[miniflare/wrangler] Bump undici to v7.24.8 and remove pnpm patch

[petebacondarwin]

Fixes #13013.

Bumps undici from 7.24.4 to 7.24.8, which includes the upstream fix (nodejs/undici#5006) for isTraversableNavigable() returning true unconditionally. This caused POST/PUT requests with non-2xx responses (e.g. 401) to throw TypeError: fetch failed because undici entered the 401 credential-retry block and failed on stream-backed request bodies.

Since the fix is now included upstream, this PR removes the pnpm patch we applied in #13058 as a workaround.

Changes

• Bump undici and undici-types from 7.24.4 → 7.24.8 in the pnpm catalog
• Remove undici@7.24.4 from patchedDependencies and delete patches/undici@7.24.4.patch
• Remove now-unused @ts-expect-error directives on the clone() overrides in src/http/request.ts and src/http/response.ts (undici 7.24.8 types no longer error on these)
• Fix SpecIterableIterator type incompatibility in R2 tests — use structural types for keys/delimitedPrefixes helpers instead of R2Objects from @cloudflare/workers-types (removes unused R2Objects import)
• Fix SpecIterableIterator type incompatibility in vite-plugin websockets.ts — convert @remix-run/node-fetch-server Headers to Record<string, string> before passing to miniflare.dispatchFetch
• Add regression test covering GET/POST/PUT × various non-2xx status codes via dispatchFetch

Reviewer notes

• undici@7.24.4 (unpatched) still appears in the lockfile as a transitive dependency of an older bundled miniflare version — this is expected and harmless since workspace packages now resolve to 7.24.8.
• The test exercises dispatchFetch which routes through undici's fetch() to workerd, covering the exact code path that was broken.
• The @ts-ignore comments on the super.clone() calls are intentionally kept — only the outer @ts-expect-error directives (which suppressed the method-override error) became unused with the new types.
• undici 7.24.8 changed Headers.keys() to return SpecIterableIterator<string> instead of IterableIterator<string>. This causes type mismatches wherever third-party Headers types (e.g. @cloudflare/workers-types, @remix-run/node-fetch-server) are passed to undici-typed APIs. The fixes in this PR work around these at the call sites.

⚠️ Human review checklist

• Verify the @ts-expect-error removals are safe — confirm that clone() and status overrides still compile correctly with undici 7.24.8 types (CI build will confirm this)
• Confirm no other @ts-expect-error directives in miniflare reference undici types that may have changed
• Review websockets.ts Record<string, string> conversion — headers.forEach collapses multi-value headers to a single value per key; verify this is acceptable for WebSocket upgrade requests
• Check if there are other places in the monorepo where Headers objects cross the undici / workers-types boundary that may also need fixing

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s):
  • Documentation not necessary because: this is a dependency bump with no user-facing API changes

Link to Devin session: https://app.devin.ai/sessions/fea4cbb20470478ca29d0c117e41896d
Requested by: @petebacondarwin

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[changeset-bot]

🦋 Changeset detected

Latest commit: 5b3c9f0

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[ask-bonk]

The new test correctly uses useDispose(mf) which is the standard pattern in this test file.

Let me review the overall changes once more:

1. pnpm-workspace.yaml: Catalog updated from 7.24.4 to 7.24.8 for both undici and undici-types. Patch removed. Clean.
2. patches/undici@7.24.4.patch: Deleted. Correct since the fix is upstream.
3. pnpm-lock.yaml: All workspace packages moved from patched 7.24.4 to 7.24.8. The old unpatched 7.24.4 remains only as transitive dep of bundled miniflare@4.20260317.1. Clean.
4. .changeset/bump-undici-remove-patch.md: Proper changeset for miniflare and wrangler as patch. Good.
5. Test: Good regression test covering the exact code path. Uses useDispose, comments reference the issue, covers GET/POST/PUT with various status codes.

This is a clean, well-structured PR. The dependency bump is correct, the patch removal is justified, the lockfile changes are consistent, the test is well-written and follows existing patterns, and the changeset is appropriate.

LGTM

github run

[github-actions]

✅ All changesets look good

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13450

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13450

miniflare

npm i https://pkg.pr.new/miniflare@13450

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13450

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13450

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13450

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13450

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13450

wrangler

npm i https://pkg.pr.new/wrangler@13450

commit: be99cfc

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[workers-devprod]

Codeowners reviews satisfied