Important
This release patches two medium-severity vulnerabilities in proxy and redirect route rules. Users relying on either are strongly encouraged to upgrade. See GHSA-5w89-w975-hf9q and GHSA-9phm-9p8f-hw5m for details.
π Enhancements
- tracing: Enable tracing channels for unstorage (#4226)
π©Ή Fixes
- Accept ipv4-mapped ipv6 loopback in vfs handler (#4212)
- route-rules: Reject out-of-scope requests (#4222)
- route-rules: Prevent open redirect via protocol-relative url bypass (#4236)
- vite: Route browser asset loads to vite when
sec-fetch-destis absent (#4238)
π Refactors
- Use built-in
escapeRegExputil (#4109)
π Documentation
π¦ Build
- Shim oxc-parser via rolldown/utils (#4237)
π Types
- vite: Make
experimental.vitetype optional (#4225)
Preset Changes
- cloudflare: Add missing types for cloudflare.wrangler.observability.traces (#4220)
- vercel: Enable
shouldAddSourcemapSupportwhen sourcemap is enabled (#4232)