chore(deps): update devdependency wrangler to v4.59.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
wrangler (source)	4.54.0 → 4.59.1

GitHub Vulnerability Alerts

CVE-2026-0933

Summary

A command injection vulnerability (CWE-78) has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to execute arbitrary commands on the system running Wrangler.

Root cause

The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution.

Impact

This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where wrangler pages deploy is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:

• Run any shell command.
• Exfiltrate environment variables.
• Compromise the CI runner to install backdoors or modify build artifacts.

Mitigation

• Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
• Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
• Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Credits

Disclosed responsibly by kny4hacker.

---

Release Notes

cloudflare/workers-sdk (wrangler)

v4.59.1

Compare Source

Patch Changes

• #​11889 99b1f32 Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

  Pass user provided values from --commit-hash safely to underlying git command.

v4.59.0

Compare Source

Minor Changes

• #​11852 ad65efa Thanks @​NuroDev! - Add --check flag to wrangler types command

  The new --check flag allows you to verify that your generated types file is up-to-date without regenerating it. This is useful for CI/CD pipelines, pre-commit hooks, or any scenario where you want to ensure types have been committed after configuration changes.

  When types are up-to-date, the command exits with code 0:

  $ wrangler types --check
  ✨ Types at worker-configuration.d.ts are up to date.

  When types are out-of-date, the command exits with code 1:

  $ wrangler types --check
  ✘ [ERROR] Types at worker-configuration.d.ts are out of date. Run `wrangler types` to regenerate.

  You can also use it with a custom output path:

  $ wrangler types ./custom-types.d.ts --check

• #​11529 43d5363 Thanks @​matthewdavidrodgers! - Add ability to enable higher asset count limits for Pages deployments

  Wrangler can now read asset count limits from JWT claims during Pages deployments,
  allowing users to be enabled for higher limits (up to 100,000 assets) on a per-account
  basis. The default limit remains at 20,000 assets.

• #​11755 0f8d69d Thanks @​nikitassharma! - Users can now specify constraints.tiers for their container applications. tier is deprecated in favor of tiers.
  If left unset, we will default to tiers: [1, 2].
  Note that constraints is an experimental feature.

Patch Changes

• #​11820 b0e54b2 Thanks @​MattieTK! - Add AI agent detection to analytics events

  Wrangler now detects when commands are executed by AI coding agents (such as Claude Code, Cursor, GitHub Copilot, etc.) using the am-i-vibing library. This information is included as an agent property in all analytics events, helping Cloudflare understand how developers interact with Wrangler through AI assistants.

  The agent property will contain the agent ID (e.g., "claude-code", "cursor-agent") when detected, or null when running outside an agentic environment.

• #​11494 ed60c4f Thanks @​jalmonter! - Fix scheduled trigger warning showing undefined port

  When running wrangler dev with a worker that has cron triggers, the warning message displayed an invalid URL like curl "http://localhost:undefined/cdn-cgi/handler/scheduled" because the port wasn't yet determined when the warning was logged.

  Moved the warning to after the proxy server is fully ready, where the actual public URL and port are known.

• #​11831 faa5753 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260107.1	1.20260108.0

• #​11844 e574ef3 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260108.0	1.20260109.0

• #​11872 b6148ed Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260109.0	1.20260111.0

• #​11843 ab3859c Thanks @​dario-piotrowicz! - Update the Wrangler autoconfig logic to work with the latest version of Waku

  The latest version of Waku (0.12.5-1.0.0-alpha.1-0) requires a src/waku.server.tsx file instead of a src/server-entry.tsx one, so the Wrangler autoconfig logic (the logic being run as part of wrangler setup and wrangler deploy --x-autoconfig that configures a project to be deployable on Cloudflare) has been updated accordingly.

  Also the way the worker needs to handle static assets has been updated as recommended from the Waku team.

• #​11848 0eb973d Thanks @​petebacondarwin! - Fix incorrect warning about multiple environments when using redirected config

  Previously, when using a redirected config (via configPath in another config file) that originated from a config with multiple environments, wrangler would incorrectly warn about missing environment specification. This fix ensures the warning is only shown when the actual config being used has multiple environments defined, not when the original config did.

