# Update dependency wrangler to v3.19.0 [SECURITY] #491
This PR contains the following updates:

| Package | Change |
| --- | --- |
| wrangler | `3.4.0` -> `3.19.0` |
### GitHub Vulnerability Alerts

#### CVE-2023-7080

**Impact**

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. `wrangler dev` would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate `Origin`/`Host` headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If `wrangler dev --remote` was being used, an attacker could access production resources if they were bound to the worker.

**Patches**

This issue was fixed in [email protected] and [email protected]. Whilst `wrangler dev`'s inspector server listens on local interfaces by default as of [email protected], an SSRF vulnerability in `miniflare` allowed access from the local network until [email protected]. [email protected] and [email protected] introduced validation for the `Origin`/`Host` headers.

**Workarounds**

Unfortunately, Wrangler doesn't provide any configuration for which host the inspector server should listen on. Please upgrade to at least [email protected], and configure Wrangler to listen on local interfaces instead with `wrangler dev --ip 127.0.0.1` to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.
## Release Notes

### cloudflare/workers-sdk (wrangler)

#### v3.19.0

**Minor Changes**

- #4547 `86c81ff0` Thanks @mrbbot! - fix: listen on IPv4 loopback only by default on Windows

  Due to a known issue, `workerd` will only listen on the IPv4 loopback address `127.0.0.1` when it's asked to listen on `localhost`. On Node.js > 17, `localhost` will resolve to the IPv6 loopback address, meaning requests to `workerd` would fail. This change switches to using the IPv4 loopback address throughout Wrangler on Windows, while workerd#1408 gets fixed.

- #4535 `29df8e17` Thanks @mrbbot! - Reintroduces some internal refactorings of wrangler dev servers (including `wrangler dev`, `wrangler dev --remote`, and `unstable_dev()`).

  These changes were released in 3.13.0 and reverted in 3.13.1 -- we believe the changes are now more stable and ready for release again.

  There are no changes required for developers to opt-in. Improvements include:

**Patch Changes**

- `6c5bc704` Thanks @zebp! - fix: init from dash specifying explicit usage model in wrangler.toml for standard users

- #4550 `63708a94` Thanks @mrbbot! - fix: validate `Host` and `Origin` headers where appropriate

  `Host` and `Origin` headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.

- Updated dependencies [`71fb0b86`, `63708a94`]
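The advisory above (CVE-2023-7080) and the #4550 entry both turn on the same control: a dev or inspector server that is only meant to be reached from the developer's own machine must check the `Host` and `Origin` headers, because a loopback listener alone does not stop a web page from steering the user's browser at it. The following is an added example of that check, written for this page; it is not Wrangler's or Miniflare's code. The allowed-hostname list, the listen port `8787`, the sample headers and the lowercase header keys (the form Node's `http` module delivers) are all assumptions.

```javascript
// Added example (not Wrangler's or Miniflare's own code): validate the Host and
// Origin headers of a request to a dev/inspector server that is meant to be
// reachable only from the developer's machine.
//
// Assumptions: the server is bound to a loopback address on `listenPort`;
// header names are lowercase, as Node's http module delivers them.

// Names that may legitimately appear in Host/Origin for a loopback listener.
// WHATWG URL keeps the brackets on IPv6 hostnames, so "[::1]" is the form to match.
const ALLOWED_HOSTNAMES = new Set(["127.0.0.1", "localhost", "[::1]"]);

// Split "host[:port]" into its parts, handling the bracketed IPv6 form.
// Returns null when the header is missing or not well-formed.
function parseHostHeader(host) {
  if (typeof host !== "string") return null;
  const m = /^(\[[^\]]+\]|[^:\s]+)(?::(\d{1,5}))?$/.exec(host.trim());
  if (m === null) return null;
  return { hostname: m[1].toLowerCase(), port: m[2] === undefined ? null : Number(m[2]) };
}

// Decide whether a request may reach the server. A foreign Host header is the
// signature of DNS rebinding (the browser resolved an attacker-controlled name
// to the loopback address); a foreign Origin is a cross-site request issued by
// a web page. Requests without an Origin header (curl, a DevTools client) are
// judged on Host alone.
function validateRequest(headers, listenPort) {
  const host = parseHostHeader(headers.host);
  if (host === null) {
    return { ok: false, reason: "missing or malformed Host header" };
  }
  if (!ALLOWED_HOSTNAMES.has(host.hostname)) {
    return { ok: false, reason: `Host "${headers.host}" is not a loopback name` };
  }
  if (host.port !== null && host.port !== listenPort) {
    return { ok: false, reason: `Host port ${host.port} does not match listen port ${listenPort}` };
  }
  if (headers.origin !== undefined) {
    let origin;
    try {
      origin = new URL(headers.origin); // "null" and other junk values throw here
    } catch {
      return { ok: false, reason: `malformed Origin "${headers.origin}"` };
    }
    if (!ALLOWED_HOSTNAMES.has(origin.hostname)) {
      return { ok: false, reason: `Origin "${headers.origin}" is not allowed` };
    }
  }
  return { ok: true, reason: "" };
}

// Wrap a request handler so rejected requests get a 403 and never reach it.
// `req`/`res` are assumed to look like Node's http.IncomingMessage/ServerResponse.
function guard(listenPort, handler) {
  return (req, res) => {
    const verdict = validateRequest(req.headers, listenPort);
    if (!verdict.ok) {
      res.statusCode = 403;
      res.end(`Forbidden: ${verdict.reason}\n`);
      return;
    }
    handler(req, res);
  };
}

// Constructed sample headers for a server bound to port 8787.
const SAMPLES = {
  devtools: { host: "127.0.0.1:8787" },
  browserLocal: { host: "localhost:8787", origin: "http://localhost:8787" },
  rebound: { host: "dev.attacker.example:8787" },                        // DNS rebinding
  crossSite: { host: "127.0.0.1:8787", origin: "https://attacker.example" }, // cross-site page
};

// Run every sample through the check; returns { name: accepted? }.
function classifySamples(listenPort = 8787) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = validateRequest(headers, listenPort).ok;
  }
  return out;
}
```

Binding to `127.0.0.1` (the `--ip 127.0.0.1` workaround in the advisory) removes the local network from the picture; the header check is what closes the remaining browser-borne path, which is why the fix in #4550 is needed on top of the listen-address change.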
#### v3.18.0

**Minor Changes**

- #4532 `311ffbd5` Thanks @mrbbot! - fix: change `wrangler (pages) dev` to listen on `localhost` by default

  Previously, Wrangler listened on all interfaces (`*`) by default. This change switches `wrangler (pages) dev` to just listen on local interfaces. Whilst this is technically a breaking change, we've decided the security benefits outweigh the potential disruption caused. If you need to access your dev server from another device on your network, you can use `wrangler (pages) dev --ip *` to restore the previous behaviour.

**Patch Changes**

- Updated dependencies [`1b348782`]

#### v3.17.1

**Patch Changes**

- #4474 `382ef8f5` Thanks @mrbbot! - fix: open browser to correct url pressing `b` in `--remote` mode

  This change ensures Wrangler doesn't try to open `http://*` when `*` is used as the dev server's hostname. Instead, Wrangler will now open `http://127.0.0.1`.

- #4488 `3bd57238` Thanks @RamIdeas! - Changes the default directory for log files to workaround frameworks that are watching the entire `.wrangler` directory in the project root for changes

  Also includes a fix for commands with `--json` where the log file location message would cause stdout to not be valid JSON. That message now goes to stderr.

#### v3.17.0
**Minor Changes**

- #4341 `d9908743` Thanks @RamIdeas! - Wrangler now writes all logs to a .log file in the `.wrangler` directory. Set a directory or specific .log filepath to write logs to with `WRANGLER_LOG_PATH=../Desktop/my-logs/` or `WRANGLER_LOG_PATH=../Desktop/my-logs/my-log-file.log`. When specifying a directory or using the default location, a filename with a timestamp is used.

  Wrangler now filters workerd stdout/stderr and marks unactionable messages as debug logs. These debug logs are still observable in the debug log file but will no longer show in the terminal by default without the user setting the env var `WRANGLER_LOG=debug`.

**Patch Changes**

- `d5e1966b` Thanks @mrbbot! - fix: report correct line and column numbers when source mapping errors with `wrangler dev --remote`
- `1747d215` Thanks @rozenmd! - fix: make it possible to ignore hyperdrive warnings
- `805d5241` Thanks @dario-piotrowicz! - add warnings about ai and vectorize bindings not being supported locally
- #4478 `7b54350b` Thanks @penalosa! - Don't log sensitive data to the Wrangler debug log file by default. This includes API request headers and responses.
- Updated dependencies [`be2b9cf5`, `d9908743`]

#### v3.16.0

**Minor Changes**

- `102e15f9` Thanks @Skye-31! - Feat(unstable_dev): Provide an option for unstable_dev to perform the check that prompts users to update wrangler, defaulting to false. This will prevent unstable_dev from sending a request to NPM on startup to determine whether it needs to be updated.

- #4179 `dd270d00` Thanks @matthewdavidrodgers! - Simplify secret:bulk api via script settings

  Firing PUTs to the secret api in parallel has never been a great solution - each request independently needs to lock the script, so running in parallel is at best just as bad as running serially.

  Luckily, we have the script settings PATCH api now, which can update the settings for a script (including secret bindings) at once, which means we don't need any parallelization. However this api doesn't work with a partial list of bindings, so we have to fetch the current bindings and merge in with the new secrets before PATCHing. We can however just omit the value of the binding (i.e. only provide the name and type) which instructs the config service to inherit the existing value, which simplifies this as well. Note that we don't use the bindings in your current wrangler.toml, as you could be in a draft state, and it makes sense as a user that a bulk secrets update won't update anything else. Instead, we use script settings api again to fetch the current state of your bindings.

  This simplified implementation means the operation can only fail or succeed, rather than succeeding in updating some secrets but failing for others. In order to not introduce breaking changes for logging output, the language around "${x} secrets were updated" or "${x} secrets failed" is kept, even if it doesn't make much sense anymore.
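The merge described in the #4179 entry above (fetch the current bindings, re-send the untouched ones as name and type only so their values are inherited, append the new secrets, PATCH once) is easy to get subtly wrong. Below is an added example of that merge as a pure function; it is illustration written for this page, not Wrangler's implementation. The binding object shape, the type names `secret_text` and `kv_namespace`, the rule that a value-less binding is inherited, and the sample bindings are all assumptions.

```javascript
// Added example (not Wrangler's own code): build the body of one script-settings
// PATCH that replaces a set of secrets while leaving every other binding alone.
//
// Assumptions: a binding is an object with at least `name` and `type`; secret
// bindings use the type name "secret_text" and carry their value in `text`;
// sending an existing binding with only `name` and `type` tells the config
// service to inherit its current value. Sample bindings below are constructed.

const SECRET_TYPE = "secret_text";

// The current bindings come back from the settings API without secret values,
// so untouched bindings are re-sent as name + type only and the service keeps
// whatever it already holds. Dropping every other property also guarantees the
// client never echoes back a value it should not be carrying.
function inherit(binding) {
  return { name: binding.name, type: binding.type };
}

// Merge `newSecrets` ({ NAME: value }) into `currentBindings` and return the
// full binding list for the PATCH. A secret name that collides with a
// non-secret binding (a KV namespace, say) is refused up front rather than
// letting the service see two bindings under one name.
function buildBulkSecretPatch(currentBindings, newSecrets) {
  const bindings = [];
  for (const binding of currentBindings) {
    const replaced = Object.prototype.hasOwnProperty.call(newSecrets, binding.name);
    if (replaced && binding.type !== SECRET_TYPE) {
      throw new Error(`"${binding.name}" is already a ${binding.type} binding, not a secret`);
    }
    if (!replaced) bindings.push(inherit(binding));
  }
  for (const [name, text] of Object.entries(newSecrets)) {
    if (typeof text !== "string" || text.length === 0) {
      throw new Error(`secret "${name}" must be a non-empty string`);
    }
    bindings.push({ name, type: SECRET_TYPE, text });
  }
  return { bindings };
}

// Constructed sample: what a settings GET might return for a Worker with one
// KV namespace and two secrets (secret values absent, as the API never returns them).
const CURRENT_BINDINGS = [
  { name: "SESSIONS", type: "kv_namespace", namespace_id: "0000-constructed-id" },
  { name: "API_KEY", type: SECRET_TYPE },
  { name: "WEBHOOK_SECRET", type: SECRET_TYPE },
];

// Rotate one existing secret and add a new one in a single all-or-nothing PATCH.
function demo() {
  return buildBulkSecretPatch(CURRENT_BINDINGS, {
    API_KEY: "rotated-value",       // replaces the existing secret
    SIGNING_KEY: "brand-new-value", // adds a new one
  });
}
```

Because the result is one PATCH, the outcome is all-or-nothing, which is exactly the property the entry describes: there is no state where some secrets were rotated and others were not.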
**Patch Changes**

- #4402 `baa76e77` Thanks @rozenmd! - This PR adds a fetch handler that uses `page`, assuming `result_info` provided by the endpoint contains `page`, `per_page`, and `total`

  This is needed as the existing `fetchListResult` handler for fetching potentially paginated results doesn't work for endpoints that don't implement `cursor`.

  Fixes #4349

- #4337 `6c8f41f8` Thanks @Skye-31! - Improve the error message when a script doesn't export a Durable Object class

  Previously, wrangler would error with a message like `Uncaught TypeError: Class extends value undefined is not a constructor or null`. This improves that messaging to be more understandable to users.

- `7fbe1937` Thanks @jspspike! - Change local dev server default ip to `*` instead of `0.0.0.0`. This will cause the dev server to listen on both ipv4 and ipv6 interfaces
- `f867e01c` Thanks @tmthecoder! - Support for hyperdrive bindings in local wrangler dev
- `7e05f38e` Thanks @jspspike! - Fixed issue with `tail` not using proxy
- `0453b447` Thanks @maxwellpeterson! - Allows uploads with both cron triggers and smart placement enabled
- #4437 `05b1bbd2` Thanks @jspspike! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces
- Updated dependencies [`4f8b3420`, `16cc2e92`, `3637d97a`, `29a59d4e`, `7fbe1937`, `76787861`, `8a25b7fb`]

#### v3.15.0
**Minor Changes**

- `0cac2c46` Thanks @penalosa! - Callout `--minify` when script size is too large

- #4209 `24d1c5cf` Thanks @mrbbot! - fix: suppress compatibility date fallback warnings if no `wrangler` update is available

  If a compatibility date greater than the installed version of `workerd` was configured, a warning would be logged. This warning was only actionable if a new version of `wrangler` was available. The intent here was to warn if a user set a new compatibility date, but forgot to update `wrangler`, meaning changes enabled by the new date wouldn't take effect. This change hides the warning if no update is available.

  It also changes the default compatibility date for `wrangler dev` sessions without a configured compatibility date to the installed version of `workerd`. This previously defaulted to the current date, which may have been unsupported by the installed runtime.

- #4135 `53218261` Thanks @Cherry! - feat: resolve npm exports for file imports

  Previously, when using wasm (or other static files) from an npm package, you would have to import the file like so:

  This update now allows you to import the file like so, assuming it's exposed and available in the package's `exports` field:

  This will look at the package's `exports` field in `package.json` and resolve the file using `resolve.exports`.

- #4232 `69b43030` Thanks @romeupalos! - fix: use `zone_name` to determine a zone when the pattern is a custom hostname

  In Cloudflare for SaaS, custom hostnames of third party domain owners can be used in Cloudflare. Workers are allowed to intercept these requests based on the routes configuration.

  Before this change, the same logic used by `wrangler dev` was used in `wrangler deploy`, which caused wrangler to fail with: `✘ [ERROR] Could not find zone for [partner-saas-domain.com]`

- `b404ab70` Thanks @penalosa! - When uploading additional modules with your worker, Wrangler will now report the (uncompressed) size of each individual module, as well as the aggregate size of your Worker

**Patch Changes**

- `950bc401` Thanks @RamIdeas! - fix various logging of shell commands to correctly quote args when needed

- #4274 `be0c6283` Thanks @jspspike! - chore: bump `miniflare` to `3.20231025.0`

  This change enables Node-like `console.log()`ing in local mode. Objects with lots of properties, and instances of internal classes like `Request`, `Headers`, `ReadableStream`, etc will now be logged with much more detail.

- #4127 `3d55f965` Thanks @mrbbot! - fix: store temporary files in `.wrangler`

  As Wrangler builds your code, it writes intermediate files to a temporary directory that gets cleaned up on exit. Previously, Wrangler used the OS's default temporary directory. On Windows, this is usually on the `C:` drive. If your source code was on a different drive, our bundling tool would generate invalid source maps, breaking breakpoint debugging. This change ensures intermediate files are always written to the same drive as sources. It also ensures unused build outputs are cleaned up when running `wrangler pages dev`.

  This change also means you no longer need to set `cwd` and `resolveSourceMapLocations` in `.vscode/launch.json` when creating an `attach` configuration for breakpoint debugging. Your `.vscode/launch.json` should now look something like...

- `05798038` Thanks @gabivlj! - Move helper cli files of C3 into @cloudflare/cli and make Wrangler and C3 depend on it

- #4235 `46cd2df5` Thanks @mrbbot! - fix: ensure `console.log()`s during startup are displayed

  Previously, `console.log()` calls before the Workers runtime was ready to receive requests wouldn't be shown. This meant any logs in the global scope likely weren't visible. This change ensures startup logs are shown. In particular, this should fix Remix's HMR, which relies on startup logs to know when the Worker is ready.

#### v3.14.0
**Minor Changes**

- #4204 `38fdbe9b` Thanks @matthewdavidrodgers! - Support user limits for CPU time

  User limits provided via script metadata on upload

  Example configuration:

- #2162 `a1f212e6` Thanks @WalshyDev! - add support for service bindings in `wrangler pages dev` by providing the new `--service`|`-s` flag which accepts an array of `BINDING_NAME=SCRIPT_NAME` where `BINDING_NAME` is the name of the binding and `SCRIPT_NAME` is the name of the worker (as defined in its `wrangler.toml`), such workers need to be running locally with `wrangler dev`.

  For example if a user has a worker named `worker-a`, in order to locally bind to that they'll need to open two different terminals, in each navigate to the respective worker/pages application and then run respectively `wrangler dev` and `wrangler pages ./publicDir --service MY_SERVICE=worker-a`; this will add the `MY_SERVICE` binding to pages' worker `env` object.

  Note: additionally after the `SCRIPT_NAME` the name of an environment can be specified, prefixed by an `@` (as in: `MY_SERVICE=SCRIPT_NAME@PRODUCTION`), this behavior is however experimental and not fully properly defined.

#### v3.13.2

**Patch Changes**

- `8e927170` Thanks @1000hz! - chore: bump `miniflare` to `3.20231016.0`
- `54800f6f` Thanks @a-robinson! - Log a warning when using a Hyperdrive binding in local wrangler dev

#### v3.13.1

**Patch Changes**

- `88f15f61` Thanks @penalosa! - patch: This release fixes some regressions related to running `wrangler dev` that were caused by internal refactoring of the dev server architecture (#3960). The change has been reverted, and will be added back in a future release.

#### v3.13.0

**Minor Changes**

- `403bc25c` Thanks @RamIdeas! - Fix wrangler generated types to match runtime exports

- #3960 `c36b78b4` Thanks @RamIdeas! - Refactoring the internals of wrangler dev servers (including `wrangler dev`, `wrangler dev --remote` and `unstable_dev()`).

  There are no changes required for developers to opt-in. Improvements include:

**Patch Changes**

- `f4ad634a` Thanks @penalosa! - fix: When a middleware is configured which doesn't support your Worker's script format, fail early with a helpful error message

#### v3.12.0
**Minor Changes**

- #4071 `f880a009` Thanks @matthewdavidrodgers! - Support TailEvent messages in Tail sessions

  When tailing a tail worker, messages previously had a null event property. Following https://github.com/cloudflare/workerd/pull/1248, these events have a valid event, specifying which scripts produced events that caused your tail worker to run.

  As part of rolling this out, we're filtering out tail events in the internal tail infrastructure, so we control when these new messages are forwarded to tail sessions, and can merge this freely.

  One idiosyncrasy to note, however, is that tail workers always report an "OK" status, even if they run out of memory or throw. That is being tracked and worked on separately.

- #2397 `93833f04` Thanks @a-robinson! - feature: Support Queue consumer events in tail

  So that it's less confusing when tailing a worker that consumes events from a Queue.

**Patch Changes**

- #2687 `3077016f` Thanks @jrf0110! - Fixes large Pages projects failing to complete direct upload due to expiring JWTs

  For projects which are slow to upload - either because of client bandwidth or large numbers of files and sizes - it's possible for the JWT to expire multiple times. Since our network request concurrency is set to 3, it's possible that each time the JWT expires we get 3 failed attempts. This can quickly exhaust our upload attempt count and cause the entire process to bail.

  This change makes it such that JWT refreshes do not count as a failed upload attempt.

- `f4d28918` Thanks @a-robinson! - Default new Hyperdrive configs for PostgreSQL databases to port 5432 if the port is not specified

#### v3.11.0
**Minor Changes**

- #3726 `7d20bdbd` Thanks @petebacondarwin! - feat: support partial bundling with configurable external modules

  Setting `find_additional_modules` to `true` in your configuration file will now instruct Wrangler to look for files in your `base_dir` that match your configured `rules`, and deploy them as unbundled, external modules with your Worker. `base_dir` defaults to the directory containing your `main` entrypoint.

  Wrangler can operate in two modes: the default bundling mode and `--no-bundle` mode. In bundling mode, dynamic imports (e.g. `await import("./large-dep.mjs")`) would be bundled into your entrypoint, making lazy loading less effective. Additionally, variable dynamic imports (e.g. ``await import(`./lang/${language}.mjs`)``) would always fail at runtime, as Wrangler would have no way of knowing which modules to upload. The `--no-bundle` mode sought to address these issues by disabling Wrangler's bundling entirely, and just deploying code as is. Unfortunately, this also disabled Wrangler's code transformations (e.g. TypeScript compilation, `--assets`, `--test-scheduled`, etc).

  With this change, we now additionally support partial bundling. Files are bundled into a single Worker entry-point file unless `find_additional_modules` is `true`, and the file matches one of the configured `rules`. See https://developers.cloudflare.com/workers/wrangler/bundling/ for more details and examples.

- `c71d8a0f` Thanks @mrbbot! - chore: bump `miniflare` to `3.20231002.0`

**Patch Changes**

- #3726 `7d20bdbd` Thanks @petebacondarwin! - fix: ensure that additional modules appear in the out-dir

  When using `find_additional_modules` (or `no_bundle`) we find files that will be uploaded to be deployed alongside the Worker. Previously, if an `outDir` was specified, only the Worker code was output to this directory. Now all additional modules are also output there too.

- #4067 `31270711` Thanks @mrbbot! - fix: generate valid source maps with `wrangler pages dev` on macOS

  On macOS, `wrangler pages dev` previously generated source maps with an incorrect number of `../`s in relative paths. This change ensures paths are always correct, improving support for breakpoint debugging.

- `9a7559b6` Thanks @RamIdeas! - fix: respect the options.local value in unstable_dev (it was being ignored)
- `807ab931` Thanks @mrbbot! - chore: bump `miniflare` to `3.20231002.1`
- #3726 `7d20bdbd` Thanks @petebacondarwin! - fix: allow `__STATIC_CONTENT_MANIFEST` module to be imported anywhere

  `__STATIC_CONTENT_MANIFEST` can now be imported in subdirectories when `--no-bundle` or `find_additional_modules` are enabled.

- `f585f695` Thanks @penalosa! - Log more detail about tokens after authentication errors
- `1d0b7ad5` Thanks @JacksonKearl! - Fixed `pages dev` crashing and leaving port open when building a worker script fails
- #4066 `c8b4a07f` Thanks @RamIdeas! - fix: we no longer infer pathnames from route patterns as the host

  During local development, inside your worker, the host of `request.url` is inferred from the `routes` in your config. Previously, route patterns like "*/some/path/name" would infer the host as "some". We now handle this case and determine we cannot infer a host from such patterns.

#### v3.10.1
**Patch Changes**

- `6b1c327d` Thanks @elithrar! - Fixed a bug in Vectorize that sent preset configurations with the wrong key. This was patched on the server-side to work around this for users in the meantime.

- #4054 `f8c52b93` Thanks @mrbbot! - fix: allow `wrangler pages dev` sessions to be reloaded

  Previously, `wrangler pages dev` attempted to send messages on a closed IPC channel when sources changed, resulting in an `ERR_IPC_CHANNEL_CLOSED` error. This change ensures the channel stays open until the user exits `wrangler pages dev`.

#### v3.10.0
**Minor Changes**

- `3cd72862` Thanks @elithrar! - Adds wrangler support for Vectorize, Cloudflare's new vector database, with `wrangler vectorize`. Visit the developer documentation (https://developers.cloudflare.com/vectorize/) to learn more and create your first vector database with `wrangler vectorize create my-first-index`.
- `ee6f3458` Thanks @OilyLime! - Adds support for Hyperdrive, via `wrangler hyperdrive`.

**Patch Changes**

- `bde9d64a` Thanks @ndisidore! - Adds Vectorize support uploading batches of newline delimited json (ndjson) vectors from a source file.

  Load a dataset with `vectorize insert my-index --file vectors.ndjson`

- #4028 `d5389731` Thanks @JacobMGEvans! - fix: Bulk Secret Draft Worker

  Fixes the issue of an upload of a Secret when a Worker doesn't exist yet, the draft worker is created and the secret is uploaded to it.

  Fixes https://github.com/cloudflare/wrangler-action/issues/162

#### v3.9.1
**Patch Changes**

- #3992 `35564741` Thanks @edevil! - Add AI binding that will be used to interact with the AI project.

  Example `wrangler.toml`

  Example script:

- `bc8c147a` Thanks @rozenmd! - fix: remove warning around using D1's binding, and clean up the epilogue when running D1 commands
- `9e466599` Thanks @jspspike! - Add WebGPU support through miniflare update
- `00247a8d` Thanks @edevil! - Added AI related CLI commands

#### v3.9.0
**Minor Changes**

- #3951 `e0850ad1` Thanks @mrbbot! - feat: add support for breakpoint debugging to `wrangler dev`'s `--remote` and `--no-bundle` modes

  Previously, breakpoint debugging using Wrangler's DevTools was only supported in local mode, when using Wrangler's built-in bundler. This change extends that to remote development, and `--no-bundle`. When using `--remote` and `--no-bundle` together, uncaught errors will now be source-mapped when logged too.

- #3951 `e0850ad1` Thanks @mrbbot! - feat: add support for Visual Studio Code's built-in breakpoint debugger

  Wrangler now supports breakpoint debugging with Visual Studio Code's debugger. Create a `.vscode/launch.json` file with the following contents... ...then run `wrangler dev`, and launch the configuration.

**Patch Changes**

- `bc88f0ec` Thanks @dario-piotrowicz! - update `wrangler pages dev` D1 and DO descriptions

- #3928 `95b24b1e` Thanks @JacobMGEvans! - Colorize Deployed Bundle Size

  Most bundlers, and other tooling that give you size outputs will colorize the text to indicate if the value is within certain ranges. The current range values are:

  - red 100% - 90%
  - yellow 89% - 70%
  - green <70%

  resolves #1312

#### v3.8.0
**Minor Changes**

- #3775 `3af30879` Thanks @bthwaites! - R2 Jurisdictional Restrictions guarantee objects in a bucket are stored within a specific jurisdiction. Wrangler now allows you to interact with buckets in a defined jurisdiction.

  Wrangler R2 operations now support a `-J` flag that allows the user to specify a jurisdiction. When passing the `-J` flag, you will only be able to interact with R2 resources within that jurisdiction.

#### v3.7.0
**Minor Changes**

- `a3b3765d` Thanks @jspspike! - Bump esbuild version to 0.17.19. Breaking changes to esbuild are documented here
- `40f56562` Thanks @mrbbot! - chore: bump `miniflare` to `3.20230904.0`
- #3774 `ae2d5cb5` Thanks @mrbbot! - feat: support breakpoint debugging in local mode

  `wrangler dev` now supports breakpoint debugging in local mode! Press `d` to open DevTools and set breakpoints.

#### v3.6.0
**Minor Changes**

- `a5e7c0be` Thanks @echen67! - Warn user when the last deployment was via the API

**Patch Changes**

- `18dc7b54` Thanks @GregBrimble! - feat: Add internal `wrangler pages project validate [directory]` command which validates an asset directory
- #3758 `0adccc71` Thanks @jahands! - fix: Retry deployment errors in wrangler pages publish

  This will improve reliability when deploying to Cloudflare Pages

#### v3.5.1
**Patch Changes**

- `8f5ed7fe` Thanks @DaniFoldi! - Changed the binding type of WfP Dispatch Namespaces to `DispatchNamespace`
- `e17d3096` Thanks @RamIdeas! - bump miniflare version to 3.20230814.1

#### v3.5.0
**Minor Changes**

- `e600f029` Thanks @jspspike! - Added --local option for r2 commands to interact with local persisted r2 objects
- `8e231afd` Thanks @JacobMGEvans! - secret:bulk exit 1 on failure

  Previously `secret:bulk` would only log an error on failure of any of the upload requests. Now when `secret:bulk` has an upload request fail it throws an Error which sends a `process.exit(1)` at the root `.catch()` signal. This will enable error handling in programmatic uses of `secret:bulk`.

- `ff8603b6` Thanks @jspspike! - Added --local option for kv commands to interact with local persisted kv entries
- `c302bec6` Thanks @geelen! - Removing the D1 shim from the build process, in preparation for the Open Beta. D1 can now be used with --no-bundle enabled.
- `6de3c5ec` Thanks @dario-piotrowicz! - Added handling of .mjs files to be picked up inside the Pages _worker.js directory (currently only .js files are)

**Patch Changes**

- `8f257126` Thanks @RamIdeas! - Bump the version of miniflare to 3.20230801.0

## Configuration

- 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.