
Bump the security group across 1 directory with 3 updates #206

Merged: willswire merged 1 commit into main from dependabot/npm_and_yarn/security-87fc7548d6 on Mar 4, 2026


@dependabot dependabot Bot commented on behalf of github Mar 4, 2026


Bumps the security group with 2 updates in the / directory: wrangler and esbuild.

Updates wrangler from 3.111.0 to 3.114.17

Changelog

Sourced from wrangler's changelog.

3.114.17

Patch Changes

  • #11891 6d5557b Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

    Pass user provided values from --commit-hash safely to underlying git command.

3.114.16

Patch Changes

  • #11689 9bab0a0 Thanks @​ascorbic! - Display a warning when authentication errors occur and the account_id in your Wrangler configuration does not match any of your authenticated accounts. This helps identify configuration issues where you may have the wrong account ID set in your wrangler.toml or wrangler.jsonc file.

  • #10737 c41a078 Thanks @​workers-devprod! - Allow WRANGLER_SEND_ERROR_REPORTS env var to override whether to report Wrangler crashes to Sentry

  • #11134 bd39455 Thanks @​petebacondarwin! - Reduce the amount of arguments being passed in metrics capture.

    Now the argument values that are captured come from an allow list, and can be marked as ALLOW (capture the real value) or REDACT (capture as "").

  • #11020 9cb702e Thanks @​dario-piotrowicz! - Fix observability.logs.persist being flagged as an unexpected field during the wrangler config file validation

  • #11147 cf4993b Thanks @​FlorentCollin! - Improve the formatting of the D1 execute command to always show the duration in milliseconds with two decimal places.

  • #11650 cc29ead Thanks @​ascorbic! - fix: respect TypeScript path aliases when resolving non-JS modules with module rules

    When importing non-JavaScript files (like .graphql, .txt, etc.) using TypeScript path aliases defined in tsconfig.json, Wrangler's module-collection plugin now correctly resolves these imports. Previously, path aliases were only respected for JavaScript/TypeScript files, causing imports like import schema from '~lib/schema.graphql' to fail when using module rules.

  • #11179 7f779e9 Thanks @​ascorbic! - Log a more helpful error when attempting to "r2 object put" a non-existent file

  • #11501 c78d942 Thanks @​edmundhung! - fix: prevent reporting SQLite error from wrangler d1 execute to Sentry

  • #11262 b2683f7 Thanks @​workers-devprod! - Avoid using object lookup for OAuth Error classes

  • #11107 d8037d3 Thanks @​workers-devprod! - Fixed conflict between --env and --expires flags in wrangler r2 object put.

    --e now aliases --env only, and NOT --expires.

  • #10961 02d2ea9 Thanks @​devin-ai-integration! - Acquire Cloudflare Access tokens for additional requests made during a wrangler dev --remote session

  • #11108 892ec4f Thanks @​emily-shen! - Fixed self-bindings (service bindings to the same worker) showing as [not connected] in wrangler dev. Self-bindings now correctly show as [connected] since a worker is always available to itself.

  • #11138 3db872a Thanks @​devin-ai-integration! - Implement tail-based logging for wrangler dev remote mode, behind the --x-tail-tags flag. This will become the default in the future.

  • #10889 204616c Thanks @​workers-devprod! - Clarify that wrangler check startup generates a local CPU profile

  • #11491 ed8aaef Thanks @​edmundhung! - Explicitly close FileHandle in wrangler d1 execute to support Node 25

  • #10962 203e599 Thanks @​devin-ai-integration! - Fixed duplicate warning messages appearing during wrangler dev when configuration changes or state transitions occur

... (truncated)

Commits
  • f21ee75 Version Packages (#11895)
  • 6d5557b fix: execute git commands in pages deploy safely (#11889) (#11891)
  • 0e19ae9 Version Packages (#10906)
  • 3db872a [v3 backport] Backport tail-based logging from #11135 and #11346 (#11138)
  • 02d2ea9 Fix remote dev with Access (#10961)
  • 9bab0a0 fix(wrangler): add warning when account_id mismatch detected on auth error (v...
  • 4b18c6f Introduce internal isWorkerNotFoundError utility and avoid worker-not-found...
  • ed8aaef fix(wrangler): close FileHandle in to support Node 25 (#11491)
  • c78d942 V3 backport of #11467: prevent SQLite users error from being reported to Sent...
  • cc29ead fix: respect TypeScript path aliases when resolving non-JS modules with modul...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for wrangler since your current version.


Updates cookie from 0.5.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

  • Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

  • Add partitioned option
Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates esbuild from 0.17.19 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

  • Preserve URL fragments in data URLs (#4370)

    Consider the following HTML, CSS, and SVG:

    • index.html:

      <!DOCTYPE html>
      <html>
        <head><link rel="stylesheet" href="icons.css"></head>
        <body><div class="triangle"></div></body>
      </html>
    • icons.css:

      .triangle {
        width: 10px;
        height: 10px;
        background: currentColor;
        clip-path: url(./triangle.svg#x);
      }
    • triangle.svg:

      <svg xmlns="http://www.w3.org/2000/svg">
        <defs>
          <clipPath id="x">
            <path d="M0 0H10V10Z"/>
          </clipPath>
        </defs>
      </svg>

    The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

    /* icons.css */
    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
    }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11

  • Fix TypeScript-specific class transform edge case (#3559)

    The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:

    // Original code
    class Foo extends Bar {
      #private = 1;
      public: any;
      constructor() {
        super();
      }
    }
    // Old output (with esbuild v0.19.9)
    class Foo extends Bar {
      constructor() {
        super();
        this.#private = 1;
      }
      #private;
    }
    // Old output (with esbuild v0.19.10)
    class Foo extends Bar {
      constructor() {
        this.#private = 1;
        super();
      }
      #private;
    }
    // New output
    class Foo extends Bar {
      #private = 1;
      constructor() {
        super();
      }
    }

  • Minifier: allow reordering a primitive past a side-effect (#3568)

    The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits
  • 9129e00 publish 0.27.3 to npm
  • e20e411 small fix to release notes
  • 0dc0f2d fix #4322: parse and print CSS @scope rules
  • 55fe391 update firefox css gradient support
  • 2c35297 update gradient lowering transform
  • 9209e44 Update Go to 1.25.7 (#4388)
  • e8d861b close #4374: compat table for the using feature
  • 19b8887 no longer need williamkapke/node-compat-table
  • 7e44218 the kangax/compat-table repo moved to a new url
  • 23b9338 run make update-compat-table
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the security group with 2 updates in the / directory: [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) and [esbuild](https://github.com/evanw/esbuild).


Updates `wrangler` from 3.111.0 to 3.114.17
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/wrangler@3.114.17/packages/wrangler/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@3.114.17/packages/wrangler)

Updates `cookie` from 0.5.0 to 0.7.2
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.5.0...v0.7.2)

Updates `esbuild` from 0.17.19 to 0.27.3
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](evanw/esbuild@v0.17.19...v0.27.3)

---
updated-dependencies:
- dependency-name: wrangler
  dependency-version: 3.114.17
  dependency-type: direct:development
  dependency-group: security
- dependency-name: cookie
  dependency-version: 0.7.2
  dependency-type: indirect
  dependency-group: security
- dependency-name: esbuild
  dependency-version: 0.27.3
  dependency-type: indirect
  dependency-group: security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Mar 4, 2026
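
The wrangler 3.114.17 entry quoted above ("Use argument array when executing git commands") is the change that makes this bump security-relevant. The following is an added example, not wrangler's code and not part of the PR: it contrasts a command string built by interpolation with an argument array. The function names, the `git show` arguments and the hex-only check are assumptions of this example, and a child Node process stands in for git so it runs offline.

```javascript
const { execFileSync } = require("node:child_process");

// Stand-in for the git binary (assumption): a child Node process that prints
// the argv it received, so the example runs offline without a repository.
const PRINT_ARGV = "console.log(JSON.stringify(process.argv.slice(1)))";

// Before: the value is pasted into a string that a shell would parse, so
// characters such as ; | $ ` in it are read as shell syntax, not as data.
function buildShellCommand(commitHash) {
  return `git show -s --format=%B ${commitHash}`;
}

// After: every argument is its own array element and no shell is started,
// so the value reaches the child process as exactly one argv entry.
function runWithArgArray(commitHash) {
  const args = ["show", "-s", "--format=%B", commitHash];
  const out = execFileSync(process.execPath, ["-e", PRINT_ARGV, "--", ...args], {
    encoding: "utf8",
  });
  return JSON.parse(out);
}

// Extra check added in this example (not described in the changelog): accept
// only hex object names, which also rejects values that start with "-" and
// would otherwise be read by the child program as an option.
function isCommitHash(value) {
  return /^[0-9a-f]{7,64}$/i.test(value);
}

// Constructed sample value, harmless if it were ever run.
const sample = "abc123; echo INJECTED";
console.log(buildShellCommand(sample)); // one string, two shell commands
console.log(runWithArgArray(sample).slice(-1)); // one argv entry, unchanged
console.log(isCommitHash(sample), isCommitHash("6d5557b"));
```

When reviewing a bump like this one, the same pattern is worth searching for in your own deploy scripts: any `exec`/`execSync` call whose command string interpolates a CLI flag, branch name or commit value.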

github-actions Bot commented Mar 4, 2026


Coverage Report

| Status | Category | Percentage | Covered / Total |
| --- | --- | --- | --- |
| 🔵 | Lines | 100% | 58 / 58 |
| 🔵 | Statements | 100% | 58 / 58 |
| 🔵 | Functions | 100% | 5 / 5 |
| 🔵 | Branches | 100% | 38 / 38 |

File Coverage: No changed files found.
Generated in workflow #106 for commit 4f448c2 by the Vitest Coverage Report Action

@willswire willswire merged commit b73374b into main Mar 4, 2026
2 checks passed
@willswire willswire deleted the dependabot/npm_and_yarn/security-87fc7548d6 branch March 4, 2026 01:05