Version Packages

[workers-devprod]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

wrangler@4.92.0

Minor Changes

• #13670 506aa02 Thanks @elithrar! - Add wrangler artifacts commands for managing Artifacts repos and repo tokens.

  This adds CLI support for the Artifacts control-plane workflows that were previously only available through the API. You can now list and inspect namespaces, create, list, inspect, and delete repos, and issue repo-scoped tokens when you need to authenticate git access.

  The new commands support both human-readable output and --json output so they fit existing Wrangler automation patterns.

• #13916 be8a98c Thanks @emily-shen! - Add --keep-vars flag to wrangler versions upload, matching the existing behavior in wrangler deploy. When set, environment variables configured via the dashboard are preserved rather than being deleted before the upload.

Patch Changes

• #13926 19ed49a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260511.1	1.20260515.1

• #11471 3ff0a50 Thanks @HW13! - Improve wrangler types --env-interface for multi-worker projects.

  Custom env interfaces generated by wrangler types no longer expand from Cloudflare.Env, avoiding some unintended type expansion when multiple workers' generated types are used together.

• #13910 bf688f7 Thanks @timoconnellaus! - Fix Failed to fetch auth token: 401 Unauthorized from sibling-rotated refresh tokens

  refreshToken previously used the refresh token from module-level localState, which is populated once at startup and never re-read. OAuth refresh tokens are single-use, so when a sibling wrangler process (in another repo, another shell, or a parallel script) refreshes first, it rotates the token server-side and writes the new value to the shared config file (~/Library/Preferences/.wrangler/config/default.toml on macOS). The long-lived process — typically wrangler dev — then sends its stale in-memory token on the next refresh and gets 401 Unauthorized from https://dash.cloudflare.com/oauth2/token, falling through to interactive login and timing out unattended.

  refreshToken now calls reinitialiseAuthTokens() before exchanging, picking up the latest refresh token written by any sibling process. The previously empty catch {} also now logs the underlying error at debug level so future refresh failures are diagnosable without source-diving.

• #13843 2e72c83 Thanks @nzws! - Fix wrangler versions secret put/delete/bulk to preserve the existing version's placement settings

  When creating a new version via wrangler versions secret, the previous code only re-emitted a bare { mode: "smart" } placement when the API reported placement_mode === "smart", dropping any other placement entirely. The new version is now created with the placement settings returned by the API, so placement settings survive a secret put/delete/bulk round-trip.

• #13908 802eaf4 Thanks @shiminshen! - fix: stop rewriting query strings that happen to contain the request Host

  wrangler dev previously rewrote occurrences of the outer host inside request.url's query string. For example, a request to ?echo=https%3A%2F%2Fdevelopment.test%2Fpath with Host: development.test would be seen by the user worker as ?echo=https%3A%2F%2Fproduction.test%2Fpath, silently mutating opaque application data such as redirect_uri values in OAuth flows.

  The proxy worker now sets the internal MF-Original-URL header after its blanket host-rewriting pass over request headers, so the URL passed to the user worker preserves the original query string.

• #13827 8f5cdb1 Thanks @greyvugrin! - Fix multi-environment warning when CLOUDFLARE_ENV is set

  Commands that warn when multiple environments are configured but none is specified (e.g. wrangler deploy, wrangler secret put) were not accounting for the CLOUDFLARE_ENV environment variable when deciding whether to show the warning. This caused a misleading warning to appear even when the target environment was correctly specified via CLOUDFLARE_ENV.

• Updated dependencies [19ed49a]:

  • miniflare@4.20260515.0

miniflare@4.20260515.0

Patch Changes

• #13926 19ed49a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260511.1	1.20260515.1

@cloudflare/pages-shared@0.13.136

Patch Changes

• Updated dependencies [19ed49a]:
  • miniflare@4.20260515.0

@cloudflare/vite-plugin@1.37.1

Patch Changes

• #13922 23800f8 Thanks @edmundhung! - Add a tunnel shortcut hint when CLI shortcuts are printed

  The Cloudflare Vite plugin now includes a t + enter tunnel hint alongside the other CLI shortcuts it prints.

• #13920 f579e57 Thanks @petebacondarwin! - Honor X-Forwarded-Proto when constructing the Worker's request.url

  When running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's request.url was always http://... even though the client reached the server over https://.... This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with 403.

  The Vite plugin now reads the X-Forwarded-Proto header from the incoming request and uses it to set the protocol of request.url. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs.

  Fixes #13801.

• Updated dependencies [19ed49a, 3ff0a50, bf688f7, 2e72c83, 802eaf4, 506aa02, 8f5cdb1, be8a98c]:

  • miniflare@4.20260515.0
  • wrangler@4.92.0

@cloudflare/vitest-pool-workers@0.16.6

Patch Changes

• #13833 0e4a830 Thanks @thegeekasteroid! - Filter benign disconnected: WebSocket peer disconnected workerd stderr noise during test runs.

  The ignoreMessages array in the pool already filters several benign workerd disconnect messages (e.g. disconnected: WebSocket was aborted). On recent workerd versions, tests that exercise the WebSocket API also surface disconnected: WebSocket peer disconnected warnings during normal teardown. These are not user-actionable and obscure real test failures. Add the message to the existing filter alongside the other disconnected: entries.

• Updated dependencies [19ed49a, 3ff0a50, bf688f7, 2e72c83, 802eaf4, 506aa02, 8f5cdb1, be8a98c]:

  • miniflare@4.20260515.0
  • wrangler@4.92.0

[ask-bonk]

LGTM

github run

[github-actions]

✅ All changesets look good

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13918

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13918

miniflare

npm i https://pkg.pr.new/miniflare@13918

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13918

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13918

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13918

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13918

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13918

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@13918

wrangler

npm i https://pkg.pr.new/wrangler@13918

commit: c3c6b24