chore(deps): Bump the npm-deps group with 3 updates

[dependabot]

Bumps the npm-deps group with 3 updates: hono, @cloudflare/workers-types and wrangler.

Updates hono from 4.12.24 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

Commits

• fce483e 4.12.25
• 751ba41 Merge commit from fork
• f0b094d Merge commit from fork
• fa5f9bf Merge commit from fork
• 3892a6c Merge commit from fork
• 74c2cf8 test(aws-lambda): update integration tests (#5012)
• 7ae7cba Merge commit from fork
• 1b13848 chore(ci): bump codecov-action to v7.0.0 (#5011)
• See full diff in compare view

Updates @cloudflare/workers-types from 4.20260608.1 to 4.20260615.1

Commits

• See full diff in compare view

Updates wrangler from 4.98.0 to 4.100.0

Release notes

Sourced from wrangler's releases.

wrangler@4.100.0

Minor Changes

• #14119 2047a32 Thanks @​tahmid-23! - Serve local R2 bucket objects publicly via the dev server

  When running wrangler dev locally, objects in each local R2 binding are now reachable under /cdn-cgi/local/r2/public/<bucket-id>/<key> on the existing dev server, simulating a public bucket. The <bucket-id> is the bucket's bucket_name when set, otherwise its binding. Bindings configured with remote: true are not exposed.

• #14202 e8561c2 Thanks @​jamesopstad! - Add experimental --x-new-config flag for authoring config in TypeScript

  This is an experimental, opt-in feature. When enabled, wrangler dev, wrangler build, wrangler deploy, wrangler versions upload, and wrangler versions deploy load the Worker's configuration from a cloudflare.config.ts file instead of wrangler.json / wrangler.jsonc / wrangler.toml. Additionally, an optional wrangler.config.ts file can be provided for Wrangler-specific dev/build configuration.

  • cloudflare.config.ts (required) — Worker runtime configuration (bindings, triggers, observability, placement, limits, compatibility, routes, etc.). Authored via defineWorker from wrangler/experimental-config.
  • wrangler.config.ts (optional) — Tooling / bundling / dev-server configuration (noBundle, minify, alias, define, rules, tsconfig, build, dev, assetsDirectory, etc.). Authored via defineWranglerConfig from wrangler/experimental-config.

  Per-environment configuration is via ctx.mode branching inside the function form of either file.

  Example cloudflare.config.ts:

  import { defineWorker, bindings } from "wrangler/experimental-config";
  import * as entrypoint from "./src/index.ts" with { type: "cf-worker" };
  export default defineWorker((ctx) => ({
  name: "my-worker",
  entrypoint,
  compatibilityDate: "2026-05-18",
  env: {
  MY_KV: bindings.kv(),
  MY_TEXT: bindings.text(The mode is ${ctx.mode}),
  },
  }));

  Example wrangler.config.ts:

  import { defineWranglerConfig } from "wrangler/experimental-config";
  export default defineWranglerConfig({
  minify: true,
  assetsDirectory: "./public",
  });

  Because this is experimental, the flag, the config formats, and the wrangler/experimental-config exports may change in any release.

Patch Changes

• #14185 98c9afe Thanks @​penalosa! - Use the shared env-credential resolver from @cloudflare/workers-auth

... (truncated)

Commits

• 341bd13 Version Packages (#14237)
• e8561c2 Wrangler support for experimental new config (#14202)
• 4597f08 Bump the workerd-and-workers-types group with 2 updates (#14256)
• 2ae6099 move build earlier in deploy path (#14259)
• 25722ac Gate Network.enable on an attached DevTools client (#14243)
• 98c9afe [workers-auth] Make OAuth identity and token storage injectable for reuse by ...
• 10b5538 Improve authentication error messages with specific failure reasons (#14213)
• e305126 [wrangler] Add cf-wrangler delegate entrypoint; remove @​cloudflare/wrangler-b...
• 818c105 Improve R2 Sippy error messages (#14233)
• f3990b2 Bump the workerd-and-workers-types group with 2 updates (#14246)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions