Skip to content

Update dependency wrangler to v2.20.2 [SECURITY] #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency wrangler to v2.20.2 [SECURITY] #60

wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 3, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
wrangler (source) 2.1.10 -> 2.20.2 age confidence

GitHub Vulnerability Alerts

CVE-2023-3348

Impact

The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher.
Wrangler3: Upgrade to v3.1.1 or higher.

References

Workers SDK on Github
Wrangler docs
CVE-2023-3348

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

Release Notes

cloudflare/workers-sdk (wrangler)

v2.20.2

Compare Source

Patch Changes

  • #​4609 c228c912 Thanks @​mrbbot! - fix: pin workerd to 1.20230404.0

  • #​4587 49a46960 Thanks @​mrbbot! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces

  • #​4587 49a46960 Thanks @​mrbbot! - fix: validate Host and Orgin headers where appropriate

    Host and Origin headers are now checked when connecting to the inspector proxy. If these don't match what's expected, the request will fail.

v2.20.1

Compare Source

Patch Changes

v2.20.0

Compare Source

Minor Changes

  • #​3095 133c0423 Thanks @​zebp! - feat: add support for placement in wrangler config

    Allows a placement object in the wrangler config with a mode of off or smart to configure Smart placement. Enabling Smart Placement can be done in your wrangler.toml like:

    [placement]
mode = "smart"

  • #​3140 5fd080c8 Thanks @​penalosa! - feat: Support sourcemaps in DevTools

    Intercept requests from DevTools in Wrangler to inject sourcemaps and enable folders in the Sources Panel of DevTools. When errors are thrown in your Worker, DevTools should now show your source file in the Sources panel, rather than Wrangler's bundled output.

Patch Changes

v2.19.0

Compare Source

Minor Changes

v2.18.0

Compare Source

Minor Changes

  • #​3098 8818f551 Thanks @​mrbbot! - fix: improve Workers Sites asset upload reliability

    • Wrangler no longer buffers all assets into memory before uploading. This should prevent out-of-memory errors when publishing sites with many large files.
    • Wrangler now limits the number of in-flight asset upload requests to 5, fixing the Too many bulk operations already in progress error.
    • Wrangler now correctly logs upload progress. Previously, the reported percentage was per upload request group, not across all assets.
    • Wrangler no longer logs all assets to the console by default. Instead, it will just log the first 100. The rest can be shown by setting the WRANGLER_LOG=debug environment variable. A splash of colour has also been added.

v2.17.0

Compare Source

Minor Changes

  • #​3004 6d5000a7 Thanks @​rozenmd! - feat: teach wrangler docs to use algolia search index

    This PR lets you search Cloudflare's entire docs via wrangler docs [search term here].

    By default, if the search fails to find what you're looking for, you'll get an error like this:

    ✘ [ERROR] Could not find docs for: <search term goes here>. Please try again with another search term.

    If you provide the --yes or -y flag, wrangler will open the docs to https://developers.cloudflare.com/workers/wrangler/commands/, even if the search fails.

v2.16.0

Compare Source

Minor Changes

  • #​3058 1bd50f56 Thanks @​mrbbot! - chore: upgrade miniflare@3 to 3.0.0-next.13

    Notably, this adds native support for Windows to wrangler dev --experimental-local, logging for incoming requests, and support for a bunch of newer R2 features.

Patch Changes

  • #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable persistence without --persist in --experimental-local

    This ensures --experimental-local doesn't persist data on the file-system, unless the --persist flag is set.
    Data is still always persisted between reloads.

  • #​3055 5f48c405 Thanks @​rozenmd! - fix: Teach D1 commands to read auth configuration from wrangler.toml

    This PR fixes a bug in how D1 handles a user's accounts. We've updated the D1 commands to read from config (typically via wrangler.toml) before trying to run commands. This means if an account_id is defined in config, we'll use that instead of erroring out when there are multiple accounts to pick from.

    Fixes #​3046

  • #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable route validation when using --experimental-local

    This ensures wrangler dev --experimental-local doesn't require a login or an internet connection if a route is configured.

v2.15.1

Compare Source

Patch Changes

v2.15.0

Compare Source

Minor Changes

  • #​2769 0a779904 Thanks @​penalosa! - feature: Support modules with --no-bundle

    When the --no-bundle flag is set, Wrangler now has support for uploading additional modules alongside the entrypoint. This will allow modules to be imported at runtime on Cloudflare's Edge. This respects Wrangler's module rules configuration, which means that only imports of non-JS modules will trigger an upload by default. For instance, the following code will now work with --no-bundle (assuming the example.wasm file exists at the correct path):

    // index.js
import wasm from './example.wasm'

export default {
  async fetch() {
    await WebAssembly.instantiate(wasm, ...)
    ...
  }
}

    For JS modules, it's necessary to specify an additional module rule (or rules) in your wrangler.toml to configure your modules as ES modules or Common JS modules. For instance, to upload additional JavaScript files as ES modules, add the following module rule to your wrangler.toml, which tells Wrangler that all **/*.js files are ES modules.

    rules = [
  { type = "ESModule", globs = ["**/*.js"]},
]

    If you have Common JS modules, you'd configure Wrangler with a CommonJS rule (the following rule tells Wrangler that all .cjs files are Common JS modules):

    rules = [
  { type = "CommonJS", globs = ["**/*.cjs"]},
]

    In most projects, adding a single rule will be sufficient. However, for advanced usecases where you're mixing ES modules and Common JS modules, you'll need to use multiple rule definitions. For instance, the following set of rules will match all .mjs files as ES modules, all .cjs files as Common JS modules, and the nested/say-hello.js file as Common JS.

    rules = [
  { type = "CommonJS", globs = ["nested/say-hello.js", "**/*.cjs"]},
  { type = "ESModule", globs = ["**/*.mjs"]}
]

    If multiple rules overlap, Wrangler will log a warning about the duplicate rules, and will discard additional rules that matches a module. For example, the following rule configuration classifies dep.js as both a Common JS module and an ES module:

    rules = [
  { type = "CommonJS", globs = ["dep.js"]},
  { type = "ESModule", globs = ["dep.js"]}
]

    Wrangler will treat dep.js as a Common JS module, since that was the first rule that matched, and will log the following warning:

    ▲ [WARNING] Ignoring duplicate module: dep.js (esm)

    This also adds a new configuration option to wrangler.toml: base_dir. Defaulting to the directory of your Worker's main entrypoint, this tells Wrangler where your additional modules are located, and determines the module paths against which your module rule globs are matched.

    For instance, given the following directory structure:

    - wrangler.toml
- src/
  - index.html
  - vendor/
    - dependency.js
  - js/
    - index.js

    If your wrangler.toml had main = "src/js/index.js", you would need to set base_dir = "src" in order to be able to import src/vendor/dependency.js and src/index.html from src/js/index.js.

Patch Changes

  • #​2957 084b2c58 Thanks @​esimons! - fix: Respect querystring params when calling .fetch on a worker instantiated with unstable_dev

    Previously, querystring params would be stripped, causing issues for test cases that depended on them. For example, given the following worker script:

    export default {
	fetch(req) {
		const url = new URL(req.url);
		const name = url.searchParams.get("name");
		return new Response("Hello, " + name);
	},
};

    would fail the following test case:

    const worker = await unstable_dev("script.js");
const res = await worker.fetch("http://worker?name=Walshy");
const text = await res.text();
expect(text).toBe("Hello, Walshy");

  • #​2840 e311bbbf Thanks @​mrbbot! - fix: make WRANGLER_LOG case-insensitive, warn on unexpected values, and fallback to log if invalid

    Previously, levels set via the WRANGLER_LOG environment-variable were case-sensitive.
    If an unexpected level was set, Wrangler would fallback to none, hiding all logs.
    The fallback has now been switched to log, and lenient case-insensitive matching is used when setting the level.

