Bump the security group across 1 directory with 7 updates

[dependabot]

Bumps the security group with 6 updates in the / directory:

Package	From	To
devalue	4.3.3	5.3.2
@cloudflare/vitest-pool-workers	0.7.4	0.8.70
esbuild	0.17.19	0.25.4
wrangler	3.111.0	4.34.0
form-data	4.0.2	4.0.4
vite	6.2.4	6.3.5

Updates devalue from 4.3.3 to 5.3.2

Release notes

Sourced from devalue's releases.

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

v5.3.0

Minor Changes

• 2896e7b: feat: support Temporal
• fec694d: feat: support URL and URLSearchParams objects

Changelog

Sourced from devalue's changelog.

5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

5.3.1

Patch Changes

• ae904c5: fix: correctly differentiate between +0 and -0

5.3.0

Minor Changes

• 2896e7b: feat: support Temporal
• fec694d: feat: support URL and URLSearchParams objects

5.2.1

Patch Changes

• e46f4c8: fix: handle repeated array buffers and subarrays
• 2dfa504: fix: handle custom classes with null proto as pojo

5.2.0

• Handle custom classes with null proto as pojo (#95)

5.1.1

• Only iterate over own properties of reducers (#80)

5.1.0

• Handle typed arrays and array buffers (#69)
• Add sideEffects: false to package.json (#81)
• Better errors when keys are invalid identifiers (#82)

5.0.0

• Ignore non-enumerable symbolic keys (#78)

Commits

• 86a6a66 Version Packages (#109)
• 0623a47 Merge commit from fork
• 02d20e8 Version Packages (#108)
• ae904c5 fix stringify not picking up negative zero if a normal zero has appeared befo...
• e95b87a fix pkg.repository
• 8300172 fix changeset config
• 434d8ae Version Packages (#106)
• 67c8334 mention support for URL/URLSearchParams/Temporal in README
• fec694d feat: support URL and URLSearchParams (#92)
• 2896e7b Add support for Temporal objects (#98)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by svelte-admin, a new releaser for devalue since your current version.

Updates @cloudflare/vitest-pool-workers from 0.7.4 to 0.8.70

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.8.70

Patch Changes

• Updated dependencies [6e8dd80, 4cb3370, 7211609, 818ce22, 5d69df4, 5d69df4, c22acc6, cc47b51, c0fad5f, c6a39f5]:
  • wrangler@4.34.0
  • miniflare@4.20250902.0

@​cloudflare/vitest-pool-workers@​0.8.69

Patch Changes

• #10471 38bdb78 Thanks @​clintonsteiner! - chore: bump devalue version to 5.3.2

• Updated dependencies [22c8ae6, 3c15bbb, dc81221, 38bdb78, 4492eb0]:

  • miniflare@4.20250829.0
  • wrangler@4.33.2

@​cloudflare/vitest-pool-workers@​0.8.68

Patch Changes

• Updated dependencies [85be2b6, 452ad0b]:
  • wrangler@4.33.1
  • miniflare@4.20250823.1

@​cloudflare/vitest-pool-workers@​0.8.67

Patch Changes

• Updated dependencies [c4fd176, 19e2aab, c4fd176, e81c2cf]:
  • wrangler@4.33.0
  • miniflare@4.20250823.0

@​cloudflare/vitest-pool-workers@​0.8.66

Patch Changes

• Updated dependencies [d304055, f534c0d, da40571, 0a96e69, f9f7519, 4728c68]:
  • wrangler@4.32.0
  • miniflare@4.20250816.1

@​cloudflare/vitest-pool-workers@​0.8.65

Patch Changes

• Updated dependencies [565c3a3, ddadb93, 9b09751, cadf19a, 20520fa, 875197a]:
  • miniflare@4.20250816.0
  • wrangler@4.31.0

@​cloudflare/vitest-pool-workers@​0.8.64

Patch Changes

• Updated dependencies [76a6701, d54d8b7, 979984b, 80e964c, a5a1426, ae0c806, 0c04da9, b524a6f, eb32a3a, 4288a61]:
  • wrangler@4.30.0
  • miniflare@4.20250813.1

... (truncated)

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.8.70

Patch Changes

• Updated dependencies [6e8dd80, 4cb3370, 7211609, 818ce22, 5d69df4, 5d69df4, c22acc6, cc47b51, c0fad5f, c6a39f5]:
  • wrangler@4.34.0
  • miniflare@4.20250902.0

0.8.69

Patch Changes

• #10471 38bdb78 Thanks @​clintonsteiner! - chore: bump devalue version to 5.3.2

• Updated dependencies [22c8ae6, 3c15bbb, dc81221, 38bdb78, 4492eb0]:

  • miniflare@4.20250829.0
  • wrangler@4.33.2

0.8.68

Patch Changes

• Updated dependencies [85be2b6, 452ad0b]:
  • wrangler@4.33.1
  • miniflare@4.20250823.1

0.8.67

Patch Changes

• Updated dependencies [c4fd176, 19e2aab, c4fd176, e81c2cf]:
  • wrangler@4.33.0
  • miniflare@4.20250823.0

0.8.66

Patch Changes

• Updated dependencies [d304055, f534c0d, da40571, 0a96e69, f9f7519, 4728c68]:
  • wrangler@4.32.0
  • miniflare@4.20250816.1

0.8.65

Patch Changes

• Updated dependencies [565c3a3, ddadb93, 9b09751, cadf19a, 20520fa, 875197a]:
  • miniflare@4.20250816.0
  • wrangler@4.31.0

... (truncated)

Commits

• dfce01f Version Packages (#10532)
• 2e2b788 Version Packages (#10486)
• 38bdb78 chore: bump devalue to 5.3.2 (#10471)
• 25ef29d Version Packages (#10467)
• c4fde06 Version Packages (#10428)
• e329195 Version Packages (#10406)
• 18701d1 Version Packages (#10372)
• 8287f46 Version Packages (#10352)
• 53cabb4 Use pnpm catalog for workerd & workers-types (#10359)
• 20da05e Version Packages (#10351)
• Additional commits viewable in compare view

Updates esbuild from 0.17.19 to 0.25.4

Release notes

Sourced from esbuild's releases.

v0.25.4

• Add simple support for CORS to esbuild's development server (#4125)

  Starting with version 0.25.0, esbuild's development server is no longer configured to serve cross-origin requests. This was a deliberate change to prevent any website you visit from accessing your running esbuild development server. However, this change prevented (by design) certain use cases such as "debugging in production" by having your production website load code from localhost where the esbuild development server is running.

  To enable this use case, esbuild is adding a feature to allow Cross-Origin Resource Sharing (a.k.a. CORS) for simple requests. Specifically, passing your origin to the new cors option will now set the Access-Control-Allow-Origin response header when the request has a matching Origin header. Note that this currently only works for requests that don't send a preflight OPTIONS request, as esbuild's development server doesn't currently support OPTIONS requests.

  Some examples:

  • CLI:

    esbuild --servedir=. --cors-origin=https://example.com
    

  • JS:

    const ctx = await esbuild.context({})
    await ctx.serve({
      servedir: '.',
      cors: {
        origin: 'https://example.com',
      },
    })

  • Go:

    ctx, _ := api.Context(api.BuildOptions{})
    ctx.Serve(api.ServeOptions{
      Servedir: ".",
      CORS: api.CORSOptions{
        Origin: []string{"https://example.com"},
      },
    })

  The special origin * can be used to allow any origin to access esbuild's development server. Note that this means any website you visit will be able to read everything served by esbuild.

• Pass through invalid URLs in source maps unmodified (#4169)

  This fixes a regression in version 0.25.0 where sources in source maps that form invalid URLs were not being passed through to the output. Version 0.25.0 changed the interpretation of sources from file paths to URLs, which means that URL parsing can now fail. Previously URLs that couldn't be parsed were replaced with the empty string. With this release, invalid URLs in sources should now be passed through unmodified.

• Handle exports named __proto__ in ES modules (#4162, #4163)

  In JavaScript, the special property name __proto__ sets the prototype when used inside an object literal. Previously esbuild's ESM-to-CommonJS conversion didn't special-case the property name of exports named __proto__ so the exported getter accidentally became the prototype of the object literal. It's unclear what this affects, if anything, but it's better practice to avoid this by using a computed property name in this case.

  This fix was contributed by @​magic-akari.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11

• Fix TypeScript-specific class transform edge case (#3559)

  The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:

  // Original code
  class Foo extends Bar {
    #private = 1;
    public: any;
    constructor() {
      super();
    }
  }
  // Old output (with esbuild v0.19.9)
  class Foo extends Bar {
  constructor() {
  super();
  this.#private = 1;
  }
  #private;
  }
  // Old output (with esbuild v0.19.10)
  class Foo extends Bar {
  constructor() {
  this.#private = 1;
  super();
  }
  #private;
  }
  // New output
  class Foo extends Bar {
  #private = 1;
  constructor() {
  super();
  }
  }

• Minifier: allow reording a primitive past a side-effect (#3568)

  The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits

• 218d29e publish 0.25.4 to npm
• e66cd0b dev server: simple support for CORS requests (#4171)
• 8bf3368 js api: validate some options as arrays of strings
• 1e7375a js api: simplify comma-separated array validation
• 5f5964d release notes for #4163
• adb5284 fix: handle __proto__ as a computed property in exports and add tests for s...
• 0aa9f7b fix #4169: keep invalid source map URLs unmodified
• 5959289 add additional guards for #4114 when using :is()
• 677910b publish 0.25.3 to npm
• a41040e fix #4110: support custom non-IP host values
• Additional commits viewable in compare view

Updates wrangler from 3.111.0 to 4.34.0

Release notes

Sourced from wrangler's releases.

wrangler@4.34.0

Minor Changes

• #10478 cc47b51 Thanks @​danielrs! - Beta feature preview_urls is now disabled by default.

  This change makes preview_urls disabled by default when it's not provided, making the feature opt-in instead of opt-out.

Patch Changes

• #10489 6e8dd80 Thanks @​WalshyDev! - Allow Wrangler to upload 100,000 assets inline with the newly increased Workers Paid limit.

• #10517 7211609 Thanks @​edmundhung! - fix: wrangler vectorize list-vectors --json now output valid json without an extra log line

• #10527 818ce22 Thanks @​vicb! - Bump unenv to 2.0.0-rc.20

  The latest release include a fix for node:tty default export. See the changelog for full details.

• #10519 5d69df4 Thanks @​dario-piotrowicz! - Slightly improve wrangler init --from-dash error message

• #10519 5d69df4 Thanks @​dario-piotrowicz! - Internally refactor diffing and wrangler init --from-dash logic

• #10533 c22acc6 Thanks @​emily-shen! - If unset, containers.max_instances should default to 1 instead of 0.

• #10503 c0fad5f Thanks @​ichernetsky-cf! - Support setting container affinities

• #10515 c6a39f5 Thanks @​emily-shen! - fix: script should be accepted as a positional arg in the versions upload command

• Updated dependencies [4cb3370, 818ce22, cb22f5f, a565291]:

  • miniflare@4.20250902.0
  • @​cloudflare/unenv-preset@​2.7.2

wrangler@4.33.2

Patch Changes

• #10401 3c15bbb Thanks @​dario-piotrowicz! - improve diff lines ordering in remote deploy config diffing logic

• #10520 dc81221 Thanks @​emily-shen! - fix: wrangler deploy dry run should not require you to be logged in

  Fixes a bug where if you had a container where the image was an image registry link, dry run would require you to be logged in. Also fixes a bug where container deployments were not respecting account_id set in Wrangler config.

• #10393 4492eb0 Thanks @​dario-piotrowicz! - Use resolved local config for remote deploy config diffing logic

• Updated dependencies [31ecfeb, f656d1a, 22c8ae6, bd21fc5, 38bdb78, 4851955]:

  • @​cloudflare/unenv-preset@​2.7.1
  • miniflare@4.20250829.0

wrangler@4.33.1

... (truncated)

Changelog

Sourced from wrangler's changelog.

4.34.0

Minor Changes

• #10478 cc47b51 Thanks @​danielrs! - Beta feature preview_urls is now disabled by default.

  This change makes preview_urls disabled by default when it's not provided, making the feature opt-in instead of opt-out.

Patch Changes

• #10489 6e8dd80 Thanks @​WalshyDev! - Allow Wrangler to upload 100,000 assets inline with the newly increased Workers Paid limit.

• #10517 7211609 Thanks @​edmundhung! - fix: wrangler vectorize list-vectors --json now output valid json without an extra log line

• #10527 818ce22 Thanks @​vicb! - Bump unenv to 2.0.0-rc.20

  The latest release include a fix for node:tty default export. See the changelog for full details.

• #10519 5d69df4 Thanks @​dario-piotrowicz! - Slightly improve wrangler init --from-dash error message

• #10519 5d69df4 Thanks @​dario-piotrowicz! - Internally refactor diffing and wrangler init --from-dash logic

• #10533 c22acc6 Thanks @​emily-shen! - If unset, containers.max_instances should default to 1 instead of 0.

• #10503 c0fad5f Thanks @​ichernetsky-cf! - Support setting container affinities

• #10515 c6a39f5 Thanks @​emily-shen! - fix: script should be accepted as a positional arg in the versions upload command

• Updated dependencies [4cb3370, 818ce22, cb22f5f, a565291]:

  • miniflare@4.20250902.0
  • @​cloudflare/unenv-preset@​2.7.2

4.33.2

Patch Changes

• #10401 3c15bbb Thanks @​dario-piotrowicz! - improve diff lines ordering in remote deploy config diffing logic

• #10520 dc81221 Thanks @​emily-shen! - fix: wrangler deploy dry run should not require you to be logged in

  Fixes a bug where if you had a container where the image was an image registry link, dry run would require you to be logged in. Also fixes a bug where container deployments were not respecting account_id set in Wrangler config.

• #10393 4492eb0 Thanks @​dario-piotrowicz! - Use resolved local config for remote deploy config diffing logic

• Updated dependencies [31ecfeb, f656d1a, 22c8ae6, bd21fc5, 38bdb78, 4851955]:

  • @​cloudflare/unenv-preset@​2.7.1
  • miniflare@4.20250829.0

... (truncated)

Commits

• dfce01f Version Packages (#10532)
• 653f796 chore: fix version upload e2e test (#10547)
• cc47b51 Wrangler preview urls default to disabled (#10478)
• 6e8dd80 Up max asset count to 100k (#10489)
• 7cb05f5 fix: update start script to use build instead of bundle (#10526)
• c6a39f5 fix versions upload positional arg (#10515)
• c22acc6 default max_instances to 1 (#10533)
• a565291 use the native node:http2 when available (#10536)
• c71d59e refactor unenv e2e tests now that workerd >= 20250901 (#10537)
• 7211609 fix(wrangler): vectorize list-vectors should output valid json (#10517)
• Additional commits viewable in compare view

Updates form-data from 4.0.2 to 4.0.4

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Changelog

Sourced from form-data's changelog.

