code · pull · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/.changeset/bump-vulnerable-deps-create-cloudflare.md b/.changeset/bump-vulnerable-deps-create-cloudflare.md
@@ -0,0 +1,5 @@
+---
+"create-cloudflare": patch
+---
+
+Bump glob to ^10.5.0 to address command injection vulnerability in glob CLI
diff --git a/.changeset/bump-vulnerable-deps-miniflare.md b/.changeset/bump-vulnerable-deps-miniflare.md
@@ -0,0 +1,7 @@
+---
+"miniflare": patch
+---
+
+Bump hono to ^4.12.5 and devalue to ^5.6.3 to address security vulnerabilities
+
+Hono had multiple advisories including arbitrary file access via serveStatic, JWT algorithm confusion, and XSS through ErrorBoundary. Devalue had denial of service vulnerabilities in devalue.parse. These are bundled dependencies so the fix is delivered via this patch.
diff --git a/.changeset/bump-vulnerable-deps-pages-shared.md b/.changeset/bump-vulnerable-deps-pages-shared.md
@@ -0,0 +1,5 @@
+---
+"@cloudflare/pages-shared": patch
+---
+
+Bump glob to ^10.5.0 to address command injection vulnerability in glob CLI
diff --git a/.changeset/bump-vulnerable-deps-vitest-pool-workers.md b/.changeset/bump-vulnerable-deps-vitest-pool-workers.md
@@ -0,0 +1,7 @@
+---
+"@cloudflare/vitest-pool-workers": patch
+---
+
+Bump devalue to ^5.6.3 to address security vulnerabilities
+
+Devalue had denial of service and prototype pollution vulnerabilities. This is a bundled dependency.
diff --git a/.changeset/bump-vulnerable-deps-wrangler.md b/.changeset/bump-vulnerable-deps-wrangler.md
@@ -0,0 +1,7 @@
+---
+"wrangler": patch
+---
+
+Bump node-forge to ^1.3.2 to address security vulnerabilities
+
+node-forge had ASN.1 unbounded recursion, OID integer truncation, and ASN.1 validator desynchronization vulnerabilities. This is a bundled dependency used for local HTTPS certificate handling.
diff --git a/.changeset/dependabot-update-12795.md b/.changeset/dependabot-update-12795.md
@@ -0,0 +1,12 @@
+---
+"miniflare": patch
+"wrangler": patch
+---
+
+Update dependencies of "miniflare", "wrangler"
+
+The following dependency versions have been updated:
+
+| Dependency | From         | To           |
+| ---------- | ------------ | ------------ |
+| workerd    | 1.20260301.1 | 1.20260306.1 |
diff --git a/.changeset/evil-rivers-draw.md b/.changeset/evil-rivers-draw.md
@@ -0,0 +1,24 @@
+---
+"wrangler": minor
+---
+
+Add support for inheritable bindings in type generation
+
+When using `wrangler types` with multiple environments, bindings from inheritable config properties (like `assets`) are now correctly inherited from the top-level config in all named environments. Previously, if you defined `assets.binding` at the top level with named environments, the binding would be marked as optional in the generated `Env` type because the type generation didn't account for inheritance.
+
+Example:
+
+```json
+{
+	"assets": {
+		"binding": "ASSETS",
+		"directory": "./public"
+	},
+	"env": {
+		"staging": {},
+		"production": {}
+	}
+}
+```
+
+Before this change, `ASSETS` would be typed as `ASSETS?: Fetcher` (optional). Now, `ASSETS` is correctly typed as `ASSETS: Fetcher` (required). This fix currently applies to the `assets` binding, with an extensible mechanism to support additional inheritable bindings in the future.
diff --git a/.changeset/thirty-mammals-live.md b/.changeset/thirty-mammals-live.md
@@ -0,0 +1,7 @@
+---
+"@cloudflare/local-explorer-ui": patch
+---
+
+Refactors KV & sidebar to use route loaders.
+
+This change improves the user experience of the Local Explorer dashboard by ensuring that the data used for the initial render is fetched server-side and passed down to the client. This avoids the initial flicker when loading in. Both D1 & Durable Object routes already incorporate this system.
diff --git a/.github/actions/install-dependencies/action.yml b/.github/actions/install-dependencies/action.yml
@@ -17,7 +17,7 @@ runs:
   using: "composite"
   steps:
     - name: Install pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
       with:
         version: 9.12.0
 

diff --git a/.github/actions/install-python-uv/action.yml b/.github/actions/install-python-uv/action.yml
@@ -3,7 +3,7 @@ runs:
   using: "composite"
   steps:
     - name: Install uv for Python
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
       with:
         version: "0.9.3"
         enable-cache: false
diff --git a/.github/workflows/auto-assign-issues.yml b/.github/workflows/auto-assign-issues.yml
@@ -22,7 +22,7 @@ jobs:
           node-version: 22 # need this version for `Set` methods
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
         with:
           version: 9.12.0
 

diff --git a/.github/workflows/c3-e2e.yml b/.github/workflows/c3-e2e.yml
@@ -38,7 +38,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |

diff --git a/.github/workflows/changeset-review.yml b/.github/workflows/changeset-review.yml
@@ -35,7 +35,7 @@ jobs:
 
