Skip to content

chore(deps): Bump the npm-minor-and-patch group with 6 updates#20

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-43e6f45b0b
Jun 11, 2026
Merged

chore(deps): Bump the npm-minor-and-patch group with 6 updates#20
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-43e6f45b0b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-minor-and-patch group with 6 updates:

Package From To
@tightknitai/block-kitchen 0.8.4 0.8.5
hono 4.12.23 4.12.25
@cloudflare/vite-plugin 1.40.0 1.40.2
@cloudflare/workers-types 4.20260604.1 4.20260611.1
@types/react 19.2.16 19.2.17
wrangler 4.98.0 4.100.0

Updates @tightknitai/block-kitchen from 0.8.4 to 0.8.5

Release notes

Sourced from @​tightknitai/block-kitchen's releases.

block-kitchen: v0.8.5

0.8.5 (2026-06-11)

Bug Fixes

  • rich-text: autolink, ordered-list input rule, and soft line breaks (ENG-4850) (cf4d68a)
  • rich-text: autolink, ordered-list input rule, and soft line breaks (ENG-4850) (17eb863)
Changelog

Sourced from @​tightknitai/block-kitchen's changelog.

0.8.5 (2026-06-11)

Bug Fixes

  • rich-text: autolink, ordered-list input rule, and soft line breaks (ENG-4850) (cf4d68a)
  • rich-text: autolink, ordered-list input rule, and soft line breaks (ENG-4850) (17eb863)
Commits
  • 481e904 Merge pull request #99 from TightknitAI/release-please--branches--main--compo...
  • 9e0f15b chore(main): release block-kitchen 0.8.5
  • cf4d68a Merge pull request #98 from TightknitAI/claude/determined-einstein-7nudho
  • 17eb863 fix(rich-text): autolink, ordered-list input rule, and soft line breaks (ENG-...
  • 568bed6 chore(deps-dev): Bump the dev-dependencies group with 14 updates (#96)
  • c1f769c chore(deps): Bump the production-dependencies group (#95)
  • cbf4660 chore(deps-dev): Bump vite in /demo in the dev-dependencies group (#94)
  • See full diff in compare view

Updates hono from 4.12.23 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

Commits

Updates @cloudflare/vite-plugin from 1.40.0 to 1.40.2

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.40.2

Patch Changes

  • #14184 e305126 Thanks @​penalosa! - Drop the --config flag from the experimental internal cf-vite delegate binary.

    The wrangler config file is now discovered by cloudflare() itself rather than being passed through, keeping cf-vite's flag surface (--mode, --port, --host, --local) in sync with the sibling cf-wrangler delegate. cf-vite is an internal integration point spawned by Cloudflare tooling and is not intended to be run directly by users.

  • Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

    • wrangler@4.100.0
    • miniflare@4.20260611.0

@​cloudflare/vite-plugin@​1.40.1

Patch Changes

Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.40.2

Patch Changes

  • #14184 e305126 Thanks @​penalosa! - Drop the --config flag from the experimental internal cf-vite delegate binary.

    The wrangler config file is now discovered by cloudflare() itself rather than being passed through, keeping cf-vite's flag surface (--mode, --port, --host, --local) in sync with the sibling cf-wrangler delegate. cf-vite is an internal integration point spawned by Cloudflare tooling and is not intended to be run directly by users.

  • Updated dependencies [98c9afe, e305126, f3990b2, 4597f08, 25722ac, 41f75c0, 10b5538, 818c105, 2ae6099, 2047a32, 2047a32, e8561c2]:

    • wrangler@4.100.0
    • miniflare@4.20260611.0

1.40.1

Patch Changes

Commits

Updates @cloudflare/workers-types from 4.20260604.1 to 4.20260611.1

Commits

Updates @types/react from 19.2.16 to 19.2.17

Commits

Updates wrangler from 4.98.0 to 4.100.0

Release notes

Sourced from wrangler's releases.

wrangler@4.100.0

Minor Changes

  • #14119 2047a32 Thanks @​tahmid-23! - Serve local R2 bucket objects publicly via the dev server

    When running wrangler dev locally, objects in each local R2 binding are now reachable under /cdn-cgi/local/r2/public/<bucket-id>/<key> on the existing dev server, simulating a public bucket. The <bucket-id> is the bucket's bucket_name when set, otherwise its binding. Bindings configured with remote: true are not exposed.

  • #14202 e8561c2 Thanks @​jamesopstad! - Add experimental --x-new-config flag for authoring config in TypeScript

    This is an experimental, opt-in feature. When enabled, wrangler dev, wrangler build, wrangler deploy, wrangler versions upload, and wrangler versions deploy load the Worker's configuration from a cloudflare.config.ts file instead of wrangler.json / wrangler.jsonc / wrangler.toml. Additionally, an optional wrangler.config.ts file can be provided for Wrangler-specific dev/build configuration.

