fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@azure/functions	4.11.0 → 4.11.2
@babel/core (source)	7.28.6 → 7.29.0
@babel/plugin-proposal-decorators (source)	7.28.6 → 7.29.0
@babel/preset-env (source)	7.28.6 → 7.29.0
@cloudflare/workers-types	4.20260127.0 → 4.20260207.0
@eslint/plugin-kit (source)	0.5.1 → 0.6.0
@ianvs/prettier-plugin-sort-imports	4.7.0 → 4.7.1
@types/node (source)	24.10.9 → 24.10.12
@types/react (source)	18.3.27 → 18.3.28
axios (source)	1.13.4 → 1.13.5
fastify (source)	5.7.3 → 5.7.4
firebase-admin (source)	13.6.0 → 13.6.1
firebase-functions	7.0.3 → 7.0.5
glob	13.0.0 → 13.0.1
pnpm (source)	10.28.2 → 10.29.2
webpack	5.104.1 → 5.105.0
wrangler (source)	4.61.0 → 4.63.0

---

Release Notes

Azure/azure-functions-nodejs-library (@​azure/functions)

v4.11.1

Compare Source

Removing Long as depndency
Removing dependency from lib.DOM

babel/babel (@​babel/core)

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #​17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #​17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #​17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #​17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #​17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

🏃‍♀️ Performance

• babel-generator, babel-runtime-corejs3
  • #​17642 [Babel 7] Improve generator performance (@​liuxingbaoyu)

Committers: 6

• David (@​simbahax)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• @​magic-akari

cloudflare/workerd (@​cloudflare/workers-types)

v4.20260207.0

Compare Source

v4.20260206.0

Compare Source

v4.20260205.0

Compare Source

v4.20260203.0

Compare Source

v4.20260131.0

Compare Source

v4.20260130.0

Compare Source

v4.20260129.0

Compare Source

v4.20260128.0

Compare Source

eslint/rewrite (@​eslint/plugin-kit)

v0.6.0

Compare Source

Features

• add CustomRuleVisitorWithExit type to @eslint/plugin-kit (#​351) (e7d1be4)
• Add custom rule type helpers to @eslint/plugin-kit (#​355) (8ac8530)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​eslint/core bumped from ^1.0.1 to ^1.1.0

ianvs/prettier-plugin-sort-imports (@​ianvs/prettier-plugin-sort-imports)

v4.7.1

Compare Source

What's Changed

Fixes

• Fix: Vue preprocessor: Support variations in block syntax by @​ccondrup in IanVS#247

Dependencies

• feat(plugin-oxc): support v0.1.x by @​CHC383 in IanVS#249

Docs

• Add note for how to specify subpath import regex to README by @​jasikpark in IanVS#243

New Contributors

• @​jasikpark made their first contribution in IanVS#243
• @​ccondrup made their first contribution in IanVS#247
• @​CHC383 made their first contribution in IanVS#249

Full Changelog: IanVS/prettier-plugin-sort-imports@v4.7.0...v4.7.1

axios/axios (axios)

v1.13.5

Compare Source

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #​7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #​7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #​7369)

Fixes

• Fix/5657. (PR #​7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #​7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #​7326)
• Refactor: bump minor package versions. (PR #​7356)

Documentation

• Clarify object-check comment. (PR #​7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #​7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #​7355)
• CI: update workflow YAMLs. (PR #​7372)
• CI: fix run condition. (PR #​7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #​7360)
• Chore(release): prepare release 1.13.5. (PR #​7379)

New Contributors

• @​sachin11063 (first contribution — PR #​7323)
• @​asmitha-16 (first contribution — PR #​7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

fastify/fastify (fastify)

v5.7.4

Compare Source

Full Changelog: fastify/fastify@v5.7.3...v5.7.4

firebase/firebase-admin-node (firebase-admin)

v13.6.1: Firebase Admin Node.js SDK v13.6.1

Compare Source

Bug Fixes

• fix: Refactor isURL() to use Built-in URL Constructor (#​3061)
• fix(data-connect): correctly serialize strings with special characters (#​3056)