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Commits

• 41996f5 v4.0.4
• 316c82b [meta] actually ensure the readme backup isn’t published
• 2300ca1 [meta] fix readme capitalization
• 811f682 [meta] add auto-changelog
• 5e34080 [Tests] fix linting errors
• 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• 58c25d7 [Dev Deps] update @ljharb/eslint-config
• 3d17230 [Fix] Switch to using crypto random for boundary values
• d8d67dc v4.0.3
• e6e83cc [meta] remove local commit hooks
• Additional commits viewable in compare view

Updates undici from 5.28.5 to 7.15.0

Release notes

Sourced from undici's releases.

v7.15.0

What's Changed

• feat: extract sri from fetch, upgrade to latest spec by @​Uzlopak in nodejs/undici#4307
• Update WPT by @​github-actions[bot] in nodejs/undici#4422
• build(deps-dev): bump @​fastify/busboy from 3.1.1 to 3.2.0 by @​dependabot[bot] in nodejs/undici#4428
• fix: memory leak in Agent by @​hexchain in nodejs/undici#4425
• chore: remove lib/api/util.js by @​Uzlopak in nodejs/undici#3578
• ci: reenable shared builtin CI tests by @​richardlau in nodejs/undici#4426
• Decompression Interceptor by @​FelixVaughan in nodejs/undici#4317
• chore: update llhttp by @​Uzlopak in nodejs/undici#4431
• chore: remove unused exceptions in try catch blocks by @​Uzlopak in nodejs/undici#4440
• types: remove type Error = unknown for diagnostic-channels by @​Uzlopak in nodejs/undici#4438
• chore: avoid overriding global escape and unescape by @​Uzlopak in nodejs/undici#4437
• cache : serialize Query only if needed, avoid throwing error by @​Uzlopak in nodejs/undici#4441
• types: add SnapshotRecorderMode by @​Uzlopak in nodejs/undici#4442

New Contributors

• @​hexchain made their first contribution in nodejs/undici#4425

Full Changelog: nodejs/undici@v7.14.0...v7.15.0

v7.14.0

What's Changed

• Fix flaky snapshot-testing by @​mcollina in nodejs/undici#4367
• Actually flush the file in lib/mock/snapshot-recorder.js by @​mcollina in nodejs/undici#4378
• docs: clarify Node.js version support in LTS table by @​mcollina in nodejs/undici#4375
• cache: fix excessive caching and some other lack of caching by @​fredericDelaporte in nodejs/undici#4335
• feat(websocket): add handshake response info to undici:websocket:open diagnostic event by @​tawseefnabi in nodejs/undici#4396
• feat: add install() function to type definitions by @​jsaguet in nodejs/undici#4384
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in nodejs/undici#4380
• build(deps): bump cronometro from 4.0.3 to 5.3.0 in /benchmarks by @​dependabot[bot] in nodejs/undici#4171
• build(deps): bump step-security/harden-runner from 2.12.0 to 2.13.0 by @​dependabot[bot] in nodejs/undici#4379
• fix: h2 CI by @​metcoder95 in nodejs/undici#4395
• feat: EventSource can be configured with reconnectionTime by @​Uzlopak in nodejs/undici#4260
• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in nodejs/undici#4404
• eventsource: deflake reconnectionTime tests by @​Uzlopak in nodejs/undici#4406
• cache: change normaliseHeaders to normalizeHeaders by @​Uzlopak in nodejs/undici#4408
• build(deps-dev): bump jest from 29.7.0 to 30.0.5 by @​dependabot[bot] in nodejs/undici#4387
• build(deps-dev): bump cross-env from 7.0.3 to 10.0.0 by @​dependabot[bot] in nodejs/undici#4386
• cache-control: no-cache: use quoted-string form by @​alxndrsn in nodejs/undici#4177
• test: fix snapshot testing flaky test by @​Uzlopak in nodejs/undici#4410
• fix formdata constructor args mark optional by @​tsctx in nodejs/undici#4411
• Update WPT by @​github-actions[bot] in nodejs/undici#4358
• Update Cache Tests by @​github-actions[bot] in nodejs/undici#4096
• chore: improve imports and requires by @​UzlopakDescription has been truncated