Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@biomejs/biome (source)	2.3.12 → 2.3.13
hono (source)	4.11.5 → 4.11.7
wrangler (source)	4.60.0 → 4.61.1

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.3.13

Compare Source

Patch Changes

• #​8815 f924f23 Thanks @​dyc3! - Improved useVueValidVOn to be more closely aligned with the source rule. It will now properly allow modifiers for all possible keyboard events. It should have better performance when there are no violations of the rule as well.

  Now treated valid:

  <div @&#8203;keydown.arrow-down="handler"></div>
  <div @&#8203;keydown.a="handler"></div>
  <div @&#8203;keydown.b="handler"></div>
  <div @&#8203;keydown.27="foo"></div>

• #​8856 85f81f9 Thanks @​dyc3! - Fixed #​8710: Biome now parses Vue dynamic slot shorthand arguments that use template literals in [].

• #​8850 2a190e0 Thanks @​dyc3! - Fixed #​8708: Tailwind @utility directives now parse functional utility names like px-* when Tailwind directives are enabled.

• #​8863 79386e0 Thanks @​dyc3! - Fixed an issue with biome migrate eslint where it couldn't detect rules for CSS, GraphQL, and HTML.

• #​8771 6f56b6e Thanks @​lghuahua! - Fix the --reporter=summary output incorrectly merging and displaying wrong issue counts for different rules. Fixes #​8730

• #​8714 ac3a71f Thanks @​Netail! - Added new nursery rule use-consistent-enum-value-type. This rule disallows enums from having both number and string members.

honojs/hono (hono)

v4.11.7

Compare Source

Security Release

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Components

IP Restriction Middleware

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Cache Middleware

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Serve Static Middleware (Cloudflare Workers adapter)

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

hono/jsx ErrorBoundary

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Recommendation

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

Security Advisories & CVEs

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: GHSA-9r54-q6cx-xmh5
  • CVE: Pending

---

Full Changelog: honojs/hono@v4.11.6...v4.11.7

v4.11.6

Compare Source

What's Changed

• refactor: use unique symbol for more accurate typing. by @​usualoma in #​4651
• docs: align CODE_OF_CONDUCT.md wording with Contributor Covenant by @​sano-suguru in #​4630
• fix(sse): handle \r and \r\n line endings in writeSSE by @​AprilNEA in #​4644
• feat(bun): export getBunServer by @​artemtam in #​4626

New Contributors

• @​sano-suguru made their first contribution in #​4630
• @​AprilNEA made their first contribution in #​4644
• @​artemtam made their first contribution in #​4626

Full Changelog: honojs/hono@v4.11.5...v4.11.6

cloudflare/workers-sdk (wrangler)

v4.61.1

Compare Source

Patch Changes

• #​12189 eb8a415 Thanks @​NuroDev! - Fixed Durable Object missing migrations warning message.

  If a Workers project includes some durable_objects in it but no migrations we show a warning to the user to add migrations to their config. However, this warning recommended new_classes for their migrations, but we instead now recommend all users use new_sqlite_classes instead.

• #​11804 3b06b18 Thanks @​emily-shen! - fix: allow d1 execute, d1 export, and d1 migrations to work locally without database_id in config.

• #​12183 17961bb Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260124.0	1.20260127.0

• #​12196 52fdfe7 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260127.0	1.20260128.0

• #​12199 6d8d9cd Thanks @​petebacondarwin! - Prevent wrangler logout from failing when the Wrangler configuration file is invalid

  Previously, if your wrangler.toml or wrangler.json file contained syntax errors or invalid values, the wrangler logout command would fail. Now, configuration parsing errors are caught and logged at debug level, allowing you to log out regardless of the state of your configuration file.

• #​12153 cb72c11 Thanks @​petebacondarwin! - Sanitize commands and arguments in telemetry to prevent accidentally capturing sensitive information.

  Changes:

  • Renamed telemetry fields from command/args to sanitizedCommand/sanitizedArgs to distinguish from historical fields that may have contained sensitive data in older versions
  • Command names now come from command definitions rather than user input, preventing accidental capture of sensitive data pasted as positional arguments
  • Sentry breadcrumbs now use the safe command name from definitions
  • Argument values are only included if explicitly allowed via COMMAND_ARG_ALLOW_LIST
  • Argument keys (names) are always included since they come from command definitions, not user input

• Updated dependencies [8a210af, 17961bb, 52fdfe7, 5f060c9]:

  • miniflare@​4.20260128.0
  • @​cloudflare/unenv-preset@​2.12.0

v4.61.0

Compare Source

Minor Changes

• #​12008 e414f05 Thanks @​penalosa! - Add support for customising the inspector IP address

  Adds a new --inspector-ip CLI flag and dev.inspector_ip configuration option to allow customising the IP address that the inspector server listens on. Previously, the inspector was hardcoded to listen only on 127.0.0.1.

  Example usage:

  # CLI flag
  wrangler dev --inspector-ip 0.0.0.0

  // wrangler.json
  {
  	"dev": {
  		"inspector_ip": "0.0.0.0",
  	},
  }

• #​12034 05714f8 Thanks @​emily-shen! - Add a no-op local explorer worker, which is gated by the experimental flag X_LOCAL_EXPLORER.

Patch Changes

• #​12134 a0a9ef6 Thanks @​NuroDev! - Fixed Fish shell tab completions.

  The wrangler tab completions are powered by @bomb.sh/tab which has been upgraded to version 0.0.12 which includes a fix for the Fish shell which was previously not working at all.

• #​12006 ad4666c Thanks @​penalosa! - Remove --use-remote option from wrangler hyperdrive create command

  Hyperdrive does not support remote bindings during local development - it requires a localConnectionString to connect to a local database. This change removes the confusing "remote resource" prompt that was shown when creating a Hyperdrive config.

  Fixes #​11674

• #​11853 014e7aa Thanks @​43081j! - Use built-in stripVTControlCharacters utility rather than the strip-ansi package.

• #​12040 77e82d2 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260120.0	1.20260122.0

• #​12061 f08ef21 Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260122.0	1.20260123.0

• #​12088 0641e6c Thanks @​dependabot! - chore: update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260123.0	1.20260124.0

• #​12044 eacedba Thanks @​edmundhung! - Fix wrangler secret list to error when the Worker is not found

  Previously, running wrangler secret list against a non-existent Worker would silently return an empty array, making it difficult to diagnose issues like being logged into the wrong account. It now returns an error with suggestions for common causes.

• #​12150 e8b2ef5 Thanks @​dario-piotrowicz! - Emit autoconfig summary as a separate output entry

  Move the autoconfig summary from the deploy output entry to a dedicated autoconfig output entry type. This entry is now emitted by both wrangler deploy and wrangler setup commands when autoconfig runs, making it easier to track autoconfig results independently of deployments.

• Updated dependencies [014e7aa, e414f05, 77e82d2, f08ef21, 0641e6c, 05714f8, bbd8a5e]:

  • miniflare@​4.20260124.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.