#12837 2363d48 Thanks @edmundhung! - Update Astro Workers template for Astro v6
The Astro Workers template now scaffolds projects using Astro v6. The adapter uses the Cloudflare Vite plugin under the hood, so astro dev runs on the workerd runtime locally and wrangler.jsonc fields like main and assets are no longer needed in the template.
For existing projects, see the Astro Cloudflare adapter migration guide.
#12866 077c4d5 Thanks @edmundhung! - Fix React app creation flow skipping Cloudflare setup
Creating a React app with create-cloudflare no longer allows the Cloudflare setup step to be skipped by accepting create-vite's Install and start now prompt.
#12853 ff543e3 Thanks @gpanders! - Deprecate SSH passthrough flags in wrangler containers ssh
The --cipher, --log-file, --escape-char, --config-file, --pkcs11, --identity-file, --mac-spec, --option, and --tag flags are now deprecated. These flags expose OpenSSH-specific options that are tied to the current implementation. A future release will replace the underlying SSH transport, at which point these flags will be removed. They still function for now.
#12815 e63539d Thanks @NuroDev! - Support disabling persistence in unstable_startWorker() and unstable_dev()
You can now disable persistence entirely by setting persist: false in the dev options:
const worker = await unstable_dev("./src/worker.ts", {
persist: false,
});Or when using unstable_startWorker():
const worker = await unstable_startWorker({
entrypoint: "./src/worker.ts",
dev: {
persist: false,
},
});This is useful for testing scenarios where you want to ensure a clean state on each run without any persisted data from previous runs.
#12861 f7de0fd Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260310.1 | 1.20260312.1 |
#12734 8e89e85 Thanks @flostellbrink! - Add back support for wrangler d1 exports with multiple tables.
Example:
# All tables (default)
wrangler d1 export db --output all-tables.sql
# Single table (unchanged)
wrangler d1 export db --output single-table.sql --table foo
# Multiple tables (new)
wrangler d1 export db --output multiple-tables.sql --table foo --table bar#12807 8d1e130 Thanks @MaxwellCalkin! - fix: vectorize commands now output valid json
This fixes:
wrangler vectorize createwrangler vectorize infowrangler vectorize insertwrangler vectorize upsertwrangler vectorize listwrangler vectorize list-vectorswrangler vectorize list-metadata-indexAlso, wrangler vectorize create --json now also includes the created_at, modified_on and description fields.
#12856 6ee18e1 Thanks @dario-piotrowicz! - Fix autoconfig for Astro v6 projects to skip wrangler config generation
Astro 6+ generates its own wrangler configuration on build, so autoconfig now detects the Astro version and skips creating a wrangler.jsonc file for projects using Astro 6 or later. This prevents conflicts between the autoconfig-generated config and Astro's built-in config generation.
#12700 4bb61b9 Thanks @RiscadoA! - Add client-side validation for VPC service host flags
The --hostname, --ipv4, and --ipv6 flags on wrangler vpc service create and wrangler vpc service update now validate input before sending requests to the API. Previously, invalid values were accepted by the CLI and only rejected by the API with opaque error messages. Now users get clear, actionable error messages for common mistakes like passing a URL instead of a hostname, using an IP address in the --hostname flag, or providing malformed IP addresses.
Updated dependencies [f7de0fd, ecc7f79, 1dda1c8]:
#12655 a31ee0b Thanks @petebacondarwin! - Migrate workers-playground from Cloudflare Pages to Cloudflare Workers
Replace the Cloudflare Pages deployment with a Workers + static assets deployment.
In production (wrangler.jsonc), this is an assets-only Worker with no code entry point — the playground-preview-worker handles all routing and proxying in front of it.
For local development, a separate config (wrangler.dev.jsonc) adds a Worker entry point (src/worker.ts) that replicates the proxying behavior of the production playground-preview-worker. It proxies /playground/api/* requests to the testing playground-preview-worker, and for the /playground route it fetches an auth cookie from the testing endpoint, transforms it for local use (stripping SameSite/Secure directives and replacing the testing origin with localhost), and injects it into the response so the preview iframe can authenticate.
The playground-preview-worker referer allowlist is updated to also accept requests from *.workers-playground.workers.dev (in addition to the existing *.workers-playground.pages.dev).
