's stderr output included in the error message, making the root cause diagnosable without external tools.

v4.20260601.0

Compare Source

Patch Changes

• #​14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260529.1	1.20260601.1

• #​14086 4ef790b Thanks @​dario-piotrowicz! - Use 127.0.0.1 instead of localhost for the runtime inspector address

  On systems where getaddrinfo("localhost") returns ::1 but IPv6 is disabled at the kernel level, workerd fails to bind the inspector socket and silently continues without emitting the listen-inspector event to the control FD. This caused wrangler dev to hang indefinitely at "Starting local server..." with no error output.

  Using 127.0.0.1 explicitly is consistent with DEFAULT_HOST, --debug-port, and resolveLocalhost() already in the codebase.

• #​14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

  URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

• #​14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

v4.20260529.0

Compare Source

Minor Changes

• #​14087 e3c862a Thanks @​edmundhung! - Add support for the new web_search binding kind.

  Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in wrangler.jsonc:

  {
    "web_search": { "binding": "WEBSEARCH" }
  }

  There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single search() method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global fetch() API against the result's url.

  The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the websearch.run OAuth scope to wrangler login.

  Also adds a wrangler websearch search command for running ad-hoc queries from the CLI:

  npx wrangler websearch search "cloudflare workers"
  npx wrangler websearch search "cloudflare workers" --limit 5
  npx wrangler websearch search "cloudflare workers" --json

  --limit is optional (defaults to 10, capped at 20). --json prints the raw response; without it the results render as a pretty table.

• #​13610 cbb39bd Thanks @​petebacondarwin! - Add support for agent_memory bindings

  Agent Memory bindings allow Workers to connect to Cloudflare's Agent Memory service for storing and retrieving agent conversation state. This binding is remote-only, meaning it always connects to the Cloudflare API during wrangler dev rather than using a local simulation.

  To configure an agent_memory binding, add the following to your wrangler.json:

  {
    "agent_memory": [
      {
        "binding": "MY_MEMORY",
        "namespace": "my-namespace"
      }
    ]
  }

  Wrangler will automatically provision the namespace during deployment if it does not already exist. Type generation via wrangler types is also supported.

  This change also adds the agent-memory:write OAuth scope to Wrangler's default login scopes, so wrangler login can request the permissions needed to provision and manage Agent Memory namespaces.

• #​14087 e3c862a Thanks @​edmundhung! - Rename pipeline field to stream in pipeline bindings configuration

  The pipeline field inside pipelines bindings has been renamed to stream to align with the updated API wire format. The old pipeline field is still accepted but deprecated and will emit a warning.

  Before:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "pipeline": "my-stream-name"
      }
    ]
  }

  After:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "stream": "my-stream-name"
      }
    ]
  }

• #​14079 972d13d Thanks @​edmundhung! - Add JSON output to /cdn-cgi/handler/scheduled

  The /cdn-cgi/handler/scheduled endpoint now accepts ?format=json to return the scheduled handler result as JSON, including whether the handler called controller.noRetry(). Requests without format=json still return the existing text outcome for backward compatibility.

Patch Changes

• #​14106 7bb5c7a Thanks @​dario-piotrowicz! - Add timeout to browser-rendering browser launch to prevent infinite hangs

  The browser-rendering plugin's launchBrowser() function now passes a 5-minute timeout to waitForLineOutput() when waiting for Chrome to print its DevTools WebSocket URL. Previously, if Chrome failed to start or crashed before printing the URL, the promise would hang forever. This could cause CI pipelines and local dev sessions to get stuck indefinitely.

• #​14087 e3c862a Thanks @​edmundhung! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260526.1	1.20260527.1

• #​14076 97d7d81 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260527.1	1.20260528.1

• #​14100 c647ccc Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260528.1	1.20260529.1

• #​14087 e3c862a Thanks @​edmundhung! - Fix wrangler dev crash under Yarn PnP when the worker emits a structured log or the inspector forwards a stack trace.

  getFreshSourceMapSupport was unconditionally indexing require.cache, but when miniflare is imported from ESM under Yarn PnP, Node's ESM->CJS bridge (loadCJSModule in node:internal/modules/esm/translators) hands the wrapped CJS module a re-invented require that only carries .resolve and .main, with no .cache. Fall back to createRequire(__filename) in that case so the fresh-load cache-swap keeps working.

v4.20260526.0

Compare Source

Patch Changes

• #​14003 c1fd2fd Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260521.1	1.20260526.1

