fix(deps): update external fixes

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@aws-sdk/s3-request-presigner (source)	3.958.0 → 3.992.0
@cloudflare/workers-types	4.20260101.0 → 4.20260218.0
@redocly/cli	2.14.2 → 2.18.2
dotenv	17.2.3 → 17.3.1
semantic-release	25.0.2 → 25.0.3
wrangler (source)	4.54.0 → 4.66.0

---

Release Notes

aws/aws-sdk-js-v3 (@​aws-sdk/s3-request-presigner)

v3.992.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.991.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.990.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.989.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.988.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.987.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.986.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.985.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.984.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.983.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.982.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.981.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.980.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.978.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.975.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.974.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.972.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.971.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.970.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.969.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.968.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.967.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.966.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.965.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.964.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

v3.962.0

Compare Source

Note: Version bump only for package @​aws-sdk/s3-request-presigner

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260218.0

Compare Source

v4.20260217.0

Compare Source

v4.20260214.0

Compare Source

v4.20260213.0

Compare Source

v4.20260212.0

Compare Source

v4.20260210.0

Compare Source

v4.20260207.0

Compare Source

v4.20260206.0

Compare Source

v4.20260205.0

Compare Source

v4.20260203.0

Compare Source

v4.20260131.0

Compare Source

v4.20260130.0

Compare Source

v4.20260129.0

Compare Source

v4.20260128.0

Compare Source

v4.20260127.0

Compare Source

v4.20260124.0

Compare Source

v4.20260123.0

Compare Source

v4.20260122.0

Compare Source

v4.20260120.0

Compare Source

v4.20260118.0

Compare Source

v4.20260117.0

Compare Source

v4.20260116.0

Compare Source

v4.20260115.0

Compare Source

v4.20260114.0

Compare Source

v4.20260113.0

Compare Source

v4.20260111.0

Compare Source

v4.20260109.0

Compare Source

v4.20260108.0

Compare Source

v4.20260107.1

Compare Source

v4.20260103.0

Compare Source

Redocly/redocly-cli (@​redocly/cli)

v2.18.2

Compare Source

Patch Changes

• Fixed false positive errors in example validation for OpenAPI 3.0.x and OpenAPI 2.x.
• Updated @​redocly/openapi-core to v2.18.2.

v2.18.1

Compare Source

Patch Changes

• Fixed validation of examples where combining required with readOnly or writeOnly properties would incorrectly generate warnings.
• Updated @​redocly/respect-core to v2.18.1.

v2.18.0

Compare Source

Minor Changes

• Added lintEntityWithScorecardLevel function to validate entity files against scorecard level configurations and lintSchema function to lint individual schemas from API description files.

Patch Changes

• Updated @​redocly/config to v0.43.0.

v2.17.0

Compare Source

Minor Changes

• Added support for Media Types in the Components model.
• Added new outputs-defined Arazzo rule, ensuring outputs are defined before use.

v2.16.0

Compare Source

Minor Changes

• Added a new --component-renaming-conflicts-severity option for the bundle command to control how naming conflicts are reported when bundling API descriptions with external references.

Patch Changes

• Redirected bundling problems (such as lint errors and warnings) to stderr instead of stdout to avoid interfering with the bundled output.

v2.15.2

Compare Source

Patch Changes

• Fixed an issue where improperly structured OpenAPI examples caused the linter to fail.

v2.15.1

Compare Source

Patch Changes

• Updated @​redocly/config to v0.41.4.
• Added description and documentationLink properties to NodeTypes.
  Renamed Redocly configuration types to better reflect their purpose and relations.
• Updated @​redocly/config to v0.41.3.

v2.15.0

Compare Source

Patch Changes

• Removed unused chokidar dependency.
• Updated @​redocly/openapi-core to v2.15.0.

v2.14.9

Compare Source

Patch Changes

• Updated @​redocly/openapi-core to v2.14.9.

v2.14.8

Compare Source

Patch Changes

• Fixed an issue where multi-line lint error messages could break Markdown formatting.
• Updated @​redocly/openapi-core to v2.14.8.

v2.14.7

Compare Source

Patch Changes

• Updated @​redocly/openapi-core to v2.14.7.

v2.14.6

Compare Source

Patch Changes

• Updated @​redocly/openapi-core to v2.14.6.

v2.14.5

Compare Source

Patch Changes

• Added an ajv npm alias dependency to satisfy peer dependency requirements and prevent installation warnings.
• Updated @​redocly/openapi-core to v2.14.5.

v2.14.4

Compare Source

Patch Changes

• Corrected an issue where Respect did not properly JSON-encode request bodies for custom content-types containing numbers.
• Updated @​redocly/respect-core to v2.14.4.

v2.14.3

Compare Source

Patch Changes

• Fixed the split command to properly handle root-level paths.
  Previously, the root path / was converted to an empty string as a filename, leading to incorrect file structure and broken links.
  Now, it correctly maps to the specified path separator.
• Updated @​redocly/openapi-core to v2.14.3.

motdotla/dotenv (dotenv)

v17.3.1

Compare Source

Changed

• Fix as2 example command in README and update spanish README

v17.3.0

Compare Source

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

v17.2.4

Compare Source

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#​915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

semantic-release/semantic-release (semantic-release)

v25.0.3

Compare Source

Bug Fixes

• deps: remove deprecated semver-diff (#​3980) (f404124)

cloudflare/workers-sdk (wrangler)

v4.66.0

Compare Source

Minor Changes

• #​12466 caf9b11 Thanks @​petebacondarwin! - Add WRANGLER_CACHE_DIR environment variable and smart cache directory detection

  Wrangler now intelligently detects where to store cache files:

  1. Use WRANGLER_CACHE_DIR env var if set
  2. Use existing cache directory if found (node_modules/.cache/wrangler or .wrangler/cache)
  3. Create cache in node_modules/.cache/wrangler if node_modules exists
  4. Otherwise use .wrangler/cache

  This improves compatibility with Yarn PnP, pnpm, and other package managers that don't use traditional node_modules directories, without requiring any configuration.

• #​12572 936187d Thanks @​dario-piotrowicz! - Ensure the nodejs_compat flag is always applied in autoconfig

  Previously, the autoconfig feature relied on individual framework configurations to specify Node.js compatibility flags, some could set nodejs_compat while others nodejs_als.

  Now instead nodejs_compat is always included as a compatibility flag, this is generally beneficial and the user can always remove the flag afterwards if they want to.

• #​12560 c4c86f8 Thanks @​taylorlee! - Support --tag and --message flags on wrangler deploy

  They have the same behavior that they do as during wrangler versions upload, as both
  are set on the version.

  The message is also reused for the deployment as well, with the same behavior as used
  during wrangler versions deploy.

Patch Changes

• #​12543 5a868a0 Thanks @​G4brym! - Fix AI Search binding failing in local dev

  Using AI Search bindings with wrangler dev would fail with "RPC stub points at a non-serializable type". AI Search bindings now work correctly in local development.

• #​12552 c58e81b Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260212.0	1.20260213.0

• #​12568 33a9a8f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260213.0	1.20260214.0

• #​12576 8077c14 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260214.0	1.20260217.0

• #​12466 caf9b11 Thanks @​petebacondarwin! - fix: exclude .wrangler directory from Pages uploads

  The .wrangler directory contains local cache and state files that should never be deployed. This aligns Pages upload behavior with Workers Assets, which already excludes .wrangler via .assetsignore.

• #​12556 7d2355e Thanks @​ascorbic! - Fix port availability check probing the wrong host when host changes

  memoizeGetPort correctly invalidated its cached port when called with a different host, but then still probed the original host for port availability. This could return a port that was free on the original host but already in use on the requested one, leading to bind failures at startup.

• #​12562 7ea69af Thanks @​MattieTK! - Support function-based Vite configs in autoconfig setup

  wrangler setup and wrangler deploy --x-autoconfig can now automatically add the Cloudflare Vite plugin to projects that use function-based defineConfig() patterns. Previously, autoconfig would fail with "Cannot modify Vite config: expected an object literal but found ArrowFunctionExpression" for configs like:

  export default defineConfig(({ isSsrBuild }) => ({
  	plugins: [reactRouter(), tsconfigPaths()],
  }));

  This pattern is used by several official framework templates, including React Router's node-postgres and node-custom-server templates. The following defineConfig() patterns are now supported:

  • defineConfig({ ... }) (object literal, already worked)
  • defineConfig(() => ({ ... })) (arrow function with expression body)
  • defineConfig(({ isSsrBuild }) => ({ ... })) (arrow function with destructured params)
  • defineConfig(() => { return { ... }; }) (arrow function with block body)
  • defineConfig(function() { return { ... }; }) (function expression)

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .assetsignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy --x-autoconfig created a new .assetsignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .assetsignore file. This fix ensures newly created .assetsignore files start cleanly without leading blank lines.

• #​12556 7d2355e Thanks @​ascorbic! - Improve error message when port binding is blocked by a sandbox or security policy

  When running wrangler dev inside a restricted environment (such as an AI coding agent sandbox or locked-down container), the port availability check would fail with a raw EPERM error. This now provides a clear message explaining that a sandbox or security policy is blocking network access, rather than the generic permission error that previously pointed at the file system.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Improve framework detection when multiple frameworks are found

  When autoconfig detects multiple frameworks in a project, Wrangler now applies smarter logic to select the most appropriate one. Selecting the wrong one is acceptable locally where the user can change the detected framework, in CI an error is instead thrown.

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Add trailing newline to generated package.json and wrangler.jsonc files

• #​12548 5cc7158 Thanks @​dario-piotrowicz! - Fix .gitignore formatting when autoconfig creates a new file

  Previously, when wrangler setup or wrangler deploy created a new .gitignore file via autoconfig, it would add unnecessary leading empty lines before the wrangler-specific entries. Empty separator lines should only be added when appending to an existing .gitignore file. This fix ensures newly created .gitignore files start cleanly without leading blank lines.

• #​12545 c9d0f9d Thanks @​dario-piotrowicz! - Throw actionable error when autoconfig is run in the root of a workspace

  When running Wrangler commands that trigger auto-configuration (like wrangler dev or wrangler deploy) in the root directory of a monorepo workspace, a helpful error is now shown directing users to run the command in a specific project's directory instead.

• Updated dependencies [5a868a0, c58e81b, 33a9a8f, 8077c14, caf9b11, 9a565d5, 7f18183, 39491f9, 43c462a]:

  • miniflare@​4.20260217.0
  • @​cloudflare/unenv-preset@​2.13.0

v4.65.0

Compare Source

Minor Changes

• #​12473 b900c5a Thanks @​petebacondarwin! - Add CF_PAGES environment variables to wrangler pages dev

  wrangler pages dev now automatically injects Pages-specific environment variables (CF_PAGES, CF_PAGES_BRANCH, CF_PAGES_COMMIT_SHA, CF_PAGES_URL) for improved dev/prod parity. This enables frameworks like SvelteKit to auto-detect the Pages environment during local development.

  • CF_PAGES is set to "1" to indicate the Pages environment
  • CF_PAGES_BRANCH defaults to the current git branch (or "local" if not in a git repo)
  • CF_PAGES_COMMIT_SHA defaults to the current git commit SHA (or a placeholder if not in a git repo)
  • CF_PAGES_URL is set to a simulated commit preview URL (e.g., https://<sha>.<project-name>.pages.dev)

  These variables are displayed with their actual values in the bindings table during startup, making it easy to verify what branch and commit SHA were detected.

  These variables can be overridden by user-defined vars in the Wrangler configuration, .env, .dev.vars, or via CLI flags.

• #​12464 10a1c4a Thanks @​petebacondarwin! - Allow deleting KV namespaces by name

  You can now delete a KV namespace by providing its name as a positional argument:

  wrangler kv namespace delete my-namespace

  This aligns the delete command with the create command, which also accepts a namespace name.
  The existing --namespace-id and --binding flags continue to work as before.

• #​12382 d7b492c Thanks @​dario-piotrowicz! - Add Pages detection to autoconfig flows

  When running the autoconfig logic (via wrangler setup, wrangler deploy --x-autoconfig, or the programmatic autoconfig API), Wrangler now detects when a project appears to be a Pages project and handles it appropriately:

  • For wrangler deploy, it warns the user but still allows them to proceed
  • For wrangler setup and the programmatic autoconfig API, it throws a fatal error

• #​12461 8809411 Thanks @​penalosa! - Support type: inherit bindings when using startWorker()

  This is an internal binding type that should not be used by external users of the API

• #​12515 1a9eddd Thanks @​ascorbic! - Add --json flag to wrangler whoami for machine-readable output

  wrangler whoami --json now outputs structured JSON containing authentication status, auth type, email, accounts, and token permissions. When the user is not authenticated, the command exits with a non-zero status code and outputs {"loggedIn":false}, making it easy to check auth status in shell scripts without parsing text output.

  # Parse the JSON output
  wrangler whoami --json | jq '.accounts'
  
  # Check if authenticated in a script. Returns 0 if authenticated, non-zero if not.
  if wrangler whoami --json > /dev/null 2>&1; then
    echo "Authenticated"
  else
    echo "Not authenticated"
  fi
  

Patch Changes

• #​12437 ad817dd Thanks @​MattieTK! - fix: use project's package manager in wranger autoconfig

  wrangler setup now correctly detects and uses the project's package manager based on lockfiles (pnpm-lock.yaml, yarn.lock, bun.lockb, package-lock.json) and the packageManager field in package.json. Previously, it would fall back to the package manager used to execute the command when run directly from the terminal, causing failures in pnpm and yarn workspace projects if the wrong manager was used in this step due to the workspace: protocol not being supported by npm.

  This change leverages the package manager detection already performed by @netlify/build-info during framework detection, ensuring consistent behaviour across the autoconfig process.

• #​12541 f7fa326 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260210.0	1.20260212.0

• #​12498 734792a Thanks @​dario-piotrowicz! - Fix: make sure that remote proxy sessions's logs can be silenced when the wrangler log level is set to "none"

• #​12135 cc5ac22 Thanks @​edmundhung! - Fix spurious config diffs when bindings from local and remote config are shown in different order

  When comparing local and remote Worker configurations, binding arrays like kv_namespaces would incorrectly show additions and removals if the elements were in a different order. The diff now correctly recognizes these as equivalent by reordering remote arrays to match the local config's order before comparison.

• #​12476 62a8d48 Thanks @​MattieTK! - fix: use unscoped binary name for OpenNext autoconfig command overrides

  The build, deploy, and version command overrides in the Next.js (OpenNext) autoconfig handler used the scoped package name @opennextjs/cloudflare, which pnpm interprets as a workspace filter rather than a binary name. This caused wrangler deploy --x-autoconfig to fail for pnpm-based Next.js projects with ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL. Changed to use the unscoped binary name opennextjs-cloudflare, which resolves correctly across all package managers.

• #​12516 84252b7 Thanks @​edmundhung! - Stop proxying localhost requests when proxy environment variables are set

  When HTTP_PROXY or HTTPS_PROXY is configured, all fetch requests including ones to localhost were routed through the proxy. This caused wrangler dev and the Vite plugin to fail with "TypeError: fetch failed" because the proxy can't reach local addresses.

  This switches from ProxyAgent to undici's EnvHttpProxyAgent, which supports the NO_PROXY environment variable. When NO_PROXY is not set, it defaults to localhost,127.0.0.1,::1 so local requests are never proxied.

  The NO_PROXY config only applies to the request destination, not the proxy server address. So a proxy running on localhost (e.g. HTTP_PROXY=http://127.0.0.1:11451) still works for outbound API calls.

• #​12506 e5efa5d Thanks @​sesteves! - Fix wrangler r2 sql query displaying [object Object] for nested values

  SQL functions that return complex types such as arrays of objects (e.g. approx_top_k) were rendered as [object Object] in the table output because String() was called directly on non-primitive values. These values are now serialized with JSON.stringify so they display as readable JSON strings.

• #​11725 be9745f Thanks @​dario-piotrowicz! - Fix incorrect logic during autoconfiguration (when running wrangler setup or wrangler deploy --x-autoconfig) that caused parts of the project's package.json file, removed during the process, to incorrectly be added back

• #​12458 122791d Thanks @​jkoe-cf! - Remove default values for delivery delay and message retention and update messaging on limits

  Fixes the issue of the default maximum message retention (365400 seconds) being longer than the maximum allowed retention period for free tier users (86400 seconds).

  Previous:

  • Wrangler set a default value of 365400 seconds max message retention if the setting was not explicitly provided in the Wrangler configuration.
  • The maximum retention period was documented as 1209600 seconds for all queues users because it was required to be on paid tier.
  • Wrangler also set a default value of 0 seconds for delivery delay if the setting was not explicitly provided in the Wrangler configuration.

  Updated:

  • Wrangler no longer sets a default value for max message retention so that the default can be applied at the API.
  • The maximum retention period is now documented as 86400 seconds for free tier queues and 1209600 seconds for paid tier queues
  • Wrangler also no longer sets a default value for delivery delay so that the default can be applied at the API.

• #​12513 41e18aa Thanks @​pombosilva! - Add confirmation prompt when deploying workflows with names that belong to different workers.

  When deploying a workflow with a name that already exists and is currently associated with a different worker script, Wrangler will now display a warning and prompt for confirmation before proceeding. This helps prevent accidentally overriding workflows.

  In non-interactive environments this check is skipped by default. Use the --strict flag to enable the check in non-interactive environments, which will cause the deployment to fail if workflow conflicts are detected.

• Updated dependencies [f7fa326, 7aaa2a5, d06ad09]:

  • miniflare@​4.20260212.0

v4.64.0

Compare Source

Minor Changes

• #​12433 2acb277 Thanks @​martinezjandrew! - Updated registries delete subcommand to handle new API response that now returns a secrets store secret reference after deletion. Wrangler will now prompt the user if they want to delete the associated secret. If so, added new logic to retrieve a secret by its name. The subcommand will then delete the secret.

• #​12307 e02b5f5 Thanks @​dario-piotrowicz! - Improve autoconfig telemetry with granular event tracking

  Adds detailed telemetry events to track the autoconfig workflow, including process start/end, detection, and configuration phases. Each event includes a unique session ID (appId), CI detection, framework information, and success/error status to help diagnose issues and understand usage patterns.

• #​12474 8ba1d11 Thanks @​petebacondarwin! - Add `wrangler pages deployment delet

---

Configuration

📅 Schedule: Branch creation - "after 2pm on Monday" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!