fix(deps): update external fixes

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-types	4.20260529.1 → 4.20260611.1
esmock	2.7.5 → 2.7.6
lib0	0.2.114 → 0.2.117
lint-staged	17.0.5 → 17.0.7
mocha (source)	11.7.5 → 11.7.6
semantic-release	25.0.3 → 25.0.5
wrangler (source)	4.95.0 → 4.99.0
y-protocols	1.0.6 → 1.0.7
yjs (source)	13.6.29 → 13.6.31

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260611.1

Compare Source

v4.20260610.1

Compare Source

v4.20260609.1

Compare Source

v4.20260608.1

Compare Source

v4.20260607.1

Compare Source

v4.20260606.1

Compare Source

v4.20260605.1

Compare Source

v4.20260604.1

Compare Source

v4.20260603.1

Compare Source

v4.20260602.1

Compare Source

v4.20260601.1

Compare Source

v4.20260531.1

Compare Source

v4.20260530.1

Compare Source

iambumblehead/esmock (esmock)

v2.7.6: wildcard-issue resolved

Compare Source

mostly resolves a recently-discovered issue resolving certain wildcard-pattern export keys

• update test-coverage badge to reference "main" branch,
• specify node v24 at build+publish ci-job
• increment eslint and lint-related
• increment resolvewithplus, resolves wildcard-export-related issue. see iambumblehead/resolvewithplus#76 thanks @​AdaptivChris

dmonad/lib0 (lib0)

v0.2.117

Compare Source

• fix diff issue fbb06f6

---

v0.2.116

Compare Source

• [object] fixed #​99 - equalFlat bug a7a5b7a

---

v0.2.115

Compare Source

lint-staged/lint-staged (lint-staged)

v17.0.7

Compare Source

Patch Changes

• #​1806 e692e58 - Update dependency tinyexec@^1.2.4.

v17.0.6

Compare Source

Patch Changes

• #​1803 bdf2770 - Run all tests with Deno, in addition to Node.js and Bun.

• #​1796 7508272 - Fix performance regression of lint-staged v17 by going back to using git add to stage task modifications. This was changed to git update-index --again in v17 for less manual work, but unfortunately the update-index command gets slower in very large Git repos.

• #​1797 7b2505a - This version of lint-staged uses the new staged publishing for npm packages feature. Releases are already published from GitHub Actions with trusted publishing, but now an additional approval with two-factor authentication is also required.

• #​1802 321b0a9 - Downgrade dependency tinyexec@1.2.2 to avoid issues in version 1.2.3.

mochajs/mocha (mocha)

v11.7.6

Compare Source

🩹 Fixes

• make describe().timeout() work (aafe6fd)
• test: replace wmic usage with native Windows API (#​5694) (73ebdfa)

🧹 Chores

• format all code (#​5629) (0696784)
• remove Netlify (#​5630) (8d01d33)

semantic-release/semantic-release (semantic-release)

v25.0.5

Compare Source

Bug Fixes

• revert: next (#​4200) (db8ffaa)

v25.0.4

Compare Source

Bug Fixes

• code-quality: add missing comma in context object for consistency (493d6cd)

cloudflare/workers-sdk (wrangler)

v4.99.0

Compare Source

Minor Changes

• #​14169 0706fbf Thanks @​edmundhung! - Introduce createTestHarness() for integration testing Workers

  It runs Workers in a local preview environment using production build output and works with both Wrangler projects and Workers built by the Cloudflare Vite plugin.

  Use it from any Node.js test runner to send requests to individual Workers, trigger scheduled events, reset the server between tests, and mock outbound requests with libraries that intercept globalThis.fetch(), such as MSW.

  You can also capture structured logs from your Workers with getLogs(), or dump out a diagnostic timeline with debug() when tests fail:

  import { createTestHarness } from "wrangler";
  
  const server = createTestHarness({
    workers: [
      { configPath: "./dist/web_worker/wrangler.json" },
      { configPath: "./dist/api_worker/wrangler.json" },
    ],
  });
  
  await server.listen();
  await server.fetch("http://example.com");
  
  const apiWorker = server.getWorker("api-worker");
  await apiWorker.fetch("http://example.com/users/123");
  await apiWorker.scheduled({ cron: "0 0 * * *" });
  
  server.getLogs();
  
  if (testFailed) {
    server.debug();
  }
  
  await server.reset();
  await server.close();

• #​14174 8cf8c61 Thanks @​oliy! - Surface pipeline status and failure reasons in wrangler pipelines list and wrangler pipelines get

  wrangler pipelines list now includes a Status column, and when any pipelines are in a failed state it prints a summary of each failing pipeline along with the reason reported by the API.

  wrangler pipelines get now shows the pipeline Status in the general details and, for failed pipelines, highlights the failure with the reason returned by the server so it is clear why a pipeline is not running.

• #​14211 a61ac29 Thanks @​james-elicx! - Add --version-tag support to wrangler versions deploy to deploy a version by its tag

  You can now roll out or roll back a version by the tag it was uploaded with (e.g. a commit SHA passed to --tag at upload time) instead of first looking up its Version ID:

  wrangler versions deploy --version-tag <sha>@&#8203;100%

  The tag is resolved to a Version ID against the worker's deployable versions, and the <version-tag>@&#8203;<percentage> shorthand works just like the existing <version-id>@&#8203;<percentage> notation, including splitting traffic across multiple --version-tag values. If a tag matches no deployable version, or matches more than one, the command errors and asks you to deploy by Version ID directly. Note that tags can only be resolved against recent (deployable) versions — older versions that have aged out of that window must still be deployed by Version ID.

Patch Changes

• #​14163 23aecac Thanks @​emily-shen! - Print deploy warnings even in non-interactive contexts when strict mode is off

  Currently, wrangler deploy checks whether the incoming deploy configuration has destructive conflicts with the current configuration. Previously, we only performed this check in interactive contexts, or if the --strict flag was passed in. Now this warning is always printed, and it remains non-blocking in non-interactive contexts.

• #​14173 b932e47 Thanks @​gpanders! - Handle API validation errors from wrangler containers ssh

  Wrangler now lets the Containers API validate SSH instance IDs and preserves raw API error bodies such as INVALID_INSTANCE_ID when reporting validation failures.

• #​14192 d076bcc Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260603.1	1.20260605.1

• #​14217 24497d0 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260605.1	1.20260608.1

• #​14231 4bb572f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260608.1	1.20260609.1

• #​14195 165adb2 Thanks @​dario-piotrowicz! - Show actionable error message when authentication fails during remote dev

  When wrangler dev with remote bindings encountered an authentication error (expired token, revoked OAuth, or invalid API token), the user saw a generic "A request to the Cloudflare API failed" message with no indication that authentication was the problem.

  Now, authentication failures during remote dev display a clear error message with actionable steps.

• #​14034 776098c Thanks @​matingathani! - Fix wrangler types --check reporting types as out of date in multi-worker setups

  Previously, running wrangler types --check -c primary/wrangler.jsonc in a multi-worker project would incorrectly report types as out of date, even when they were current. This happened because the secondary worker config paths (passed via additional -c flags during generation) were not stored in the generated types file header, so --check had no way to resolve the secondary workers' service bindings when verifying the hash.

  The fix stores secondary config paths in the generated file's header comment so that --check can recover them automatically. Users no longer need to re-pass every -c flag when running --check — only the primary config is required.

• #​14053 7993711 Thanks @​fallintoplace! - Prevent delete-only wrangler secret bulk input from creating a new Worker

  Previously, wrangler secret bulk could create a draft Worker when the input only deleted secrets and the target Worker name did not exist. Delete-only bulk secret operations now leave Worker-not-found as an error instead of creating a new Worker.

• #​14055 8923f97 Thanks @​dario-piotrowicz! - Preserve all deployment-affecting CLI flags in the interactive deploy config flow

  When running wrangler deploy without a config file and going through the interactive setup flow, CLI flags beyond --compatibility-flags (such as --routes/--route, --domains/--domain, --triggers, --var, --define, --alias, --jsx-factory, --jsx-fragment, --tsconfig, --minify, --upload-source-maps, --no-bundle, --logpush, --keep-vars, --legacy-env, and --dispatch-namespace) were silently dropped. These flags are now persisted to the generated wrangler.jsonc config file (where a config field equivalent exists) and included in the suggested CLI command when the user declines config file generation.

• #​14196 b205fb7 Thanks @​odiak! - Validate JSON stdin values for wrangler secret bulk

  JSON input piped through stdin now validates that secret values are strings or null before sending them to the API, matching the existing behavior for file input.

• Updated dependencies [d076bcc, 24497d0, 4bb572f, 48c4ff0]:

  • miniflare@​4.20260609.0

v4.98.0

Compare Source

Minor Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Add migrations_pattern to D1 database bindings

  The D1 binding now accepts an optional migrations_pattern field, allowing you to point wrangler d1 migrations apply and wrangler d1 migrations list at migration files in nested layouts (e.g. ORM-generated folders like migrations/0000_init/migration.sql).

  migrations_pattern is a glob (relative to the wrangler config file) and defaults to ${migrations_dir}/*.sql, which preserves today's behaviour. Files that do not match the pattern are not executed.

  {
    "d1_databases": [
      {
        "binding": "DB",
        "database_name": "my-db",
        "database_id": "...",
        "migrations_dir": "migrations",
        "migrations_pattern": "migrations/*/migration.sql"
      }
    ]
  }

  When no migrations match the configured pattern but files matching the common migrations/*/migration.sql (drizzle-style) layout do exist, Wrangler logs a hint suggesting migrations_pattern as an opt-in.

  wrangler d1 migrations create now returns an actionable error if the generated migration filename would not match the configured pattern.

• #​14153 7a6b1a4 Thanks @​dario-piotrowicz! - Generalize wrangler deploy and wrangler versions upload positional argument from [script] to [path]

  Both wrangler deploy and wrangler versions upload now accept a generic [path] positional argument that can point to either a Worker entry-point file or a directory of static assets. The type is auto-detected. For example:

  • File: wrangler deploy ./src/index.ts deploys a Worker (same as before)
  • Directory: wrangler deploy ./public deploys a static assets site (no interactive confirmation prompt)

  The --script named option is now hidden and deprecated for both commands. It continues to work for backwards compatibility but only accepts file paths. Passing a directory to --script now produces a clear error message suggesting the positional path argument or --assets flag instead.

• #​13863 3b8b80a Thanks @​aslakhellesoy! - getPlatformProxy() now passes through workflow bindings that have a script_name

  Workflows without a script_name are still stripped (and warned about) because the engine for an internal workflow can't run inside the empty proxy worker that backs getPlatformProxy(). Workflows with a script_name are handed to miniflare unchanged; miniflare reroutes the engine's USER_WORKFLOW binding through the dev-registry-proxy when the target worker is running in another Miniflare instance — the same mechanism Durable Objects already use.

  This means SvelteKit/Remix (and similar split-process setups) can call platform.env.MY_WORKFLOW.create({ ... }) directly from their server-side request handlers in dev, as long as the workflow class is exposed by another worker registered in the dev registry.

  Closes #​7459.

• #​14164 b502d54 Thanks @​G4brym! - Rename the web_search binding kind to websearch

  Pre-launch rename of the public binding type from web_search to websearch so the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move from web_search / webSearch to websearch.

  Update your wrangler config:

  - "web_search": { "binding": "WEBSEARCH" }
  + "websearch": { "binding": "WEBSEARCH" }

  The runtime WebSearch type exposed on env.WEBSEARCH is unchanged.

Patch Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Restore the D1 executeSql logger level via try/finally

  wrangler d1 execute --json and the internal executeSql helper temporarily lower the global logger to "error" to keep human-readable output out of the JSON payload. Previously the level was restored only on the happy path, so any early return or thrown error left the singleton logger muted, silencing later logger.warn/logger.log output (notably from migration helpers that wrap executeSql and are commonly mocked in tests).

  The level swap is now wrapped in try/finally so it is always restored.

• #​14175 a3eea27 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260601.1	1.20260603.1

• #​14121 7539a9b Thanks @​petebacondarwin! - Extract the OAuth 2.0 + PKCE flow into a new @cloudflare/workers-auth package.

  The OAuth login / logout / refresh logic, the auth-config TOML file IO, the OAuth token exchange + local callback server, and the Cloudflare Access detection helpers that previously lived in packages/wrangler/src/user/ have moved to the new internal-only @cloudflare/workers-auth package. Wrangler now wires the OAuth flow up via a small glue module that injects its logger, browser opener, interactivity detector, and config cache via a dependency- injection context.

  What stays in wrangler:

  • The yargs login / logout / whoami / auth token commands
  • Environment-based credential resolution (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY / CLOUDFLARE_EMAIL, etc.)
  • Cloudflare account selection (requireAuth, getOrSelectAccountId)
  • The OAuth scope catalog (passed into the OAuth flow as a generic string[])
  • whoami / account fetching

  No behavior change for end users. The on-disk TOML format and location remain identical, and all telemetry message labels are preserved verbatim.

  @cloudflare/workers-auth is published with prerelease: true and is not intended for external use — its APIs may change without notice.

• #​14162 0bb2d55 Thanks @​dario-piotrowicz! - In non-interactive mode remove the skills installation message

  When Wrangler run in non interactive mode and it detected agents that it could install skills for, it would print a message such as:

  Cloudflare agent skills are available for: <DETECTED_AGENTS>. Run wrangler in an interactive terminal to install them, or use '--install-skills' to install without prompting.

  This message seems to be confusing and unhelpful so it has now been removed.

• #​14165 8400fb9 Thanks @​NuroDev! - Limit wrangler versions list to the 10 most recent deployable versions

  The versions API ignores pagination when filtering to deployable versions, so Wrangler now caps the command output client-side. This keeps the command aligned with its help text and avoids overwhelming terminal output for Workers with many versions.

• #​14151 7949f81 Thanks @​dario-piotrowicz! - Skip stale bundles during dev server reload to avoid redundant restarts

  When rapidly saving a wrangler config file with remote bindings, each save would trigger a full reload cycle (remote connection setup, miniflare restart), causing many sequential "Reloading local server... / Establishing remote connection..." messages (while blocking the user). The runtime controllers now check whether a newer bundle has been queued at each expensive async boundary and bail out early if the current bundle is stale. This ensures that only the latest config change triggers a reload, making wrangler dev much more responsive during repeated config edits.

• #​14072 d462013 Thanks @​himanshu-cf! - Update wrangler secret bulk command description to reflect create/update/delete capabilities

  The help text for wrangler secret bulk now accurately describes that the command can create, update, or delete multiple secrets in a single request, with up to 100 secrets per command. The file argument description also clarifies that setting a key to null in JSON will delete it, and that deletion is not supported with .env files.

• #​13979 c2280cd Thanks @​matingathani! - Warn when a named environment silently inherits custom_domain routes from the top-level config

  When an env.<name> block does not override routes, it inherits the top-level routes array. If that array contains entries with custom_domain: true, every deploy to the named environment will silently reassign the custom domain away from the top-level Worker and towards the env Worker, causing routing drift. Wrangler now emits a warning in this situation and suggests adding "routes": [] to the env block to prevent inheritance.

• #​14170 ea12b58 Thanks @​petebacondarwin! - Tighten on-disk permissions of the OAuth credentials file to 0600

  The user auth config file written by wrangler login (typically ~/.config/.wrangler/config/default.toml on Linux/macOS, or <environment>.toml for non-production Cloudflare API environments) is now written with mode 0600 and re-chmod-ed on every save. This prevents other local users on shared hosts from reading the stored OAuth tokens. Existing files with looser permissions written by older Wrangler versions are tightened the next time Wrangler refreshes the token or the user logs in again. The change is a no-op on Windows, which does not honour POSIX mode bits.

• #​14022 acf7817 Thanks @​petebacondarwin! - Show the actual OAuth error instead of hanging when wrangler login is rejected by the OAuth provider (for example with invalid_scope).

  Previously, if the OAuth callback returned with an error other than access_denied, Wrangler would never respond to the browser. Because server.close()'s callback only fires once all open connections have ended, the login command would hang until the 120 second OAuth timeout — at which point it would print a generic timeout message rather than the actual OAuth failure. The same gap existed for the case where the OAuth provider redirected back without an authorisation code, and for failures during the auth-code-to-access-token exchange.

  The OAuth provider's error_description (RFC 6749 §4.1.2.1) is now also surfaced, so the message includes the specific reason for the failure rather than just the bare error code. For example, a misconfigured staging scope now surfaces as:

  OAuth error: invalid_scope
    The OAuth 2.0 Client is not allowed to request scope 'browser:write'.
  

  instead of hanging silently.

• Updated dependencies [a3eea27, 1fdd8de, b502d54, 3b8b80a]:

  • miniflare@​4.20260603.0

v4.97.0

Compare Source

Minor Changes

• #​13996 94b29f7 Thanks @​vaishnav-mk! - Add restart-from-step options to wrangler workflows instances restart

  You can now restart a Workflow instance from a specific step using --from-step-name, with optional --from-step-count and --from-step-type disambiguation. These options work for both remote Workflow instances and local wrangler dev --local sessions.

Patch Changes

• #​14141 b210c5e Thanks @​MattieTK! - Add re-authentication hint to account fetch error messages

  When Wrangler fails to automatically retrieve account IDs, the error messages now suggest running wrangler login as a troubleshooting step. This addresses confusion for users who encounter these errors after OAuth system changes or other authentication issues.

• #​14078 aec1bb8 Thanks @​MattieTK! - Bump am-i-vibing from 0.1.1 to 0.4.0

  This updates the agentic environment detection library to the latest version, which includes improved detection coverage for newer AI coding agents.

• #​14147 e06cbb7 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260529.1	1.20260601.1

• #​14027 9a26191 Thanks @​matingathani! - Gracefully handle EMFILE error when assets directory exceeds OS watcher limit

  Previously, when wrangler dev was pointed at an assets directory with more than ~4,096 subdirectories, the chokidar file watcher threw an EMFILE: too many open files error that was not caught, causing an infinite error loop that made the dev server unresponsive.

  Now the error is caught and wrangler:

  1. Logs a clear warning explaining the platform watcher limit was hit
  2. Recommends reducing the number of subdirectories by flattening or restructuring the assets directory
  3. Disables the assets watcher gracefully so the dev server continues working without hot-reload

• #​14041 5565823 Thanks @​matingathani! - Fix wrangler complete printing the AI skills prompt into shell completion output

  Previously, running eval "$(wrangler complete zsh)" (or any other shell) would fail with errors like zsh: command not found: --install-skills because the interactive AI agent skills installation prompt was included in the completion script output.

  The skills prompt is now skipped when running wrangler complete, so the generated completion script is clean and can be sourced correctly.

• #​13881 890fca7 Thanks @​matingathani! - Show a clear error when --metadata is not valid JSON instead of silently ignoring the value

• #​14149 6fc9777 Thanks @​mattjohnsonpint! - Fix wrangler deploy --upload-source-maps silently skipping source maps when the entry file ends with magic comments after //# sourceMappingURL=

  Wrangler previously assumed the //# sourceMappingURL= comment was the last non-empty line of a module. Tools like sentry-cli sourcemaps inject append a //# debugId= comment after it, which silently caused source maps to be omitted from the upload form, most commonly when deploying with --no-bundle --upload-source-maps. Wrangler now scans trailing magic comments (lines starting with //# or //@​) and detects the //# sourceMappingURL= comment regardless of which other magic comments follow it.

• #​14105 337e912 Thanks @​dario-piotrowicz! - Remove trailing periods from URLs in terminal output

  URLs printed to the terminal with a sentence-ending period (e.g. https://example.com/path.) would include the period when clicked in some terminal emulators, causing 404 errors. This removes trailing periods from all URLs displayed in CLI output across wrangler, miniflare, vitest-pool-workers, and workers-utils.

• #​14150 8e7b74f Thanks @​avenceslau! - Fix Workflows schedules deploy payload to match the control plane API

  When deploying a Workflow with a schedules binding property, Wrangler sent the cron expressions as a list of strings. The Workflows API expects a list of objects of the form { cron: string }, so the request was rejected. Wrangler now maps each configured cron expression to { cron } (normalizing a single string or an array) when building the request. The user-facing config still accepts a string or an array of strings.

