@renovate renovate bot commented Jan 19, 2026

This PR contains the following updates:

Package Change
hono (source) 4.11.3 → 4.11.4
wrangler (source) 4.58.0 → 4.59.2

Release Notes

honojs/hono (hono)

v4.11.4

Security

Fixed a JWT algorithm confusion issue in the JWT and JWK/JWKS middleware.

Both middlewares now require an explicit algorithm configuration to prevent the verification algorithm from being influenced by untrusted JWT header values.

If you are using the JWT or JWK/JWKS middleware, please update to the latest version as soon as possible.

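JWT middleware

import { Hono } from 'hono'
import { jwt } from 'hono/jwt'

const app = new Hono()

// The verification algorithm comes from this configuration, not from the token header
app.use(
  '/auth/*',
  jwt({
    secret: 'it-is-very-secret',
    alg: 'HS256', // required
  })
)

JWK/JWKS middleware

import { Hono } from 'hono'
import { jwk } from 'hono/jwk'

const app = new Hono()

// Only the algorithms listed here are accepted for keys fetched from the JWKS endpoint
app.use(
  '/auth/*',
  jwk({
    jwks_uri: 'https://example.com/.well-known/jwks.json',
    alg: ['RS256'], // required (asymmetric algorithms only)
  })
)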

For more details, see the Security Advisory.

Full Changelog: honojs/hono@v4.11.3...v4.11.4

cloudflare/workers-sdk (wrangler)

v4.59.2

Patch Changes
  • #​11908 e78186d Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260111.0 1.20260114.0
  • #​11880 fe4faa3 Thanks @​penalosa! - Show helpful messages for errors outside of Wrangler's control. This prevents unnecessary Sentry reports.

    Errors now handled with user-friendly messages:

    • Connection timeouts to Cloudflare's API (UND_ERR_CONNECT_TIMEOUT) - typically due to slow networks or connectivity issues
    • File system permission errors (EPERM, EACCES) - caused by insufficient permissions, locked files, or antivirus software
    • DNS resolution failures (ENOTFOUND) - caused by network connectivity issues or DNS configuration problems
  • #11882 695b043 Thanks @GregBrimble! - Improve the error message for wrangler secret put when using Worker versions or gradual deployments. wrangler versions secret put should be used instead, or make sure to deploy the latest version before using wrangler secret put. wrangler secret put alone will add the new secret to the latest version (possibly undeployed) and immediately deploy it, which is usually not intended.

  • Updated dependencies [e78186d, fec8f5b, d39777f, 4714ca1, c17e971]:

v4.59.1

Patch Changes
  • #​11889 99b1f32 Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

    Pass user provided values from --commit-hash safely to underlying git command.

v4.59.0

Minor Changes
  • #​11852 ad65efa Thanks @​NuroDev! - Add --check flag to wrangler types command

    The new --check flag allows you to verify that your generated types file is up-to-date without regenerating it. This is useful for CI/CD pipelines, pre-commit hooks, or any scenario where you want to ensure types have been committed after configuration changes.

    When types are up-to-date, the command exits with code 0:

    $ wrangler types --check
    ✨ Types at worker-configuration.d.ts are up to date.

    When types are out-of-date, the command exits with code 1:

    $ wrangler types --check
    ✘ [ERROR] Types at worker-configuration.d.ts are out of date. Run `wrangler types` to regenerate.

    You can also use it with a custom output path:

    $ wrangler types ./custom-types.d.ts --check
  • #​11529 43d5363 Thanks @​matthewdavidrodgers! - Add ability to enable higher asset count limits for Pages deployments

    Wrangler can now read asset count limits from JWT claims during Pages deployments,
    allowing users to be enabled for higher limits (up to 100,000 assets) on a per-account
    basis. The default limit remains at 20,000 assets.

  • #​11755 0f8d69d Thanks @​nikitassharma! - Users can now specify constraints.tiers for their container applications. tier is deprecated in favor of tiers.
    If left unset, we will default to tiers: [1, 2].
    Note that constraints is an experimental feature.

Patch Changes
  • #​11820 b0e54b2 Thanks @​MattieTK! - Add AI agent detection to analytics events

    Wrangler now detects when commands are executed by AI coding agents (such as Claude Code, Cursor, GitHub Copilot, etc.) using the am-i-vibing library. This information is included as an agent property in all analytics events, helping Cloudflare understand how developers interact with Wrangler through AI assistants.

    The agent property will contain the agent ID (e.g., "claude-code", "cursor-agent") when detected, or null when running outside an agentic environment.

  • #​11494 ed60c4f Thanks @​jalmonter! - Fix scheduled trigger warning showing undefined port

    When running wrangler dev with a worker that has cron triggers, the warning message displayed an invalid URL like curl "http://localhost:undefined/cdn-cgi/handler/scheduled" because the port wasn't yet determined when the warning was logged.

    Moved the warning to after the proxy server is fully ready, where the actual public URL and port are known.

  • #​11831 faa5753 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260107.1 1.20260108.0
  • #​11844 e574ef3 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260108.0 1.20260109.0
  • #​11872 b6148ed Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

    The following dependency versions have been updated:

    Dependency From To
    workerd 1.20260109.0 1.20260111.0
  • #​11843 ab3859c Thanks @​dario-piotrowicz! - Update the Wrangler autoconfig logic to work with the latest version of Waku

    The latest version of Waku (0.12.5-1.0.0-alpha.1-0) requires a src/waku.server.tsx file instead of a src/server-entry.tsx one, so the Wrangler autoconfig logic (the logic being run as part of wrangler setup and wrangler deploy --x-autoconfig that configures a project to be deployable on Cloudflare) has been updated accordingly.

    Also the way the worker needs to handle static assets has been updated as recommended from the Waku team.

  • #​11848 0eb973d Thanks @​petebacondarwin! - Fix incorrect warning about multiple environments when using redirected config

    Previously, when using a redirected config (via configPath in another config file) that originated from a config with multiple environments, wrangler would incorrectly warn about missing environment specification. This fix ensures the warning is only shown when the actual config being used has multiple environments defined, not when the original config did.

  • Updated dependencies [ed60c4f, 5c59217, faa5753, e574ef3, b6148ed, beb96af, 5c59217, fc96e5f]:


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
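
Added example (not Hono's code and not part of the release notes above): a standalone Node.js sketch of why the hono v4.11.4 fix pins `alg` in configuration, comparing a hypothetical header-trusting HMAC verifier with one that accepts only the configured algorithm. The function names, the sample tokens and the HMAC-only scope are assumptions made for illustration.

```javascript
// Added example: standalone Node.js sketch, not Hono's implementation.
const crypto = require('node:crypto')

const HASH = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']])
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'))
const mac = (alg, secret, data) =>
  crypto.createHmac(HASH.get(alg), secret).update(data).digest()

// Build a constructed sample token (helper for the samples below).
function sign(payload, secret, alg) {
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(payload)}`
  return `${input}.${mac(alg, secret, input).toString('base64url')}`
}

// Shared signature check; `alg` decides which HMAC is computed.
function checkSignature(token, secret, alg) {
  const [head, body, sig] = token.split('.')
  const expected = mac(alg, secret, `${head}.${body}`)
  const given = Buffer.from(sig || '', 'base64url')
  return given.length === expected.length && crypto.timingSafeEqual(given, expected)
}

// Hypothetical header-trusting verifier: the token itself picks the algorithm.
function verifyHeaderTrusting(token, secret) {
  try {
    const { alg } = dec(token.split('.')[0])
    return HASH.has(alg) && checkSignature(token, secret, alg)
  } catch { return false }
}

// Pinned verifier: the configured algorithm is used; the header is only compared to it.
function verifyPinned(token, secret, configuredAlg) {
  try {
    const parts = token.split('.')
    if (!HASH.has(configuredAlg) || parts.length !== 3) return false
    if (dec(parts[0]).alg !== configuredAlg) return false
    return checkSignature(token, secret, configuredAlg)
  } catch { return false }
}

// Constructed sample values.
const SECRET = 'it-is-very-secret'
const hs256Token = sign({ sub: 'alice' }, SECRET, 'HS256')
const hs512Token = sign({ sub: 'alice' }, SECRET, 'HS512')
const noneToken = `${enc({ alg: 'none' })}.${enc({ sub: 'alice' })}.`
```

With the policy set to HS256, the pinned verifier rejects `hs512Token` and `noneToken`, while the header-trusting one lets the HS512 token through because the token chose its own algorithm.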

@renovate renovate bot merged commit 1e67c22 into main Jan 19, 2026
2 checks passed
@renovate renovate bot deleted the renovate/all-minor-patch branch January 19, 2026 06:33
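
Added example (not Wrangler's code): the wrangler v4.59.1 note about passing the `--commit-hash` value as an argument array, shown with a child Node process standing in for git so the arguments it receives can be inspected. It assumes Node.js with a POSIX shell; the `show -s` arguments, the function names and the hash pattern are hypothetical.

```javascript
// Added example: not Wrangler's code. Assumes Node.js on a POSIX shell.
const { execSync, execFileSync } = require('node:child_process')

// Stand-in for git: a child Node process that prints the arguments it received.
const ECHO_ARGV = 'console.log(JSON.stringify(process.argv.slice(1)))'

// Shell string: the value is pasted into a command line and re-parsed by the shell,
// so whitespace and metacharacters in it change what the child receives.
function viaShellString(commitHash) {
  const cmd = `"${process.execPath}" -e '${ECHO_ARGV}' show -s ${commitHash}`
  return JSON.parse(execSync(cmd, { encoding: 'utf8' }))
}

// Argument array: no shell runs, so the value stays a single argv element.
function viaArgArray(commitHash) {
  const args = ['-e', ECHO_ARGV, 'show', '-s', commitHash]
  return JSON.parse(execFileSync(process.execPath, args, { encoding: 'utf8' }))
}

// An argument array does not stop the program from reading a leading "-" as an
// option, so also check the shape of the value (hypothetical pattern: hex only).
function isPlausibleCommitHash(value) {
  return typeof value === 'string' && /^[0-9a-f]{4,64}$/i.test(value)
}

// Constructed sample input containing a space.
const sample = 'abc123 extra-arg'
console.log(viaShellString(sample)) // the shell splits the value into two arguments
console.log(viaArgArray(sample))    // the value arrives as one argument
```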