#11632 a6ddbdb Thanks @penalosa! - Support Vitest 4 in @cloudflare/vitest-pool-workers.
This a breaking change to the @cloudflare/vitest-pool-workers integration in order to support Vitest v4. Along with supporting Vitest v4 (and dropping support for Vitest v2 and v3), we've made a number of changes that may require changes to your tests. Our aim has been to improve stability & the foundations of @cloudflare/vitest-pool-workers as we move towards a v1 release of the package.
We've made a codemod to make the migration easier, which will make the required changes to your config file:
npx jscodeshift -t node_modules/@cloudflare/vitest-pool-workers/dist/codemods/vitest-v3-to-v4.mjs vitest.config.tsOr, without installing the package first:
npx jscodeshift -t https://unpkg.com/@cloudflare/vitest-pool-workers/dist/codemods/vitest-v3-to-v4.mjs --parser=ts vitest.config.tsConfig API: defineWorkersProject and defineWorkersConfig from @cloudflare/vitest-pool-workers/config have been replaced with a cloudflareTest() Vite plugin exported from @cloudflare/vitest-pool-workers. The test.poolOptions.workers options are now passed directly to cloudflareTest():
Before:
import { defineWorkersProject } from "@cloudflare/vitest-pool-workers/config";
export default defineWorkersProject({
test: {
poolOptions: {
workers: {
wrangler: { configPath: "./wrangler.jsonc" },
},
},
},
});After:
import { cloudflareTest } from "@cloudflare/vitest-pool-workers";
import { defineConfig } from "vitest/config";
export default defineConfig({
plugins: [
cloudflareTest({
wrangler: { configPath: "./wrangler.jsonc" },
}),
],
});isolatedStorage & singleWorker: These have been removed in favour of a simpler isolation model that more closely matches Vitest. Storage isolation is now on a per test file basis, and you can make your test files share the same storage by using the Vitest flags --max-workers=1 --no-isolate
import { env, SELF } from "cloudflare:test": These have been removed in favour of import { env, exports } from "cloudflare:workers". exports.default.fetch() has the same behaviour as SELF.fetch(), except that it doesn't expose Assets. To test your assets, write an integration test using startDevWorker()
import { fetchMock } from "cloudflare:test": This has been removed. Instead, mock globalThis.fetch or use ecosystem libraries like MSW (recommended).
Vitest peer dependency: @cloudflare/vitest-pool-workers now requires vitest@^4.1.0.
#12805 9e78285 Thanks @dependabot! - Update dependencies of "create-cloudflare"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| @angular/create | 21.2.0 | 21.2.1 |
#12806 56986b9 Thanks @dependabot! - Update dependencies of "create-cloudflare"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| create-vike | 0.0.591 | 0.0.592 |
#12512 01f252d Thanks @thebeyondr! - Fix C3 success summary dashboard link to point to Workers service production view
The "Dash:" URL now includes /production so it opens the correct Workers & Pages service view in the Cloudflare dashboard.
#12820 556bce0 Thanks @dario-piotrowicz! - Generate app/env.d.ts and server/env.d.ts for Nuxt applications
Previously, only a top-level env.d.ts was created, which meant server files didn't receive Cloudflare types. Now the CLI generates separate app/env.d.ts and server/env.d.ts files, both importing from a shared _cloudflare/env.d.ts to avoid duplication.
This ensures Cloudflare types are available in both app and server directories.
#12861 f7de0fd Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260310.1 | 1.20260312.1 |
#12864 ecc7f79 Thanks @NuroDev! - Fix local explorer route matching to be more precise
Previously, the route matching used startsWith("/cdn-cgi/explorer") which would incorrectly match paths like /cdn-cgi/explorerfoo or /cdn-cgi/explorereeeeee, causing unexpected behavior. The route matching has been improved to only match:
/cdn-cgi/explorer (exact match)/cdn-cgi/explorer/ and any sub-paths (e.g., /cdn-cgi/explorer/api/*)Paths that merely start with /cdn-cgi/explorer but aren't actually the explorer (like /cdn-cgi/explorerfoo) will now correctly fall through to the user worker.