• #​14011 420e457 Thanks @​petebacondarwin! - Warn when a remote-bindings request is blocked by Cloudflare Access

  When wrangler dev is used with remote bindings and a request from the local remote-bindings proxy client to the remote workers.dev proxy server is blocked by Cloudflare Access (HTTP 403 with the Cloudflare Access block page), Wrangler now:

  • Logs a single, visually striking warning per dev session explaining how to set CLOUDFLARE_ACCESS_CLIENT_ID / CLOUDFLARE_ACCESS_CLIENT_SECRET (Service Token credentials) or run cloudflared access login to authenticate.
  • Replaces the original Access HTML block page with a readable plain-text body containing the same guidance, so the message also reaches the user via binding error messages (e.g. InferenceUpstreamError from env.AI.run()) and any browser response piped back via a service binding .fetch().

  Previously the 403 was returned to user code with the full Access HTML, which both drowned out other logs and made it hard to tell that the failure was due to Cloudflare Access on workers.dev rather than a problem in the binding itself or the deployed proxy server. The detection runs inside the proxy client worker (which only ever talks to the remote-bindings proxy URL), so it does not trigger false positives on user-worker 403s.

v4.20260521.0

Compare Source

Patch Changes

• #​13993 0733688 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260520.1	1.20260521.1

• #​13999 30657e1 Thanks @​edmundhung! - Fix TCP requests failing when outboundService is configured

  Workers using outboundService can now open TCP connections with cloudflare:sockets. Previously, TCP requests could throw an error when a custom outbound service was configured.

v4.20260520.0

Compare Source

Patch Changes

• #​13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #​13977 2679e05 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260518.1	1.20260519.1

• #​13984 7e40d98 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260519.1	1.20260520.1

• #​13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

  This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

• #​13971 59cd880 Thanks @​petebacondarwin! - Improve error diagnostics in the Browser Run binding worker

  When the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback /browser/launch endpoint returned a 500 with a stack-trace text body — the binding worker would call response.json() on the non-JSON body and throw an opaque SyntaxError: Unexpected token X, "..." is not valid JSON. The actual upstream error message (e.g. Chrome readiness probe at ... timed out after 5000ms) was discarded.

  The binding worker now reads the response body as text first, surfaces the HTTP status and body content in the thrown error, and chains the original SyntaxError via cause when the body was a 2xx response that didn't parse as JSON. This makes both local-dev failures and CI test flakes self-diagnosing.

• #​13980 e8c2031 Thanks @​petebacondarwin! - Recover from corrupted @puppeteer/browsers cache when launching a Browser Run session

  When Miniflare's local Browser Run binding launches Chrome, it calls @puppeteer/browsers' install() to ensure the binary is present. If a previous install() was interrupted mid-extraction (test timeout, process kill, antivirus quarantine), the cache directory can be left partially populated — the folder exists but the executable inside it is missing. install() then throws The browser folder (...) exists but the executable (...) is missing on every subsequent call within the same process and the entire test session, breaking every later Browser Run operation until the cache is manually cleared.

  launchBrowser now catches that specific error, removes the corrupted cache directory, and retries install() once. If the corruption persists after cleanup, the original error is rethrown with a clearer message.

  This complements #​13971, which surfaced the original error from inside the binding worker. With that diagnostic in place and this self-healing layer, the previously-intermittent "browser folder exists but executable missing" failure mode should no longer fail an entire CI run.

v4.20260518.0

Compare Source

Minor Changes

• #​13864 b27eb18 Thanks @​benjamincburns! - Bumped miniflare deps acorn to 8.16.0 and acorn-walk to 8.3.5 to add support for the using and await using keywords when miniflare parses scripts.

Patch Changes

• #​13948 b25dc0d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260515.1	1.20260518.1

• #​13932 ebf4b24 Thanks @​zebp! - Fix local Workflow startup when compatibility flags include experimental

  Miniflare now deduplicates compatibility flags for the internal Workflow engine service. This prevents wrangler dev from failing with Compatibility flag specified multiple times: experimental when the user's Worker already enables that flag.

v4.20260515.0

Compare Source

Patch Changes

• #​13926 19ed49a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260511.1	1.20260515.1

v4.20260511.0

Compare Source

Patch Changes

• #​13894 58b4403 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260508.1	1.20260511.1

• #​13646 f781a2b Thanks @​emily-shen! - Propagate cf-trace-id header on remote binding proxy requests

  When the CF_TRACE_ID environment variable is set, its value is now forwarded as a cf-trace-id header on outgoing remote binding proxy requests. This makes it easier to correlate traces when debugging remote bindings in local development.

v4.20260508.0

Compare Source

Minor Changes

• #​8431 5d936c5 Thanks @​penalosa! - Support workerd autogates via the MINIFLARE_WORKERD_AUTOGATES environment variable.