• Updated dependencies [ed60c4f, 5c59217, faa5753, e574ef3, b6148ed, beb96af, 5c59217, fc96e5f]:

  • miniflare@​4.20260111.0
  • @​cloudflare/unenv-preset@​2.9.0

v4.58.0

Compare Source

Minor Changes

• #​11728 7d63fa5 Thanks @​NuroDev! - Add command categories to wrangler help menu

  The help output now groups commands by product category (Account, Compute & AI, Storage & Databases, Networking & Security) to match the Cloudflare dashboard organization:

  $ wrangler --help
  
  COMMANDS
    wrangler docs [search..]  📚 Open Wrangler's command documentation in your browser
  
  ACCOUNT
    wrangler auth    🔓 Manage authentication
    wrangler login   🔑 Login to Cloudflare
    ...
  
  COMPUTE & AI
    wrangler ai          🤖 Manage AI models
    wrangler containers  📦 Manage Containers [open beta]
    ...
  

  This improves discoverability by organizing the 20+ wrangler commands into logical groups.

Patch Changes

• #​11822 97e67b9 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260103.0	1.20260107.1

• Updated dependencies [97e67b9]:

  • miniflare@​4.20260107.0

v4.57.0

Compare Source

Minor Changes

• #​11682 b993d95 Thanks @​ascorbic! - Add wrangler auth token command to retrieve your current authentication credentials.

  You can now retrieve your authentication token for use with other tools and scripts:

  wrangler auth token

  The command returns whichever authentication method is currently configured:

  • OAuth token from wrangler login (automatically refreshed if expired)
  • API token from CLOUDFLARE_API_TOKEN environment variable

  Use --json to get structured output including the token type, which also supports API key/email authentication:

  wrangler auth token --json

  This is similar to gh auth token in the GitHub CLI.

• #​11702 f612b46 Thanks @​gpanders! - Add support for trusted_user_ca_keys in Wrangler

  You can now configure SSH trusted user CA keys for containers. Add the following to your wrangler.toml:

  [[containers.trusted_user_ca_keys]]
  public_key = "ssh-ed25519 AAAAC3..."

  This allows you to specify CA public keys that can be used to verify SSH user certificates.

• #​11437 9e360f6 Thanks @​ichernetsky-cf! - Drop deprecated containers observability.logging field

• #​11616 fc95831 Thanks @​NuroDev! - Add type generation support to wrangler dev

  You can now have your worker configuration types be automatically generated when the local Wrangler development server starts.

  To use it you can either:

  1. Add the --types flag when running wrangler dev.
  2. Update your Wrangler configuration file to add the new dev.generate_types boolean property.

  {
  	"$schema": "node_modules/wrangler/config-schema.json",
  	"name": "example",
  	"main": "src/index.ts",
  	"compatibility_date": "2025-12-12",
  	"dev": {
  		"generate_types": true
  	}
  }

• #​11524 b0dbf1a Thanks @​penalosa! - Add hidden CLI flags to wrangler setup for suppressing output

  Two new hidden flags have been added to wrangler setup:

  • --no-completion-message: Suppresses the deployment details message after setup completes
  • --no-install-wrangler: Skips Wrangler installation during project setup

• #​11777 69979a3 Thanks @​MattieTK! - Add analytics properties to secret commands for better usage insights

  Secret commands (wrangler secret put, wrangler secret bulk, and their Pages/versions equivalents) now include additional analytics properties to help understand how secrets are being managed:

  • secretOperation: Whether this is a "single" or "bulk" secret operation
  • secretSource: How the secret was provided ("interactive", "stdin", or "file")
  • secretFormat: For bulk operations, the format used ("json" or "dotenv")
  • hasEnvironment: Whether an environment was specified

  These properties help improve the developer experience by understanding common usage patterns. No sensitive information (secret names, values, or counts) is tracked.

