Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.4.9 → 2.4.10
hono (source)	4.12.9 → 4.12.10
wrangler (source)	4.78.0 → 4.80.0

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.10

Compare Source

Patch Changes

• #​8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #​9320 93c3b6c Thanks @​taberoajorge! - Fixed #​7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #​9630 1dd4a56 Thanks @​raashish1601! - Fixed #​9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #​9216 04243b0 Thanks @​FrederickStempfle! - Fixed #​9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #​9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #​9627 06a0f35 Thanks @​ematipico! - Fixed #​191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #​9643 5bfee36 Thanks @​dyc3! - Fixed #​9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #​9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #​9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #​9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

• #​9627 06a0f35 Thanks @​ematipico! - Fixed --diagnostic-level not fully filtering diagnostics. Setting --diagnostic-level=error now correctly excludes warnings and infos from both the output and the summary counts.

• #​9623 13b3261 Thanks @​ematipico! - Fixed #​9258: --skip no longer causes suppressions/unused warnings for suppression comments targeting skipped rules or domains.

• #​9631 599dd04 Thanks @​raashish1601! - Fixed #​9625: experimentalEmbeddedSnippetsEnabled no longer crashes when a file mixes formatable CSS-in-JS templates with tagged templates that the embedded formatter can't currently delegate, such as a styled-components interpolation returning `css```.

honojs/hono (hono)

v4.12.10

Compare Source

What's Changed

• test(router): fix Simple capturing group test by @​yusukebe in #​4838
• docs: fix impaired -> inspired typo in benchmark READMEs by @​Abhi3975 in #​4843
• fix(jsx/dom): apply select value after children are rendered by @​usualoma in #​4847
• fix(compress): convert strong ETag to weak ETag when compressing by @​usualoma in #​4848
• docs(ip-restriction): add clear JSDoc examples and param types by @​VISHNU7KASIREDDY in #​4851

New Contributors

• @​Abhi3975 made their first contribution in #​4843
• @​VISHNU7KASIREDDY made their first contribution in #​4851

Full Changelog: honojs/hono@v4.12.9...v4.12.10

cloudflare/workers-sdk (wrangler)

v4.80.0

Compare Source

Minor Changes

• #​13151 9c4035b Thanks @​G4brym! - Add type generation for AI Search bindings

  Running wrangler types now generates AiSearchNamespace and AiSearchInstance types for ai_search_namespaces and ai_search config bindings respectively. Both simple and per-environment modes are supported.

  // wrangler.json
  {
    "ai_search_namespaces": [
      { "binding": "AI_SEARCH", "namespace": "production" }
    ],
    "ai_search": [
      { "binding": "BLOG_SEARCH", "instance_name": "cloudflare-blog" }
    ]
  }

  // Generated by `wrangler types`
  interface Env {
    AI_SEARCH: AiSearchNamespace;
    BLOG_SEARCH: AiSearchInstance;
  }

• #​13011 b9b7e9d Thanks @​ruifigueira! - Add experimental headful browser rendering support for local development

  Experimental: This feature may be removed or changed without notice.

  When developing locally with the Browser Rendering API, you can enable headful (visible) mode via the X_BROWSER_HEADFUL environment variable to see the browser while debugging:

  X_BROWSER_HEADFUL=true wrangler dev
  X_BROWSER_HEADFUL=true vite dev

  Note: when using @cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created by browser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.

• #​12992 48d83ca Thanks @​RiscadoA! - Add vpc_networks binding support for routing Worker traffic through a Cloudflare Tunnel or network.

  {
    "vpc_networks": [
      // Route through a specific Cloudflare Tunnel
      { "binding": "MY_FIRST_VPC", "tunnel_id": "<tunnel-id>" },
      // Route through the Cloudflare One mesh network
      { "binding": "MY_SECOND_VPC", "network_id": "cf1:network" }
    ]
  }

Patch Changes

• #​13155 5d29055 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260329.1	1.20260331.1

• #​13162 fb67a18 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260331.1	1.20260401.1

• #​13136 ab44870 Thanks @​petebacondarwin! - Display build errors for auxiliary workers in multi-worker mode

  Previously, when running wrangler dev with multiple -c config flags (multi-worker mode), build errors from auxiliary/secondary workers were only logged at debug level, causing Wrangler to silently hang. Build errors from all workers are now displayed at error level so you can see what went wrong and fix it.

• #​12992 48d83ca Thanks @​RiscadoA! - Fix remote proxy worker not catching errors thrown by bindings during wrangler dev

• #​13238 b2f53ea Thanks @​guybedford! - Fix source phase imports in bundled and non-bundled Workers

  Wrangler now preserves import source syntax when it runs esbuild, including module format detection and bundled deploy output. This fixes both --no-bundle and bundled deployments for Workers that import WebAssembly using source phase imports.

• #​10126 14e72eb Thanks @​nekoze1210! - fix: Sort D1 migration files to ensure consistent chronological ordering

  wrangler d1 migrations list and wrangler d1 migrations apply previously returned migration files in an order dependent on the filesystem, which could vary across operating systems. Migration filenames are now sorted alphabetically before being returned, ensuring consistent chronological ordering.

• #​13150 4dc94fd Thanks @​dario-piotrowicz! - Polish Cloudflare Vite plugin installation during autoconfig

  Projects using Vite 6.0.x were rejected by auto-configuration because the minimum supported version was set to 6.1.0 (the @cloudflare/vite-plugin peer dependency). The minimum version check is now 6.0.0, and when a project has Vite in the [6.0.0, 6.1.0) range, auto-configuration will automatically upgrade it to the latest 6.x before installing @cloudflare/vite-plugin.

• #​13051 d5bffde Thanks @​dario-piotrowicz! - Use today's date as the default compatibility date

  Previously, when generating a compatibility date for new projects or when no compatibility date was configured, the date was resolved by loading the locally installed workerd package via miniflare. This approach was unreliable in some package manager environments (notably pnpm). The logic now simply uses today's date instead, which is always correct and works reliably across all environments.

• Updated dependencies [5d29055, fb67a18, d5bffde, b9b7e9d, b2f53ea, 48d83ca]:

  • miniflare@​4.20260401.0

v4.79.0

Compare Source

Minor Changes

• #​12868 ffbc268 Thanks @​danielgek! - Add wrangler ai-search command namespace for managing Cloudflare AI Search instances

  Introduces a CLI surface for the Cloudflare AI Search API (open beta), including:

  • Instance management: ai-search list, create, get, update, delete
  • Semantic search: ai-search search with repeatable --filter key=value flags
  • Instance stats: ai-search stats

  The create command uses an interactive wizard to guide configuration. All commands require authentication via wrangler login.

• #​13097 cd0e971 Thanks @​pombosilva! - Add --local flag to Workflows commands for interacting with local dev

  All Workflows CLI commands now support a --local flag that targets a running wrangler dev session instead of the Cloudflare production API. This uses the /cdn-cgi/explorer/api/workflows endpoints served by the local dev server.

  wrangler workflows list --local
  wrangler workflows trigger my-workflow '{"key":"value"}' --local
  wrangler workflows instances describe my-workflow latest --local
  wrangler workflows instances pause my-workflow <id> --local --port 9000
  

  By default, commands continue to hit remote (production). Pass --local to opt in, and optionally --port to specify a custom dev server port (defaults to 8787).

Patch Changes

• #​13050 ed20a9b Thanks @​dario-piotrowicz! - Add minimum and maximum version checks for frameworks during auto-configuration

  When Wrangler automatically configures a project, it now validates the installed version of the detected framework before proceeding:

  • If the version is below the minimum known-good version, the command exits with an error asking the user to upgrade the framework.
  • If the version is above the maximum known major version, a warning is emitted to let the user know the framework version has not been officially tested with this feature, and the command continues.

• #​13111 f214760 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260317.1	1.20260329.1

• #​13079 746858a Thanks @​penalosa! - Fix getPlatformProxy and unstable_getMiniflareWorkerOptions crashing when assets is configured without a directory

  getPlatformProxy and unstable_getMiniflareWorkerOptions now skip asset setup when the config has an assets block but no directory — instead of throwing "missing required directory property". This happens when an external tool like @cloudflare/vite-plugin handles asset serving independently.

• #​13112 9aad27f Thanks @​dario-piotrowicz! - Fix autoconfig failing on waku projects that use hono

  Waku has a tight integration with Hono, causing both to be detected simultaneously and triggering a "multiple frameworks found" error. Hono is now filtered out when Waku is also detected.

• #​13113 1fc5518 Thanks @​dario-piotrowicz! - Skip lock file warning for static projects during autoconfig

  Previously, running autoconfig on a static project (one with no framework detected) would emit a misleading warning about a missing lock file, suggesting the project might be in a workspace. Since static projects don't require a lock file, this warning is now suppressed for them.

• #​13072 b539dc7 Thanks @​jbwcloudflare! - Skip unnecessary GET /versions?deployable=true API call in wrangler versions deploy when all version IDs are explicitly provided and --yes is passed

  When deploying a specific version non-interactively (e.g. wrangler versions deploy <id> --yes), Wrangler previously always fetched the full list of deployable versions to populate the interactive selection prompt — even though the prompt is skipped entirely when --yes is used and all versions are already specified. The deployable-versions list is now only fetched when actually needed (i.e. when no version IDs are provided, or when running interactively).

• #​13115 2565b1d Thanks @​dario-piotrowicz! - Improve error message when the assets directory path points to a file instead of a directory

  Previously, if the path provided as the assets directory (via --assets flag or assets.directory config) pointed to an existing file rather than a directory, Wrangler would throw an unhelpful ENOTDIR system error when trying to read the _redirects file inside it. Now Wrangler detects this condition earlier and throws a clear user error.

• Updated dependencies [9eff028, f214760, 9282493, a532eea, d4c6158]:

  • miniflare@​4.20260329.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.