Patch Changes

• #​13866 4e44ce6 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260507.1	1.20260508.1

v4.20260507.1

Compare Source

Patch Changes

• #​13348 5cf6f81 Thanks @​mglewis! - Improve variant URLs returned by the hosted images mock for local development

  The miniflare hosted images mock previously returned bare variant names (e.g. "public") in the variants field of ImageMetadata. In production, this field contains full delivery URLs. The bare names were not usable as image sources, causing applications that render images from variant URLs to fail during local development.

  Variant URLs now point to a new local delivery endpoint at /cdn-cgi/imagedelivery/<image_id>/<variant> which serves image bytes directly from the local KV store with content-type detection via Sharp.

v4.20260507.0

Compare Source

Minor Changes

• #​13836 039bada Thanks @​Skye-31! - Support named recipients in the Email Sending API MessageBuilder

  The send_email binding's MessageBuilder now accepts EmailAddress objects for to, cc, and bcc in addition to plain strings. You can mix named and plain addresses in the same array:

  await env.SEND_EMAIL.send({
    from: "sender@example.com",
    to: [
      "plain@example.com",
      '"Name" <address@example.com>',
      { name: "Jane Doe", email: "jane@example.com" },
    ],
    cc: [{ name: "CC Person", email: "cc@example.com" }],
    subject: "Hello",
    text: "...",
  });

  Additionally, addresses in "Name" <address> format are now correctly parsed when checking allowed_destination_addresses and allowed_sender_addresses restrictions.

• #​13776 1a54ac5 Thanks @​petebacondarwin! - Default the workerd runtime subprocess to TZ=UTC to match the production Cloudflare runtime

  Previously, Miniflare inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused dev/prod drift that was hard to debug.

  Miniflare now sets TZ=UTC on the spawned workerd subprocess by default. A new unsafeRuntimeEnv option (a Record<string, string>) is available on the Miniflare constructor for advanced cases that need to override the default — for example, to test timezone-dependent behaviour:

  new Miniflare({
    modules: true,
    script: "...",
    unsafeRuntimeEnv: { TZ: "Europe/London" },
  });

Patch Changes

• #​13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260504.1	1.20260506.1

• #​13841 332f527 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260506.1	1.20260507.1

v4.20260504.0

Compare Source

Patch Changes

• #​13765 3020214 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260430.1	1.20260501.1

• #​13800 0099265 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260501.1	1.20260504.1

• #​13737 bb27219 Thanks @​ruifigueira! - Fix race condition that broke Browser Run on Windows when Chrome had not yet started accepting connections

  When Miniflare launched Chrome for Browser Run bindings, it returned the WebSocket endpoint as soon as Chrome printed its DevTools listening on ws://... banner. On Windows the underlying listening socket is occasionally not yet accepting connections at that point, causing the first request from workerd to Chrome to fail with ConnectEx (#​1225) The remote computer refused the network connection. and the user worker to receive an error response from /v1/acquire.

  Miniflare now probes Chrome's /json/version HTTP endpoint with retry/backoff after the banner is logged, only declaring the browser ready once the socket actually accepts connections. As an additional safety net, the browser binding worker also retries transient ConnectEx/WSARecv failures when establishing connections to Chrome.

• #​13767 12fb5db Thanks @​edmundhung! - Fix local explorer startup in Yarn Plug'n'Play projects by copying the explorer UI assets to a real temporary directory before registering the workerd disk service.

v4.20260430.0

Compare Source

Minor Changes

• #​13726 b5ac54b Thanks @​penalosa! - Hard fail on Node.js < 22

  Wrangler no longer supports Node.js 20.x, as it reached end-of-life on 2026-04-30. The minimum supported Node.js version is now 22.0.0. See https://github.com/nodejs/release?tab=readme-ov-file#end-of-life-releases.

• #​13390 0bf64a7 Thanks @​Ltadrian! - Fix Hyperdrive binding issue where some customers are unable to connect to local databases using wrangler dev

  • Skips creating a local TCP proxy server for Hyperdrive bindings when SSL is not enabled, connecting directly to the database instead. This avoids connection refused errors caused by firewall rules or proxy port binding issues on Windows/macOS.