• #​14084 e86489a Thanks @​dario-piotrowicz! - Fix JSON variable bindings in wrangler init --from-dash and remote config diff

  When fetching a remote Worker's configuration, JSON variable bindings (e.g. {"my_value": 5}) were incorrectly serialized as { "name": "MY_JSON", "json": {"my_value": 5} } instead of { "MY_JSON": {"my_value": 5} }. This affected two areas:

  • wrangler init --from-dash would generate a wrangler.json with broken vars entries
  • Remote config diff checks would always report JSON bindings as changed, since the malformed remote representation could never match the local config

  Both issues are now fixed and remote JSON bindings are now correctly mapped.

• #​14155 42288d4 Thanks @​dario-piotrowicz! - Include agent skill installation status in all telemetry events

  The agent skill installation status is now consistently included in all telemetry events, not just a subset of them.

• #​14063 65b5f9e Thanks @​emily-shen! - Move fetch helpers into @cloudflare/workers-utils

  Shared Cloudflare API fetch helper types and plumbing now live in @cloudflare/workers-utils so Wrangler and other clients can use the same implementation.

• #​14112 3a746ac Thanks @​penalosa! - Pin non-bundled runtime dependencies to exact versions

  Dependencies that are not bundled into a package's published output are installed directly into consumers' dependency trees, so they are now pinned to exact versions instead of semver ranges. This closes a supply-chain gap where an unpinned external dependency could resolve to a compromised upstream release on a fresh install. A new pnpm check:pinned-deps lint enforces this for all published packages (and for the shared pnpm catalog) going forward.

• #​14124 64ef9fd Thanks @​odiak! - Fix wrangler secret bulk dropping newlines from .env input read from stdin

  Previously, .env input piped through stdin was concatenated without line breaks, so only the first secret could be parsed correctly. Stdin input now preserves line separators before parsing.

• Updated dependencies [e06cbb7, 4ef790b, 337e912, 3a746ac]:

  • miniflare@​4.20260601.0

v4.96.0

Compare Source

Minor Changes

• #​14087 e3c862a Thanks @​edmundhung! - Add support for the new web_search binding kind.

  Cloudflare Web Search is a managed, zero-setup web discovery primitive for agents and Workers. Declare the binding as a single object in wrangler.jsonc:

  {
    "web_search": { "binding": "WEBSEARCH" }
  }

  There is exactly one shared web corpus, so there is no namespace, instance, or other field to specify -- only the variable name. The binding exposes a single search() method that returns URLs and catalog metadata for a query. Web Search is discovery-only -- to read a result's content the caller invokes the global fetch() API against the result's url.

  The binding is always remote in local development: Miniflare proxies to the production Web Search service via the remote-bindings transport. Adds the websearch.run OAuth scope to wrangler login.

  Also adds a wrangler websearch search command for running ad-hoc queries from the CLI:

  npx wrangler websearch search "cloudflare workers"
  npx wrangler websearch search "cloudflare workers" --limit 5
  npx wrangler websearch search "cloudflare workers" --json

  --limit is optional (defaults to 10, capped at 20). --json prints the raw response; without it the results render as a pretty table.

• #​13610 cbb39bd Thanks @​petebacondarwin! - Add support for agent_memory bindings

  Agent Memory bindings allow Workers to connect to Cloudflare's Agent Memory service for storing and retrieving agent conversation state. This binding is remote-only, meaning it always connects to the Cloudflare API during wrangler dev rather than using a local simulation.

  To configure an agent_memory binding, add the following to your wrangler.json:

  {
    "agent_memory": [
      {
        "binding": "MY_MEMORY",
        "namespace": "my-namespace"
      }
    ]
  }

  Wrangler will automatically provision the namespace during deployment if it does not already exist. Type generation via wrangler types is also supported.

  This change also adds the agent-memory:write OAuth scope to Wrangler's default login scopes, so wrangler login can request the permissions needed to provision and manage Agent Memory namespaces.

