build(deps-dev): bump miniflare from 4.20260526.0 to 4.20260601.0#55

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bun/miniflare-4.20260601.0


@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps miniflare from 4.20260526.0 to 4.20260601.0.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260601.0

Patch Changes

  • #14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency | From | To
    workerd | 1.20260529.1 | 1.20260601.1

  • #14086 4ef790b Thanks @​dario-piotrowicz! - Use 127.0.0.1 instead of localhost for the runtime inspector address

    On systems where getaddrinfo("localhost") returns ::1 but IPv6 is disabled at the kernel level, workerd fails to bind the inspector socket and silently continues without emitting the listen-inspector event to the control FD. This caused wrangler dev to hang indefinitely at "Starting local server..." with no error output.

    Using 127.0.0.1 explicitly is consistent with DEFAULT_HOST, --debug-port, and resolveLocalhost() already in the codebase.

  • #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

    URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

  • #14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

    Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

miniflare@4.20260529.0

Minor Changes

  • #13955 a2ef1a3 Thanks @​G4brym! - Add support for the new web_search binding kind.

    Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in wrangler.jsonc:

    {
    	"web_search": { "binding": "WEBSEARCH" },
    }

    There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single search() method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global fetch() API against the result's url.

    The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the websearch.run OAuth scope to wrangler login.

    Also adds a wrangler websearch search command for running ad-hoc queries from the CLI:

    npx wrangler websearch search "cloudflare workers"
    npx wrangler websearch search "cloudflare workers" --limit 5
    npx wrangler websearch search "cloudflare workers" --json

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260601.0

Patch Changes

  • #14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency | From | To
    workerd | 1.20260529.1 | 1.20260601.1

  • #14086 4ef790b Thanks @​dario-piotrowicz! - Use 127.0.0.1 instead of localhost for the runtime inspector address

    On systems where getaddrinfo("localhost") returns ::1 but IPv6 is disabled at the kernel level, workerd fails to bind the inspector socket and silently continues without emitting the listen-inspector event to the control FD. This caused wrangler dev to hang indefinitely at "Starting local server..." with no error output.

    Using 127.0.0.1 explicitly is consistent with DEFAULT_HOST, --debug-port, and resolveLocalhost() already in the codebase.

  • #14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

    URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

  • #14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

    Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

4.20260529.0

Minor Changes

  • #14087 e3c862a Thanks @​edmundhung! - Add support for the new web_search binding kind.

    Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in wrangler.jsonc:

    {
      "web_search": { "binding": "WEBSEARCH" }
    }

    There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single search() method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global fetch() API against the result's url.

    The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the websearch.run OAuth scope to wrangler login.

    Also adds a wrangler websearch search command for running ad-hoc queries from the CLI:

    npx wrangler websearch search "cloudflare workers"
    npx wrangler websearch search "cloudflare workers" --limit 5
    npx wrangler websearch search "cloudflare workers" --json

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


Summary by cubic

Upgrade miniflare dev dependency to 4.20260601.0. Improves local dev stability (inspector binds to 127.0.0.1), fixes clickable CLI URLs, and updates transitive workerd to 1.20260601.1.

Written for commit 146bd5f. Summary will update on new commits.

Greptile Summary

Bumps miniflare (dev dependency used for local Cloudflare Workers testing) from 4.20260526.0 to 4.20260601.0, pulling in workerd 1.20260601.1 and its platform binaries. The lockfile regeneration also surfaces three workspace packages (core, opencode, pi) whose versions were already bumped to 1.5.0 in their individual package.json files but whose lock entries were stale at 1.4.1.

  • package.json: miniflare devDependency version specifier updated; no other root-level changes.
  • bun.lock: miniflare, workerd, and all @cloudflare/workerd-* platform binaries bumped; sharp moved from a semver range (^0.34.5) to an exact pin (0.34.5) per the upstream supply-chain hardening change; workspace package lock entries corrected from 1.4.1 to 1.5.0.

Confidence Score: 4/5

Safe to merge for the miniflare bump itself; the lockfile residual inconsistency for the pi workspace dependency is worth verifying does not break frozen-lockfile CI checks.

The miniflare upgrade is a routine patch-level dev dependency bump with well-described upstream changes. The lockfile regeneration also corrects stale workspace version entries, but leaves the pi workspace's @cortexkit/anthropic-auth-core specifier at 1.1.3 while packages/pi/package.json declares 1.5.0 — this mismatch could cause a frozen-lockfile install to fail on CI or fresh checkouts.

bun.lock — specifically the packages/pi workspace entry and its @cortexkit/anthropic-auth-core dependency specifier.

Important Files Changed

Filename | Overview
package.json | Single-line change: miniflare devDependency bumped from ^4.20260526.0 to ^4.20260601.0. No other changes.
bun.lock | Lockfile updated for miniflare/workerd bump; also corrects stale workspace version entries (1.4.1 → 1.5.0) and pins sharp to an exact version. The pi workspace entry still records @cortexkit/anthropic-auth-core at 1.1.3 while packages/pi/package.json declares 1.5.0 — a residual inconsistency.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["package.json\nminiflare 4.20260601.0"] --> B["miniflare 4.20260601.0"]
    B --> C["workerd 1.20260601.1"]
    B --> D["sharp 0.34.5 exact pin"]
    B --> E["undici 7.24.8"]
    C --> F["workerd-darwin-64 1.20260601.1"]
    C --> G["workerd-darwin-arm64 1.20260601.1"]
    C --> H["workerd-linux-64 1.20260601.1"]
    C --> I["workerd-linux-arm64 1.20260601.1"]
    C --> J["workerd-windows-64 1.20260601.1"]
    K["bun.lock workspace corrections"] --> L["packages/core 1.4.1 to 1.5.0"]
    K --> M["packages/opencode 1.4.1 to 1.5.0"]
    K --> N["packages/pi 1.4.1 to 1.5.0"]

Reviews (1): Last reviewed commit: "build(deps-dev): bump miniflare from 4.2..." | Re-trigger Greptile

Greptile also left 2 inline comments on this PR.
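
The upstream change to pin non-bundled runtime dependencies (visible here as sharp moving from ^0.34.5 to 0.34.5) can be checked with a small manifest lint. This is an added example, not the workers-sdk check:pinned-deps implementation; the function names, the `bundled` parameter and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example; not the workers-sdk `check:pinned-deps` implementation.
// Exact semver: MAJOR.MINOR.PATCH plus optional prerelease / build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Sections that end up in a consumer's dependency tree on install.
const RUNTIME_SECTIONS = ["dependencies", "optionalDependencies"];

// Returns "pinned", "unpinned" or "deferred" for one version specifier.
function classify(spec) {
  // workspace:/catalog: specifiers resolve elsewhere and need their own check.
  if (/^(workspace|catalog):/.test(spec)) return "deferred";
  // npm alias form, e.g. "npm:real-name@1.2.3": judge the aliased version.
  const alias = /^npm:(?:@[^/]+\/)?[^@]+@(.+)$/.exec(spec);
  return EXACT.test(alias ? alias[1] : spec) ? "pinned" : "unpinned";
}

// `bundled` (hypothetical input) lists names compiled into the published output.
function findUnpinned(pkg, bundled = []) {
  const findings = [];
  for (const section of RUNTIME_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] ?? {})) {
      if (bundled.includes(name)) continue;
      if (classify(spec) === "unpinned") findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Constructed manifest: sharp, undici and workerd versions are from the page,
// every other name and specifier is made up for the example.
const sample = {
  name: "example-published-package",
  dependencies: {
    sharp: "^0.34.5",
    undici: "7.24.8",
    workerd: "1.20260601.1",
    "example-alias": "npm:example-lib@~1.3.0",
    "example-core": "workspace:*",
    "example-tag": "latest",
  },
  optionalDependencies: { "example-native": "2.x" },
  devDependencies: { "example-tool": "^5.0.0" }, // not installed by consumers
};

for (const f of findUnpinned(sample)) {
  console.log(`${f.section}: ${f.name}@${f.spec} is not an exact version`);
}
```

Ranges, dist-tags and partial versions are all reported; peerDependencies are left out because they are ranges by design.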

Bumps [miniflare](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/miniflare) from 4.20260526.0 to 4.20260601.0.
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/miniflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/miniflare@4.20260601.0/packages/miniflare)

---
updated-dependencies:
- dependency-name: miniflare
  dependency-version: 4.20260601.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 4, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | miniflare@4.20260526.0 ⏵ 4.20260601.0 | 99 | 100 | 100 | 96 +1 | 100


Comment thread bun.lock
Comment on lines 49 to 55
},
"packages/pi": {
"name": "@cortexkit/pi-anthropic-auth",
"version": "1.4.1",
"version": "1.5.0",
"dependencies": {
"@cortexkit/anthropic-auth-core": "1.1.3",
},
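
Review bot: The "version" line for "packages/pi" moves from "1.4.1" to "1.5.0" in a PR whose title covers only the miniflare bump. Land the workspace version correction as its own lockfile regeneration commit, or call it out in the PR description, so the change to this entry is attributable when the lockfile history is audited.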

P2 Lockfile workspace version entries out of sync with source

The lockfile entries for all three workspace packages (packages/core, packages/opencode, packages/pi) were corrected from 1.4.1 to 1.5.0 by this PR's lockfile regeneration — but those packages' own package.json files already declare 1.5.0. This means the previous bun.lock was stale and wasn't regenerated when those versions were bumped. This is not a functional problem (the lockfile is now correct), but it means this dependabot PR bundles an unrelated workspace version correction alongside the miniflare bump, which may make future bisecting harder.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Comment thread bun.lock
Comment on lines 49 to 55
},
"packages/pi": {
"name": "@cortexkit/pi-anthropic-auth",
"version": "1.4.1",
"version": "1.5.0",
"dependencies": {
"@cortexkit/anthropic-auth-core": "1.1.3",
},
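
Review bot: The "@cortexkit/anthropic-auth-core": "1.1.3" line under "dependencies" is left untouched while the same entry's "version" changes to "1.5.0". Confirm that this specifier matches what packages/pi/package.json declares and regenerate the lockfile if it does not, since a lock entry that disagrees with the manifest weakens the guarantee that a locked install reproduces the reviewed dependency set.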

P1 Residual lockfile inconsistency for pi workspace dependency

After this PR, the packages/pi workspace entry in bun.lock still records "@cortexkit/anthropic-auth-core": "1.1.3" in its dependencies, but packages/pi/package.json declares "@cortexkit/anthropic-auth-core": "1.5.0". Since @cortexkit/anthropic-auth-core resolves to workspace:packages/core regardless of the semver specifier, build behavior is unaffected — but the lockfile doesn't fully reflect the current package.json, so running bun install --frozen-lockfile on a clean checkout may produce a warning or fail depending on bun's strictness.

@ualtinok
Contributor

ualtinok commented Jun 4, 2026

Closed as superseded by the combined dependency update in f5876fa, which applies these bumps together to avoid bun.lock conflicts.

@ualtinok ualtinok closed this Jun 4, 2026
@dependabot @github
Author

dependabot Bot commented on behalf of github Jun 4, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/bun/miniflare-4.20260601.0 branch June 4, 2026 07:43