chore(deps): Bump the minor-and-patch group across 1 directory with 4 updates #35

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/bun/main/minor-and-patch-00717f9067

dependabot[bot] commented on behalf of github on May 4, 2026

Bumps the minor-and-patch group with 4 updates in the / directory: hono, yaml, @cloudflare/vitest-pool-workers and wrangler.

Updates hono from 4.12.15 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

Commits

Updates yaml from 2.8.3 to 2.8.4

Release notes

Sourced from yaml's releases.

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)
Commits

Updates @cloudflare/vitest-pool-workers from 0.15.1 to 0.15.2

Release notes

Sourced from @​cloudflare/vitest-pool-workers's releases.

@​cloudflare/vitest-pool-workers@​0.15.2

Patch Changes

Changelog

Sourced from @​cloudflare/vitest-pool-workers's changelog.

0.15.2

Patch Changes

Commits

Updates wrangler from 4.86.0 to 4.87.0

Release notes

Sourced from wrangler's releases.

wrangler@4.87.0

Minor Changes

  • #13726 b5ac54b Thanks @​penalosa! - Hard fail on Node.js < 22

    Wrangler no longer supports Node.js 20.x, as it reached end-of-life on 2026-04-30. The minimum supported Node.js version is now 22.0.0. See https://github.com/nodejs/release?tab=readme-ov-file#end-of-life-releases.

  • #13717 9a1f014 Thanks @​NuroDev! - Add an experimental experimental_generateTypes() programmatic API.

    Wrangler now exposes experimental_generateTypes() from the package root so you can generate Worker types in code using the same logic as wrangler types. The API supports the same core type-generation options (including env/runtime toggles) and returns structured output with separate env and runtime content alongside the combined formatted output.

Patch Changes

  • #13732 22e1a61 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency  From          To
    workerd     1.20260426.1  1.20260429.1
  • #13754 00523c8 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency  From          To
    workerd     1.20260429.1  1.20260430.1
  • #13711 1c4d850 Thanks @​dario-piotrowicz! - fix: skip auto-config and OpenNext delegation when --config is explicitly provided

    When --config is passed to wrangler deploy, the user is explicitly targeting a specific Worker configuration. Previously, wrangler would ignore --config and delegate to opennextjs-cloudflare deploy if it detected an OpenNext project in the working directory, silently deploying the wrong Worker. Now, both auto-config detection and OpenNext delegation are skipped when --config is provided, matching the existing behavior for --script and --assets.

  • #13735 6d28037 Thanks @​edmundhung! - Improve config-schema.json hover text in more editors

    Wrangler now emits markdownDescription in config-schema.json alongside the existing description field. Editors that support rich JSON Schema hovers can use that markdown directly instead of rendering escaped links and formatting.

  • #13722 0827815 Thanks @​MattieTK! - Improve safe telemetry categorisation for user-facing Wrangler errors.

  • #13116 e539008 Thanks @​dario-piotrowicz! - Allow getPlatformProxy and unstable_getMiniflareWorkerOptions to start when the assets directory does not exist yet

    Previously, getPlatformProxy would catch and swallow NonExistentAssetsDirError internally when the configured assets directory was absent on disk. This has been refactored so that the directory-existence check is skipped entirely for getPlatformProxy and unstable_getMiniflareWorkerOptions, since these APIs are typically used at dev time in frameworks where the assets directory is a build output that may not exist yet.

    wrangler dev, wrangler deploy, wrangler versions upload, and wrangler triggers deploy continue to require the assets directory to exist when specified.

  • Updated dependencies [22e1a61, 00523c8, b5ac54b, e653edf, e1eff94, e539008, 0bf64a7, b04eedf, 6457fb3, c07d0cb]:

    • miniflare@4.20260430.0
    • @​cloudflare/kv-asset-handler@​0.5.0
Commits
  • 47cf644 Version Packages (#13714)
  • e653edf fix(miniflare): expose send_email in platform proxy (#13723)
  • 0827815 [wrangler] Add safe telemetry labels for user errors (#13722)
  • 9a1f014 feat(wrangler): Add programmatic type generation API (#13717)
  • e539008 Allow users to run getPlatformProxy on static asset workers when the assets...
  • 00523c8 Bump the workerd-and-workers-types group with 2 updates (#13754)
  • 6d28037 fix(wrangler): emit markdownDescription in config schema (#13735)
  • 22e1a61 Bump the workerd-and-workers-types group with 2 updates (#13732)
  • b5ac54b Hard fail on Node.js < 22 (#13726)
  • 0bf64a7 fix(miniflare): Skip creating hyperdrive proxy server for local database (#13...
  • Additional commits viewable in compare view

… updates

Bumps the minor-and-patch group with 4 updates in the / directory: [hono](https://github.com/honojs/hono), [yaml](https://github.com/eemeli/yaml), [@cloudflare/vitest-pool-workers](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vitest-pool-workers) and [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler).


Updates `hono` from 4.12.15 to 4.12.16
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.15...v4.12.16)

Updates `yaml` from 2.8.3 to 2.8.4
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.3...v2.8.4)

Updates `@cloudflare/vitest-pool-workers` from 0.15.1 to 0.15.2
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vitest-pool-workers/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vitest-pool-workers@0.15.2/packages/vitest-pool-workers)

Updates `wrangler` from 4.86.0 to 4.87.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.87.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: yaml
  dependency-version: 2.8.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@cloudflare/vitest-pool-workers"
  dependency-version: 0.15.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: wrangler
  dependency-version: 4.87.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
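
The Body Limit Middleware fix in the hono 4.12.16 release notes above concerns request bodies without a reliable Content-Length. As an added illustration (not Hono's code and not part of this PR; every name is hypothetical and the sample request is constructed), this compares a header-only size gate with counting bytes as they arrive:

```javascript
// Added illustration; not Hono's implementation. All names are hypothetical.
class BodyTooLargeError extends Error {}

// Weak gate: trusts only the declared length. A chunked request carries no
// Content-Length, so it passes regardless of how much data follows.
function headerOnlyGate(headers, maxSize) {
  const declared = headers['content-length'];
  return declared === undefined || Number(declared) <= maxSize;
}

// Hardened: reject an oversized declared length up front, then count bytes as
// they arrive so the consumer never receives more than maxSize.
function* limitBody(headers, chunks, maxSize) {
  const declared = headers['content-length'];
  // Content-Length is not reliable when Transfer-Encoding is present.
  if (!('transfer-encoding' in headers) && Number(declared) > maxSize) {
    throw new BodyTooLargeError('declared length over limit');
  }
  let seen = 0;
  for (const chunk of chunks) {
    seen += chunk.byteLength;
    if (seen > maxSize) throw new BodyTooLargeError('streamed body over limit');
    yield chunk;
  }
}

// Hypothetical pipeline: the handler reads the body; an over-limit error
// becomes 413 before any success response is produced.
function serve(body) {
  let size = 0;
  try {
    for (const chunk of body) size += chunk.byteLength;
    return { status: 200, size };
  } catch (err) {
    if (err instanceof BodyTooLargeError) return { status: 413, size };
    throw err;
  }
}

// Constructed sample: chunked upload of 3 x 400 bytes against a 1000-byte cap.
const MAX = 1000;
const chunkedHeaders = { 'transfer-encoding': 'chunked' };
const upload = [400, 400, 400].map((n) => new Uint8Array(n));

function demo() {
  const weak = headerOnlyGate(chunkedHeaders, MAX)
    ? serve(upload)
    : { status: 413, size: 0 };
  const strict = serve(limitBody(chunkedHeaders, upload, MAX));
  return { weak, strict };
}

console.log(demo());
```

In a real Worker the counting step would sit in a stream transform in front of the handler; the generator here stands in for that so the example runs synchronously.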
dependabot[bot] added the area/deps (Dependencies), workflow/auto-pr (If the PR has been automatically created) and workflow/dependabot (Dependabot bumps) labels on May 4, 2026

github-actions[bot] commented on May 4, 2026

Hello @dependabot[bot]! Thank you for your contribution.

If you are fixing a bug, please reference the issue number in the description.
If you are implementing a feature request, please check with the maintainers that the feature will be accepted first.

github-actions[bot] added the size/s (<= 150 lines & <= 10 file) label on May 4, 2026