  • #​2735 3f7a75cc Thanks @​JacobMGEvans! - Fix: Generate Remote URL
    Previous URL was pointing to the old cloudflare/templates repo,
    updated the URL to point to templates in the workers-sdk monorepo.

v2.14.0

Compare Source

Minor Changes

  • #​2914 9af1a640 Thanks @​edevil! - feat: add support for send email bindings

    Support send email bindings in order to send emails from a worker. There
    are three types of bindings:

    • Unrestricted: can send email to any verified destination address.
    • Restricted: can only send email to the supplied destination address (which
      does not need to be specified when sending the email but also needs to be a
      verified destination address).
    • Allowlist: can only send email to the supplied list of verified destination
      addresses.
Patch Changes

  • #​2931 5f6c4c0c Thanks @​Skye-31! - Fix: Pages Dev incorrectly allowing people to turn off local mode

    Local mode is not currently supported in Pages Dev, and errors when people attempt to use it. Previously, wrangler hid the "toggle local mode" button when using Pages dev, but this got broken somewhere along the line.

v2.13.0

Compare Source

Minor Changes

  • #​2905 6fd06241 Thanks @​edevil! - feat: support external imports from cloudflare:... prefixed modules

    Going forward Workers will be providing built-in modules (similar to node:...) that can be imported using the cloudflare:... prefix. This change adds support to the Wrangler bundler to mark these imports as external.

wrangler deployments view [deployment-id] will get the details of a deployment, including bindings and usage model information.
This information can be used to help debug bad deployments.

wrangler rollback [deployment-id] will rollback to a specific deployment in the runtime. This will be useful in situations like recovering from a bad
deployment quickly while resolving issues. If a deployment id is not specified wrangler will rollback to the previous deployment. This rollback only changes the code in the runtime and doesn't affect any code or configurations
in a developer's local setup.

wrangler deployments list will list the 10 most recent deployments. This command originally existed as wrangler deployments

example of view <deployment-id> output:

v2.12.3

Compare Source

Patch Changes
  • #​2884 e33bea9b Thanks @​WalshyDev! - Changed console.debug for logger.debug in Pages uploading. This will ensure the debug logs are only sent when debug logging is enabled with WRANGLER_LOG=debug.

  • #​2878 6ebb23d5 Thanks @​rozenmd! - feat: Add D1 binding support to Email Workers

    This PR makes it possible to query D1 from an Email Worker, assuming a binding has been setup.

    As D1 is in alpha and not considered "production-ready", this changeset is a patch, rather than a minor bump to wrangler.

v2.12.2

Compare Source

Patch Changes

v2.12.1

Compare Source

Patch Changes

  • #​2839 ad4b123b Thanks @​mrbbot! - fix: remove vitest from wrangler init's generated tsconfig.json types array

    Previously, wrangler init generated a tsconfig.json with "types": ["@&#8203;cloudflare/workers-types", "vitest"], even if Vitest tests weren't generated.
    Unlike Jest, Vitest doesn't provide global APIs by default, so there's no need for ambient types.

  • #​2806 8d462c0c Thanks @​GregBrimble! - feat: Add --outdir as an option when running wrangler pages functions build.

    This deprecates --outfile when building a Pages Plugin with --plugin.

    When building functions normally, --outdir may be used to produce a human-inspectable format of the _worker.bundle that is produced.

  • #​2806 8d462c0c Thanks @​GregBrimble! - Enable bundling in Pages Functions by default.

    We now enable bundling by default for a functions/ folder and for an _worker.js in Pages Functions. This allows you to use external modules such as Wasm. You can disable this behavior in Direct Upload projects by using the --no-bundle argument in wrangler pages publish and wrangler pages dev.

  • #​2836 42fb97e5 Thanks @​GregBrimble! - fix: preserve the entrypoint filename when running wrangler publish --outdir <dir>.

    Previously, this entrypoint filename would sometimes be overwritten with some internal filenames. It should now be based off of the entrypoint you provide for your Worker.

  • #​2828 891ddf19 Thanks @​GregBrimble! - fix: Bring pages dev logging in line with dev proper's

    wrangler pages dev now defaults to logging at the log level (rather than the previous warn level), and the pages prefix is removed.