#12775 1dda1c8 Thanks @fhanau! - Add support for worker connect handler in miniflare
#12655 a31ee0b Thanks @petebacondarwin! - Migrate workers-playground from Cloudflare Pages to Cloudflare Workers
Replace the Cloudflare Pages deployment with a Workers + static assets deployment.
In production (wrangler.jsonc), this is an assets-only Worker with no code entry point — the playground-preview-worker handles all routing and proxying in front of it.
For local development, a separate config (wrangler.dev.jsonc) adds a Worker entry point (src/worker.ts) that replicates the proxying behavior of the production playground-preview-worker. It proxies /playground/api/* requests to the testing playground-preview-worker, and for the /playground route it fetches an auth cookie from the testing endpoint, transforms it for local use (stripping SameSite/Secure directives and replacing the testing origin with localhost), and injects it into the response so the preview iframe can authenticate.
The playground-preview-worker referer allowlist is updated to also accept requests from *.workers-playground.workers.dev (in addition to the existing *.workers-playground.pages.dev).
#12855 c2b76bc Thanks @jamesopstad! - Support local explorer /cdn-cgi/ routes
The local explorer UI can now be accessed at /cdn-cgi/explorer.
#12834 64edac7 Thanks @jamesopstad! - Warn when the assets field is provided for auxiliary Workers
Auxiliary Workers do not support static assets. Previously, the assets field was silently ignored but we now warn if it is used.
#12794 b980af6 Thanks @aron-cf! - Fix Sandbox SDK preview URL WebSocket routing
When using Sandbox SDK preview URLs, WebSocket requests using the vite-hmr protocol could be dropped before they reached the worker, causing HMR to fail. The plugin now forwards Sandbox WebSocket traffic and preserves the original request origin/host so worker proxy logic receives the correct URL.
Updated dependencies [f7de0fd, ff543e3, 8e89e85, e63539d, 8d1e130, 6ee18e1, ecc7f79, 1dda1c8, 4bb61b9]:
#12823 784c5cb Thanks @petebacondarwin! - Add frame-ancestors CSP and postMessage origin validation to quick-edit
Mitigate postMessage origin bypass:
#12790 5451a7f Thanks @petebacondarwin! - Bump glob to ^10.5.0 to address command injection vulnerability in glob CLI
#12787 d6d75a7 Thanks @petebacondarwin! - Bump create-qwik from 1.19.0 to 1.19.1
This update fixes an upstream issue where create-qwik installed @eslint/js at "latest", which resolved to v10 and conflicted with the project's eslint 9.x.
#12771 b8c33f5 Thanks @penalosa! - Remove prewarm, inspector_websocket, and exchange proxy from preview flow
The preview session exchange endpoint (/exchange) has been removed from the edge-preview-authenticated-proxy — it has been unused since the dash started fetching the exchange URL directly (DEVX-979). The prewarm parameter is no longer required or accepted by the .update-preview-token endpoint.
The playground preview worker now treats exchange_url as optional, falling back to the initial token from the edge-preview API when exchange is unavailable. Inspector websocket proxying and prewarm have been removed in favour of using tail_url for live logs.
#12823 784c5cb Thanks @petebacondarwin! - The workers playground's VSCodeEditor's postMessage targetOrigin is updated from '\*' to the specific quickEditHost.
This prevents the workers-playground from accidentally posting to an incorrect iframe.
#12771 b8c33f5 Thanks @penalosa! - Remove prewarm, inspector_websocket, and exchange proxy from preview flow
The preview session exchange endpoint (/exchange) has been removed from the edge-preview-authenticated-proxy — it has been unused since the dash started fetching the exchange URL directly (DEVX-979). The prewarm parameter is no longer required or accepted by the .update-preview-token endpoint.
The playground preview worker now treats exchange_url as optional, falling back to the initial token from the edge-preview API when exchange is unavailable. Inspector websocket proxying and prewarm have been removed in favour of using tail_url for live logs.
#12754 e4d9510 Thanks @emily-shen! - Add cross-process support to the local explorer
When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.
#12828 cb14820 Thanks @jamesopstad! - Update @hey-api/openapi-ts to ^0.94.0
#12779 b2f8b47 Thanks @NuroDev! - Refactors KV & sidebar to use route loaders.