       - name: Get changed changeset files
         id: changed-changesets
-        uses: tj-actions/changed-files@v45
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45
         with:
           files: |
             .changeset/*.md
@@ -79,7 +79,7 @@ jobs:
 
       - name: Post review comment
         if: steps.opencode-review.outcome == 'success'
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         with:
           header: changeset-review
           path: changeset-review.md

diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
@@ -54,7 +54,7 @@ jobs:
 
       - name: Create Version PR or Publish to NPM
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1
         with:
           version: node .github/changeset-version.js
           publish: pnpm exec changeset publish

diff --git a/.github/workflows/deploy-pages-previews.yml b/.github/workflows/deploy-pages-previews.yml
@@ -83,7 +83,7 @@ jobs:
 
       - name: "Comment on PR with Devtools Link"
         if: contains(github.event.*.labels.*.name, 'preview:chrome-devtools-patches')
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         with:
           header: ${{ steps.finder.outputs.pr }}
           message: |
@@ -102,7 +102,7 @@ jobs:
 
       - name: "Comment on PR with Combined Link"
         if: contains(github.event.*.labels.*.name, 'preview:chrome-devtools-patches') && contains(github.event.*.labels.*.name, 'preview:workers-playground')
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         with:
           header: ${{ steps.finder.outputs.pr }}
           append: true

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
@@ -106,7 +106,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |

diff --git a/.github/workflows/hotfix-release.yml b/.github/workflows/hotfix-release.yml
@@ -31,7 +31,7 @@ jobs:
           fetch-depth: 0
 
       - name: Check user for team affiliation
-        uses: tspascoal/get-user-teams-membership@v2
+        uses: tspascoal/get-user-teams-membership@ba78054988f58bea69b7c6136d563236f8ed2fc0 # v2
         id: teamAffiliation
         with:
           GITHUB_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }}

diff --git a/.github/workflows/test-and-check-other-node.yml b/.github/workflows/test-and-check-other-node.yml
@@ -35,7 +35,7 @@ jobs:
           fetch-depth: 1
 
       - name: Filter changed paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |

diff --git a/.github/workflows/test-and-check.yml b/.github/workflows/test-and-check.yml
@@ -98,7 +98,7 @@ jobs:
           fetch-depth: 0
 
       - name: Filter changed paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |

diff --git a/.github/workflows/validate-pr-description.yml b/.github/workflows/validate-pr-description.yml
@@ -33,7 +33,7 @@ jobs:
         with:
           fetch-depth: 1
 
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
@@ -52,7 +52,7 @@ jobs:
       - name: List changed files
         if: steps.changes.outputs.everything_but_markdown == 'true'
         id: files
-        uses: Ana06/get-changed-files@v2.3.0
+        uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
         with:
           format: "json"
 

diff --git a/.github/workflows/vite-plugin-playgrounds.yml b/.github/workflows/vite-plugin-playgrounds.yml
@@ -34,7 +34,7 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v4
       - name: Filter changed paths
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |

diff --git a/fixtures/nodejs-hybrid-app/tests/index.test.ts b/fixtures/nodejs-hybrid-app/tests/index.test.ts
@@ -1,36 +1,39 @@
 import { resolve } from "node:path";
 import { fetch } from "undici";
 import { afterAll, beforeAll, describe, it, test } from "vitest";
+import { createMockPostgresServer } from "../../shared/src/mock-postgres-server";
 import { runWranglerDev } from "../../shared/src/run-wrangler-long-lived";
 
 describe("nodejs compat", () => {
 	let wrangler: Awaited<ReturnType<typeof runWranglerDev>>;
+	let mockPg: Awaited<ReturnType<typeof createMockPostgresServer>>;
 
 	beforeAll(async () => {
+		// Start a local mock Postgres server that returns canned results
+		mockPg = await createMockPostgresServer({
+			rows: [{ id: "1", name: "test-row" }],
+		});
+
 		wrangler = await runWranglerDev(resolve(__dirname, "../src"), [
 			"--port=0",
 			"--inspector-port=0",
+			`--var`,
+			`DB_PORT:${mockPg.port}`,
 		]);
 	});
 
