Bumps the npm_and_yarn group with 4 updates in the / directory: axios, vite, follow-redirects and ip.
Bumps the npm_and_yarn group with 2 updates in the /cf-tsdocs-worker directory: ip and wrangler.
#454786c81ff0 Thanks @mrbbot! - fix: listen on IPv4 loopback only by default on Windows
Due to a known issue, workerd will only listen on the IPv4 loopback address 127.0.0.1 when it's asked to listen on localhost. On Node.js > 17, localhost will resolve to the IPv6 loopback address, meaning requests to workerd would fail. This change switches to using the IPv4 loopback address throughout Wrangler on Windows, while workerd#1408 gets fixed.
#453529df8e17 Thanks @mrbbot! - Reintroduces some internal refactorings of wrangler dev servers (including wrangler dev, wrangler dev --remote, and unstable_dev()).
These changes were released in 3.13.0 and reverted in 3.13.1 -- we believe the changes are now more stable and ready for release again.
There are no changes required for developers to opt-in. Improvements include:
fewer 'address in use' errors upon reloads
upon config/source file changes, requests are buffered to guarantee the response is from the new version of the Worker
Patch Changes
#45216c5bc704 Thanks @zebp! - fix: init from dash specifying explicit usage model in wrangler.toml for standard users
#455063708a94 Thanks @mrbbot! - fix: validate Host and Orgin headers where appropriate
Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.
#4532311ffbd5 Thanks @mrbbot! - fix: change wrangler (pages) dev to listen on localhost by default
Previously, Wrangler listened on all interfaces (*) by default. This change switches wrangler (pages) dev to just listen on local interfaces. Whilst this is technically a breaking change, we've decided the security benefits outweigh the potential disruption caused. If you need to access your dev server from another device on your network, you can use wrangler (pages) dev --ip * to restore the previous behaviour.
#4474382ef8f5 Thanks @mrbbot! - fix: open browser to correct url pressing b in --remote mode
This change ensures Wrangler doesn't try to open http://* when * is used as the dev server's hostname. Instead, Wrangler will now open http://127.0.0.1.
#44883bd57238 Thanks @RamIdeas! - Changes the default directory for log files to workaround frameworks that are watching the entire .wrangler directory in the project root for changes
#454786c81ff0 Thanks @mrbbot! - fix: listen on IPv4 loopback only by default on Windows
Due to a known issue, workerd will only listen on the IPv4 loopback address 127.0.0.1 when it's asked to listen on localhost. On Node.js > 17, localhost will resolve to the IPv6 loopback address, meaning requests to workerd would fail. This change switches to using the IPv4 loopback address throughout Wrangler on Windows, while workerd#1408 gets fixed.
#453529df8e17 Thanks @mrbbot! - Reintroduces some internal refactorings of wrangler dev servers (including wrangler dev, wrangler dev --remote, and unstable_dev()).
These changes were released in 3.13.0 and reverted in 3.13.1 -- we believe the changes are now more stable and ready for release again.
There are no changes required for developers to opt-in. Improvements include:
fewer 'address in use' errors upon reloads
upon config/source file changes, requests are buffered to guarantee the response is from the new version of the Worker
Patch Changes
#45216c5bc704 Thanks @zebp! - fix: init from dash specifying explicit usage model in wrangler.toml for standard users
#455063708a94 Thanks @mrbbot! - fix: validate Host and Orgin headers where appropriate
Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.
#4532311ffbd5 Thanks @mrbbot! - fix: change wrangler (pages) dev to listen on localhost by default
Previously, Wrangler listened on all interfaces (*) by default. This change switches wrangler (pages) dev to just listen on local interfaces. Whilst this is technically a breaking change, we've decided the security benefits outweigh the potential disruption caused. If you need to access your dev server from another device on your network, you can use wrangler (pages) dev --ip * to restore the previous behaviour.
#4474382ef8f5 Thanks @mrbbot! - fix: open browser to correct url pressing b in --remote mode
This change ensures Wrangler doesn't try to open http://* when * is used as the dev server's hostname. Instead, Wrangler will now open http://127.0.0.1.
#44883bd57238 Thanks @RamIdeas! - Changes the default directory for log files to workaround frameworks that are watching the entire .wrangler directory in the project root for changes
When storing data in KV, Cache and R2, Miniflare uses both an SQL database and separate blob store. When writing a key/value pair, a blob is created for the new value and the old blob for the previous value (if any) is deleted. A few months ago, we introduced a change that prevented old blobs being deleted for KV and Cache. R2 was unaffected. This shouldn't have caused any problems, but could lead to persistence directories growing unnecessarily as they filled up with garbage blobs. This change ensures garbage blobs are deleted.
Note existing garbage will not be cleaned up. If you'd like to do this, download this Node script (https://gist.github.com/mrbbot/68787e19dcde511bd99aa94997b39076). If you're using the default Wrangler persistence directory, run node gc.mjs kv .wrangler/state/v3/kv <namespace_id_1> <namespace_id_2> ... and node gc.mjs cache .wrangler/state/v3/cache default named:<cache_name_1> named:<cache_name_2> ... with each of your KV namespace IDs (not binding names) and named caches.
#455063708a94 Thanks @mrbbot! - fix: validate Host and Orgin headers where appropriate
Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.
When using Workers Sites with a module worker, the asset manifest must be imported from the __STATIC_CONTENT_MANIFEST virtual module. Miniflare provided this module, but also erroneously added __STATIC_CONTENT_MANIFEST to the env object too. Whilst this didn't break anything locally, it could cause users to develop Workers that ran locally, but not when deployed. This change ensures env doesn't contain __STATIC_CONTENT_MANIFEST.
When storing data in KV, Cache and R2, Miniflare uses both an SQL database and separate blob store. When writing a key/value pair, a blob is created for the new value and the old blob for the previous value (if any) is deleted. A few months ago, we introduced a change that prevented old blobs being deleted for KV and Cache. R2 was unaffected. This shouldn't have caused any problems, but could lead to persistence directories growing unnecessarily as they filled up with garbage blobs. This change ensures garbage blobs are deleted.
Note existing garbage will not be cleaned up. If you'd like to do this, download this Node script (https://gist.github.com/mrbbot/68787e19dcde511bd99aa94997b39076). If you're using the default Wrangler persistence directory, run node gc.mjs kv .wrangler/state/v3/kv <namespace_id_1> <namespace_id_2> ... and node gc.mjs cache .wrangler/state/v3/cache default named:<cache_name_1> named:<cache_name_2> ... with each of your KV namespace IDs (not binding names) and named caches.
#455063708a94 Thanks @mrbbot! - fix: validate Host and Orgin headers where appropriate
Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.
When using Workers Sites with a module worker, the asset manifest must be imported from the __STATIC_CONTENT_MANIFEST virtual module. Miniflare provided this module, but also erroneously added __STATIC_CONTENT_MANIFEST to the env object too. Whilst this didn't break anything locally, it could cause users to develop Workers that ran locally, but not when deployed. This change ensures env doesn't contain __STATIC_CONTENT_MANIFEST.
This change adds a new wrappedBindings worker option for configuring
workerd's wrapped bindings.
These allow custom bindings to be written as JavaScript functions accepting an
env parameter of "inner bindings" and returning the value to bind. For more
details, refer to the API docs.
#4341d9908743 Thanks @RamIdeas! - Added a handleRuntimeStdio which enables wrangler (or any other direct use of Miniflare) to handle the stdout and stderr streams from the workerd child process. By default, if this option is not provided, the previous behaviour is retained which splits the streams into lines and calls console.log/console.error.
Add option to leverage the newly introduced UnsafeEval workerd binding API,
such API is used to evaluate javascript code at runtime via the provided eval and newFunction methods.
The API, for security reasons (as per the workers docs), is not to be use in production but it is intended for local purposes only such as local testing.
To use the binding you need to specify a string value for the unsafeEvalBinding, such will be the name of the UnsafeEval bindings that will be made available in the workerd runtime.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/pastelsky/tsdocs/network/alerts).
dependabot[bot]
commented
7 months ago
Bumps the npm_and_yarn group with 4 updates in the / directory: axios, vite, follow-redirects and ip. Bumps the npm_and_yarn group with 2 updates in the /cf-tsdocs-worker directory: ip and wrangler.
Updates
axiosfrom 1.6.5 to 1.6.6Release notes
Sourced from axios's releases.
Changelog
Sourced from axios's changelog.
Commits
104aa3fchore(release): v1.6.6 (#6199)a1938fffix: fixed missed dispatchBeforeRedirect argument (#5778)123f354fix: wrap errors to improve async stack trace (#5987)Updates
vitefrom 5.0.10 to 5.0.12Changelog
Sourced from vite's changelog.
Commits
ee81e19release: v5.0.1291641c4fix: fs deny for case insensitive systems (#15653)ef89f80fix: awaitconfigResolvedhooks of worker plugins (#15597) (#15605)b44c493release: v5.0.11d2aa096fix: inject__vite__mapDepscode before sourcemap file comment (#15483)2a540eechore(deps): update tj-actions/changed-files action to v41 (#15476)5ea9edbfix(html): handle offset magic-string slice error (#15435)49d21fechore(deps): update dependency strip-literal to v2 (#15475)8de7bd2fix(assets): avoid splitting,inside base64 value ofsrcsetattribute (#...19e3c9afix: don't pretransform classic script links (#15361)Updates
follow-redirectsfrom 1.15.4 to 1.15.6Commits
35a517cRelease version 1.15.6 of the npm package.c4f847fDrop Proxy-Authorization across hosts.8526b4aUse GitHub for disclosure.b1677ceRelease version 1.15.5 of the npm package.d8914f7Preserve fragment in responseUrl.Updates
ipfrom 1.1.8 to 1.1.9Commits
1ecbf2f1.1.96a3ada9lib: fixed CVE-2023-42282 and added unit testUpdates
ipfrom 2.0.0 to 2.0.1Commits
1ecbf2f1.1.96a3ada9lib: fixed CVE-2023-42282 and added unit testUpdates
wranglerfrom 3.15.0 to 3.19.0Release notes
Sourced from wrangler's releases.
... (truncated)
Changelog
Sourced from wrangler's changelog.
... (truncated)
Commits
5e67ea1Version Packages (#4536)63708a9fix: validateHost/Originheaders in magic proxy and `InspectorProxyWorke...86c81fffix: listen on IPv4 loopback only by default on Windows (#4547)6c5bc70fix: init from dash using explicit usage model for standard accounts (#4521)29df8e1Revert "Revert "startDevWorker - Milestone 1 (#4497)" (#4531)" (#4535)97727deVersion Packages (#4495)311ffbd[wrangler] fix: changewrangler (pages) devto listen onlocalhostby def...310281aRevert "startDevWorker - Milestone 1 (#4497)" (#4531)01eda78startDevWorker - Milestone 1 (#4497)961c8earemove unused npx-import dependency (#4477)Updates
miniflarefrom 3.20231025.0 to 3.20231030.3Release notes
Sourced from miniflare's releases.
Changelog
Sourced from miniflare's changelog.
... (truncated)
Commits
5e67ea1Version Packages (#4536)63708a9fix: validateHost/Originheaders in magic proxy and `InspectorProxyWorke...71fb0b8fix: ensure unused KV and Cache blobs cleaned up (#4466)97727deVersion Packages (#4495)311ffbd[wrangler] fix: changewrangler (pages) devto listen onlocalhostby def...1b34878fix: remove__STATIC_CONTENT_MANIFESTfrom module workerenv(#4505)f728503Version Packages (#4463)be2b9cffeat: add support for wrapped bindings (#4348)d990874Intercept workerd logs + write all debug logs to a hidden file (#4341)08615aaVersion Packages (#4291)Updates
undicifrom 5.27.0 to 5.28.3Release notes
Sourced from undici's releases.
... (truncated)
Commits
e71cb4cBumped v5.28.320c65b8Fix tests for Node.js v20.11.0 (#2618)8ec52cdFix tests for Node.js v21 (#2609)d3aa574Merge pull request from GHSA-3787-6prv-h9w39a14e5fBumped v5.28.2fcdfe87build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#2302)169c157build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)9788177build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 (#2392)1f6d159build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 (#2395)a393a86build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 (#2396)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show