  • #​2855 226e63fa Thanks @​GregBrimble! - fix: --experimental-local with wrangler pages dev

    We previously had a bug which logged an error (local worker: TypeError: generateASSETSBinding2 is not a function). This has now been fixed.

v2.12.0

Compare Source

Minor Changes

  • #​2810 62784131 Thanks @​mrbbot! - chore: upgrade @miniflare/tre to 3.0.0-next.12, incorporating changes from 3.0.0-next.11

    Notably, this brings the following improvements to wrangler dev --experimental-local:

    • Adds support for Durable Objects and D1
    • Fixes an issue blocking clean exits and script reloads
    • Bumps to better-sqlite3@&#8203;8, allowing installation on Node 19
  • #​2665 4756d6a1 Thanks @​alankemp! - Add new [unsafe.metadata] section to wrangler.toml allowing arbitary data to be added to the metadata section of the upload
Patch Changes

  • #​2539 3725086c Thanks @​GregBrimble! - feat: Add support for the nodejs_compat Compatibility Flag when bundling a Worker with Wrangler

    This new Compatibility Flag is incompatible with the legacy --node-compat CLI argument and node_compat configuration option. If you want to use the new runtime Node.js compatibility features, please remove the --node-compat argument from your CLI command or your config file.

v2.11.1

Compare Source

Patch Changes
  • #​2795 ec3e181e Thanks @​penalosa! - fix: Adds a duplex: "half" property to R2 fetch requests with stream bodies in order to be compatible with undici v5.20
  • #​2789 4ca8c0b0 Thanks @​GregBrimble! - fix: Support overriding the next URL in subsequent executions with next("/new-path") from within a Pages Plugin

v2.11.0

Compare Source

Minor Changes
  • #​2651 a9adfbe7 Thanks @​penalosa! - Previously, wrangler dev would not work if the root of your zone wasn't behind Cloudflare. This behaviour has changed so that now only the route which your Worker is exposed on has to be behind Cloudflare.

  • #​2708 b3346cfb Thanks @​Skye-31! - Feat: Pages now supports Proxying (200 status) redirects in it's _redirects file

    This will look something like the following, where a request to /users/123 will appear as that in the browser, but will internally go to /users/[id].html.

    /users/:id /users/[id] 200
Patch Changes

  • #​2766 7912e63a Thanks @​mrbbot! - fix: correctly detect service-worker format when using typeof module

    Wrangler automatically detects whether your code is a modules or service-worker format Worker based on the presence of a default export. This check currently works by building your entrypoint with esbuild and looking at the output metafile.

    Previously, we were passing format: "esm" to esbuild when performing this check, which enables format conversion. This may introduce export default into the built code, even if it wasn't there to start with, resulting in incorrect format detections.

    This change removes format: "esm" which disables format conversion when bundling is disabled. See https://esbuild.github.io/api/#format for more details.

  • #​2780 80f1187a Thanks @​GregBrimble! - fix: Ensure we don't mangle internal constructor names in the wrangler bundle when building with esbuild

    Undici changed how they referenced FormData, which meant that when used in our bundle process, we were failing to upload multipart/form-data bodies. This affected wrangler pages publish and wrangler publish.

  • #​2720 de0cb57a Thanks @​JacobMGEvans! - Fix: Upgraded to ES2022 for improved compatibility
    Upgraded worker code target version from ES2020 to ES2022 for better compatibility and unblocking of a workaround related to issue #​2029. The worker runtime now uses the same V8 version as recent Chrome and is 99% ES2016+ compliant. The only thing we don't support on the Workers runtime, the remaining 1%, is the ES2022 RegEx feature as seen in the compat table for the latest Chrome version.

    Compatibility table: https://kangax.github.io/compat-table/es2016plus/

    resolves #​2716

v2.10.0

Compare Source

Minor Changes

  • #​2567 02ea098e Thanks @​matthewdavidrodgers! - Add mtls-certificate commands and binding support

    Functionality implemented first as an api, which is used in the cli standard
    api commands

    Note that this adds a new OAuth scope, so OAuth users will need to log out and
    log back in to use the new 'mtls-certificate' commands
    However, publishing with mtls-certifcate bindings (bindings of type
    'mtls_certificate') will work without the scope.

  • #​2717 c5943c9f Thanks @​mrbbot! - Upgrade miniflare to 2.12.0, including support for R2 multipart upload bindings, the nodejs_compat compatibility flag, D1 fixes and more!

