fix(deps): update dependency wrangler to v3.19.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wrangler (source)	3.10.1 -> 3.19.0

GitHub Vulnerability Alerts

CVE-2023-7079

Impact

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.

Patches

This issue was fixed in wrangler@3.19.0. Wrangler will now only serve files that are part of your bundle, or referenced by your bundle's source maps.

Workarounds

Configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1. This is the default as of wrangler@3.16.0, and removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

• https://github.com/cloudflare/workers-sdk/pull/4532
• https://github.com/cloudflare/workers-sdk/pull/4535

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

• https://github.com/cloudflare/workers-sdk/issues/4430
• https://github.com/cloudflare/workers-sdk/pull/4437
• https://github.com/cloudflare/workers-sdk/pull/4535
• https://github.com/cloudflare/workers-sdk/pull/4550

---

Release Notes

cloudflare/workers-sdk (wrangler)

v3.19.0

Compare Source

Minor Changes

• #​4547 86c81ff0 Thanks @​mrbbot! - fix: listen on IPv4 loopback only by default on Windows

  Due to a known issue, workerd will only listen on the IPv4 loopback address 127.0.0.1 when it's asked to listen on localhost. On Node.js > 17, localhost will resolve to the IPv6 loopback address, meaning requests to workerd would fail. This change switches to using the IPv4 loopback address throughout Wrangler on Windows, while workerd#1408 gets fixed.

• #​4535 29df8e17 Thanks @​mrbbot! - Reintroduces some internal refactorings of wrangler dev servers (including wrangler dev, wrangler dev --remote, and unstable_dev()).

  These changes were released in 3.13.0 and reverted in 3.13.1 -- we believe the changes are now more stable and ready for release again.

  There are no changes required for developers to opt-in. Improvements include:

  • fewer 'address in use' errors upon reloads
  • upon config/source file changes, requests are buffered to guarantee the response is from the new version of the Worker

Patch Changes

• #​4521 6c5bc704 Thanks @​zebp! - fix: init from dash specifying explicit usage model in wrangler.toml for standard users

• #​4550 63708a94 Thanks @​mrbbot! - fix: validate Host and Orgin headers where appropriate

  Host and Origin headers are now checked when connecting to the inspector and Miniflare's magic proxy. If these don't match what's expected, the request will fail.

• Updated dependencies [71fb0b86, 63708a94]:

  • miniflare@3.20231030.3

v3.18.0

Compare Source

Minor Changes

• #​4532 311ffbd5 Thanks @​mrbbot! - fix: change wrangler (pages) dev to listen on localhost by default

  Previously, Wrangler listened on all interfaces (*) by default. This change switches wrangler (pages) dev to just listen on local interfaces. Whilst this is technically a breaking change, we've decided the security benefits outweigh the potential disruption caused. If you need to access your dev server from another device on your network, you can use wrangler (pages) dev --ip * to restore the previous behaviour.

Patch Changes

• Updated dependencies [1b348782]:
  • miniflare@3.20231030.2

v3.17.1

Compare Source

Patch Changes

• #​4474 382ef8f5 Thanks @​mrbbot! - fix: open browser to correct url pressing b in --remote mode

  This change ensures Wrangler doesn't try to open http://* when * is used as the dev server's hostname. Instead, Wrangler will now open http://127.0.0.1.

• #​4488 3bd57238 Thanks @​RamIdeas! - Changes the default directory for log files to workaround frameworks that are watching the entire .wrangler directory in the project root for changes

  Also includes a fix for commands with --json where the log file location message would cause stdout to not be valid JSON. That message now goes to stderr.

v3.17.0

Compare Source

Minor Changes

• #​4341 d9908743 Thanks @​RamIdeas! - Wrangler now writes all logs to a .log file in the .wrangler directory. Set a directory or specific .log filepath to write logs to with WRANGLER_LOG_PATH=../Desktop/my-logs/ or WRANGLER_LOG_PATH=../Desktop/my-logs/my-log-file.log. When specifying a directory or using the default location, a filename with a timestamp is used.

  Wrangler now filters workerd stdout/stderr and marks unactionable messages as debug logs. These debug logs are still observable in the debug log file but will no longer show in the terminal by default without the user setting the env var WRANGLER_LOG=debug.

Patch Changes

• #​4469 d5e1966b Thanks @​mrbbot! - fix: report correct line and column numbers when source mapping errors with wrangler dev --remote

• #​4455 1747d215 Thanks @​rozenmd! - fix: make it possible to ignore hyperdrive warnings

• #​4456 805d5241 Thanks @​dario-piotrowicz! - add warnings about ai and verctorize bindings not being supported locally

• #​4478 7b54350b Thanks @​penalosa! - Don't log sensitive data to the Wrangler debug log file by default. This includes API request headers and responses.