Miscellaneous

• [chore] Release 13.6.1 (#​3063)
• build(deps): bump jws (#​3029)
• chore: Update release workflows for push triggers (#​3062)
• build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#​3057)
• build(deps-dev): bump mocha from 11.7.1 to 11.7.5 (#​3012)
• chore: Update github actions workflows and integration test resources (#​3052)
• chore: Rename default branch to (#​3033)
• build(deps): bump node-forge from 1.3.1 to 1.3.2 (#​3024)
• build(deps): bump glob from 10.4.5 to 10.5.0 (#​3019)
• build(deps-dev): bump bcrypt and @​types/bcrypt (#​3015)
• fix validate unit tests (#​3009)

firebase/firebase-functions (firebase-functions)

v7.0.5

Compare Source

• Fixed issue with missing dependency on graphql. (#​1795)
• Internal improvements (#​1800)

v7.0.4

Compare Source

isaacs/node-glob (glob)

v13.0.1

Compare Source

pnpm/pnpm (pnpm)

v10.29.2

Compare Source

v10.29.1: pnpm 10.29.1

Compare Source

Minor Changes

• The pnpm dlx / pnpx command now supports the catalog: protocol. Example: pnpm dlx shx@catalog:.
• Support configuring auditLevel in the pnpm-workspace.yaml file #​10540.
• Support bare workspace: protocol without version specifier. It is now treated as workspace:* and resolves to the concrete version during publish #​10436.

Patch Changes

• Fixed pnpm list --json returning incorrect paths when using global virtual store #​10187.

• Fix pnpm store path and pnpm store status using workspace root for path resolution when storeDir is relative #​10290.

• Fixed pnpm run -r failing with "No projects matched the filters" when an empty pnpm-workspace.yaml exists #​10497.

• Fixed a bug where catalogMode: strict would write the literal string "catalog:" to pnpm-workspace.yaml instead of the resolved version specifier when re-adding an existing catalog dependency #​10176.

• Fixed the documentation URL shown in pnpm completion --help to point to the correct page at https://pnpm.io/completion #​10281.

• Skip local file: protocol dependencies during pnpm fetch. This fixes an issue where pnpm fetch would fail in Docker builds when local directory dependencies were not available #​10460.

• Fixed pnpm audit --json to respect the --audit-level setting for both exit code and output filtering #​10540.

• update tar to version 7.5.7 to fix security issue

  Updating the version of dependency tar to 7.5.7 because the previous one have a security vulnerability reported here: CVE-2026-24842

• Fix pnpm audit --fix replacing reference overrides (e.g. $foo) with concrete versions #​10325.

• Fix shamefullyHoist set via updateConfig in .pnpmfile.cjs not being converted to publicHoistPattern #​10271.

• pnpm help should correctly report if the currently running pnpm CLI is bundled with Node.js #​10561.

• Add a warning when the current directory contains the PATH delimiter character. On macOS, folder names containing forward slashes (/) appear as colons (:) at the Unix layer. Since colons are PATH separators in POSIX systems, this breaks PATH injection for node_modules/.bin, causing binaries to not be found when running commands like pnpm exec #​10457.

Platinum Sponsors

Gold Sponsors

webpack/webpack (webpack)

v5.105.0

Compare Source

Minor Changes

• Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #​20353)

• Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #​20320)

• Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #​20400)

• Support import.defer() for context modules. (by @​ahabhgk in #​20399)

• Added support for array values ​​to the devtool option. (by @​hai-x in #​20191)

• Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #​20255)

• Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #​20312)

Patch Changes

• Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #​20189)

• Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #​20313)

• Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #​20258)

• Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #​20265)

• Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #​20390)

• Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #​20381)

• Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #​20345)

• Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #​20251)

• Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #​20346)

• Fixed import.meta.env.xxx behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by @​xiaoxiaojx in #​20289)

• Improved parsing error reporting by adding a link to the loader documentation. (by @​gaurav10gg in #​20244)

• Fix typescript types. (by @​alexander-akait in #​20305)

• Add declaration for unused harmony import specifier. (by @​hai-x in #​20286)

• Fix compressibility of modules while retaining portability. (by @​dmichon-msft in #​20287)

• Optimize source map generation: only include ignoreList property when it has content, avoiding empty arrays in source maps. (by @​xiaoxiaojx in #​20319)

• Preserve star exports for dependencies in ECMA module output. (by @​hai-x in #​20293)

• Consider asset modulem to be side-effect free. (by @​hai-x in #​20352)

• Avoid generating JavaScript modules for CSS exports that are not used, reducing unnecessary output and bundle size. (by @​xiaoxiaojx in #​20337)

cloudflare/workers-sdk (wrangler)

v4.63.0

Compare Source

Minor Changes

• #​12386 447daa3 Thanks @​NuroDev! - Added new "open local explorer" hotkey for experimental/WIP local resource explorer

  When running wrangler dev with the experimental local explorer feature enabled, you can now press the e hotkey to open the local resource explorer UI in your browser.

Patch Changes

• #​11350 ee9b81f Thanks @​dario-piotrowicz! - fix: improve error message when the entrypoint is incorrect

  Error messages for incorrect entrypoint configuration have been improved to provide clearer and more actionable feedback. The updated messages help users understand what went wrong and how to fix their configuration.

• #​12402 63f1adb Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260131.0	1.20260203.0

• #​12418 ba13de9 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260203.0	1.20260205.0

• #​12216 fe3af35 Thanks @​ichernetsky-cf! - Deprecate 'wrangler cloudchamber apply' in favor of 'wrangler deploy'

• #​12368 bd4bb98 Thanks @​KianNH! - Preserve Containers configuration when using versions commands

  Previously, commands like wrangler versions upload would inadvertently disable Containers on associated Durable Object namespaces because the containers property was being omitted from the API request body.

• #​12396 dab4bc9 Thanks @​petebacondarwin! - fix: redact email addresses and account names in non-interactive mode

  To prevent sensitive information from being exposed in public CI logs, email addresses and account names are now redacted when running in non-interactive mode (e.g., CI environments). Account IDs remain visible to aid debugging.

• #​12378 18c0784 Thanks @​X6TXY! - Truncate Pages commit messages at UTF-8 boundaries to avoid invalid UTF-8

• Updated dependencies [63f1adb, ba13de9, 83adb2c]:

  • miniflare@​4.20260205.0

v4.62.0

Compare Source

Minor Changes

• #​12064 964a39d Thanks @​G4brym! - Add AI Search OAuth scopes to login

  Adds ai-search:write and ai-search:run OAuth scopes to the default login scopes, enabling wrangler to authenticate with AI Search APIs.

• #​11867 253a85d Thanks @​rahulsuresh-git! - Add wrangler r2 bucket local-uploads command to manage local uploads for R2 buckets

  When enabled, object data is written to the nearest region first, then asynchronously replicated to the bucket's primary region.

  Docs: https://developers.cloudflare.com/r2/buckets/local-uploads

  # Get local uploads status
  wrangler r2 bucket local-uploads get my-bucket
  
  # Enable local uploads (will prompt for confirmation)
  wrangler r2 bucket local-uploads enable my-bucket
  
  # Enable without confirmation prompt
  wrangler r2 bucket local-uploads enable my-bucket --force
  
  # Disable local uploads
  wrangler r2 bucket local-uploads disable my-bucket

• #​11803 1bd1488 Thanks @​dario-piotrowicz! - Add a new subrequests limit to the limits field of the Wrangler configuration file

  Before only the cpu_ms limit was supported in the limits field of the Wrangler configuration file, now a subrequests limit can be specified as well which enables the user to limit the number of fetch requests that a Worker's invocation can make.

  Example:

  {
  	"$schema": "./node_modules/wrangler/config-schema.json",
  	"limits": {
  		"cpu_ms": 1000,
  		"subrequests": 150 // newly added field
  	}
  }

• #​12185 f7aa8c7 Thanks @​penalosa! - Add timestamp field to the version metadata binding in local development. The version metadata binding now includes id, tag, and timestamp fields, making it easier to test version-aware logic locally.

Patch Changes

• #​12190 ce736b9 Thanks @​dario-piotrowicz! - Update autoconfig logic to handle Next.js projects by using the new @opennextjs/cloudflare migrate command

• #​12065 47944d1 Thanks @​langningchen! - Improve error message when d1 export --output points to a directory

• #​12292 4c4d5a5 Thanks @​dario-piotrowicz! - Add versionCommand to the autoconfig_summary field in the autoconfig output entry

  Add the version upload command to the output being printed by wrangler deploy to WRANGLER_OUTPUT_FILE_DIRECTORY/WRANGLER_OUTPUT_FILE_PATH. This complements the existing buildCommand and deployCommand fields and allows CI systems to know how to upload new versions of Workers.

  For example, for a standard npm project this would be:

  • Version command: npx wrangler versions upload

  While for a Next.js project it would be:

  • Version command: npx @​opennextjs/cloudflare upload

• #​12050 b05b919 Thanks @​NuroDev! - Fixed Wrangler's error handling for both invalid commands with and without the --help flag, ensuring consistent and clear error messages.

  Additionally, it also ensures that if you provide an invalid argument to a valid command, Wrangler will now correctly display that specific commands help menu.

• #​12289 0aaf080 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260128.0	1.20260129.0

• #​12295 b981db5 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260129.0	1.20260130.0

• #​12355 a113c0d Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260130.0	1.20260131.0

• #​11971 fdd7a9f Thanks @​dario-piotrowicz! - Add framework id, build command, and deploy command to the autoconfig_summary field in the deploy output entry

  Add the framework id alongside the commands to build and deploy the project to the output being printed by wrangler deploy to WRANGLER_OUTPUT_FILE_DIRECTORY or WRANGLER_OUTPUT_FILE_PATH.

  For example for an npm Astro project these would be:

  • Framework id: astro
  • Build command: npm run build
  • Deploy command: npx wrangler deploy

  While for a Next.js project they would instead be:

  • Framework id: next
  • Build command: npx @​opennextjs/cloudflare build
  • Deploy command: npx @​opennextjs/cloudflare deploy

• #​12211 a5fca2c Thanks @​elithrar! - Remove the 'pubsub' sub-command and related functionality

  The Pub/Sub product was never made publicly available and has been discontinued. This removes the wrangler pubsub command and all associated functionality.

• Updated dependencies [0c9625a, 0aaf080, b981db5, a113c0d, f7aa8c7]:

  • miniflare@​4.20260131.0
  • @​cloudflare/kv-asset-handler@​0.4.2

v4.61.1

Compare Source

Patch Changes

• #​12189 eb8a415 Thanks @​NuroDev! - Fixed Durable Object missing migrations warning message.

  If a Workers project includes some durable_objects in it but no migrations we show a warning to the user to add migrations to their config. However, this warning recommended new_classes for their migrations, but we instead now recommend all users use new_sqlite_classes instead.

• #​11804 3b06b18 Thanks @​emily-shen! - fix: allow d1 execute, d1 export, and d1 migrations to work locally without database_id in config.

• #​12183 17961bb Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260124.0	1.20260127.0

• #​12196 52fdfe7 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260127.0	1.20260128.0

• #​12199 6d8d9cd Thanks @​petebacondarwin! - Prevent wrangler logout from failing when the Wrangler configuration file is invalid

  Previously, if your wrangler.toml or wrangler.json file contained syntax errors or invalid values, the wrangler logout command would fail. Now, configuration parsing errors are caught and logged at debug level, allowing you to log out regardless of the state of your configuration file.

• #​12153 cb72c11 Thanks @​petebacondarwin! - Sanitize commands and arguments in telemetry to prevent accidentally capturing sensitive information.

  Changes:

  • Renamed telemetry fields from command/args to sanitizedCommand/sanitizedArgs to distinguish from historical fields that may have contained sensitive data in older versions
  • Command names now come from command definitions rather than user input, preventing accidental capture of sensitive data pasted as positional arguments
  • Sentry breadcrumbs now use the safe command name from definitions
  • Argument values are only included if explicitly allowed via COMMAND_ARG_ALLOW_LIST
  • Argument keys (names) are always included since they come from command definitions, not user input

• Updated dependencies [8a210af, 17961bb, 52fdfe7, 5f060c9]:

  • miniflare@​4.20260128.0
  • @​cloudflare/unenv-preset@​2.12.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://15fa2fee.envelop.pages.dev