  • #​2579 bf558bdc Thanks @​JacobMGEvans! - Added additional fields to the output of wrangler deployments command. The additional fields are from the new value in the response annotations which includes workers/triggered_by and rollback_from

    Example:

    Deployment ID: Galaxy-Class
Created on:    2021-01-04T00:00:00.000000Z

Trigger:       Upload from Wrangler 🤠
Rollback from: MOCK-DEPLOYMENT-ID-2222
Patch Changes

  • #​2624 882bf592 Thanks @​CarmenPopoviciu! - Add wasm support in wrangler pages publish

    Currently it is not possible to import wasm modules in either Pages
    Functions or Pages Advanced Mode projects.

    This commit caries out work to address the aforementioned issue by
    enabling wasm module imports in wrangler pages publish. As a result,
    Pages users can now import their wasm modules withing their Functions
    or _worker.js files, and wrangler pages publish will correctly
    bundle everything and serve these "external" modules.

  • #​2683 68a2a19e Thanks @​mrbbot! - Fix internal middleware system to allow D1 databases and --test-scheduled to be used together
  • #​2685 2b1177ad Thanks @​CarmenPopoviciu! - You can now import Wasm modules in Pages Functions and Pages Functions Advanced Mode (_worker.js).
    This change specifically enables wasm module imports in wrangler pages functions build.
    As a result, Pages users can now import their wasm modules within their Functions or
    _worker.js files, and wrangler pages functions build will correctly bundle everything
    and output the expected result file.

v2.9.1

Compare Source

Patch Changes
  • #​2592 dd66618b Thanks @​rozenmd! - fix: bump esbuild to 0.16.3 (fixes a bug in esbuild's 0.15.13 release that would cause it to hang, is the latest release before a major breaking change that requires us to refactor)

v2.9.0

Compare Source

Minor Changes

  • #​2629 151733e5 Thanks @​mrbbot! - Prefer the workerd exports condition when bundling.

    This can be used to build isomorphic libraries that have different implementations depending on the JavaScript runtime they're running in.
    When bundling, Wrangler will try to load the workerd key.
    This is the standard key for the Cloudflare Workers runtime.
    Learn more about the conditional exports field here.

Patch Changes
  • #​2409 89d78c0a Thanks @​penalosa! - Wrangler now supports an --experimental-json-config flag which will read your configuration from a wrangler.json file, rather than wrangler.toml. The format of this file is exactly the same as the wrangler.toml configuration file, except that the syntax is JSONC (JSON with comments) rather than TOML. This is experimental, and is not recommended for production use.

  • #​2597 416babf0 Thanks @​petebacondarwin! - fix: do not crash in wrangler dev when passing a request object to fetch

    This reverts and fixes the changes in #​1769
    which does not support creating requests from requests whose bodies have already been consumed.

    Fixes #​2562

v2.8.1

Compare Source

Patch Changes

  • #​2501 a0e5a491 Thanks @​geelen! - fix: make it possible to query d1 databases from durable objects

    This PR makes it possible to access D1 from Durable Objects.

    To be able to query D1 from your Durable Object, you'll need to install the latest version of wrangler, and redeploy your Worker.

    For a D1 binding like:

    [[d1_databases]]
binding = "DB" # i.e. available in your Worker on env.DB
database_name = "my-database-name"
database_id = "UUID-GOES-HERE"
preview_database_id = "UUID-GOES-HERE"

    You'll be able to access your D1 database via env.DB in your Durable Object.

  • #​2280 ef110923 Thanks @​penalosa! - Support queue and trace events in module middleware. This means that queue and trace events should work properly with the --test-scheduled flag

  • #​2554 fbeaf609 Thanks @​CarmenPopoviciu! - feat: Add support for wasm module imports in wrangler pages dev

    Currently it is not possible to import wasm modules in either Pages
    Functions or Pages Advanced Mode projects.

    This commit caries out work to address the aforementioned issue by
    enabling wasm module imports in wrangler pages dev. As a result,
    Pages users can now import their wasm modules withing their Functions
    or _worker.js files, and wrangler pages dev will correctly bundle
    everything and serve these "external" modules.

    import hello from "./hello.wasm"

export async function onRequest() {
	const module = await WebAssembly.instantiate(hello);
	return new Response(module.exports.hello);
}

  • #​2563 5ba39569 Thanks @​CarmenPopoviciu! - fix: Copy module imports related files to outdir

    When we bundle a Worker esbuild takes care of writing the
    results to the output directory. However, if the Worker contains
    any external imports, such as text/wasm/binary module imports,
    that cannot be inlined into the same bundle file, bundleWorker
    will not copy these files to the output directory. This doesn't
    affect wrangler publish per se, because of how the Worker
    upload FormData is created. It does however create some
    inconsistencies when running wrangler publish --outdir or
    wrangler publish --outdir --dry-run, in that, outdir will
    not contain those external import files.

    This commit addresses this issue by making sure the aforementioned
    files do get copied over to outdir together with esbuild's
    resulting bundle files.

v2.8.0

Compare Source

Minor Changes

  • #​2404 3f824347 Thanks @​petebacondarwin! - feat: support bundling the raw Pages _worker.js before deploying

    Previously, if you provided a _worker.js file, then Pages would simply check the
    file for disallowed imports and then deploy the file as-is.

    Not bundling the _worker.js file means that it cannot containing imports to other
    JS files, but also prevents Wrangler from adding shims such as the one for the D1 alpha
    release.

    This change adds the ability to tell Wrangler to pass the _worker.js through the
    normal Wrangler bundling process before deploying by setting the --bundle
    command line argument to wrangler pages dev and wrangler pages publish.

    This is in keeping with the same flag for wrangler publish.

    Currently bundling is opt-in, flag defaults to false if not provided.

Patch Changes

  • #​2551 bfffe595 Thanks @​rozenmd! - fix: wrangler init --from-dash incorrectly expects index.ts while writing index.js

    This PR fixes a bug where Wrangler would write a wrangler.toml expecting an index.ts file, while writing an index.js file.

  • #​2529 2270507c Thanks @​CarmenPopoviciu! - Remove "experimental _routes.json" warnings

    _routes.json is no longer considered an experimental feature, so let's
    remove all warnings we have in place for that.

  • #​2548 4db768fa Thanks @​rozenmd! - fix: path should be optional for wrangler d1 backup download

    This PR fixes a bug that forces folks to provide a --output flag to wrangler d1 backup download.

  • #​2528 18208091 Thanks @​caass! - Add some guidance when folks encounter a 10021 error.

    Error code 10021 can occur when your worker doesn't pass startup validation. This error message will make it a little easier to reason about what happened and what to do next.

    Closes #​2519

v2.7.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency wrangler to v3 [SECURITY] Update dependency wrangler to v3 [SECURITY] - autoclosed Aug 28, 2023
@renovate renovate bot closed this Aug 28, 2023
@renovate renovate bot deleted the renovate/npm-wrangler-vulnerability branch August 28, 2023 20:19
@renovate renovate bot changed the title Update dependency wrangler to v3 [SECURITY] - autoclosed Update dependency wrangler to v3 [SECURITY] Aug 28, 2023
@renovate renovate bot reopened this Aug 28, 2023
@renovate renovate bot restored the renovate/npm-wrangler-vulnerability branch August 28, 2023 21:57
@renovate renovate bot force-pushed the renovate/npm-wrangler-vulnerability branch from c2ad43f to 020f68c Compare August 28, 2023 21:58
@renovate renovate bot changed the title Update dependency wrangler to v3 [SECURITY] Update dependency wrangler to v2.20.1 [SECURITY] Aug 31, 2023
@renovate renovate bot force-pushed the renovate/npm-wrangler-vulnerability branch from 020f68c to bb94650 Compare August 31, 2023 19:34
@renovate renovate bot force-pushed the renovate/npm-wrangler-vulnerability branch from bb94650 to 4cccb5a Compare January 3, 2024 23:22
@renovate renovate bot changed the title Update dependency wrangler to v2.20.1 [SECURITY] Update dependency wrangler to v2.20.2 [SECURITY] Jan 3, 2024
@renovate renovate bot force-pushed the renovate/npm-wrangler-vulnerability branch from 4cccb5a to 3228ad8 Compare August 10, 2025 13:07
@renovate renovate bot force-pushed the renovate/npm-wrangler-vulnerability branch from 3228ad8 to 73aec5f Compare September 25, 2025 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant