Bump ws and wrangler

[dependabot]

Bumps ws to 8.20.1 and updates ancestor dependency wrangler. These dependencies need to be updated together.

Updates ws from 8.18.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

• Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

• Added the closeTimeout option (#2308).

Bug fixes

• Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• 3ee5349 [api] Convert the isServer and maxPayload parameters to options
• 91707b4 [doc] Add missing space
• 8b55319 [pkg] Update eslint to version 10.0.1
• Additional commits viewable in compare view

Updates wrangler from 4.90.0 to 4.94.0

Release notes

Sourced from wrangler's releases.

wrangler@4.94.0

Minor Changes

• #13897 52e9082 Thanks @​dario-piotrowicz! - Add automatic Cloudflare skills installation for AI coding agents

  Wrangler now detects AI coding agents and offers to install Cloudflare skill files from the cloudflare/skills GitHub repository. Users are prompted once interactively; subsequent runs skip the prompt. Use --install-skills to install without prompting.

• #13989 f598eac Thanks @​MattieTK! - Print a QR code alongside the tunnel URL when sharing via Cloudflare Tunnel

  When a tunnel is started (via wrangler dev --tunnel or the Vite plugin with tunnel: true), a scannable QR code is now printed to the terminal beneath the tunnel URL. This makes it easy to open the tunnel on a mobile device without manually copying the URL.

  The QR code uses Unicode block characters for a compact representation and is generated best-effort -- if generation fails for any reason, the tunnel URL is still displayed as before.

• #13467 3a1fbed Thanks @​deloreyj! - Add schedule property to Workflow bindings for cron-based triggering

  Note: This is a configuration-only change. Scheduled triggering of Workflow instances is not yet available — adding schedule to a Workflow binding will not result in scheduled invocations at this time. This change lays the groundwork for an upcoming feature.

  Workflow bindings in wrangler.json now accept an optional schedule field that configures one or more cron expressions to automatically trigger new workflow instances on a schedule.

  // wrangler.json
  {
    "workflows": [
      {
        "binding": "MY_WORKFLOW",
        "name": "my-workflow",
        "class_name": "MyWorkflow",
        "schedule": "0 9 * * 1"
      }
    ]
  }

  Multiple schedules can be provided as an array:

  {
    "workflows": [
      {
        "binding": "MY_WORKFLOW",
        "name": "my-workflow",
        "class_name": "MyWorkflow",
        "schedule": ["0 9 * * 1", "0 17 * * 5"]
      }
    ]
  }

  The schedule is sent to the Workflows control plane on wrangler deploy. Configuring schedule on a workflow binding that references an external script_name is an error — the schedule must be configured on the worker that defines the workflow.

... (truncated)

Commits

• b92f87c Version Packages (#13995)
• fc1f7b9 [wrangler] Fix Access Service Token authentication for service-auth-only apps...
• f598eac [wrangler][vite-plugin] Print QR code for tunnel URLs (#13989)
• 52e9082 Add automatic Cloudflare skills installation for AI coding agents (#13897)
• 0733688 build(deps): bump the workerd-and-workers-types group with 2 updates (#13993)
• 8c569c6 [wrangler] Include column names in D1 SQL export (#12277)
• 3a1fbed [wrangler] Add schedule property to Workflow bindings for cron-based triggeri...
• 90092c0 [vitest-pool-workers] Stop externalizing devDependencies from the published b...
• 5ee65d5 Version Packages (#13969)
• e04e180 [wrangler] Improve asset upload retry log message (#13990)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	wrangler@​4.90.0 ⏵ 4.94.0			+1

View full report