fix(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@cloudflare/workers-types	4.20260329.1 → 4.20260515.1			devDependencies	minor
@vitest/coverage-v8 (source)	4.1.2 → 4.1.6			devDependencies	patch
cloudflare	5.2.0 → 6.2.0			dependencies	major
davelosert/vitest-coverage-report-action (changelog)	bd52af5 → 02f3c2e			action	digest
googleapis/release-please-action	v4 → v5			action	major
typescript (source)	6.0.2 → 6.0.3			devDependencies	patch
vitest (source)	4.1.2 → 4.1.6			devDependencies	patch
wrangler (source)	4.78.0 → 4.91.0			devDependencies	minor

---

Release Notes

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260515.1

Compare Source

v4.20260514.1

Compare Source

v4.20260511.1

Compare Source

v4.20260510.1

Compare Source

v4.20260509.1

Compare Source

v4.20260508.1

Compare Source

v4.20260507.1

Compare Source

v4.20260506.1

Compare Source

v4.20260505.1

Compare Source

v4.20260504.1

Compare Source

v4.20260503.1

Compare Source

v4.20260502.1

Compare Source

v4.20260501.1

Compare Source

v4.20260430.1

Compare Source

v4.20260429.1

Compare Source

v4.20260426.1

Compare Source

v4.20260425.1

Compare Source

v4.20260424.1

Compare Source

v4.20260423.1

Compare Source

v4.20260422.2

Compare Source

v4.20260422.1

Compare Source

v4.20260421.1

Compare Source

v4.20260420.1

Compare Source

v4.20260418.1

Compare Source

v4.20260417.1

Compare Source

v4.20260416.2

Compare Source

v4.20260416.1

Compare Source

v4.20260415.1

Compare Source

v4.20260414.1

Compare Source

v4.20260413.1

Compare Source

v4.20260412.2

Compare Source

v4.20260412.1

Compare Source

v4.20260411.1

Compare Source

v4.20260410.1

Compare Source

v4.20260409.1

Compare Source

v4.20260408.1

Compare Source

v4.20260405.1

Compare Source

v4.20260404.1

Compare Source

v4.20260403.1

Compare Source

v4.20260402.1

Compare Source

v4.20260401.1

Compare Source

v4.20260331.1

Compare Source

vitest-dev/vitest (@​vitest/coverage-v8)

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

cloudflare/cloudflare-typescript (cloudflare)

v6.2.0

Compare Source

Full Changelog: v6.1.0...v6.2.0

Features

New Resources

• api: add DDoS Protection resource with Advanced TCP Protection endpoints -- allowlist (CRUD + bulk delete), prefixes (CRUD + bulk create/delete), syn-protection filters/rules (CRUD + bulk delete), tcp-flow-protection filters/rules (CRUD + bulk delete), status (edit/get) (0cd6242)
• api: add AI Security resource with settings (update/get) and custom topics (update/get) endpoints (4959946)

New Sub-Resources

• ai-gateway: add billing sub-resource -- credit balance, invoice history, invoice preview, usage history, spending limit (create/delete/get), topup config (create/delete/get), topup (create/status) (6f4c052)
• ai-gateway: add guardrails configuration to all AI Gateway response and param types with prompt/response safety classification (P1, S1-S13 categories, FLAG/BLOCK actions) (6f4c052)
• ai-gateway: add is_valid field to dynamic routing response types (6f4c052)
• load-balancers: add monitor group references sub-resource (get) (00f63c7)
• radar: add BGP IPs top ASes sub-resource (9af4cde)
• radar: add BGP RPKI ROAs timeseries sub-resource (9af4cde)
• zero-trust: add resource library sub-resource -- applications (create/update/list/delete/get) and categories (list) (5e7609f)

New Fields and Parameters

• cloudforce-one: add taxii format option for threat event exports (1ff832a)
• d1: add read_replication configuration param to DatabaseCreateParams with mode: 'auto' | 'disabled' (450e0f0)
• email-security: add smtp_helo_server_ip, smtp_previous_hop_ip, x_originating_ip response fields; add delivery_status filter param (083fe7f)
• intel: add latest_upload_error field to indicator feed responses (a612880)
• radar: add apiTraffic filter param (API | NON_API) to HTTP summary, timeseries groups, and top endpoints (c3a2fb0)
• resource-sharing: add idp-federation-grant sharing type; add tag query param for filtering shares by key/value pairs (fd7d870)
• secrets-store: add force query param to store delete for cascade-deleting secrets (e046da9)
• url-scanner: add mpp (Malicious Payment Page) detection to commerce scan results with evidence, findings, request/response details (19ab611)
• workflows: add sensitive: 'output' option to step configuration for redacting step output from logs (069930b)
• zero-trust: add custom_prompt_topic DLP entry type with upload_status, profiles fields across DLP entry and profile types (5e7609f)
• zero-trust: add deprecated deviceRegistration field to fleet status responses (use registrationId instead) (5e7609f)
• zones: add total_pages field to zone listing pagination metadata (1c444a3)