• #​11738 c54f8da Thanks @​jamesopstad! - Add default Text module rule for .sql files.

  This enables importing .sql files directly in Wrangler and the Cloudflare Vite plugin without extra configuration.

• #​11692 df1f9c9 Thanks @​dario-piotrowicz! - Support Waku in autoconfig

• #​11549 d059f69 Thanks @​dario-piotrowicz! - Support Vike in autoconfig

Patch Changes

• #​11683 02fbd22 Thanks @​ascorbic! - Display a warning when authentication errors occur and the account_id in your Wrangler configuration does not match any of your authenticated accounts. This helps identify configuration issues where you may have the wrong account ID set in your wrangler.toml or wrangler.jsonc file.

• #​11704 77078ef Thanks @​dario-piotrowicz! - Fix autoconfig handling of Next.js apps with CJS config files and incompatible Next.js versions

  Previously, wrangler setup and wrangler deploy --x-autoconfig would fail when working with Next.js applications that use CommonJS config files (next.config.cjs) or have versions of Next.js that don't match the required peer dependencies. The autoconfig process now uses dynamic imports and forced installation to handle these scenarios gracefully.

• #​11796 2510723 Thanks @​dario-piotrowicz! - wrangler deploy delegates to opennextjs-cloudflare deploy only when the --x-autoconfig flag is used

  The wrangler deploy command has been updated to delegate to the opennextjs-cloudflare deploy command when run in an open-next project. Once this behavior had been introduced it caused a few issues. So it's been decided to enable it for the time being only when the --x-autoconfig flag is set (since this behavior, although generally valid, is only strictly necessary for the wrangler deploy's autoconfig flow).

• #​11764 9f6dd71 Thanks @​terakoya76! - Fix R2 Data Catalog snapshot-expiration API field names

  The wrangler r2 bucket catalog snapshot-expiration enable command was sending incorrect field names
  to the Cloudflare API, resulting in a 422 Unprocessable Entity error. This fix updates the API request
  body to use the correct field names:

  • olderThanDays -> max_snapshot_age (as duration string, e.g., "30d")
  • retainLast -> min_snapshots_to_keep

  The CLI options (--older-than-days and --retain-last) remain unchanged.

• #​11651 d123ad0 Thanks @​dario-piotrowicz! - Surface a more helpful error message for TOML Date, Date-Time, and Time values in vars

  TOML parses unquoted date/time values like DATE = 2024-01-01 as objects. Previously this would cause an unhelpful error message further down the stack. Now wrangler surfaces a more helpful error message earlier, telling you to quote the value as a string, e.g. DATE = "2024-01-01".

• #​11711 5121b23 Thanks @​southpolesteve! - Show an error when D1 migration commands are run without a configuration file

  Previously, running wrangler d1 migrations apply, wrangler d1 migrations list, or wrangler d1 migrations create in a directory without a Wrangler configuration file would silently exit with no feedback. Now these commands display a clear error message:

  "No configuration file found. Create a wrangler.jsonc file to define your D1 database."

• #​11710 82e7e90 Thanks @​dario-piotrowicz! - Fix arguments passed to wrangler deploy not being forwarded to opennextjs-cloudflare deploy

  wrangler deploy run in an open-next project delegates to opennextjs-cloudflare deploy, as part of this all the arguments passed to wrangler deploy need be forwarded to opennextjs-cloudflare deploy, before the arguments would be lost, now they will be successfully forwarded (for example wrangler deploy --keep-vars will call opennextjs-cloudflare deploy --keep-vars)

• #​10750 4688f59 Thanks @​jacoblearned! - Notify user on local dev server reload.

  When running wrangler dev, the local server suppresses Miniflare's reload messages to prevent duplicate log entries from the proxy and user workers. This update adds a reload complete message so users know their changes were applied, instead of only seeing "Reloading local server...".

