chore(deps): bump undici, @cloudflare/vite-plugin and wrangler

[dependabot]

Bumps undici to 7.24.4 and updates ancestor dependencies undici, @cloudflare/vite-plugin and wrangler. These dependencies need to be updated together.

Updates undici from 7.18.2 to 7.24.4

Release notes

Sourced from undici's releases.

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

... (truncated)

Commits

• 4991f3e Bumped v7.24.4
• ea3a06d fix(fetch): preserve path for credentialed URLs (#4892)
• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• f2e155b Bumped v7.24.2
• 4d2d1af remove maxDecompressedMessageSize (#4891)
• 3a05a4f fix fetch path logic (#4890)
• 23e3cd3 Bumped v7.24.1
• Additional commits viewable in compare view

Updates @cloudflare/vite-plugin from 1.21.2 to 1.30.1

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.30.1

Patch Changes

• #12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  export default {
  fetch() {
  return new Response(page, {
  headers: { "Content-Type": "text/html" },
  });
  },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

@​cloudflare/vite-plugin@​1.30.0

Minor Changes

• #12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

  Note: this feature is still experimental, and can be disabled by setting the env var X_LOCAL_EXPLORER=false.

Patch Changes

• #12942 4f7fd79 Thanks @​jamesopstad! - Avoid splicing into the middleware stack for Vite versions other than v6

  Previously, the plugin spliced its pre-middleware into the Vite middleware stack relative to viteCachedTransformMiddleware. In Vite 8, this middleware can be omitted in some scenarios, which would cause the splice to fail. The plugin now registers pre-middleware using server.middlewares.use() directly, which places it in the correct position for Vite 7+. For Vite 6, the middleware is moved to the correct position in a post hook.

• Updated dependencies [782df44, 3c988e2, 62545c9, d028ffb, cb71403, 71ab981, 3a1c149, 7c3c6c6, ce48b77, 8729f3d]:

  • wrangler@4.76.0
  • miniflare@4.20260317.1

... (truncated)

Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.30.1

Patch Changes

• #12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  export default {
  fetch() {
  return new Response(page, {
  headers: { "Content-Type": "text/html" },
  });
  },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

1.30.0

Minor Changes

• #12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

  Note: this feature is still experimental, and can be disabled by setting the env var X_LOCAL_EXPLORER=false.

Patch Changes

• #12942 4f7fd79 Thanks @​jamesopstad! - Avoid splicing into the middleware stack for Vite versions other than v6

  Previously, the plugin spliced its pre-middleware into the Vite middleware stack relative to viteCachedTransformMiddleware. In Vite 8, this middleware can be omitted in some scenarios, which would cause the splice to fail. The plugin now registers pre-middleware using server.middlewares.use() directly, which places it in the correct position for Vite 7+. For Vite 6, the middleware is moved to the correct position in a post hook.

• Updated dependencies [782df44, 3c988e2, 62545c9, d028ffb, cb71403, 71ab981, 3a1c149, 7c3c6c6, ce48b77, 8729f3d]:

... (truncated)

Commits

• a61451f Version Packages (#12980)
• 86a40f0 Fix subpath imports of additional module types (#12851)
• cf98836 Use Vite 8 and Vitest 4 everywhere (#12947)
• 451dae3 [wrangler] Attempts to reduce remote e2e test flakiness (#12896)
• 7d2661b Version Packages (#12945)
• 4f7fd79 Avoid splicing into the middleware stack for Vite versions other than v6 (#12...
• aa26784 Convert from ESLint to oxlint, Prettier to oxfmt (#12930)
• a671740 Version Packages (#12923)
• e25bd0e Update prettier to 3.8.1 (#12939)
• cff91ff Use Vite 8 for building the plugin and as the default for running tests (#12936)
• Additional commits viewable in compare view

Updates wrangler from 4.60.0 to 4.77.0

Release notes

Sourced from wrangler's releases.

wrangler@4.77.0

Minor Changes

• #13023 593c4db Thanks @​jamesopstad! - Add wrangler versions upload support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler versions upload now validates that all secrets declared in secrets.required are configured on the Worker before the upload succeeds. If any required secrets are missing, the upload fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

• #12732 c2e9163 Thanks @​jamesopstad! - Add deploy support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler deploy now validates that all secrets declared in secrets.required are configured on the Worker before the deploy succeeds. If any required secrets are missing, the deploy fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #12896 451dae3 Thanks @​petebacondarwin! - fix: Add retry and timeout protection to remote preview API calls

  Remote preview sessions (wrangler dev --remote) now automatically retry transient 5xx API errors (up to 3 attempts with linear backoff) and enforce a 30-second per-request timeout. Previously, a single hung or failed API response during session creation or worker upload could block the dev session reload indefinitely.

• #12569 379f2a2 Thanks @​MattieTK! - Use qwik add cloudflare-workers instead of qwik add cloudflare-pages for Workers targets

  Both the wrangler autoconfig and C3 Workers template for Qwik were running qwik add cloudflare-pages even when targeting Cloudflare Workers. This caused the wrong adapter directory structure to be scaffolded (adapters/cloudflare-pages/ instead of adapters/cloudflare-workers/), and required post-hoc cleanup of Pages-specific files like _routes.json.

  Qwik now provides a dedicated cloudflare-workers adapter that generates the correct Workers configuration, including wrangler.jsonc with main and assets fields, a public/.assetsignore file, and the correct adapters/cloudflare-workers/vite.config.ts.

  Also adds --skipConfirmation=true to all qwik add invocations so the interactive prompt is skipped in automated contexts.

• #11899 9a1cf29 Thanks @​hoodmane! - Remove cf-requirements support for Python workers. It hasn't worked with the runtime for a while now.

• #11800 875da60 Thanks @​southpolesteve! - Add upgrade hint to unexpected configuration field warnings when an update is available

... (truncated)

Commits

• a61451f Version Packages (#12980)
• 593c4db Add versions upload support for explicit secrets (#13023)
• 875da60 [wrangler] Add upgrade hint to unexpected configuration field warnings (#11800)
• b045d2d fix: Optimize Edge Preview Authenticated Proxy and typo issues (#11046)
• c2e9163 Add deploy support for explicit secrets (#12732)
• 9a1cf29 Remove cf-requirements support from wrangler (#11899)
• cf98836 Use Vite 8 and Vitest 4 everywhere (#12947)
• 663be1c [wrangler] Fix e2e flakes in startWorker, deployments, and containers tests (...
• 379f2a2 [wrangler][C3] Use qwik add cloudflare-workers instead of cloudflare-pages (#...
• f3871f8 [wrangler] Shard E2E tests across 4 parallel CI jobs (#12941)
• Additional commits viewable in compare view