Skip to content

v1.33.1

Choose a tag to compare

@tpitre tpitre released this 03 Jul 03:14

Security-focused dependency sweep, same-day follow-up to v1.33.0. No code changes, no API changes, no plugin behavior changes.

Fixed

  • All runtime and critical security alerts resolved via in-range dependency bumps (npm audit fix, no --force): ws 8.21.0, hono 4.12.27, undici 7.28.0, handlebars 4.7.9 (the lone critical, a dev-only transitive of ts-jest), plus lodash, path-to-regexp, basic-ftp, fast-uri, vite, and friends. Every bump is within existing semver ranges — 1236 tests pass unchanged and the Cloudflare deploy dry-run is clean. Supersedes dependabot PRs #81, #82, and #84.
  • wrangler deliberately pinned at 4.72.0. Newer wrangler requires Node ≥22 and would break deploys on Node 20 toolchains. The only remaining audit findings are confined to wrangler/miniflare's bundled dev-time toolchain — they are not part of the published npm package or the deployed Worker bundle, and they clear whenever the Node 22 upgrade lands.
  • Release script no longer clobbers per-mode tool counts. The generic cloud-count regex was overwriting the Remote (9) and Local (106) counts in the mode-comparison bottom line and the docs setup cards on every release; anchored corrective rules now repair those slots automatically.

Plugin note: nothing in the plugin changed, but the v1.33.0 version handshake will show the plugin's update banner because the version stamp moved to 1.33.1. Re-import when convenient to clear it — nothing breaks if you don't.

Full Changelog: v1.33.0...v1.33.1