chore(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@types/node (source)	24.12.4 → 24.13.1			devDependencies	minor	24.13.2
actions/checkout	v6.0.2 → v6.0.3			action	patch
awscli	2.34.58 → 2.34.63				patch	2.35.4 (+5)
chezmoi	2.70.4 → 2.70.5				patch
deno	2.8.1 → 2.8.2				patch	2.8.3
docker-cli	29.5.2 → 29.5.3				patch
jdx/mise-action	v4.0.1 → v4.1.0			action	minor
npm:@openai/codex (source)	0.136.0 → 0.137.0				minor	0.139.0 (+1)
pnpm (source)	11.5.1 → 11.5.2			packageManager	patch	11.6.0 (+1)
pnpm (source)	11.5.1 → 11.5.2				patch	11.6.0 (+1)
vercel (source)	54.7.1 → 54.9.1				minor	54.13.0 (+9)
wrangler (source)	4.96.0 → 4.98.0				minor	4.100.0 (+1)

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

aws/aws-cli (awscli)

v2.34.63

Compare Source

v2.34.62

Compare Source

v2.34.61

Compare Source

v2.34.60

Compare Source

v2.34.59

Compare Source

twpayne/chezmoi (chezmoi)

v2.70.5

Compare Source

Changelog

Documentation

• 1c53abd docs: Add links to articles
• 50af2d3 docs: Add link to article

denoland/deno (deno)