    • cloudflare.config.ts (required) — Worker runtime configuration (bindings, triggers, observability, placement, limits, compatibility, routes, etc.). Authored via defineWorker from wrangler/experimental-config.
    • wrangler.config.ts (optional) — Tooling / bundling / dev-server configuration (noBundle, minify, alias, define, rules, tsconfig, build, dev, assetsDirectory, etc.). Authored via defineWranglerConfig from wrangler/experimental-config.

    Per-environment configuration is via ctx.mode branching inside the function form of either file.

    Example cloudflare.config.ts:

    import { defineWorker, bindings } from "wrangler/experimental-config";
    import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
    export default defineWorker((ctx) => ({
    name: "my-worker",
    entrypoint,
    compatibilityDate: "2026-05-18",
    env: {
    MY_KV: bindings.kv(),
    MY_TEXT: bindings.text(The mode is ${ctx.mode}),
    },
    }));

    Example wrangler.config.ts:

    import { defineWranglerConfig } from "wrangler/experimental-config";
    export default defineWranglerConfig({
    minify: true,
    assetsDirectory: "./public",
    });

    Because this is experimental, the flag, the config formats, and the wrangler/experimental-config exports may change in any release.

Patch Changes

... (truncated)

Commits
  • 341bd13 Version Packages (#14237)
  • e8561c2 Wrangler support for experimental new config (#14202)
  • 4597f08 Bump the workerd-and-workers-types group with 2 updates (#14256)
  • 2ae6099 move build earlier in deploy path (#14259)
  • 25722ac Gate Network.enable on an attached DevTools client (#14243)
  • 98c9afe [workers-auth] Make OAuth identity and token storage injectable for reuse by ...
  • 10b5538 Improve authentication error messages with specific failure reasons (#14213)
  • e305126 [wrangler] Add cf-wrangler delegate entrypoint; remove @​cloudflare/wrangler-b...
  • 818c105 Improve R2 Sippy error messages (#14233)
  • f3990b2 Bump the workerd-and-workers-types group with 2 updates (#14246)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the npm-minor-and-patch group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [@tightknitai/block-kitchen](https://github.com/TightknitAI/block-kitchen) | `0.8.4` | `0.8.5` |
| [hono](https://github.com/honojs/hono) | `4.12.23` | `4.12.25` |
| [@cloudflare/vite-plugin](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/vite-plugin-cloudflare) | `1.40.0` | `1.40.2` |
| [@cloudflare/workers-types](https://github.com/cloudflare/workerd) | `4.20260604.1` | `4.20260611.1` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.16` | `19.2.17` |
| [wrangler](https://github.com/cloudflare/workers-sdk/tree/HEAD/packages/wrangler) | `4.98.0` | `4.100.0` |


Updates `@tightknitai/block-kitchen` from 0.8.4 to 0.8.5
- [Release notes](https://github.com/TightknitAI/block-kitchen/releases)
- [Changelog](https://github.com/TightknitAI/block-kitchen/blob/main/CHANGELOG.md)
- [Commits](TightknitAI/block-kitchen@block-kitchen-v0.8.4...block-kitchen-v0.8.5)

Updates `hono` from 4.12.23 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.25)

Updates `@cloudflare/vite-plugin` from 1.40.0 to 1.40.2
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Changelog](https://github.com/cloudflare/workers-sdk/blob/main/packages/vite-plugin-cloudflare/CHANGELOG.md)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/@cloudflare/vite-plugin@1.40.2/packages/vite-plugin-cloudflare)

Updates `@cloudflare/workers-types` from 4.20260604.1 to 4.20260611.1
- [Release notes](https://github.com/cloudflare/workerd/releases)
- [Changelog](https://github.com/cloudflare/workerd/blob/main/RELEASE.md)
- [Commits](https://github.com/cloudflare/workerd/commits)

Updates `@types/react` from 19.2.16 to 19.2.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `wrangler` from 4.98.0 to 4.100.0
- [Release notes](https://github.com/cloudflare/workers-sdk/releases)
- [Commits](https://github.com/cloudflare/workers-sdk/commits/wrangler@4.100.0/packages/wrangler)

---
updated-dependencies:
- dependency-name: "@tightknitai/block-kitchen"
  dependency-version: 0.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@cloudflare/vite-plugin"
  dependency-version: 1.40.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: "@cloudflare/workers-types"
  dependency-version: 4.20260611.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-and-patch
- dependency-name: wrangler
  dependency-version: 4.100.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 11, 2026
@github-actions github-actions Bot merged commit 5ee3bf7 into main Jun 11, 2026
1 check passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-minor-and-patch-43e6f45b0b branch June 11, 2026 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants