chore(deps): update dependency @cloudflare/vite-plugin to v1.40.0

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/vite-plugin (source)	1.14.2 → 1.40.0

---

Release Notes

cloudflare/workers-sdk (@​cloudflare/vite-plugin)

v1.40.0

Compare Source

Minor Changes

• #​14013 3cf9d0e Thanks @​jamesopstad! - Add experimental experimental.newConfig option to load the entry Worker's configuration from cloudflare.config.ts

  This is an experimental, opt-in feature. When enabled, the plugin loads the entry Worker's configuration from a cloudflare.config.ts file instead of the usual wrangler.json / wrangler.jsonc / wrangler.toml.

  Pass true to enable with defaults, or an object to customise behaviour. Currently the only sub-option is types.generate (defaults to true), which writes a worker-configuration.d.ts file next to the config. This enables typed env and exports for your Worker and currently assumes that you have @cloudflare/workers-types installed.

  // vite.config.ts
  import { defineConfig } from "vite";
  import { cloudflare } from "@​cloudflare/vite-plugin";
  
  export default defineConfig({
    plugins: [
      cloudflare({
        experimental: {
          newConfig: true,
        },
      }),
    ],
  });

  // cloudflare.config.ts
  import {
  	defineWorker,
  	bindings,
  } from "@​cloudflare/vite-plugin/experimental-config";
  import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
  
  export default defineWorker((ctx) => ({
  	name: "my-worker",
  	entrypoint,
  	compatibilityDate: "2026-05-18",
  	env: {
  		MY_TEXT: bindings.text(`The mode is ${ctx.mode}`),
  		MY_KV: bindings.kv(),
  	},
  }));

  A few limitations apply while the feature is experimental:

  • configPath cannot be combined with experimental.newConfig. The entry Worker is always loaded from cloudflare.config.ts at the project root.
  • auxiliaryWorkers are not yet supported with experimental.newConfig.

  Because this is experimental, the option, the cloudflare.config.ts schema, and the @cloudflare/vite-plugin/experimental-config exports may change in any release.

Patch Changes

• Updated dependencies [c6c61b5, c6c61b5, a3eea27, 7a6b1a4, 7539a9b, 1fdd8de, 3b8b80a, 0bb2d55, 8400fb9, b502d54, 7949f81, d462013, c2280cd, 3b8b80a, ea12b58, acf7817]:
  • wrangler@​4.98.0
  • miniflare@​4.20260603.0

v1.39.2

Compare Source

Patch Changes

• #​13893 d8a16e7 Thanks @​penalosa! - Add an experimental, internal cf-vite delegate binary

  This adds an experimental bin/cf-vite binary that is spawned by Cloudflare's own parent tooling to drive the plugin as a long-running dev-server subprocess. It is not part of the plugin's public API surface, is not intended to be invoked directly, and its contract may change at any time without notice.

• #​14117 3c86121 Thanks @​aicayzer! - Forward response headers from the Worker on WebSocket upgrade responses

  Headers set on a new Response(null, { status: 101, webSocket, headers }) returned from the Worker are now propagated to the upgrade response sent to the browser during vite dev. Previously the headers were dropped, so cookies (Set-Cookie) and custom headers (X-*) on WebSocket handshake responses were invisible client-side — even though they were delivered correctly by wrangler dev.

• Updated dependencies [b210c5e, aec1bb8, e06cbb7, 9a26191, 5565823, 4ef790b, 890fca7, 6fc9777, 337e912, 8e7b74f, e86489a, 42288d4, 65b5f9e, 3a746ac, 64ef9fd, 94b29f7]:

  • wrangler@​4.97.0
  • miniflare@​4.20260601.0

v1.39.1

Compare Source

Patch Changes

• #​14087 e3c862a Thanks @​edmundhung! - Filter compatibility date fallback warning when no update is available

  The compatibility date warning from workerd (e.g., "The latest compatibility date supported by the installed Cloudflare Workers Runtime is...") is now only shown when a newer version of @cloudflare/vite-plugin is available. This matches the behavior in Wrangler and reduces noise when the user is already on the latest version.

  The update-check logic has been extracted to @cloudflare/workers-utils so it can be shared across packages.

• #​14080 ec70cf1 Thanks @​edmundhung! - Fix Tunnel closed being logged when no tunnel was opened

  Previously, the Vite plugin printed Tunnel closed during cleanup even when tunnel startup had never begun. This message is now only shown after tunnel startup begins, including when the tunnel is still starting or has already expired.

• Updated dependencies [e3c862a, cbb39bd, cbb39bd, 408432a, 1103c07, 7bb5c7a, 5b5cbd3, e3c862a, e3c862a, 97d7d81, c647ccc, e3c862a, e3c862a, e3c862a, e3c862a, e3c862a, b64b7e4, e3c862a, e3c862a, e4c8fd9, 2dffeeb, e3c862a, e3c862a, 4c0da7b, 972d13d, 13cbadb, 59e43e4]:

  • miniflare@​4.20260529.0
  • wrangler@​4.96.0

v1.39.0

Compare Source

Minor Changes

• #​13985 c809d30 Thanks @​jamesopstad! - Add assetsOnly (entry Worker) and devOnly (auxiliary Workers) options to the plugin config

  Both options accept a boolean or a function that returns a boolean. The function is evaluated lazily at build time, allowing frameworks to provide the value after initialization.

  Use assetsOnly on the entry Worker to skip building the Worker and instead emit an assets-only Wrangler config to the client output directory. This enables frameworks such as Astro to use the ssr environment during development but produce a fully static app for deployment.

  export default defineConfig({
    plugins: [
      cloudflare({
        assetsOnly: () => isStaticBuild,
      }),
    ],
  });

  Use devOnly on an auxiliary Worker to include it during vite dev but skip it at build time.

  export default defineConfig({
    plugins: [
      cloudflare({
        auxiliaryWorkers: [
          { configPath: "./dev-only-worker/wrangler.jsonc", devOnly: true },
        ],
      }),
    ],
  });

Patch Changes

• Updated dependencies [ca5b604, c1fd2fd, 49c1a59, fee1ce4, b3962ff, d042705, 420e457, 8b1467e]:
  • wrangler@​4.95.0
  • miniflare@​4.20260526.0

v1.38.0

Compare Source

Minor Changes

• #​13989 f598eac Thanks @​MattieTK! - Print a QR code alongside the tunnel URL when sharing via Cloudflare Tunnel

  When a tunnel is started (via wrangler dev --tunnel or the Vite plugin with tunnel: true), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.

  The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.

Patch Changes

• Updated dependencies [52e9082, 0733688, fc1f7b9, 30657e1, 8c569c6, f598eac, 3a1fbed]:
  • wrangler@​4.94.0
  • miniflare@​4.20260521.0

v1.37.3

Compare Source

Patch Changes

• #​13978 fa1f61f Thanks @​sassyconsultingllc! - Bump ws from 8.18.0 to 8.20.1 to address GHSA-58qx-3vcg-4xpx

  GHSA-58qx-3vcg-4xpx / CVE-2026-45736 reports an uninitialized-memory disclosure in ws@<8.20.1 when a TypedArray is passed as the reason argument to WebSocket.close(). The fix shipped in ws@8.20.1 on 2026-05-12. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #​13912 d803737 Thanks @​petebacondarwin! - Fix /cdn-cgi/* host validation incorrectly accepting subdomains of exact configured routes

  Miniflare's /cdn-cgi/* host/origin validator was treating exact configured routes the same as wildcard configured routes, so a request whose Host or Origin hostname was a subdomain of an exact route (e.g. sub.my-custom-site.com for a my-custom-site.com/* route) was incorrectly accepted. Exact configured routes and the configured upstream hostname are now required to match the request hostname exactly. Subdomain matching is only applied to wildcard routes such as *.example.com/*. Localhost hostnames continue to be allowed as before.

  This affects wrangler dev and local development through @cloudflare/vite-plugin, both of which use Miniflare under the hood.