v2.8.2

Compare Source

• feat(compile): improve --bundle dependency resolution and add --minify
  (#​34536)
• feat(compile): scope --bundle npm embed to packages actually reached (#​34532)
• feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC
  (#​34417)
• feat(ext/crypto): add ML-DSA (FIPS 204) post-quantum signatures (#​34448)
• feat(ext/crypto): implement ML-KEM (FIPS 203) post-quantum KEM (#​34447)
• feat(ext/node): env/global proxy support for node:http and node:https (#​34257)
• feat(ext/node): support DENO_SERVE_ADDRESS override in node:http servers
  (#​34662)
• feat(jupyter): rewrite kernel in JS, drop zeromq/runtimelib deps (#​34083)
• feat(lsp): autocomplete jsr:/npm:/node: in deno.json(c) imports (#​34724)
• feat(publish): unfurl import specifiers in Wasm modules (#​34549)
• feat(task): support --env-file flag (#​34508)
• feat(task): support exclusion groups in task name wildcards (#​34506)
• feat(unstable): add --bundle flag to deno compile (#​34527)
• feat: bump deno_task_shell to 0.33.0 (#​34642)
• fix(add): handle version tags like @latest in deno add for JSR packages
  (#​32859)
• fix(add): replace panic with error when deno.json discovery fails (#​34517)
• fix(bundle): skip decorator pass when module has no decorators (#​34489)
• fix(bundle): use node-style CJS interop for the Deno platform (#​34533)
• fix(cache): skip WAL journal mode on WSL-1 (#​34499)
• fix(cache_dir): EnsureCachedStrategy must surface cached redirects (#​34563)
• fix(check): make node:stream/web types alias the globals (#​34606)
• fix(check): resolve npm packages without types when type checking (#​34551)
• fix(cli): suppress bug-report banner on broken pipe print panics (#​34552)
• fix(cli/task): run recursive workspace tasks in parallel (#​34512)
• fix(compile): allow process.chdir() into the VFS (#​34610)
• fix(compile): bundle workers separately under --bundle (#​34531)
• fix(compile): cover CJS-deep imports under --bundle (#​34534)
• fix(compile): create code cache when importing JSON or Wasm modules (#​34614)
• fix(compile): detect svelte-adapter-deno build output (#​34535)
• fix(compile): don't surface graph errors for --include files (#​34568)
• fix(compile): embed workspace package.json files in the VFS (#​34530)
• fix(compile): enable ANSI colors on Windows in compiled binaries (#​34701)
• fix(compile): handle CJS and native addons in --bundle (#​34529)
• fix(compile): respect npm registry sub-paths when flattening node_modules
  (#​34575)
• fix(compile): support workers loaded from blob URLs (#​34574)
• fix(compile): transpile TypeScript imported at runtime (#​34616)
• fix(config): hook up verbatimModuleSyntax for the emit pipeline (#​34495)
• fix(config): make config auto-discovery skip the same errors on every platform
  (#​34558)
• fix(config): surface invalid "exports" map in linked/workspace packages
  (#​34473)
• fix(config): warn instead of erroring when start dir is not a workspace member
  (#​34458)
• fix(config): warn instead of erroring when workspace member dir is missing
  (#​34511)
• fix(core): TLA hang on dyn import when async dep triggers lazy ESM load
  (#​34469)
• fix(core): preserve WebAssembly streaming callback across new contexts
  (#​34679)
• fix(crypto): correct X448 PKCS#8 handling (#​34578)
• fix(doc): don't lint private-type-ref for cross-package types (#​34339)
• fix(doc): handle non-ASCII doc lint diagnostics (#​34626)
• fix(ext/console): degrade gracefully when getKeys throws (#​24980) (#​34464)
• fix(ext/fetch): implement missing Request properties (#​34607)
• fix(ext/fetch): preserve static request body length (#​34546)
• fix(ext/ffi): match V8 stack-arg layout in turbocall trampoline on Apple
  silicon (#​34561)
• fix(ext/fs): error when copyFile source and destination are the same file
  (#​34718)
• fix(ext/fs): retry without FILE_FLAG_BACKUP_SEMANTICS on Windows when driver
  rejects it (#​34686)
• fix(ext/fs): surface non-UTF-8 file names from read_dir (#​34623)
• fix(ext/http): reject Response-like return from respondWith (#​34589)
• fix(ext/http): reject Response-like return from serve handler (#​34416)