Chores

• acm: update custom origin trust store documentation (root CA only, no intermediate/leaf) (cf1329e)
• ai-gateway: add page and per_page params to dynamic routing list (6f4c052)
• ci: restore breaking change detection and semgrep timeout (02f41cb)
• d1: update read replication mode documentation (450e0f0)
• intel: add documentation for rejected category IDs (169, 177) in indicator feed update params (a612880)
• aisearch: improve content selection and custom headers documentation for crawl instance config (f282d9b)
• radar: update post-quantum TLS support response documentation (c3a2fb0)

Breaking Changes

• load-balancers: id field removed from MonitorGroupCreateParams, MonitorGroupUpdateParams, and MonitorGroupEditParams. Code passing id in these params will fail type-check.
• radar: IQITimeseriesGroupsResponse.Serie0 replaced named fields p25, p50, p75 with an index signature [k: string]: Array<string> | undefined. Code accessing result.serie_0.p25 will now receive string[] | undefined instead of string[], and field names are no longer auto-completed by TypeScript.
• radar: TLSSupportResponse added new required field bugs: TLSSupportResponse.Bugs with hrrFailure, splitClientHello, and unknownKeyshare booleans. Code constructing this response type without bugs will fail type-check.
• user: UserEditResponse.id and UserGetResponse.id changed from optional to required (id?: string -> id: string). New required field email: string added to both types. Code constructing these types without id or email will fail type-check.
• zero-trust: DLP entry union types renumbered -- a new custom_prompt_topic variant was inserted into all DLP entry response unions (EntryListResponse, EntryGetResponse, CustomListResponse, CustomGetResponse, IntegrationListResponse, IntegrationGetResponse, PredefinedListResponse, PredefinedGetResponse). Previous UnionMember1 through UnionMember5 are now UnionMember2 through UnionMember6. Code referencing specific union member types by number (e.g., EntryListResponse.UnionMember1) will get a different type than before.

v6.1.0

Compare Source

Full Changelog: v6.0.0...v6.1.0

Features

• chore: skip failing deployment_groups tests (f4ce98e)
• feat(api): add zero_trust_device_deployment_groups resource (c05f6d6)
• feat(SCTR): add audit log, classification, and context endpoints to Security Center API (3791b84)

Chores

• api: update composite API spec (64244be)
• api: update composite API spec (7cb65d5)
• api: update composite API spec (8533ac8)
• api: update composite API spec (04ebcc4)
• api: update composite API spec (fb5ef8f)

v6.0.0

Compare Source

Full Changelog: v6.0.0...v6.1.0

Features

• chore: skip failing deployment_groups tests (f4ce98e)
• feat(api): add zero_trust_device_deployment_groups resource (c05f6d6)
• feat(SCTR): add audit log, classification, and context endpoints to Security Center API (3791b84)

Chores

• api: update composite API spec (64244be)
• api: update composite API spec (7cb65d5)
• api: update composite API spec (8533ac8)
• api: update composite API spec (04ebcc4)
• api: update composite API spec (fb5ef8f)

googleapis/release-please-action (googleapis/release-please-action)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• upgrade to node24 (#​1188)

Features

• upgrade to node24 (#​1188) (46dfc01)

Bug Fixes

• bump release-please from 17.3.0 to 17.6.0 (#​1199) (f533c26)

v5.0

Compare Source

v5

Compare Source

v4.4.1

Compare Source

v4.4.0

Compare Source

Features

• add ability to select versioning-strategy and release-as (#​1121) (ee0f5ba)

Bug Fixes

• changelog-host parameter ignored when using manifest configuration (#​1151) (535c413)
• bump mocha from 11.7.1 to 11.7.2 in the npm_and_yarn group across 1 directory (#​1149) (3612a99)
• bump release-please from 17.1.2 to 17.1.3 (#​1158) (66fbfe9)

v4.4

Compare Source

v4.3.0

Compare Source

Features

• deps: update release-please to 17.1.2 (f07192c)

v4.3

Compare Source

v4.2.0

Compare Source

Features

• support for skip-labeling parameter for GitHub action (#​1066) (fb7f385)

v4.2

Compare Source

v4.1.5

Compare Source

Bug Fixes

• deps: update release-please to 16.18.0 (#​1083) (aeb7f8d)

v4.1.4

Compare Source

Bug Fixes

• bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group (#​1015) (5ec1cbd)
• bump release-please from 16.12.0 to 16.13.0 (#​1030) (caa0464)
• bump release-please from 16.13.0 to 16.14.0 (#​1032) (b2a986c)
• deps: update release-please to 16.14.1 (#​1036) (2942e51)

v4.1.3

Compare Source

Bug Fixes

• correct log output when creating releases (#​933) (2725132)

v4.1.2

Compare Source

Bug Fixes

• bump release-please from 16.10.2 to 16.12.0 (#​1005) (cb03961)

v4.1.1

Compare Source

Bug Fixes

• bump release-please from 16.10.0 to 16.10.2 (#​969) (aa764e0)
• bump the npm_and_yarn group with 1 update (#​967) (ce529d4)

v4.1.0

Compare Source

Features

• add changelog-host input to action.yml (#​948) (863b06f)

v4.1

Compare Source

v4.0.3

Compare Source

Bug Fixes

• bump release-please from 16.5.0 to 16.10.0 (#​953) (d7e88e0)

v4.0.2

Compare Source

Bug Fixes

• bump release-please from 16.4.0 to 16.5.0 (#​905) (df71963)
• log release-please version (#​910) (2a496d1), closes #​325

v4.0.1

Compare Source

Bug Fixes

• bump release-please from 16.3.1 to 16.4.0 (#​897) (2463dad)

microsoft/TypeScript (typescript)

v6.0.3

Compare Source

cloudflare/workers-sdk (wrangler)

v4.91.0

Compare Source

Minor Changes

• #​13822 c8be316 Thanks @​edmundhung! - Add named tunnel support and tunnel shortcuts to wrangler dev

  You can now use wrangler dev --tunnel --tunnel-name <name> to start a dev session with an existing named Cloudflare Tunnel, or set --tunnel-name ahead of time and start it later by pressing t to start or close the tunnel. This gives you a stable public hostname for local development instead of the temporary trycloudflare.com URL used by Quick Tunnels.

Patch Changes

• #​13848 d4794a8 Thanks @​MattieTK! - Condense repeated environment configuration warnings

  Wrangler now summarises repeated missing vars and define entries in environment configuration warnings. Experimental unsafe warnings are also only emitted once when the field appears at both the top level and in the active environment.

• #​13894 58b4403 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260508.1	1.20260511.1

• #​13780 4352f87 Thanks @​matingathani! - Normalize legacy instance type aliases (standard → standard-1, dev → lite) to prevent phantom EDIT diffs on every deploy

• #​13834 a9e6741 Thanks @​matingathani! - fix: hotkeys now work with Caps Lock enabled

  Wrangler's dev server hotkeys (e.g. b to open browser and x to exit) did not respond when Caps Lock was enabled. These hotkeys now work consistently whether or not Caps Lock is on.

• #​13750 da664d5 Thanks @​matingathani! - fix: automatically delete log files older than 30 days and add WRANGLER_WRITE_LOGS=false to disable disk logging

  Wrangler previously accumulated log files in ~/.wrangler/logs/ indefinitely, causing some users to accumulate gigabytes of logs over time.

  Log files older than 30 days are now automatically cleaned up on the first log write. Disk logging can be disabled entirely by setting WRANGLER_WRITE_LOGS=false.

• #​13914 bdc398c Thanks @​Maximo-Guk! - preserve native shape of non-string vars in worker previews

  wrangler preview previously coerced every non-string entry in previews.vars (arrays, objects, numbers, booleans) into a plain_text binding via JSON.stringify, so at runtime the worker saw a literal string instead of the value declared

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	98.57%	69 / 70
🔵	Statements	98.59%	70 / 71
🔵	Functions	100%	6 / 6
🔵	Branches	98.07%	51 / 52

File Coverage

No changed files found.

Generated in workflow #204 for commit 48a7951 by the Vitest Coverage Report Action