 	afterAll(async () => {
 		await wrangler.stop();
+		await mockPg.stop();
 	});
+
 	it("should work when running code requiring polyfills", async ({
 		expect,
 	}) => {
 		const { ip, port } = wrangler;
 		const response = await fetch(`http://${ip}:${port}/test-process`);
 		const body = await response.text();
 		expect(body).toMatchInlineSnapshot(`"OK!"`);
-
-		// Disabling actually querying the database since we are getting this error:
-		// > too many connections for role 'reader'
-		// const response = await fetch(`http://${ip}:${port}/query`);
-		// const body = await response.text();
-		// console.log(body);
-		// const result = JSON.parse(body) as { id: string };
-		// expect(result.id).toEqual("1");
 	});
 
 	it("should be able to call `getRandomValues()` bound to any object", async ({
@@ -113,7 +116,7 @@ describe("nodejs compat", () => {
 		const { ip, port } = wrangler;
 		const response = await fetch(`http://${ip}:${port}/process-env`);
 		await expect(response.json()).resolves.toMatchObject({
-			DB_HOSTNAME: "hh-pgsql-public.ebi.ac.uk",
+			DB_HOSTNAME: "127.0.0.1",
 			DEV_VAR_FROM_DOT_ENV: "dev-var-from-dot-env",
 		});
 	});
@@ -122,7 +125,7 @@ describe("nodejs compat", () => {
 		const { ip, port } = wrangler;
 		const response = await fetch(`http://${ip}:${port}/env`);
 		await expect(response.json()).resolves.toMatchObject({
-			DB_HOSTNAME: "hh-pgsql-public.ebi.ac.uk",
+			DB_HOSTNAME: "127.0.0.1",
 			DEV_VAR_FROM_DOT_ENV: "dev-var-from-dot-env",
 		});
 	});
@@ -131,5 +134,7 @@ describe("nodejs compat", () => {
 		const { ip, port } = wrangler;
 		const response = await fetch(`http://${ip}:${port}/query`);
 		expect(response.status).toBe(200);
+		const body = await response.json();
+		expect(body).toMatchObject({ id: "1" });
 	});
 });
diff --git a/fixtures/nodejs-hybrid-app/worker-configuration.d.ts b/fixtures/nodejs-hybrid-app/worker-configuration.d.ts
@@ -1,10 +1,9 @@
-// Generated by Wrangler on Tue Mar 05 2024 16:04:07 GMT+0000 (Greenwich Mean Time)
-// by running `wrangler types`
+// Generated by Wrangler by running `wrangler types`
 
 interface Env {
-	DB_HOSTNAME: "hh-pgsql-public.ebi.ac.uk";
-	DB_PORT: "5432";
-	DB_NAME: "pfmegrnargs";
-	DB_USERNAME: "reader";
-	DB_PASSWORD: "NWDMCE5xdipIjRrp";
+	DB_HOSTNAME: string;
+	DB_PORT: string;
+	DB_NAME: string;
+	DB_USERNAME: string;
+	DB_PASSWORD: string;
 }
diff --git a/fixtures/nodejs-hybrid-app/wrangler.jsonc b/fixtures/nodejs-hybrid-app/wrangler.jsonc
@@ -5,17 +5,14 @@
 	// Setting compat date after 2025/04/01 means we don't need to use `nodejs_compat_populate_process_env`
 	"compatibility_date": "2025-07-01",
 	"compatibility_flags": ["nodejs_compat"],
-	/*
-    These DB connection values are to a public database containing information about
-    RNA, genes, etc. See https://rnacentral.org/help/public-database.
-    In case GitGuardian complains in future PRs, this is public information so a false positive.
-  */
+	// Default DB connection values point at 127.0.0.1.
+	// Tests override DB_PORT at runtime to point at a local mock Postgres server.
 	"vars": {
-		"DB_HOSTNAME": "hh-pgsql-public.ebi.ac.uk",
+		"DB_HOSTNAME": "127.0.0.1",
 		"DB_PORT": "5432",
-		"DB_NAME": "pfmegrnargs",
-		"DB_USERNAME": "reader",
-		"DB_PASSWORD": "NWDMCE5xdipIjRrp",
+		"DB_NAME": "testdb",
+		"DB_USERNAME": "testuser",
+		"DB_PASSWORD": "testpassword",
 		"DEBUG": "example:*,test",
 	},
 }