• fix(ext/io): cancel pending FileResource reads on close (#​34544)
• fix(ext/napi): clear error for Windows addons that link against node.exe
  (#​34696)
• fix(ext/napi): disallow JS execution during napi_new_instance (#​34496)
• fix(ext/napi): polyfill libuv thread + semaphore primitives (#​34571)
• fix(ext/napi): polyfill more libuv symbols from compat layer (#​34488)
• fix(ext/net): re-enable 0-RTT support in QUIC (#​34520)
• fix(ext/node): add module findPackageJSON export (#​34597)
• fix(ext/node): add node:test/reporters builtin (#​34595)
• fix(ext/node): add stripTypeScriptTypes export (#​34594)
• fix(ext/node): capture IPC handle eagerly to fix cluster send deadlock
  (#​34661)
• fix(ext/node): cover node:module SourceMap export (#​34591)
• fix(ext/node): disable repl preview when a custom eval is supplied (#​34498)
• fix(ext/node): drop bogus Buffer.prototype._isBuffer marker (#​34502)
• fix(ext/node): export syncBuiltinESMExports from node:module (#​34593)
• fix(ext/node): expose gc from v8 setFlagsFromString (#​34604)
• fix(ext/node): fix latin1Slice being too slow (#​34503)
• fix(ext/node): honor windowsHide in child_process spawn (#​34627)
• fix(ext/node): prevent buffer decode detach race (#​34632)
• fix(ext/node): re-export inner spec for module.exports = require(X).Y (#​34363)
• fix(ext/node): refuse sqlite close() while a user callback is running (#​34515)
• fix(ext/node): report real error code for failed dns.lookup (#​34697)
• fix(ext/node): resolve global cache packages when require referrer is outside
  DENODIR (#​34497)
• fix(ext/node): route node:fs.statfs through FileSystem trait (#​34444)
• fix(ext/node): support cyclic imports in vm.Module.prototype.link() (#​34472)
• fix(ext/node): support vm dynamic import callback (#​34572)
• fix(ext/node): tolerate unreadable cwd in require._nodeModulePaths (#​34542)
• fix(ext/node): vm dynamic import without callback throws
  ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING (#​34427)
• fix(ext/web): forward console.group label to inspector log (#​34341)
• fix(ext/web): honor PerformanceObserver buffered flag (#​34748)
• fix(ext/web): make MessageEvent.ports a frozen array (#​34773)
• fix(fmt): update markup_fmt to fix quadratic inline CSS formatting (#​34663)
• fix(install): allow "minimumDependencyAge" object without "age" (#​34523)
• fix(install): handle pre-existing node_modules symlink on Windows (#​34659)
• fix(install): rewrite relative imports/scopes in copied deno.json (#​34562)
• fix(install): run workspace member dependency lifecycle scripts with member
  INIT_CWD (#​34700)
• fix(install): vendor type-only imports during deno ci (#​34459)
• fix(jupyter): exit kernel process after sending shutdown reply (#​34554)
• fix(jupyter): keep kernel alive across transient peer disconnects (#​34550)
• fix(jupyter): make kernel ZMTP handshake compatible with libzmq (#​34755)
• fix(jupyter): send transient: {} in execute_result so nbclient doesn't crash
  (#​34483)
• fix(jupyter): use stable PATH entry for kernel binary path (#​34492)
• fix(lsp): avoid empty import specifier completions (#​34647)
• fix(lsp): complete npm package exports (#​34675)
• fix(lsp): complete string union literals containing dots (#​34664)
• fix(lsp): discover all tests when names are duplicated (#​34624)
• fix(lsp): handle empty jsx completion ranges (#​34651)
• fix(lsp): handle parser panics while parsing documents (#​34640)
• fix(lsp): honor moduleResolution: "bundler" for npm dir imports (#​34643)
• fix(lsp): include configured deps in auto-imports (#​34650)
• fix(lsp): limit node_modules auto-import aliasing (#​34674)
• fix(lsp): merge duplicate completion imports (#​34658)
• fix(lsp): preserve URL extensions in typeof import(...) hovers (#​34565)
• fix(lsp): recover from TSC isolate OOM instead of crashing the language server
  (#​34693)
• fix(lsp): release idle memory back to the OS (#​34727)
• fix(lsp): skip parent process check when PID isn't visible (#​34744)
• fix(lsp): spurious diagnostics in Jupyter notebook cells (#​34734)
• fix(lsp): support test steps from imported helpers (#​34648)
• fix(lsp): surface CSS imports as .js to TypeScript (#​34419)