• #​11673 b827893 Thanks @​MattieTK! - Breaks out version numbers into sortable number types for analytics logging

• Updated dependencies [65d1850, 1615fce, b2769bf, 554a4df, 8eede3f, 6a05b1c, 62fd118, a7e9f80, eac5cf7]:

  • miniflare@​4.20260103.0
  • @​cloudflare/unenv-preset@​2.8.0

v4.56.0

Compare Source

Minor Changes

• #​11196 171cfd9 Thanks @​emily-shen! - For containers being created in a FedRAMP high environment, registry credentials are encrypted by the container platform.
  Update wrangler to correctly send a request to configure a registry for FedRAMP containers.

• #​11646 472cf72 Thanks @​vovacf201! - feat: add R2 Data Catalog snapshot expiration commands

  Adds new commands to manage automatic snapshot expiration for R2 Data Catalog tables:

  • wrangler r2 bucket catalog snapshot-expiration enable - Enable automatic snapshot expiration
  • wrangler r2 bucket catalog snapshot-expiration disable - Disable automatic snapshot expiration

  Snapshot expiration helps manage storage costs by automatically removing old table snapshots while keeping a minimum number of recent snapshots for recovery purposes.

  Example usage:

  # Enable snapshot expiration for entire catalog (keep 10 snapshots, expire after 5 days)
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket --token $R2_CATALOG_TOKEN --max-age 7200 --min-count 10
  
  # Enable for specific table
  wrangler r2 bucket catalog snapshot-expiration enable my-bucket my-namespace my-table --token $R2_CATALOG_TOKEN --max-age 2880 --min-count 5
  
  # Disable snapshot expiration
  wrangler r2 bucket catalog snapshot-expiration disable my-bucket

Patch Changes

• #​11649 428ae9e Thanks @​ascorbic! - fix: respect TypeScript path aliases when resolving non-JS modules with module rules

  When importing non-JavaScript files (like .graphql, .txt, etc.) using TypeScript path aliases defined in tsconfig.json, Wrangler's module-collection plugin now correctly resolves these imports. Previously, path aliases were only respected for JavaScript/TypeScript files, causing imports like import schema from '~lib/schema.graphql' to fail when using module rules.

• #​11647 c0e249e Thanks @​dario-piotrowicz! - The auto-configuration logic present in wrangler setup and wrangler deploy --x-autoconfig cannot reliably handle Hono projects, so in these cases make sure to properly error saying that automatically configuring such projects is not supported.

• #​11694 3853200 Thanks @​dario-piotrowicz! - fix: improve the open-next detection that wrangler deploy performs to eliminate false positives for non open-next projects

• Updated dependencies [ae1ad22, 737c0f4]:

  • miniflare@​4.20251217.0

v4.55.0

Compare Source

Minor Changes

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Make wrangler deploy run opennextjs-cloudflare deploy when executed in an open-next project

• #​11045 12a63ef Thanks @​edmundhung! - Add an internal unstable_printBindings API for vite plugin integration

• #​11590 7d8d4a6 Thanks @​pombosilva! - Add Workflows send-event to wrangler commands.

• #​11301 6c590a0 Thanks @​dario-piotrowicz! - Support Next.js (via OpenNext) projects in autoconfig

Patch Changes

• #​11615 ed42010 Thanks @​elithrar! - Add helpful warning when SSL certificate errors occur due to corporate proxies or VPNs intercepting HTTPS traffic. When errors like "self-signed certificate in certificate chain" are detected, wrangler now displays guidance about installing missing system roots from your corporate proxy vendor.

• #​11641 6b28de1 Thanks @​petebacondarwin! - update command status text and formatting

• #​11578 4201472 Thanks @​gpanders! - Fixup UX papercuts in containers SSH

• #​11550 95d81e1 Thanks @​hiendv! - Fix "TypeError: Body is unusable: Body has already been read" when failing to exchange oauth code because of double response.text().

• Updated dependencies [5d085fb, b75b710, 1e9be12]:

  • miniflare@​4.20251213.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
nuxthub-starter	Ready	Preview	Jan 22, 2026 1:27am

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	nuxt-hub-starter	388383a	Commit Preview URL Branch Preview URL	Jan 22 2026, 01:27 AM