chore(deps-dev): bump miniflare from 4.20260515.0 to 4.20260521.0

[dependabot]

Bumps miniflare from 4.20260515.0 to 4.20260521.0.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260521.0

Patch Changes

• #13993 0733688 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260520.1	1.20260521.1

• #13999 30657e1 Thanks @​edmundhung! - Fix TCP requests failing when outboundService is configured

  Workers using outboundService can now open TCP connections with cloudflare:sockets. Previously, TCP requests could throw an error when a custom outbound service was configured.

miniflare@4.20260520.0

Patch Changes

• #13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #13977 2679e05 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260518.1	1.20260519.1

• #13984 7e40d98 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260519.1	1.20260520.1

• #13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

  This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

• #13971 59cd880 Thanks @​petebacondarwin! - Improve error diagnostics in the Browser Run binding worker

  When the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback /browser/launch endpoint returned a 500 with a stack-trace text body — the binding worker would call response.json() on the non-JSON body and throw an opaque SyntaxError: Unexpected token X, "..." is not valid JSON. The actual upstream error message (e.g. Chrome readiness probe at ... timed out after 5000ms) was discarded.

  The binding worker now reads the response body as text first, surfaces the HTTP status and body content in the thrown error, and chains the original SyntaxError via cause when the body was a 2xx response that didn't parse as JSON. This makes both local-dev failures and CI test flakes self-diagnosing.

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260521.0

Patch Changes

• #13993 0733688 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260520.1	1.20260521.1

• #13999 30657e1 Thanks @​edmundhung! - Fix TCP requests failing when outboundService is configured

  Workers using outboundService can now open TCP connections with cloudflare:sockets. Previously, TCP requests could throw an error when a custom outbound service was configured.

4.20260520.0

Patch Changes

• #13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #13977 2679e05 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260518.1	1.20260519.1

• #13984 7e40d98 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260519.1	1.20260520.1

• #13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

  This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

• #13971 59cd880 Thanks @​petebacondarwin! - Improve error diagnostics in the Browser Run binding worker

  When the local Browser Run binding failed to reach an upstream — for example when Chrome failed to launch and miniflare's loopback /browser/launch endpoint returned a 500 with a stack-trace text body — the binding worker would call response.json() on the non-JSON body and throw an opaque SyntaxError: Unexpected token X, "..." is not valid JSON. The actual upstream error message (e.g. Chrome readiness probe at ... timed out after 5000ms) was discarded.

... (truncated)

Commits

• b92f87c Version Packages (#13995)
• 30657e1 fix(miniflare): allow tcp connection when a outboundService is configured (#1...
• 0733688 build(deps): bump the workerd-and-workers-types group with 2 updates (#13993)
• 8c569c6 [wrangler] Include column names in D1 SQL export (#12277)
• 65a4b4e document local explorer via agent skill (#13987)
• 5ee65d5 Version Packages (#13969)
• 7e40d98 build(deps): bump the workerd-and-workers-types group across 1 directory with...
• 25c3d9f [ci] Cache Chrome binary across CI runs for Browser Run tests (#13981)
• e8c2031 [miniflare] Recover from corrupted @​puppeteer/browsers cache in launchBrowser...
• 2679e05 build(deps): bump the workerd-and-workers-types group with 2 updates (#13977)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Bundle Report

Bundle size has no change ✅

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (03b7b97) to head (809ce13).

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #165   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           21        21           
  Lines          588       588           
  Branches       155       155           
=========================================
  Hits           588       588           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dependabot]

Superseded by #166.