chore(deps): update npm minor and patch dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vitest-pool-workers (source)	^0.16.17 → ^0.16.20
@hono/node-server	^1.13.7 → ^1.19.14
@​lovable.dev/vite-tanstack-config	2.5.3 → 2.6.2
@tanstack/react-query (source)	^5.101.0 → ^5.101.1
@types/node (source)	^22.10.2 → ^22.20.0
@types/node (source)	^22.19.21 → ^22.20.0
agents (source)	^0.16.2 → ^0.17.0
hono (source)	^4.6.14 → ^4.12.27
hono (source)	^4.12.26 → ^4.12.27
motion	^12.40.0 → ^12.42.0
playwright (source)	^1.61.0 → ^1.61.1
prettier (source)	^3.8.4 → ^3.8.5
react-hook-form (source)	^7.79.0 → ^7.80.0
tar	^7.5.16 → ^7.5.17
typescript (source)	^5.7.2 → ^5.9.3
typescript-eslint (source)	^8.61.1 → ^8.62.0
vite (source)	^8.0.16 → ^8.1.0
wrangler (source)	^4.102.0 → ^4.105.0

Dependency PRs must keep npm run test:ci passing. The 97% coverage requirement is enforced as Codecov patch coverage on changed lines (codecov/patch), so dependency-only bumps satisfy it without new tests.

GitHub Actions updates must remain SHA-pinned.

Renovate is the sole dependency and security-update bot for this repo; GitHub Dependabot security updates are disabled to avoid duplicate PRs (e.g. the two hono advisory PRs).

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vitest-pool-workers)

v0.16.20

Compare Source

Patch Changes

• #​14398 c5014cc Thanks @​apeacock1991! - Add evictDurableObject and evictAllDurableObjects test helpers to cloudflare:test

  These helpers let you exercise how a Durable Object behaves across evictions in your tests. Eviction is graceful: durable storage is preserved, in-memory state is reset by tearing down the instance, hibernatable WebSockets are hibernated rather than closed, and eviction waits for in-flight requests to drain.

  import { evictDurableObject, evictAllDurableObjects } from "cloudflare:test";
  import { env } from "cloudflare:workers";
  
  const id = env.COUNTER.idFromName("my-counter");
  const stub = env.COUNTER.get(id);
  
  // Evict the Durable Object instance pointed to by a specific stub
  await evictDurableObject(stub);
  await evictDurableObject(stub, { webSockets: "close" });
  
  // Evict all currently-running Durable Objects in evictable namespaces
  await evictAllDurableObjects();

• #​14394 8a5cf8c Thanks @​Partha-Shankar! - fix(d1): escape migrationsTableName and filenames in SQLite queries

  D1 migration commands in both wrangler and @cloudflare/vitest-pool-workers interpolated the migrationsTableName config value and migration filenames directly into SQL strings without any escaping. This meant:

  • A table name such as my"table would produce invalid SQL in CREATE TABLE, SELECT, and INSERT statements, and
  • A migration filename containing an apostrophe (e.g. what's-new.sql) would break the INSERT INTO ... VALUES ('...') statement appended after each migration in wrangler.

  Both identifiers are now properly escaped before interpolation: migrationsTableName is wrapped in double-quotes with internal double-quotes doubled (SQL-standard identifier quoting), and migration filenames used as string literals have their single-quotes doubled before insertion.

• Updated dependencies [5f40dd5, 34e0cef, 3b743c1, daa5389, 8a5cf8c]:

  • wrangler@​4.105.0
  • miniflare@​4.20260625.0

v0.16.19

Compare Source

Patch Changes

• Updated dependencies [a085dec, 9a0de8f, fab565f, 3f02864, 4ef872f, 2a02858, e312dec]:
  • miniflare@​4.20260623.0
  • wrangler@​4.104.0

v0.16.18

Compare Source

Patch Changes

• Updated dependencies [c6579d3, 444b75e, b38823f, cfd6205, cfd6205]:
  • wrangler@​4.103.0
  • miniflare@​4.20260617.1

TanStack/query (@​tanstack/react-query)

v5.101.1

Compare Source

Patch Changes

• Updated dependencies [9eff92e]:
  • @​tanstack/query-core@​5.101.1

cloudflare/agents (agents)

v0.17.0

Compare Source

Minor Changes

• #​1758 6b46b04 Thanks @​threepointone! - Add progress signalling and durable milestones for agent-tool sub-agents
  (#​1758, rfc-detached-agent-tools §progress, phases 4a + 4b).

  A sub-agent running as an agent tool (awaited or detached/background) can now
  report mid-run progress:

  // Inside the child sub-agent (e.g. from a tool's execute):
  await this.reportProgress({
    fraction: 0.6,
    phase: "deploying",
    message: "Generating menu page…",
  });

  These signals ride the child's own turn stream as a transient
  data-agent-progress part, so they re-broadcast to the parent's connected
  clients and surface on AgentToolRunState.progress via useAgentToolEvents — a
  background-runs tray can render a live bar / phase / status line without drilling
  in. Highlights:

  • reportProgress({ fraction?, message?, phase?, data? }, { persist? }) on
    chat agents (@cloudflare/think, AIChatAgent); a no-op with a dev warning on
    the base Agent and when called outside an active agent-tool run. The framework
    resolves the run id from the active turn — no threading required. Bursts are
    coalesced (latest-wins; a fraction >= 1 "done" frame always flushes). data
    is live-only unless { persist: true }.
  • onProgress(run, progress) parent hook, fired best-effort from the tail
    for both awaited and detached runs.
  • Latest-snapshot persistence + recovery inspect. The child stores a
    progress_json + last_signal_at on its run row and surfaces it through
    inspectAgentToolRun().progress, so a rehydrated parent reconstructs progress
    after eviction.
  • Resetting no-progress budget for detached runs. Once a detached child has
    reported at least one signal, the backbone gives up if it then goes silent for
    detachedNoProgressBudgetMs (default 1h; per-run override via
    detached: { noProgressBudgetMs }), surfaced as interrupted with the
    no-progress reason. A child that never reports is bounded only by the absolute
    detachedMaxBudgetMs ceiling — we never give up on a run merely for being slow.

honojs/hono (hono)

v4.12.27

Compare Source

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc

---

Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

motiondivision/motion (motion)

v12.42.0

Compare Source

Changed

• animateView: Layers are automatically grouped to match their DOM-hierarchy. New .group(false) method opts-out.

Fixed

• animateView: Auto-crop is now aspect-ratio aware, disabling crops for matching aspect-ratios.
• animateView: Disabled automatic border-radius animation.

v12.41.0

Compare Source

Added

• animateView: Moves from Motion+ Early Access and alpha to main library.
• animateView: .add() resolves a CSS selector or Element to automatically generate, apply and remove view-transition-name.
• animateView: .new() and .old() configures values to animate on new and old layers.
• animateView: .layout() can set a custom transition on the size/position animation of the currently selected elements.
• animateView: Group layers now automatically crop with children set to cover, with border-radius animating from old radius to new. .crop(false) disables this behaviour.
• animateView: .class(name) tags currently selected elements with a view-transition-class as a custom CSS hook.

Fixed

• AnimatePresence: Prevent stuck exit animations when children interrupt.
• drag: Child e.stopPropagation() no longer break drag end.
• Fixing Next.js OOM on Windows when importing via motion package.
• animateLayout: Improve handling of parallel/interleaved calls.

Changed

• animateView: .enter() and .exit() now refer specifically to new and old layers where there are no matching old or new layers.
• animateView: Interrupted transition setups now return resolved animation rather than throwing.

microsoft/playwright (playwright)

v1.61.1

Compare Source

prettier/prettier (prettier)

v3.8.5

Compare Source

react-hook-form/react-hook-form (react-hook-form)

v7.80.0: Version 7.80.0

Compare Source

🧄 feat: disable useFieldArray fields (#​13535)

const { fields } = useFieldArray({ disabled: true });
fields[0].disabled; // contains disabled props

🛺 perf: make rhf more performant (#​13524)
🐞 fix(deepEqual): empty array and empty plain object should not be equal (#​13533)

thanks to @​JSap0914

isaacs/node-tar (tar)

v7.5.17

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)

v8.62.0

Compare Source

🚀 Features

• remove redundant package.json "files" (#​12444)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

vitejs/vite (vite)

v8.1.0

Compare Source

Features

• extend server.fs.deny list with common files (#​22707) (61ba8fd)
• update rolldown to 1.1.2 (#​22695) (4f008a6)
• use ~ for Rolldown (#​22693) (9928722)

Bug Fixes

• bundled-dev: errors should be kept when incremental build fails (#​22617) (9a0dd48)
• cache falsy values in perEnvironmentState (#​22715) (0e91e79)
• glob: respect caseSensitive option in hmr matcher (#​22711) (65f525e)
• html: omit nonce on import map when cspNonce is unset (#​22713) (8340bb5)
• optimizer: skip null-valued exports in expandGlobIds glob resolution (#​22611) (8b9f5cd)
• resolved build options should be kept as a getter (#​22691) (3527191)
• server: handle malformed URI in memory files middleware (#​22714) (df9e0a5)
• use literal envPrefix queries for Vite Task (#​22706) (da72733)
• warn on deprecated envFile (#​22555) (ed7b283)

Code Refactoring

• client: inline dev-id value in CSS selector (#​22736) (57f59bc)
• remove unused removeRawQuery util (#​22724) (403cc60)
• use rolldownOptions property for chunkImportMap (#​22692) (8e8816c)

cloudflare/workers-sdk (wrangler)

v4.105.0

Compare Source

Minor Changes

• #​14311 34e0cef Thanks @​sherryliu-lsy! - Add Google Artifact Registry support to containers registries configure

  wrangler containers registries configure now recognizes *-docker.pkg.dev (Google Artifact Registry) domains.

  • The Google service account email is the public credential, supplied with --gar-email. It must match the client_email in the service account key.
  • The service account JSON key is the private credential. It is provided via stdin (a file path, raw JSON, or base64) or an interactive prompt (a file path or base64) — never as a CLI flag, so it does not appear in shell history. The key is validated against --gar-email and stored base64-encoded.
  • Secret reuse inherits the existence-first flow: when the target Secrets Store secret already exists, it is reused by reference and the key is not required. In that case the email cannot be verified locally; it is validated against the key when images are pulled.

  <path-to-key>.json | npx wrangler@latest containers registries configure <region>-docker.pkg.dev --gar-email=<service-account-email> --secret-name=Google_Service_Account_JSON_Key

Patch Changes

• #​14424 5f40dd5 Thanks @​MattieTK! - Bump am-i-vibing from 0.4.0 to 0.5.0

  This updates the agentic environment detection library to the latest version, which adds detection for the Pi coding agent (earendil-works/pi).

• #​14406 3b743c1 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260623.1	1.20260625.1

• #​14343 daa5389 Thanks @​th0m! - Use digest-pinned image references for Dockerfile container deploys

  Dockerfile-backed container deploys now use the pushed image digest when deploying the container application. This lets snapshot-enabled container apps pass Cloudchamber validation while keeping local, non-pushed builds and registry image URI deploys unchanged.

• #​14394 8a5cf8c Thanks @​Partha-Shankar! - fix(d1): escape migrationsTableName and filenames in SQLite queries

  D1 migration commands in both wrangler and @cloudflare/vitest-pool-workers interpolated the migrationsTableName config value and migration filenames directly into SQL strings without any escaping. This meant:

  • A table name such as my"table would produce invalid SQL in CREATE TABLE, SELECT, and INSERT statements, and
  • A migration filename containing an apostrophe (e.g. what's-new.sql) would break the INSERT INTO ... VALUES ('...') statement appended after each migration in wrangler.

  Both identifiers are now properly escaped before interpolation: migrationsTableName is wrapped in double-quotes with internal double-quotes doubled (SQL-standard identifier quoting), and migration filenames used as string literals have their single-quotes doubled before insertion.

• Updated dependencies [3b743c1]:

  • miniflare@​4.20260625.0

v4.104.0

Compare Source

Minor Changes

• #​14369 e312dec Thanks @​edmundhung! - Add getEnv() to createTestHarness() Worker handles

  Tests can now access the full env object for a Worker with await server.getWorker<Env>().getEnv(), including vars, secrets, and bindings.

Patch Changes

• #​14364 a085dec Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260617.1	1.20260619.1

• #​14383 9a0de8f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260619.1	1.20260621.1

• #​14397 fab565f Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260621.1	1.20260623.1

• #​14388 3f02864 Thanks @​petebacondarwin! - Stop erroring when find_additional_modules discovers a file that only matches a inactive module rule

  Module rules assign module types to imported files — they are not include/exclude filters. Also, setting fallthrough: false in a rule will cause subsequent rules to become inactive. Previously, when find_additional_modules walked the filesystem and discovered a file whose only matching rule is inactive, Wrangler would throw an error and fail the build.

  This meant that adding a user rule like the one below would break the build for any .txt, .html, .sql, .bin or .wasm file that didn't match the user-supplied globs but lived somewhere under the module root:

  // wrangler.json
  {
    "rules": [
      {
        "type": "Text",
        "globs": ["html/includeme.html"],
        "fallthrough": false
      }
    ]
  }

  Discovered files that only match an inactive rule are now silently skipped (a debug-level log records each skip for troubleshooting), so users can use fallthrough: false to narrow the set of files attached to their Worker without having to delete or move untouched files on disk.

  The direct-import path is unchanged: importing a file in code that only matches an inactive rule is still a hard error, because the imported file genuinely needs a defined module type.

  Fixes #​14257.

• #​14358 4ef872f Thanks @​gabivlj! - Fix container egress interception on arm64 Docker runtimes

  Both wrangler dev and the Cloudflare Vite plugin no longer force the proxy-everything sidecar image to pull as linux/amd64, allowing Docker to select the native image from the multi-platform manifest. Set MINIFLARE_CONTAINER_EGRESS_IMAGE_PLATFORM to force a specific platform when needed.

• #​14362 2a02858 Thanks @​sherryliu-lsy! - Don't require the private credential when reusing an existing Secrets Store secret in containers registries configure

  wrangler containers registries configure now checks whether the target Secrets Store secret already exists before resolving the private credential. When the secret already exists it is reused by reference, so the private credential no longer needs to be supplied (via stdin in non-interactive mode, or via a prompt interactively). This applies to all external registries.

  The new-secret path is unchanged: the credential is still required and stored. The only visible interactive change is that the secret prompt now appears last and only when a new secret is being created.

• Updated dependencies [a085dec, 9a0de8f, fab565f]:

  • miniflare@​4.20260623.0

v4.103.0

Compare Source

Minor Changes

• #​14295 cfd6205 Thanks @​dario-piotrowicz! - Move unstable_getWorkerNameFromProject from wrangler to @cloudflare/workers-utils

  The unstable_getWorkerNameFromProject export has been removed from the wrangler package. This function is now available as getWorkerNameFromProject (without the unstable_ prefix) from @cloudflare/workers-utils. If you were importing this function from wrangler, update your import to use @cloudflare/workers-utils instead.

• #​14295 cfd6205 Thanks @​dario-piotrowicz! - Remove experimental autoconfig exports

  The experimental autoconfig exports (experimental_getDetailsForAutoConfig, experimental_runAutoConfig, experimental_AutoConfigFramework) have been removed. This logic has been moved to the @cloudflare/autoconfig package (without the experimental_ prefixes since the package itself is pre-v1).

Patch Changes

• #​14366 c6579d3 Thanks @​jamesopstad! - Resolve relative cf-worker entrypoint imports relative to the importing module

  When loading the experimental cloudflare.config.ts, a relative entrypoint imported with import ... with { type: "cf-worker" } (e.g. ./src/index.ts) is now anchored to the module where the import is written, rather than being passed through verbatim and later resolved against the top-level config file. This fixes incorrect resolution when the import lives in a file other than the entry config — for example a config that re-exports from a nested file.

  Bare specifiers (such as @scope/pkg) and virtual modules (such as virtual:foo) are still left unresolved so that consumers can apply their own resolution.

• #​14316 444b75e Thanks @​matingathani! - Prevent wrangler dev crash when source-mapping a truncated error chunk

  When a worker logs many errors in quick succession, the stderr chunks received by wrangler dev can be truncated mid-stack-frame, leaving a call site with an invalid column number. The source map library throws in that case, which was crashing the wrangler process entirely. The error is now caught and the original (un-source-mapped) text is returned instead.

• #​14118 b38823f Thanks @​aicayzer! - Fix Uint8Array step outputs in local Workflows being persisted with the full backing ArrayBuffer

  A Uint8Array returned from a Workflows step under wrangler dev was serialised together with its full underlying ArrayBuffer, causing a raw SQLITE_TOOBIG error at view sizes well below the documented 1MiB step-output limit. For example, a 200KB view sliced from an 800KB buffer (a common pattern from crypto.getRandomValues or arr.slice(...) on a larger pool) would fail. The view's bytes are now copied to a tight buffer before persistence, bringing local behaviour in line with production. Fixes #​14101.

• Updated dependencies [b38823f]:

  • miniflare@​4.20260617.1

---

Configuration

📅 Schedule: (in timezone America/Phoenix)

• Branch creation
  • "before 6am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	gittensory-ui	c65fb76	Commit Preview URL Branch Preview URL	Jun 29 2026, 01:25 PM

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.59%. Comparing base (29da3b1) to head (c65fb76).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1722   +/-   ##
=======================================
  Coverage   95.59%   95.59%           
=======================================
  Files         204      204           
  Lines       22316    22316           
  Branches     8067     8067           
=======================================
  Hits        21332    21332           
  Misses        408      408           
  Partials      576      576           

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.