• fix(lsp): surface module-level uncaught errors in test runs (#​34641)
• fix(lsp): use cached registry config when offline (#​34723)
• fix(lsp): use file uris for neovim virtual definitions (#​34653)
• fix(lsp): walk to enabled nested workspaces (#​34654)
• fix(napi): report a clear error for legacy V8/nan native addons (#​34683)
• fix(napi): support ZeroMQ libuv addon symbols (#​34657)
• fix(node): avoid spurious ERR_MULTIPLE_CALLBACK on process.stdout/stderr
  (#​34728)
• fix(node): classify required js files as commonjs by default (#​34673)
• fix(node): full re-export fallback for unresolvable member re-exports (#​34689)
• fix(node): resolve CJS requires with multi-level relative specifiers on
  Windows (#​34655)
• fix(node): support module-sync export condition (#​34599)
• fix(node/repl): gate preview through V8 inspector throwOnSideEffect (#​34566)
• fix(npm): apply scoped registry auth to same-origin tarballs (#​34698)
• fix(npm): clean node_modules after deno remove (#​34110)
• fix(npm): downgrade latest tag for release age (#​34581)
• fix(npm): execute native binaries from npm package bin entries (#​34375)
• fix(npm): hoist direct deps over higher transitive versions (#​34470)
• fix(npm): share copy-package variants via symlink for class identity (#​34691)
• fix(resolver): don't resolve linked packages via bare specifier (#​34519)
• fix(rt): support host-FS CJS files in the standalone runtime (#​34560)
• fix(runtime): better error message when Deno.consoleSize() has no tty (#​34538)
• fix(runtime): suggest --allow-scripts for bindings native addon error
  (#​34666)
• fix(runtime): suggest N-API alternatives for legacy V8/nan addons (#​34695)
• fix(runtime): suggest Worker/node:vm alternatives for npm:isolated-vm (#​34702)
• fix(runtime/ops): unwatch shared RecommendedWatcher on FsWatcher close
  (#​34467)
• fix(task): preserve trailing backslashes in task arguments (#​34505)
• fix(task): restore terminal mode after task exits on Windows (#​34685)
• fix(test): abort with a message when a test exits with sanitizeExit disabled
  (#​34491)
• fix(test): don't kill the deno process on top-level Deno.exit() (#​34564)
• fix(test): wait for inspector to disconnect before exiting (#​34559)
• fix(tsc): resolve Web globals to Deno's versions in npm packages (#​34634)
• fix(watch): register dynamic raw imports with file watcher (#​34463)
• fix(watch): restore original cwd between watcher restarts (#​34465)
• fix: absolute links should be processed using directory functions (#​34218)
• fix: link to docs in JSON import error message (#​34611)
• fix: load classic blob worker main script directly (#​34592)
• fix: opt-in mitigation for React RCE/DoS CVEs (#​34676)
• fix: reject empty package name in package.json dependencies (#​34514)
• fix: remove node_shim exec dependency (#​34739)
• fix: resolve local file when folder name matches import-mapped package
  (#​32854)
• fix: send BroadcastChannel messages before close (#​34628)
• perf(cli): drop unused deno_ast bundler feature (#​34424)
• perf(ext/fetch): cache lowercased header names per Headers instance (#​33683)
• perf(ext/node): bulk-build header array and trim header OWS in place (#​34443)
• perf(ext/node): cache member-export-props analysis (#​34471)
• perf(ext/node): gate node:http async resource entry (#​34608)
• perf(ext/node): optimize empty node:http response end (#​34493)
• perf(ext/node): optimize node:http header matching (#​34484)
• perf(ext/node): skip node:http perf timing without observers (#​34409)
• perf(ext/web): convert hot stream queues to O(1) Queue, cache _state reads
  (#​34437)
• perf(http): remove legacy hyper 0.14 from deno_http (#​34557)
• perf(node): lazy stdio + fix LazyEsmModuleLoader source consumption (#​34440)
• perf(node): lazy-load node:stream/web cluster out of the snapshot (#​34548)
• perf(node): skip require permission checks when read is fully granted (#​34722)
• perf(runtime): update notify watcher dependency (#​34567)
• perf(web): reduce Brotli CompressionStream binary size (#​34432)
• perf: enable safe ICF (identical code folding) when linking (#​34478)
• perf: replace ipnetwork with ipnet (#​34580)

docker/cli (docker-cli)

v29.5.3

Compare Source

jdx/mise-action (jdx/mise-action)

v4.1.0: : automatic --locked installs

Compare Source

This release adds automatic locked installs when a mise.lock is present, and fixes a long-standing cache-key collision that could poison tool installs when workflows migrate between runner providers.

Added

Automatic --locked install when mise.lock exists (#​495) by @​zeitlinger

When a repo contains mise.lock, the action now automatically passes --locked to mise install (on mise versions that support it). This removes the need to manually set install_args: --locked and prevents mise install from silently mutating the lockfile in CI. Explicit install_args and older mise versions are still respected.

Note: workflows with a stale lockfile may now fail earlier and more explicitly instead of silently updating mise.lock mid-run — this surfaces lockfile drift rather than hiding it.

Fixed

• Cache key collisions across runner providers (#​456) — the default cache key now includes the runner image (e.g. macos15, ubuntu24 for GitHub-hosted runners; self-hosted otherwise). Previously, repos migrating between providers like github-hosted, namespace.so, BuildJet, and self-hosted runners with the same OS/arch could restore a peer provider's ~/.local/share/mise/installs/*, causing failures like does not have an executable named '…' or SIGILL crashes from binaries built against a different glibc/CPU featureset. Expect a one-time cache miss after upgrading; thereafter the cache stays scoped per image.
• mise-shim.exe missing on Windows (#​476) by @​risu729 — the action now installs mise-shim.exe alongside mise.exe and repairs restored caches that lack the shim. Fixes #​475.

Changed

• Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM) (#​436). No user-facing behavior change.

Full Changelog: jdx/mise-action@v4.0.1...v4.1.0

openai/codex (npm:@​openai/codex)

v0.137.0

pnpm/pnpm (pnpm)

v11.5.2

Compare Source

Patch Changes

• Peer dependency resolution now reuses the peer contexts already recorded in the lockfile when those providers are still present in the dependency graph and still satisfy the peer ranges. This avoids unnecessary peer-context rewrites during lockfile regeneration. Current manifest choices remain authoritative: a newly added, explicitly updated, or aliased direct provider, a changed nested provider, or a locked version that no longer satisfies the range still takes precedence.

• The lockfile verifier now checks that a registry entry pinning an explicit tarball URL points at the artifact the registry's own metadata lists for that name@version. Previously a tampered lockfile could pair a trusted name@version with an attacker-chosen tarball URL (and a matching integrity for those bytes), so the install fetched the attacker's bytes. A mismatch — or any entry that can't be confirmed against the registry — is rejected with ERR_PNPM_TARBALL_URL_MISMATCH. Non-registry resolutions (file:, git-hosted, etc.) and registry entries without an explicit tarball URL (the URL is reconstructed from name+version+registry, so it is inherently bound) are unaffected; non-standard registry tarball URLs (npm Enterprise, GitHub Packages) still pass because they match the metadata.

• Fix pnpm update --recursive --lockfile-only <pkg>@&#8203;<version> crashing with Invalid Version when the catalog entry for <pkg> is a version range (e.g. ^21.2.10) and catalogMode is strict or prefer. The catalog–version comparison now skips the equality check when either side is a range rather than passing a range to semver.eq(), so range specifiers fall through to the existing mismatch handling instead of throwing #​11570.

• Avoided a Node.js crash when pnpm exits after network requests on Windows.

• Fixed packages being materialized into the virtual store without their root-level files (package.json, LICENSE, README, root entrypoints) when multiple pnpm install processes ran against the same store/workspace concurrently. The fast import path used to destructively empty the shared target directory, so a concurrent importer could wipe files another importer had already written; if the surviving files included the package.json completion marker, every later install treated the broken directory as complete and never repaired it. The fast path now imports directly only when it can create the target directory exclusively, and otherwise builds the package in a private temp directory and atomically renames it into place #​12197.

• Fix dependency build scripts not running under the global virtual store (enableGlobalVirtualStore).

  In a workspace install, dependency build scripts are deferred to a single rebuild pass (buildProjects). That pass resolved each package's location from the classic node_modules/.pnpm/<depPathToFilename> layout, which does not exist under the global virtual store — so native dependencies (e.g. packages using node-gyp / prebuild-install) were never built and failed to load at runtime (Cannot find module .../build/Release/*.node).

  buildProjects now resolves the global-virtual-store projection directory (<storeDir>/links/<hash>, computed with the same graph hash the installer uses) when enableGlobalVirtualStore is set, and serializes concurrent builds of the same shared projection so parallel workspace projects don't race on the same directory.

• Don't promote a runtime: dependency (such as the Node.js version from devEngines.runtime or pnpm runtime set) into a catalog when catalogMode is strict or prefer. A runtime: dependency round-trips to devEngines.runtime, which only recognizes the runtime: protocol; cataloging it rewrote the manifest entry to catalog:, which broke that round-trip, stranded it in devDependencies, and left devEngines.runtime untouched.

• Skip lockfile minimumReleaseAge/trustPolicy verification for non-registry tarball protocols (for example file:), so local tarball dependencies are not incorrectly checked against npm registry metadata.

vercel/vercel (vercel)

v54.9.1

Compare Source

Patch Changes

• f5ab607: [evals] Shrink eval result uploads and fix run discovery

  The eval ingest transform (transform-agent-eval-to-canonical.js) now excludes raw transcripts (transcript-raw.jsonl) from the --upload-artifacts all path, roughly halving each ingest payload. The parsed transcript.json is still uploaded and still read for resolvedModels metadata.

  It also normalizes provider-prefixed model paths before upload. Models that resolve to provider/model (e.g. openai/gpt-5.5-pro) write results one directory deeper, pushing the timestamp past the experiment/model/timestamp shape the ingest endpoint discovers runs from, which previously failed with Could not discover any experiment/model/timestamp runs. The model is now collapsed to a single segment (openai-gpt-5.5-pro) so discovery succeeds.

• 2b31813: Fix vc build --standalone failing to zip Lambdas when run from a monorepo
  subdirectory. When dependencies are hoisted to the monorepo root (e.g. pnpm's
  node_modules/.pnpm/...), the recorded function file paths could escape the
  function root (../../node_modules/...), which later caused zipping to fail
  with invalid relative path: ../../node_modules/.... These paths are now
  re-anchored inside the function so the standalone output is self-contained.

• 252c6eb: [cli] Show claim in vercel integration resource --help

  The claim subcommand was missing from resourceSubcommand.subcommands, so vercel integration resource --help only listed connect, disconnect, remove, and create-threshold. The legacy vercel integration-resource --help and the dispatcher's runtime resolution both already included claim — this was purely a help/discoverability gap on the canonical nested path. Adds claimSubcommand to the subcommand list and updates the parent description accordingly.

• 0a170fd: [services] wire experimentalServicesV2 into fs-detectors.

• Updated dependencies [aeb5bfa]

• Updated dependencies [0a170fd]

  • @​vercel/backends@​0.8.7
  • @​vercel/build-utils@​13.27.1
  • @​vercel/static-build@​2.9.37
  • @​vercel/elysia@​0.1.88
  • @​vercel/express@​0.1.98
  • @​vercel/fastify@​0.1.91
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.97
  • @​vercel/hono@​0.2.91
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.71
  • @​vercel/nestjs@​0.2.92
  • @​vercel/next@​4.17.5
  • @​vercel/node@​5.8.12
  • @​vercel/python@​6.44.0
  • @​vercel/redwood@​2.4.15
  • @​vercel/remix-builder@​5.8.6
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0

v54.9.0

Compare Source

Minor Changes

• fb4fb2d: Add support for claiming sandbox marketplace resources (Stripe, Shopify) from the CLI. integration list shows a new Claim column, integration-resource claim <name> opens the provider claim URL in the browser and polls until completion, and integration add offers to claim sandbox resources after provisioning with new --claim / --no-claim flags.

Patch Changes

• 338cc35: Add isPackageInstalled util for detecting dependencies during build.
  Fix Vercel Flags dependency detection for emitting datafiles during builds with OIDC tokens.
• Updated dependencies [338cc35]
  • @​vercel/build-utils@​13.27.0
  • @​vercel/backends@​0.8.6
  • @​vercel/elysia@​0.1.87
  • @​vercel/express@​0.1.97
  • @​vercel/fastify@​0.1.90
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.96
  • @​vercel/hono@​0.2.90
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.70
  • @​vercel/nestjs@​0.2.91
  • @​vercel/next@​4.17.5
  • @​vercel/node@​5.8.11
  • @​vercel/python@​6.44.0
  • @​vercel/redwood@​2.4.15
  • @​vercel/remix-builder@​5.8.6
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0
  • @​vercel/static-build@​2.9.36