• Updated dependencies [be2b9cf5, d9908743]:

  • miniflare@3.20231030.1

v3.16.0

Compare Source

Minor Changes

• #​4347 102e15f9 Thanks @​Skye-31! - Feat(unstable_dev): Provide an option for unstable_dev to perform the check that prompts users to update wrangler, defaulting to false. This will prevent unstable_dev from sending a request to NPM on startup to determine whether it needs to be updated.

• #​4179 dd270d00 Thanks @​matthewdavidrodgers! - Simplify secret:bulk api via script settings

  Firing PUTs to the secret api in parallel has never been a great solution - each request independently needs to lock the script, so running in parallel is at best just as bad as running serially.

  Luckily, we have the script settings PATCH api now, which can update the settings for a script (including secret bindings) at once, which means we don't need any parallelization. However this api doesn't work with a partial list of bindings, so we have to fetch the current bindings and merge in with the new secrets before PATCHing. We can however just omit the value of the binding (i.e. only provide the name and type) which instructs the config service to inherit the existing value, which simplifies this as well. Note that we don't use the bindings in your current wrangler.toml, as you could be in a draft state, and it makes sense as a user that a bulk secrets update won't update anything else. Instead, we use script settings api again to fetch the current state of your bindings.

  This simplified implementation means the operation can only fail or succeed, rather than succeeding in updating some secrets but failing for others. In order to not introduce breaking changes for logging output, the language around "${x} secrets were updated" or "${x} secrets failed" is kept, even if it doesn't make much sense anymore.

Patch Changes

• #​4402 baa76e77 Thanks @​rozenmd! - This PR adds a fetch handler that uses page, assuming result_info provided by the endpoint contains page, per_page, and total

  This is needed as the existing fetchListResult handler for fetching potentially paginated results doesn't work for endpoints that don't implement cursor.

  Fixes #​4349

• #​4337 6c8f41f8 Thanks @​Skye-31! - Improve the error message when a script isn't exported a Durable Object class

  Previously, wrangler would error with a message like Uncaught TypeError: Class extends value undefined is not a constructor or null. This improves that messaging to be more understandable to users.

• #​4307 7fbe1937 Thanks @​jspspike! - Change local dev server default ip to * instead of 0.0.0.0. This will cause the dev server to listen on both ipv4 and ipv6 interfaces

• #​4222 f867e01c Thanks @​tmthecoder! - Support for hyperdrive bindings in local wrangler dev

• #​4149 7e05f38e Thanks @​jspspike! - Fixed issue with tail not using proxy

• #​4219 0453b447 Thanks @​maxwellpeterson! - Allows uploads with both cron triggers and smart placement enabled

• #​4437 05b1bbd2 Thanks @​jspspike! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces

• Updated dependencies [4f8b3420, 16cc2e92, 3637d97a, 29a59d4e, 7fbe1937, 76787861, 8a25b7fb]:

  • miniflare@3.20231030.0

v3.15.0

Compare Source

Minor Changes

• #​4201 0cac2c46 Thanks @​penalosa! - Callout --minify when script size is too large

• #​4209 24d1c5cf Thanks @​mrbbot! - fix: suppress compatibility date fallback warnings if no wrangler update is available

  If a compatibility date greater than the installed version of workerd was
  configured, a warning would be logged. This warning was only actionable if a new
  version of wrangler was available. The intent here was to warn if a user set
  a new compatibility date, but forgot to update wrangler meaning changes
  enabled by the new date wouldn't take effect. This change hides the warning if
  no update is available.

  It also changes the default compatibility date for wrangler dev sessions
  without a configured compatibility date to the installed version of workerd.
  This previously defaulted to the current date, which may have been unsupported
  by the installed runtime.

• #​4135 53218261 Thanks @​Cherry! - feat: resolve npm exports for file imports

  Previously, when using wasm (or other static files) from an npm package, you would have to import the file like so:

  import wasm from "../../node_modules/svg2png-wasm/svg2png_wasm_bg.wasm";

  This update now allows you to import the file like so, assuming it's exposed and available in the package's exports field:

  import wasm from "svg2png-wasm/svg2png_wasm_bg.wasm";

  This will look at the package's exports field in package.json and resolve the file using resolve.exports.

