build(deps-dev): bump miniflare from 4.20260415.0 to 4.20260507.1

[dependabot]

Bumps miniflare from 4.20260415.0 to 4.20260507.1.

Release notes

Sourced from miniflare's releases.

miniflare@4.20260507.1

Patch Changes

• #13348 5cf6f81 Thanks @​mglewis! - Improve variant URLs returned by the hosted images mock for local development

  The miniflare hosted images mock previously returned bare variant names (e.g. "public") in the variants field of ImageMetadata. In production, this field contains full delivery URLs. The bare names were not usable as image sources, causing applications that render images from variant URLs to fail during local development.

  Variant URLs now point to a new local delivery endpoint at /cdn-cgi/imagedelivery/<image_id>/<variant> which serves image bytes directly from the local KV store with content-type detection via Sharp.

miniflare@4.20260507.0

Minor Changes

• #13836 039bada Thanks @​Skye-31! - Support named recipients in the Email Sending API MessageBuilder

  The send_email binding's MessageBuilder now accepts EmailAddress objects for to, cc, and bcc in addition to plain strings. You can mix named and plain addresses in the same array:

  await env.SEND_EMAIL.send({
    from: "sender@example.com",
    to: [
      "plain@example.com",
      '"Name" <address@example.com>',
      { name: "Jane Doe", email: "jane@example.com" },
    ],
    cc: [{ name: "CC Person", email: "cc@example.com" }],
    subject: "Hello",
    text: "...",
  });

  Additionally, addresses in "Name" <address> format are now correctly parsed when checking allowed_destination_addresses and allowed_sender_addresses restrictions.

• #13776 1a54ac5 Thanks @​petebacondarwin! - Default the workerd runtime subprocess to TZ=UTC to match the production Cloudflare runtime

  Previously, Miniflare inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused dev/prod drift that was hard to debug.

  Miniflare now sets TZ=UTC on the spawned workerd subprocess by default. A new unsafeRuntimeEnv option (a Record<string, string>) is available on the Miniflare constructor for advanced cases that need to override the default — for example, to test timezone-dependent behaviour:

  new Miniflare({
    modules: true,
    script: "...",
    unsafeRuntimeEnv: { TZ: "Europe/London" },
  });

Patch Changes

• #13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

... (truncated)

Changelog

Sourced from miniflare's changelog.

4.20260507.1

Patch Changes

• #13348 5cf6f81 Thanks @​mglewis! - Improve variant URLs returned by the hosted images mock for local development

  The miniflare hosted images mock previously returned bare variant names (e.g. "public") in the variants field of ImageMetadata. In production, this field contains full delivery URLs. The bare names were not usable as image sources, causing applications that render images from variant URLs to fail during local development.

  Variant URLs now point to a new local delivery endpoint at /cdn-cgi/imagedelivery/<image_id>/<variant> which serves image bytes directly from the local KV store with content-type detection via Sharp.

4.20260507.0

Minor Changes

• #13836 039bada Thanks @​Skye-31! - Support named recipients in the Email Sending API MessageBuilder

  The send_email binding's MessageBuilder now accepts EmailAddress objects for to, cc, and bcc in addition to plain strings. You can mix named and plain addresses in the same array:

  await env.SEND_EMAIL.send({
    from: "sender@example.com",
    to: [
      "plain@example.com",
      '"Name" <address@example.com>',
      { name: "Jane Doe", email: "jane@example.com" },
    ],
    cc: [{ name: "CC Person", email: "cc@example.com" }],
    subject: "Hello",
    text: "...",
  });

  Additionally, addresses in "Name" <address> format are now correctly parsed when checking allowed_destination_addresses and allowed_sender_addresses restrictions.

• #13776 1a54ac5 Thanks @​petebacondarwin! - Default the workerd runtime subprocess to TZ=UTC to match the production Cloudflare runtime

  Previously, Miniflare inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused dev/prod drift that was hard to debug.

  Miniflare now sets TZ=UTC on the spawned workerd subprocess by default. A new unsafeRuntimeEnv option (a Record<string, string>) is available on the Miniflare constructor for advanced cases that need to override the default — for example, to test timezone-dependent behaviour:

  new Miniflare({
    modules: true,
    script: "...",
    unsafeRuntimeEnv: { TZ: "Europe/London" },
  });

Patch Changes

... (truncated)

Commits

• e0c97ad Version Packages (#13851)
• 5cf6f81 IMAGES-2191: improve variant URLs returned by miniflare hosted images mock (#...
• 553aaa2 Version Packages (#13826)
• cf09891 Revert "Support stream (but keep pipeline backwards compatible) binding for P...
• 1a54ac5 [miniflare] Default workerd subprocess to TZ=UTC to match production (#13776)
• 039bada Skye/email 1692/rfc5322 to cc bcc formats (#13836)
• 332f527 chore(deps): bump the workerd-and-workers-types group with 2 updates (#13841)
• 2284f20 Bump the workerd-and-workers-types group with 2 updates (#13829)
• 09f1f5a run openapi generation and check diff in CI (#13817)
• 543b20b Support stream (but keep pipeline backwards compatible) binding for Pipelines...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)