• #​13919 c7eab7f Thanks @​petebacondarwin! - Fix the outbound CF-Worker header reflecting the route pattern hostname instead of the parent zone, and falling back to <worker-name>.example.com under vite dev, vitest-pool-workers, and getPlatformProxy

  Two related issues affected the CF-Worker header on outbound subrequests in local development:

  1. Under @cloudflare/vite-plugin, @cloudflare/vitest-pool-workers, and getPlatformProxy, the header fell back to <worker-name>.example.com even when routes were configured, because unstable_getMiniflareWorkerOptions and the equivalent getPlatformProxy worker-options path did not propagate a zone value to Miniflare. This broke local development against services that reject unknown CF-Worker hosts (for example, Apple WeatherKit returns 403 Forbidden).
  2. Across the above paths and wrangler dev --local, when a route used the zone_name field (for example { pattern: "foo.example.com/*", zone_name: "example.com" }), the header was set to the pattern's hostname (foo.example.com) rather than the zone name (example.com). Production sets CF-Worker to the zone name that owns the Worker, so this was inconsistent with deployed behaviour.

  Both bugs are fixed: the new unstable_getMiniflareWorkerOptions / getPlatformProxy path now propagates a zone derived from the first configured route, and all four local-dev paths now prefer a route's explicit zone_name over the pattern hostname when computing that zone. When zone_name isn't set, the existing best-effort behaviour is preserved — for wrangler dev this means dev.host is still honoured as a local override and the pattern hostname is used as a final fallback. Resolving the parent zone for zone_id-only, custom_domain, or plain-string routes would require an API lookup, so locally we still approximate it with the pattern hostname.

  Note: dev.host is intentionally not consulted by the unstable_getMiniflareWorkerOptions / getPlatformProxy paths — the dev config block is specific to wrangler dev.

• Updated dependencies [fa1f61f, 2679e05, 7e40d98, adc9221, 735852d, d803737, c7eab7f, e04e180, 59cd880, 62abf97, e8c2031, e349fe0, da0fa8c, a5c9365]:

  • miniflare@​4.20260520.0
  • wrangler@​4.93.1

v1.37.2

Compare Source

Patch Changes

• #​13098 67a881a Thanks @​raashish1601! - fix: route WebSocket upgrade requests directly to the user worker in dev mode

• Updated dependencies [aac7ca0, b25dc0d, ae047ee, a4f22bc, f78d435, aac7ca0, c5c9e20, ebf4b24, b27eb18, 895baf5, 7bcdf45]:

  • wrangler@​4.93.0
  • miniflare@​4.20260518.0

v1.37.1

Compare Source

Patch Changes

• #​13922 23800f8 Thanks @​edmundhung! - Add a tunnel shortcut hint when CLI shortcuts are printed

  The Cloudflare Vite plugin now includes a t + enter tunnel hint alongside the other CLI shortcuts it prints.

• #​13920 f579e57 Thanks @​petebacondarwin! - Honor X-Forwarded-Proto when constructing the Worker's request.url

  When running the Vite dev server behind a TLS-terminating reverse proxy or tunnel, the Worker's request.url was always http://... even though the client reached the server over https://.... This caused frameworks that perform Origin/Host checks (e.g. CSRF protection) to reject requests with 403.

  The Vite plugin now reads the X-Forwarded-Proto header from the incoming request and uses it to set the protocol of request.url. If the header is absent or invalid, the connection protocol is used as before. The same handling is applied to WebSocket upgrade URLs.

  Fixes #​13801.

• Updated dependencies [19ed49a, 3ff0a50, bf688f7, 2e72c83, 802eaf4, 506aa02, 8f5cdb1, be8a98c]:

  • miniflare@​4.20260515.0
  • wrangler@​4.92.0

v1.37.0

Compare Source

Minor Changes

• #​13903 7ce6f6f Thanks @​edmundhung! - Add named tunnel support to the cloudflare() Vite plugin

  You can now expose your local dev server publicly with a stable hostname by configuring tunnel with a named Cloudflare Tunnel:

  cloudflare({
    tunnel: { name: "my-tunnel", autoStart: true },
  });

  If autoStart is omitted or set to false, you can still start or close the tunnel by pressing t + enter.

Patch Changes

• Updated dependencies [d4794a8, 58b4403, 4352f87, a9e6741, da664d5, bdc398c, f781a2b, 1420f10, c8be316]:
  • wrangler@​4.91.0
  • miniflare@​4.20260511.0

v1.36.4

Compare Source

Patch Changes

• #​13888 2af4ce0 Thanks @​jamesopstad! - Update Vite to v8.0.12

  This updates the bundled Vite module runner to include the bug fix in vitejs/vite#22369.

• Updated dependencies [4e44ce6, b0cee1d, d878e13, 971dfe3, 971dfe3, 5d936c5]:

  • miniflare@​4.20260508.0
  • wrangler@​4.90.1

v1.36.3

Compare Source

Patch Changes

• Updated dependencies [8852b0c, 248bc08, e414e56]:
  • wrangler@​4.90.0
  • miniflare@​4.20260507.1

v1.36.2

Compare Source

Patch Changes

• Updated dependencies [dd3baf3, 5cf6f81]:
  • wrangler@​4.89.1
  • miniflare@​4.20260507.1

v1.36.1

Compare Source

Patch Changes

• #​13802 a7fd465 Thanks @​deodad! - Fix .dev.vars written for vite preview to round-trip values containing quotes

  When the plugin emits dist/<env>/.dev.vars for vite preview, it previously wrote each value as a double-quoted dotenv string with " escaped to \". dotenv (the parser wrangler uses) does not unescape \" inside double-quoted values, so values containing " arrived at the worker with literal backslashes still in them.

  The plugin now quotes strings using the first quote character that does not appear in the value (with the priority order: single → backtick → double), all of which dotenv strips correctly. If a value contains every supported quote character it throws instead of silently corrupting the value.

• Updated dependencies [2284f20, 332f527, 039bada, 18e833d, b6cea17, 1a54ac5, 53e846a, f3fed88, beff19c, af42fed, 1a54ac5]:

  • miniflare@​4.20260507.0
  • wrangler@​4.89.0

v1.36.0

Compare Source

Minor Changes

• #​13810 2b8c0cc Thanks @​jamesopstad! - Stabilize the secrets configuration property

  The secrets property in the Wrangler config file is no longer experimental and will no longer emit an experimental warning when used. Required secrets are validated during local development and deploy, and used as the source of truth for type generation.

  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #​13814 a2f9c26 Thanks @​edmundhung! - Deny additional credential files from the Vite dev server

  The Cloudflare Vite plugin now adds .npmrc, .yarnrc, .yarnrc.yml, and more certificate and key file extensions to server.fs.deny. This prevents common credential files from being fetched directly during local development.

• Updated dependencies [e07825a, 58899d8, 3020214, 0099265, 25f5ef2, bb27219, 194d75e, 12fb5db, 18b9d5b, 9f532f7, 1127114, 3ceadef, 2b8c0cc, 1a5cc86]:

  • wrangler@​4.88.0
  • miniflare@​4.20260504.0

v1.35.0

Compare Source

Minor Changes

• #​13618 c07d0cb Thanks @​jamesopstad! - Support V2 protocol for module fallback service

  When the new_module_registry compatibility flag is set, requests sent to unsafeModuleFallbackService() use a different protocol. The Vite plugin now supports both protocols in its handling of additional module types.

Patch Changes

• #​13363 6457fb3 Thanks @​courtney-sims! - Prepares router-worker for a more gradual rollout by refactoring and separating out the invocation from the business logic. In the future, this will provide space for us to route requests to new versions of router-worker based on their plan, but should make no functional difference today.

• Updated dependencies [22e1a61, 00523c8, b5ac54b, e653edf, e1eff94, 1c4d850, 6d28037, 9a1f014, e539008, 0bf64a7, 0827815, b04eedf, 6457fb3, c07d0cb, e539008]:

  • miniflare@​4.20260430.0
  • wrangler@​4.87.0

v1.34.0

Compare Source

Minor Changes

• #​13666 edcff69 Thanks @​edmundhung! - Add tunnel: true to the cloudflare() Vite plugin for sharing your local dev and preview servers via Cloudflare Quick Tunnels

  You can now expose your local dev server publicly by setting tunnel: true:

  cloudflare({
    tunnel: true,
  });

  You can also enable tunnel sharing dynamically using an environment variable:

  cloudflare({
    tunnel: process.env.ENABLE_DEV_TUNNEL === "true",
  });

  This starts a Cloudflare Quick Tunnel that gives you a random *.trycloudflare.com URL to share. The tunnel stops automatically when the dev or preview session ends. Quick tunnels don't require a Cloudflare account or any configuration.