• #​13610 cbb39bd Thanks @​petebacondarwin! - Add wrangler agent-memory namespace commands

  The following commands have been added for managing Agent Memory namespaces:

  wrangler agent-memory namespace create <namespace>
  wrangler agent-memory namespace list [--json]
  wrangler agent-memory namespace get <namespace_name> [--json]
  wrangler agent-memory namespace delete <namespace_name> [--force]

• #​14087 e3c862a Thanks @​edmundhung! - Add confirmation prompt to wrangler containers images delete

  Previously, running wrangler containers images delete IMAGE:TAG would delete the image immediately with no confirmation. The command now prompts for confirmation before deleting. Use -y or --skip-confirmation to bypass the prompt in non-interactive or scripted environments.

• #​14087 e3c862a Thanks @​edmundhung! - Rename pipeline field to stream in pipeline bindings configuration

  The pipeline field inside pipelines bindings has been renamed to stream to align with the updated API wire format. The old pipeline field is still accepted but deprecated and will emit a warning.

  Before:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "pipeline": "my-stream-name"
      }
    ]
  }

  After:

  // wrangler.json
  {
    "pipelines": [
      {
        "binding": "MY_PIPELINE",
        "stream": "my-stream-name"
      }
    ]
  }

• #​14087 e3c862a Thanks @​edmundhung! - Allow pipeline, stream, and sink commands to resolve resources by name with pagination-aware lookups.

• #​14087 e3c862a Thanks @​edmundhung! - Support deleting secrets via wrangler secret bulk

  You can now delete secrets in bulk by setting their value to null in the JSON input file:

  { "SECRET_TO_DELETE": null, "SECRET_TO_UPDATE": "new-value" }

• #​14091 4c0da7b Thanks @​gpanders! - Add ProxyCommand support for wrangler containers ssh

  wrangler containers ssh now automatically switches to a stdio proxy when invoked by OpenSSH's ProxyCommand, and --stdio can force this mode. This lets users connect with ssh <instance_id> when their SSH config uses Wrangler as the proxy command.

• #​13892 13cbadb Thanks @​penalosa! - Remove the deprecated experimental.testMode option from unstable_dev

  experimental.testMode previously only affected the default logLevel (warn when testMode: true, log otherwise) and has been flagged for removal in its type-definition comment since it landed. It is now removed, and unstable_dev's default log level matches wrangler dev's (log).

  Callers that explicitly passed testMode: true to get quieter logs should now set logLevel: "warn" directly.

Patch Changes

• #​14016 408432a Thanks [@​petebacondarwin](https://re

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Zurich)

• Branch creation
  • "after 2pm on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[kptdobe]

This one has been open for a long time. I feel scared to update the y-protocols dependency...
@bosschaert WDYT ?

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @da-tools/da-parser@1.2.1
npm error Found: yjs@13.6.31
npm error node_modules/yjs
npm error   yjs@"13.6.31" from the root project
npm error   peer yjs@"^13.5.38" from y-prosemirror@1.3.7
npm error   node_modules/y-prosemirror
npm error     y-prosemirror@"1.3.7" from @da-tools/da-parser@1.2.1
npm error     node_modules/@da-tools/da-parser
npm error       @da-tools/da-parser@"^1.2.1" from the root project
npm error   1 more (y-protocols)
npm error
npm error Could not resolve dependency:
npm error peer yjs@"13.6.29" from @da-tools/da-parser@1.2.1
npm error node_modules/@da-tools/da-parser
npm error   @da-tools/da-parser@"^1.2.1" from the root project
npm error
npm error Conflicting peer dependency: yjs@13.6.29
npm error node_modules/yjs
npm error   peer yjs@"13.6.29" from @da-tools/da-parser@1.2.1
npm error   node_modules/@da-tools/da-parser
npm error     @da-tools/da-parser@"^1.2.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-06-25T03_47_01_018Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-06-25T03_47_01_018Z-debug-0.log

[bosschaert]

This one has been open for a long time. I feel scared to update the y-protocols dependency... @bosschaert WDYT ?

It's only a micro version update so in the semver theory it should be all fine. We should test it locally first and then the Playwright test should give us some confidence that it's all ok.