v54.8.0

Compare Source

Minor Changes

• fddeb55: Add configurable credentials storage handling across the CLI auth stack. Storage of credentials can be configured by the new credStorage key in global config.json or the new VERCEL_TOKEN_STORAGE environment variable. The environment variable takes precedence over the configuration key. Accepted values are file (store credentials in auth.json), keyring (store credentials in system keyring, e.g macOS Keychain or Secrets Service on Linux), and auto (try storing in keyring if available, fall back to file if keyring is not available).

  @vercel/oidc supports keyring-stored authentication credentials by delegating the OIDC minting to the CLI executable via @vercel/cli-exec.

Patch Changes

• a869874: [connect] Rename user-facing "client" references to "connector"

  Updates the vercel connect CLI commands to use the official "connector" terminology in all user-facing surfaces: help text argument names (remove/attach/detach), usage strings in error messages, and the --format=json output key (clients → connectors) for vercel connect list.

• 200aa3b: [connect] Forward --scopes and --installation-id into the authorize/install recovery URL

  When vercel connect token hits an action-required error (user_authorization_required or client_installation_required), the CLI builds an authorize/install URL for the user to complete consent in the browser. Previously this URL carried only teamId and request_code, dropping the --scopes and --installation-id the user supplied. As a result the consent flow fell back to provider defaults (e.g. Slack's users.profile:read), and the post-authorization token retry mismatched the requested scopes. The CLI now forwards scopes (comma-joined) and installationId as query params, which the authorize and install endpoints already accept.

• 3019788: [services] Remove the services field from vercel.json and the VERCEL_USE_SERVICES gate.

• fe893ec: [services] Add experimentalServicesV2 field to vercel.json implementing the new schema for services.

• d22d812: [cli] Nest integration-resource under integration resource and add integration resource connect

  The marketplace resource subcommands (disconnect, remove, create-threshold) are now discoverable under vercel integration resource <sub>. The standalone vercel integration-resource and vc ir forms still work as hidden aliases — no scripts or tests break.

  Adds a new vercel integration resource connect <resource> [project] command (the inverse of disconnect). Accepts --environment (repeatable, defaults to all three), --prefix for env var namespacing, --yes, and --format=json. Defaults to the project linked in the current directory when <project> is omitted.

  Tightens disconnect to error (exit 1) when the specified project is not connected to the resource, instead of exiting 0 with a "not found" message.

  Both commands emit a structured outputAgentError payload with reason: confirmation_required and a next: [{command}] retry hint when run in non-interactive / agent mode without --yes. When connect fails because an env var with the same name already exists on the target project, the error names the conflicting variable and suggests --prefix or vercel env rm as remediation.

• Updated dependencies [3019788]

• Updated dependencies [fe893ec]

• Updated dependencies [fddeb55]

  • @​vercel/build-utils@​13.26.6
  • @​vercel/cli-auth@​0.3.0
  • @​vercel/cli-config@​0.2.0
  • @​vercel/backends@​0.8.5
  • @​vercel/elysia@​0.1.86
  • @​vercel/express@​0.1.96
  • @​vercel/fastify@​0.1.89
  • @​vercel/go@​3.8.0
  • @​vercel/h3@​0.1.95
  • @​vercel/hono@​0.2.89
  • @​vercel/hydrogen@​1.3.8
  • @​vercel/koa@​0.1.69
  • @​vercel/nestjs@​0.2.90
  • @​vercel/next@​4.17.5
  • @​vercel/node@​5.8.10
  • @​vercel/python@​6.44.0
  • @​vercel/redwood@​2.4.15
  • @​vercel/remix-builder@​5.8.6
  • @​vercel/ruby@​2.4.0
  • @​vercel/rust@​1.3.0
  • @​vercel/static-build@​2.9.35

cloudflare/workers-sdk (wrangler)

v4.98.0

Compare Source

Minor Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Add migrations_pattern to D1 database bindings

  The D1 binding now accepts an optional migrations_pattern field, allowing you to point wrangler d1 migrations apply and wrangler d1 migrations list at migration files in nested layouts (e.g. ORM-generated folders like migrations/0000_init/migration.sql).

  migrations_pattern is a glob (relative to the wrangler config file) and defaults to ${migrations_dir}/*.sql, which preserves today's behaviour. Files that do not match the pattern are not executed.

  {
    "d1_databases": [
      {
        "binding": "DB",
        "database_name": "my-db",
        "database_id": "...",
        "migrations_dir": "migrations",
        "migrations_pattern": "migrations/*/migration.sql"
      }
    ]
  }

  When no migrations match the configured pattern but files matching the common migrations/*/migration.sql (drizzle-style) layout do exist, Wrangler logs a hint suggesting migrations_pattern as an opt-in.

  wrangler d1 migrations create now returns an actionable error if the generated migration filename would not match the configured pattern.

• #​14153 7a6b1a4 Thanks @​dario-piotrowicz! - Generalize wrangler deploy and wrangler versions upload positional argument from [script] to [path]

  Both wrangler deploy and wrangler versions upload now accept a generic [path] positional argument that can point to either a Worker entry-point file or a directory of static assets. The type is auto-detected. For example:

  • File: wrangler deploy ./src/index.ts deploys a Worker (same as before)
  • Directory: wrangler deploy ./public deploys a static assets site (no interactive confirmation prompt)

  The --script named option is now hidden and deprecated for both commands. It continues to work for backwards compatibility but only accepts file paths. Passing a directory to --script now produces a clear error message suggesting the positional path argument or --assets flag instead.

• #​13863 3b8b80a Thanks @​aslakhellesoy! - getPlatformProxy() now passes through workflow bindings that have a script_name

  Workflows without a script_name are still stripped (and warned about) because the engine for an internal workflow can't run inside the empty proxy worker that backs getPlatformProxy(). Workflows with a script_name are handed to miniflare unchanged; miniflare reroutes the engine's USER_WORKFLOW binding through the dev-registry-proxy when the target worker is running in another Miniflare instance — the same mechanism Durable Objects already use.

  This means SvelteKit/Remix (and similar split-process setups) can call platform.env.MY_WORKFLOW.create({ ... }) directly from their server-side request handlers in dev, as long as the workflow class is exposed by another worker registered in the dev registry.

  Closes #​7459.

• #​14164 b502d54 Thanks @​G4brym! - Rename the web_search binding kind to websearch

  Pre-launch rename of the public binding type from web_search to websearch so the on-the-wire shape matches the product name (Web Search). The wrangler config key, the binding-type string sent to the Cloudflare API, and the miniflare option key all move from web_search / webSearch to websearch.

  Update your wrangler config:

  - "web_search": { "binding": "WEBSEARCH" }
  + "websearch": { "binding": "WEBSEARCH" }

  The runtime WebSearch type exposed on env.WEBSEARCH is unchanged.

Patch Changes

• #​14089 c6c61b5 Thanks @​alsuren! - Restore the D1 executeSql logger level via try/finally

  wrangler d1 execute --json and the internal executeSql helper temporarily lower the global logger to "error" to keep human-readable output out of the JSON payload. Previously the level was restored only on the happy path, so any early return or thrown error left the singleton logger muted, silencing later logger.warn/logger.log output (notably from migration helpers that wrap executeSql and are commonly mocked in tests).

  The level swap is now wrapped in try/finally so it is always restored.

• #​14175 a3eea27 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260601.1	1.20260603.1

• [#​14121](htt

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.