• #​13565 b04eedf Thanks @​vaishnav-mk! - Add restart from step support for local Workflows development

  Workflow instances can now be restarted from a specific step in local development. When restarting from a step, all earlier steps preserve their cached results and replay instantly, while the target step and everything after it re-execute.

  The WorkflowInstance.restart() method now accepts an optional { from: { name, count?, type? } } parameter to specify which step to restart from.

• #​13618 c07d0cb Thanks @​jamesopstad! - Support V2 protocol for module fallback service

  When the new_module_registry compatibility flag is set, requests sent to unsafeModuleFallbackService() use a different protocol. Miniflare now supports both protocols and exports a parseModuleFallbackRequest() utility to ease handling.

Patch Changes

• #​13732 22e1a61 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260426.1	1.20260429.1

• #​13754 00523c8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260429.1	1.20260430.1

• #​13723 e653edf Thanks @​edmundhung! - Expose send_email bindings from getPlatformProxy()

  Projects developing in Node can now access send_email bindings from the platform proxy. This supports the plain-object MessageBuilder API locally, so calls like env.EMAIL.send({ from, to, subject, text }) no longer fail because the binding is missing.

• #​12514 e1eff94 Thanks @​ascorbic! - fix: normalise typed array subclasses in devalue serialization

  Node.js Buffer extends Uint8Array but isn't available in all runtimes. When a Buffer was passed through the proxy serialization bridge (e.g. as a D1 bind parameter via getPlatformProxy()), the reviver would fail because "Buffer" isn't in the allowed constructor list and may not exist on globalThis in workerd.

  The reducer now normalises subclass constructor names to the nearest standard typed array parent before serialization, matching structured clone behaviour.

• #​13116 e539008 Thanks @​dario-piotrowicz! - Gracefully handle a missing assets directory by starting with zero assets

  Previously, configuring Miniflare with an assets.directory that did not exist on disk would cause the asset services to fail to start. This is a common situation during wrangler dev when the assets directory is a build output that hasn't been generated yet.

  Now, when the configured assets directory does not exist, Miniflare creates an empty temporary directory and starts the asset services with zero assets. Once the real directory is created and setOptions() is called (e.g. triggered by the file watcher), Miniflare reloads and begins serving the actual assets.

• #​13363 6457fb3 Thanks @​courtney-sims! - Prepares router-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of router-worker based on their plan, but should make no functional difference today.

v4.20260426.0

Compare Source

Minor Changes

• #​13599 21b87b2 Thanks @​Ltadrian! - Add extended sslmode support for Hyperdrive local dev. This adds support for sslmodes verify-full / verify-ca for Postgres and VERIFY_IDENTITY / VERIFY_CA for MySQL

• #​13617 118027d Thanks @​roerohan! - Force Flagship bindings to always use remote mode in local dev

  Flagship bindings now always access the remote Flagship service during local development, matching the behavior of AI bindings. Previously, Flagship supported both local and remote modes, but the local stub only returned default values, providing no real functionality and creating a dual source of truth for flag evaluations.

  The remote config field is retained for backward compatibility but only controls whether a warning is displayed. Setting remote: true suppresses the warning that Flagship bindings always access remote resources and may incur usage charges in local dev.

Patch Changes

• #​13696 62e9f2a Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260424.1	1.20260426.1

• #​13652 033d6ec Thanks @​emily-shen! - fix: allow multiple workers with browser bindings in dev

  You can now run multiple workers with multiple browser bindings in miniflare. Previously, this would crash with kj/table.c++:49: failed: inserted row already exists in table.

• #​13649 ae8eae3 Thanks @​petebacondarwin! - Fix service binding and tail consumer props being dropped between workers in different local dev instances

  When a service binding or tail consumer configured with props targeted a worker running in a separate wrangler dev instance (via the dev registry), the props were silently dropped and the remote entrypoint saw an empty ctx.props. Props are now forwarded correctly across the dev registry boundary, matching the behavior users get when all workers run in a single instance.

  // wrangler.json
  {
    "services": [
      {
        "binding": "AUTH",
        "service": "auth-worker", // may be in a separate `wrangler dev` process
        "entrypoint": "SessionEntry",
        "props": { "tenant": "acme" }
      }
    ]
  }

  The target worker's SessionEntry entrypoint now correctly receives { tenant: "acme" } on ctx.props regardless of which local dev instance it runs in.

