Patch Changes
- #13978 fa1f61f Thanks @sassyconsultingllc! - Bump `ws` from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in `ws@<8.20.1` when a `TypedArray` is passed as the reason argument to `WebSocket.close()`. The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that `miniflare`, `wrangler`, and `@cloudflare/vite-plugin` all pick up the patched release.

- #13977 2679e05 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  | Dependency | From         | To           |
  | ---------- | ------------ | ------------ |
  | workerd    | 1.20260518.1 | 1.20260519.1 |

- #13984 7e40d98 Thanks @dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  | Dependency | From         | To           |
  | ---------- | ------------ | ------------ |
  | workerd    | 1.20260519.1 | 1.20260520.1 |

- #13912 d803737 Thanks @petebacondarwin! - Fix `/cdn-cgi/*` host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's `/cdn-cgi/*` host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose `Host` or `Origin` hostname was a subdomain of an exact route (e.g. `sub.my-custom-site.com` for a `my-custom-site.com/*` route) was incorrectly accepted. Exact configured routes and the configured `upstream` hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as `*.example.com/*`. Localhost hostnames continue to be allowed as before.

  This affects `wrangler dev` and local development through `@cloudflare/vite-plugin`, both of which use Miniflare under the hood.

- #13971 59cd880 Thanks @petebacondarwin! - Improve error diagnostics in the Browser Run binding worker

  When the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback `/browser/launch` endpoint returned a 500 with a stack-trace text body — the binding worker would call `response.json()` on the non-JSON body and throw an opaque `SyntaxError: Unexpected token X, "..." is not valid JSON`. The actual upstream error message (e.g. `Chrome readiness probe at ... timed out after 5000ms`) was discarded.

  The binding worker now reads the response body as text first, surfaces the HTTP status and body content in the thrown error, and chains the original `SyntaxError` via `cause` when the body was a 2xx response that didn't parse as JSON. This makes both local-dev failures and CI test flakes self-diagnosing.

- #13980 e8c2031 Thanks @petebacondarwin! - Recover from corrupted `@puppeteer/browsers` cache when launching a Browser Run session

  When Miniflare's local Browser Run binding launches Chrome, it calls `@puppeteer/browsers`' `install()` to ensure the binary is present. If a previous `install()` was interrupted mid-extraction (test timeout, process kill, antivirus quarantine), the cache directory can be left partially populated — the folder exists but the executable inside it is missing. `install()` then throws `The browser folder (...) exists but the executable (...) is missing` on every subsequent call within the same process and the entire test session, breaking every later Browser Run operation until the cache is manually cleared.

  `launchBrowser` now catches that specific error, removes the corrupted cache directory, and retries `install()` once. If the corruption persists after cleanup, the original error is rethrown with a clearer message.

  This complements #13971, which surfaced the original error from inside the binding worker. With that diagnostic in place and this self-healing layer, the previously-intermittent "browser folder exists but executable missing" failure mode should no longer fail an entire CI run.
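
The exact-versus-wildcard rule described under #13912, as an added example that is not Miniflare's own code. The function names, the localhost list, the `legacy` flag (which reproduces the behaviour the entry describes as the bug) and the choice that a wildcard route matches subdomains only are assumptions made for illustration.

```javascript
// Added illustration of the #13912 rule; not Miniflare's implementation.
// All function names and the localhost list below are assumptions.
const LOCAL_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// "*.example.com/*" -> { wildcard: true, host: "example.com" }
// "my-custom-site.com/*" -> { wildcard: false, host: "my-custom-site.com" }
function parseRoute(route) {
  const host = route.split("/")[0].toLowerCase();
  return host.startsWith("*.")
    ? { wildcard: true, host: host.slice(2) }
    : { wildcard: false, host };
}

// Accepts a Host value ("a.com:8787") or an Origin value ("http://a.com:8787").
function hostnameOf(headerValue) {
  try {
    const raw = headerValue.includes("://") ? headerValue : `http://${headerValue}`;
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null; // unparseable header: reject
  }
}

// legacy=true reproduces the behaviour described as the bug: an exact route
// also accepts its subdomains. The leading "." in the suffix check keeps
// "evilexample.com" from matching "example.com".
function routeMatches(hostname, { wildcard, host }, legacy) {
  const isSubdomain = hostname.endsWith(`.${host}`);
  if (wildcard) return isSubdomain;
  return hostname === host || (legacy && isSubdomain);
}

function isAllowedHost(headerValue, { routes = [], upstream } = {}, legacy = false) {
  const hostname = hostnameOf(headerValue);
  if (hostname === null) return false;
  if (LOCAL_HOSTNAMES.has(hostname)) return true;
  // The configured upstream hostname must match exactly.
  if (upstream && hostname === upstream.toLowerCase()) return true;
  return routes.some((r) => routeMatches(hostname, parseRoute(r), legacy));
}

// Constructed sample configuration and requests.
const config = { routes: ["my-custom-site.com/*", "*.example.com/*"], upstream: "origin.test" };
for (const h of ["my-custom-site.com", "sub.my-custom-site.com", "a.example.com:8787"]) {
  console.log(h, "legacy:", isAllowedHost(h, config, true), "fixed:", isAllowedHost(h, config));
}
```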