• #​4232 69b43030 Thanks @​romeupalos! - fix: use zone_name to determine a zone when the pattern is a custom hostname

  In Cloudflare for SaaS, custom hostnames of third party domain owners can be used in Cloudflare.
  Workers are allowed to intercept these requests based on the routes configuration.
  Before this change, the same logic used by wrangler dev was used in wrangler deploy, which caused wrangler to fail with:

  ✘ [ERROR] Could not find zone for [partner-saas-domain.com]

• #​4198 b404ab70 Thanks @​penalosa! - When uploading additional modules with your worker, Wrangler will now report the (uncompressed) size of each individual module, as well as the aggregate size of your Worker

Patch Changes

• #​4215 950bc401 Thanks @​RamIdeas! - fix various logging of shell commands to correctly quote args when needed

• #​4274 be0c6283 Thanks @​jspspike! - chore: bump miniflare to 3.20231025.0

  This change enables Node-like console.log()ing in local mode. Objects with
  lots of properties, and instances of internal classes like Request, Headers,
  ReadableStream, etc will now be logged with much more detail.

• #​4127 3d55f965 Thanks @​mrbbot! - fix: store temporary files in .wrangler

  As Wrangler builds your code, it writes intermediate files to a temporary
  directory that gets cleaned up on exit. Previously, Wrangler used the OS's
  default temporary directory. On Windows, this is usually on the C: drive.
  If your source code was on a different drive, our bundling tool would generate
  invalid source maps, breaking breakpoint debugging. This change ensures
  intermediate files are always written to the same drive as sources. It also
  ensures unused build outputs are cleaned up when running wrangler pages dev.

  This change also means you no longer need to set cwd and
  resolveSourceMapLocations in .vscode/launch.json when creating an attach
  configuration for breakpoint debugging. Your .vscode/launch.json should now
  look something like...

  {
  	"configurations": [
  		{
  			"name": "Wrangler",
  			"type": "node",
  			"request": "attach",
  			"port": 9229,
  			// These can be omitted, but doing so causes silent errors in the runtime
  			"attachExistingChildren": false,
  			"autoAttachChildProcesses": false
  		}
  	]
  }

• #​4189 05798038 Thanks @​gabivlj! - Move helper cli files of C3 into @​cloudflare/cli and make Wrangler and C3 depend on it

• #​4235 46cd2df5 Thanks @​mrbbot! - fix: ensure console.log()s during startup are displayed

  Previously, console.log() calls before the Workers runtime was ready to
  receive requests wouldn't be shown. This meant any logs in the global scope
  likely weren't visible. This change ensures startup logs are shown. In particular,
  this should fix Remix's HMR,
  which relies on startup logs to know when the Worker is ready.

v3.14.0

Compare Source

Minor Changes

• #​4204 38fdbe9b Thanks @​matthewdavidrodgers! - Support user limits for CPU time

  User limits provided via script metadata on upload

  Example configuration:

  [limits]
  cpu_ms = 20000
  

• #​2162 a1f212e6 Thanks @​WalshyDev! - add support for service bindings in wrangler pages dev by providing the
  new --service|-s flag which accepts an array of BINDING_NAME=SCRIPT_NAME
  where BINDING_NAME is the name of the binding and SCRIPT_NAME is the name
  of the worker (as defined in its wrangler.toml), such workers need to be
  running locally with with wrangler dev.

  For example if a user has a worker named worker-a, in order to locally bind
  to that they'll need to open two different terminals, in each navigate to the
  respective worker/pages application and then run respectively wrangler dev and
  wrangler pages ./publicDir --service MY_SERVICE=worker-a this will add the
  MY_SERVICE binding to pages' worker env object.

  Note: additionally after the SCRIPT_NAME the name of an environment can be specified,
  prefixed by an @ (as in: MY_SERVICE=SCRIPT_NAME@PRODUCTION), this behavior is however
  experimental and not fully properly defined.

v3.13.2

Compare Source

Patch Changes

• #​4206 8e927170 Thanks @​1000hz! - chore: bump miniflare to 3.20231016.0

• #​4144 54800f6f Thanks @​a-robinson! - Log a warning when using a Hyperdrive binding in local wrangler dev

v3.13.1

Compare Source

Patch Changes

• #​4171 88f15f61 Thanks @​penalosa! - patch: This release fixes some regressions related to running wrangler dev that were caused by internal refactoring of the dev server architecture (#​3960). The change has been reverted, and will be added back in a future release.

v3.13.0

Compare Source

Minor Changes

• #​4161 403bc25c Thanks @​RamIdeas! - Fix wrangler generated types to match runtime exports

• #​3960 c36b78b4 Thanks @​RamIdeas! - Refactoring the internals of wrangler dev servers (including wrangler dev, wrangler dev --remote and unstable_dev()).

  There are no changes required for developers to opt-in. Improvements include:

  • fewer 'address in use' errors upon reloads
  • upon config/source file changes, requests are buffered to guarantee the response is from the new version of the Worker

Patch Changes

• #​3590 f4ad634a Thanks @​penalosa! - fix: When a middleware is configured which doesn't support your Worker's script format, fail early with a helpful error message

v3.12.0

Compare Source

Minor Changes

• #​4071 f880a009 Thanks @​matthewdavidrodgers! - Support TailEvent messages in Tail sessions

  When tailing a tail worker, messages previously had a null event property. Following https://github.com/cloudflare/workerd/pull/1248, these events have a valid event, specifying which scripts produced events that caused your tail worker to run.