• #​13668 ef24ff2 Thanks @​for-the-kidz! - Fix TypeError: rules is not iterable in the router-worker when static_routing is configured without user_worker rules

  The router-worker's static-routing include-rule evaluation passed config.static_routing.user_worker directly to the matcher, which iterates with for...of. When static_routing was set but user_worker was omitted, the matcher threw TypeError: rules is not iterable and failed the request. The adjacent asset_worker branch already falls back to [] in this case; the user_worker branch now does the same.

• #​13654 6d27479 Thanks @​pombosilva! - fix: Preserve internal counter suffix on workflow step names in local explorer API

  Stop stripping the -N suffix from step names in the API response so the UI can distinguish duplicate step names. The suffix is now stripped only visually in the UI.

v4.20260424.0

Compare Source

Minor Changes

• #​13234 7fc50c1 Thanks @​natewong1313! - Support serving videos locally, add publicUrl option for stable stream preview URLs, and add caption upload support via ReadableStream

  Videos uploaded while in local mode are now served at /cdn-cgi/mf/stream/<video-id>/watch. The preview field in StreamVideo is now directly fetchable during development.

  A new publicUrl option on MiniflareOptions allows callers (e.g. Wrangler, the Vite plugin) to advertise a stable, externally-reachable URL for the Miniflare instance. When set, Stream preview URLs use this value instead of the runtime entry URL, so they remain valid across runtime restarts and port changes. The same value is also exposed as a mutable miniflare.publicUrl property.

  The helper functions buildPublicUrl and getLocallyAccessibleHost are now exported from miniflare, enabling consumers to construct client-reachable URLs that correctly handle IPv6 addresses (bracketing) and wildcard listen addresses (0.0.0.0, ::, * → 127.0.0.1).

  Caption uploads via ReadableStream are now supported in local mode. They no longer throw a "not supported in local mode" error.

Patch Changes

• #​13633 3494842 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260421.1	1.20260422.1

• #​13645 7d728fb Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260422.1	1.20260423.1

• #​13657 df9319d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260423.1	1.20260424.1

• #​13659 3ceeec3 Thanks @​petebacondarwin! - Make the dev registry watcher reliable on Windows

  The filesystem-based dev registry used chokidar with default settings, which on Windows backs onto fs.watch (ReadDirectoryChangesW). That API is known to drop or delay create events for files added shortly after the watcher attaches, which is especially common under CI virtualization. When this happened, a process that had attached its watcher before another process registered its worker would never be notified of the new entry until the next 30-second heartbeat — long enough to time out cross-process service-binding calls.

  Switch to chokidar's polling mode on Windows so the dev registry observes cross-process worker registrations reliably. The registry directory is small and a 100ms poll interval has negligible cost. Non-Windows platforms continue to use the more efficient native filesystem-event backend.

• #​13560 7567ef7 Thanks @​vaishnav-mk! - Preserve NonRetryableError message and name when the workflows_preserve_non_retryable_error_message compatibility flag is enabled, instead of replacing it with a generic error message.

• #​13644 377715d Thanks @​MattieTK! - Update @clack/core and @clack/prompts to v1.2.0

  Bumps the bundled @clack/core dependency used internally by @cloudflare/cli from 0.3.x to 1.2.0, and the @clack/prompts dependency in create-cloudflare from 0.6.x to 1.2.0. Clack v1 includes a number of API changes, but no user-facing prompt behaviour changes are expected.

v4.20260421.0

Compare Source

Patch Changes

• #​13615 8fec8b8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260420.1	1.20260421.1

• #​13613 2f3d7b9 Thanks @​dario-piotrowicz! - Fix sourcemap warnings caused by references to files outside the package boundary

  miniflare's bundled sourcemap contained sources entries pointing into node_modules dependencies (zod, capnp-es, chokidar, etc.), which produced dozens of warnings in pnpm monorepos when tools like Vite or Vitest validated the sourcemaps at runtime. The build now inlines sourcesContent and patches any null entries left by upstream dependencies that don't publish their original source files

v4.20260420.0

Compare Source

Minor Changes

• #​13326 4a9ba90 Thanks @​mattzcarey! - Add Artifacts binding support to wrangler

  You can now configure Artifacts bindings in your wrangler configuration:

  // wrangler.jsonc
  {
    "artifacts": [{ "binding": "MY_ARTIFACTS", "namespace": "default" }]
  }

  Type generation produces the correct Artifacts type reference from the workerd type definitions:

  interface Env {
    MY_ARTIFACTS

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@intlify/utils@63

commit: 7cbe72c