cloudflare/workers-sdk @cloudflare/vitest-pool-workers@0.12.7

on GitHub

Patch Changes

• #12056 6d5f69f Thanks @edmundhung! - fix: allow Vite query parameters like ?raw on .sql file imports

  Importing .sql files with Vite query parameters (e.g., import sql from "./query.sql?raw") would fail with "No such module" errors in vitest-pool-workers 0.12.x. Both import styles now work:

  • import sql from "./query.sql?raw" (Vite handles the ?raw transform)
  • import sql from "./query.sql" (loaded as Text module)

• #11917 7b40ceb Thanks @ksawaneh! - Fix CommonJS require() of .json files in the module fallback service (avoids SyntaxError: Unexpected token ':').

• #11897 bbd8a5e Thanks @dario-piotrowicz! - Bundle the zod dependency to reduce supply chain attack surface

  In order to prevent possible npm vulnerability attacks, the team's policy is to bundle
  dependencies in our packages where possible. This helps ensure that only trusted code
  runs on the user's system, even if compromised packages are later published to npm.

  This change bundles zod (a pure JavaScript validation library with no native dependencies)
  into miniflare and @cloudflare/vitest-pool-workers.

  Other dependencies remain external for technical reasons:

  • sharp: Native binary with platform-specific builds
  • undici: Dynamically required at runtime in worker threads
  • ws: Has optional native bindings for performance
  • workerd: Native binary (Cloudflare's JavaScript runtime)
  • @cspotcode/source-map-support: Uses require.cache manipulation at runtime
  • youch: Dynamically required for lazy loading

• Updated dependencies [a0a9ef6, ad4666c, 014e7aa, e414f05, 77e82d2, f08ef21, 0641e6c, eacedba, 05714f8, e8b2ef5, bbd8a5e]:

  • wrangler@4.61.0
  • miniflare@4.20260124.0