  A warning is shown when Server-Sent Events (SSE) responses are detected through the tunnel, since quick tunnels don't support SSE.

Patch Changes

• Updated dependencies [ea943ff, 21b87b2, 62e9f2a, 9eb9e69, 2dc6175, 0a5db08, 033d6ec, ae8eae3, f2e2241, 4f6ed93, ed2f4ec, ef24ff2, 92bb8a5, 6d27479, f2e2241, 118027d, fcc491a, e6c437a, e867ac2]:
  • wrangler@​4.86.0
  • miniflare@​4.20260426.0

v1.33.2

Compare Source

Patch Changes

• #​13636 1d54fb7 Thanks @​edmundhung! - Stop denying vite.config.* files from Vite dev server access

  This allows projects to access vite.config.* files during development when needed.

• #​13653 48c61b6 Thanks @​jamesopstad! - Use the date that the plugin is built as the default compatibility date.

  When no compatibility date was set by the user, the plugin was falling back to the current date. This meant that the date could get ahead of the latest date supported by the installed version of workerd. We now populate the default compatibility date when the plugin is built. This means that it is updated with each release but then stays fixed.

• #​13634 f3cb2b2 Thanks @​jamesopstad! - Simplify /cdn-cgi/ handling

  We now only add special handling for /cdn-cgi/handler/* routes, so that trigger handlers are invoked on the User Worker.

• #​13611 6e99feb Thanks @​smaldd14! - Support Cloudflare-managed registry images in Vite plugin local dev

  Previously, using a registry.cloudflare.com image in a containers binding would crash vite dev with an unsupported error. The Vite plugin now configures the Cloudflare API client using CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID before pulling container images, matching the behavior of wrangler dev.

• Updated dependencies [5a2968a, 5680287, 3494842, 7d728fb, df9319d, d5e3c57, 3ceeec3, 7567ef7, 0a95061, 2831b54, 7fc50c1, 377715d]:

  • wrangler@​4.85.0
  • miniflare@​4.20260424.0
  • @​cloudflare/unenv-preset@​2.16.1

v1.33.1

Compare Source

Patch Changes

• Updated dependencies [8fec8b8, 2f3d7b9, a610749]:
  • miniflare@​4.20260421.0
  • wrangler@​4.84.1

v1.33.0

Compare Source

Minor Changes

• #​12600 50bf819 Thanks @​penalosa! - Use workerd's debug port to power cross-process service bindings, Durable Objects, and tail workers via the dev registry. This enables Durable Object RPC via the dev registry, and is an overall stability improvement.

Patch Changes

• #​13587 fdb32ca Thanks @​vimtor! - Allow internal Wrangler config path overrides via env

  @cloudflare/vite-plugin now checks CLOUDFLARE_VITE_WRANGLER_CONFIG_PATH when configPath is not set explicitly. This lets integrators provide generated Wrangler configs outside the project root without requiring users to thread configPath through framework config.

• Updated dependencies [05f4443, 4a9ba90, d8c895a, b35617b, 7dc0433, 8ca78bb, b6e1351, d8314c6, b35617b, 7f50300, 4fda685, be5e6a0, e456952, 59eec63, 50bf819, cc1413a, d0a9d1c, 4eb1da9, 8ca78bb, 266c418, 6d887db, 5716d69]:

  • wrangler@​4.84.0
  • miniflare@​4.20260420.0

v1.32.3

Compare Source

Patch Changes

• #​13427 c4deb1d Thanks @​edmundhung! - Harden file serving for Vite dev

  The Vite plugin now includes Wrangler config files, Vite config files, and .wrangler state files in server.fs.deny so they cannot be fetched directly from the Vite dev server.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 07a918c, [89c7829](https://redir

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Version Preview URL: ❌deployment failed.