This change improves the user experience of the Local Explorer dashboard by ensuring that the data used for the initial render is fetched server-side and passed down to the client. This avoids the initial flicker when loading in. Both D1 & Durable Object routes already incorporate this system.
#12746 211d75d Thanks @NuroDev! - Add support for inheritable bindings in type generation
When using wrangler types with multiple environments, bindings from inheritable config properties (like assets) are now correctly inherited from the top-level config in all named environments. Previously, if you defined assets.binding at the top level with named environments, the binding would be marked as optional in the generated Env type because the type generation didn't account for inheritance.
Example:
{
"assets": {
"binding": "ASSETS",
"directory": "./public"
},
"env": {
"staging": {},
"production": {}
}
}Before this change, ASSETS would be typed as ASSETS?: Fetcher (optional). Now, ASSETS is correctly typed as ASSETS: Fetcher (required). This fix currently applies to the assets binding, with an extensible mechanism to support additional inheritable bindings in the future.
#12826 de65c58 Thanks @gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag
Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.
#12790 5451a7f Thanks @petebacondarwin! - Bump node-forge to ^1.3.2 to address security vulnerabilities
node-forge had ASN.1 unbounded recursion, OID integer truncation, and ASN.1 validator desynchronization vulnerabilities. This is a bundled dependency used for local HTTPS certificate handling.
#12795 82cc2a8 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260301.1 | 1.20260306.1 |
#12811 3c67c2a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260306.1 | 1.20260307.1 |
#12827 d645594 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260307.1 | 1.20260310.1 |
#12808 6ed249b Thanks @MaxwellCalkin! - Fix wrangler d1 execute --json returning "null" (string) instead of null (JSON null) for SQL NULL values
When using wrangler d1 execute --json with local execution, SQL NULL values were incorrectly serialized as the string "null" instead of JSON null. This produced invalid JSON output that violated RFC 4627. The fix removes the explicit null-to-string conversion so NULL values are preserved as proper JSON null in the output.
#12824 9f93b54 Thanks @jamesopstad! - Strip query strings from module names before writing to disk
When bundling modules with query string suffixes (e.g. .wasm?module), the ? character was included in the output filename. Since ? is not a valid filename character on Windows, this caused an ENOENT error during wrangler dev. This was particularly visible when using Prisma Client with the D1 adapter, which imports .wasm?module files.
The fix strips query strings from module names before writing them to disk, while preserving correct module resolution.
#12771 b8c33f5 Thanks @penalosa! - Make remote dev exchange_url optional
The edge-preview API's exchange_url is now treated as optional. When unavailable or when the exchange fails, the initial token from the API response is used directly. The prewarm step and inspector_websocket have been removed from the remote dev flow in favour of tail_url for live logs.
Updated dependencies [5451a7f, 82cc2a8, 3c67c2a, d645594, de65c58, cb14820, a7c87d1, e4d9510]:
#12826 de65c58 Thanks @gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag
Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.
#12826 de65c58 Thanks @gabivlj! - Enable container egress interception in local dev without the experimental compatibility flag
Container local development now always prepares the egress interceptor sidecar image needed for interceptOutboundHttp(). This makes container-to-Worker interception available by default in Wrangler, Miniflare, and the Cloudflare Vite plugin.
#12754 e4d9510 Thanks @emily-shen! - Add cross-process support to the local explorer
When running multiple miniflare processes, the local explorer will now be able to view and edit resources that are bound to workers in other miniflare instances.
#12790 5451a7f Thanks @petebacondarwin! - Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities
Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.
#12795 82cc2a8 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260301.1 | 1.20260306.1 |
#12811 3c67c2a Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260306.1 | 1.20260307.1 |
#12827 d645594 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"
The following dependency versions have been updated:
| Dependency | From | To |
|---|---|---|
| workerd | 1.20260307.1 | 1.20260310.1 |
#12828 cb14820 Thanks @jamesopstad! - Update @hey-api/openapi-ts to ^0.94.0
#12786 a7c87d1 Thanks @emily-shen! - local explorer: validate origin and host headers
The local explorer is a WIP experimental feature.