  As part of rolling this out, we're filtering out tail events in the internal tail infrastructure, so we control when these new messages are forward to tail sessions, and can merge this freely.

  One idiosyncracy to note, however, is that tail workers always report an "OK" status, even if they run out of memory or throw. That is being tracked and worked on separately.

• #​2397 93833f04 Thanks @​a-robinson! - feature: Support Queue consumer events in tail

  So that it's less confusing when tailing a worker that consumes events from a Queue.

Patch Changes

• #​2687 3077016f Thanks @​jrf0110! - Fixes large Pages projects failing to complete direct upload due to expiring JWTs

  For projects which are slow to upload - either because of client bandwidth or large numbers of files and sizes - It's possible for the JWT to expire multiple times. Since our network request concurrency is set to 3, it's possible that each time the JWT expires we get 3 failed attempts. This can quickly exhaust our upload attempt count and cause the entire process to bail.

  This change makes it such that jwt refreshes do not count as a failed upload attempt.

• #​4069 f4d28918 Thanks @​a-robinson! - Default new Hyperdrive configs for PostgreSQL databases to port 5432 if the port is not specified

v3.11.0

Compare Source

Minor Changes

• #​3726 7d20bdbd Thanks @​petebacondarwin! - feat: support partial bundling with configurable external modules

  Setting find_additional_modules to true in your configuration file will now instruct Wrangler to look for files in
  your base_dir that match your configured rules, and deploy them as unbundled, external modules with your Worker.
  base_dir defaults to the directory containing your main entrypoint.

  Wrangler can operate in two modes: the default bundling mode and --no-bundle mode. In bundling mode, dynamic imports
  (e.g. await import("./large-dep.mjs")) would be bundled into your entrypoint, making lazy loading less effective.
  Additionally, variable dynamic imports (e.g. await import(`./lang/${language}.mjs`)) would always fail at runtime,
  as Wrangler would have no way of knowing which modules to upload. The --no-bundle mode sought to address these issues
  by disabling Wrangler's bundling entirely, and just deploying code as is. Unfortunately, this also disabled Wrangler's
  code transformations (e.g. TypeScript compilation, --assets, --test-scheduled, etc).

  With this change, we now additionally support partial bundling. Files are bundled into a single Worker entry-point file
  unless find_additional_modules is true, and the file matches one of the configured rules. See
  https://developers.cloudflare.com/workers/wrangler/bundling/ for more details and examples.

• #​4093 c71d8a0f Thanks @​mrbbot! - chore: bump miniflare to 3.20231002.0

Patch Changes

• #​3726 7d20bdbd Thanks @​petebacondarwin! - fix: ensure that additional modules appear in the out-dir

  When using find_additional_modules (or no_bundle) we find files that
  will be uploaded to be deployed alongside the Worker.

  Previously, if an outDir was specified, only the Worker code was output
  to this directory. Now all additional modules are also output there too.

• #​4067 31270711 Thanks @​mrbbot! - fix: generate valid source maps with wrangler pages dev on macOS

  On macOS, wrangler pages dev previously generated source maps with an
  incorrect number of ../s in relative paths. This change ensures paths are
  always correct, improving support for breakpoint debugging.

• #​4084 9a7559b6 Thanks @​RamIdeas! - fix: respect the options.local value in unstable_dev (it was being ignored)

• #​4107 807ab931 Thanks @​mrbbot! - chore: bump miniflare to 3.20231002.1

• #​3726 7d20bdbd Thanks @​petebacondarwin! - fix: allow __STATIC_CONTENT_MANIFEST module to be imported anywhere

  __STATIC_CONTENT_MANIFEST can now be imported in subdirectories when
  --no-bundle or find_additional_modules are enabled.

• #​3926 f585f695 Thanks @​penalosa! - Log more detail about tokens after authentication errors

• #​3695 1d0b7ad5 Thanks @​JacksonKearl! - Fixed pages dev crashing and leaving port open when building a worker script fails

• #​4066 c8b4a07f Thanks @​RamIdeas! - fix: we no longer infer pathnames from route patterns as the host

  During local development, inside your worker, the host of request.url is inferred from the routes in your config.

  Previously, route patterns like "*/some/path/name" would infer the host as "some". We now handle this case and determine we cannot infer a host from such patterns.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub ↗.

	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License

View full report ↗

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

Code review by ChatGPT

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[github-actions]

LGTM 👍

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud