fix(deps): bump the non-major-deps group across 3 directories with 13 updates

[dependabot]

Bumps the non-major-deps group with 3 updates in the /cloudflare/apelsin-api directory: hono, @types/node and wrangler.
Bumps the non-major-deps group with 10 updates in the /cloudflare/apelsin-fe directory:

Package	From	To
wrangler	4.80.0	4.83.0
@react-router/node	7.14.0	7.14.1
@react-router/serve	7.14.0	7.14.1
isbot	5.1.36	5.1.39
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-router	7.14.0	7.14.1
@cloudflare/vite-plugin	1.13.5	1.32.3
@react-router/dev	7.14.0	7.14.1
vite	8.0.3	8.0.9

Bumps the non-major-deps group with 2 updates in the /cloudflare/apelsin-media directory: wrangler and @cloudflare/workers-types.

Updates hono from 4.6.20 to 4.12.14

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

... (truncated)

Commits

• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• faa6c46 feat(cache): add onCacheNotAvailable option (#4876)
• f23e97b feat(trailing-slash): add skip option (#4862)
• 1aa32fb fix(types): infer response type from last handler in app.on 9- and 10-handler...
• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• Additional commits viewable in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

• See full diff in compare view

Updates wrangler from 4.80.0 to 4.83.0

Release notes

Sourced from wrangler's releases.

wrangler@4.83.0

Minor Changes

• #13391 60565dd Thanks @​mikenomitch! - Mark wrangler containers commands as stable

  This changes the status of the Containers CLI from open beta to stable. Wrangler no longer shows [open beta] labels or beta warning text for wrangler containers commands, so the help output matches the feature's current availability.

• #13311 6cbcdeb Thanks @​ryanking13! - JS files imported by the Python Workers runtime SDK are now handled as ESM modules.

  This is not a user-facing change, but Python Workers users should update their wrangler version to make sure to get Python workers SDK working properly.

Patch Changes

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13469 07a918c Thanks @​1000hz! - wrangler preview no longer warns on inheritable binding types being missing from previews config.

• #13463 90aee27 Thanks @​roerohan! - Remove unnecessary flagship:read OAuth scope

  The flagship:read scope is not needed since flagship:write already implies read access. This reduces the OAuth permissions requested during login to only what is required.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 89c7829]:

  • miniflare@4.20260415.0

wrangler@4.82.2

... (truncated)

Commits

• 4af4d54 Version Packages (#13461)
• 6cbcdeb Vendor JS files in python workers SDK as esm modules (#13311)
• eaaa728 Bump the workerd-and-workers-types group with 2 updates (#13475)
• 07a918c fix(wrangler): wrangler preview no longer warns about missing inheritable b...
• 60565dd Remove containers "beta" (#13391)
• aef9825 Bump the workerd-and-workers-types group with 2 updates (#13447)
• 051db1f Make all properties in previews optional (#13468)
• 5efac31 [wrangler] Add e2e test to validate default OAuth scopes (#13465)
• 7d81a83 Revert "[wrangler] fix: prevent remote binding sessions expiring during long ...
• 90aee27 [wrangler] remove unnecessary flagship:read OAuth scope (#13463)
• Additional commits viewable in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

• See full diff in compare view

Updates wrangler from 4.80.0 to 4.83.0

Release notes

Sourced from wrangler's releases.

wrangler@4.83.0

Minor Changes

• #13391 60565dd Thanks @​mikenomitch! - Mark wrangler containers commands as stable

  This changes the status of the Containers CLI from open beta to stable. Wrangler no longer shows [open beta] labels or beta warning text for wrangler containers commands, so the help output matches the feature's current availability.

• #13311 6cbcdeb Thanks @​ryanking13! - JS files imported by the Python Workers runtime SDK are now handled as ESM modules.

  This is not a user-facing change, but Python Workers users should update their wrangler version to make sure to get Python workers SDK working properly.

Patch Changes

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13469 07a918c Thanks @​1000hz! - wrangler preview no longer warns on inheritable binding types being missing from previews config.

• #13463 90aee27 Thanks @​roerohan! - Remove unnecessary flagship:read OAuth scope

  The flagship:read scope is not needed since flagship:write already implies read access. This reduces the OAuth permissions requested during login to only what is required.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 89c7829]:

  • miniflare@4.20260415.0

wrangler@4.82.2

... (truncated)

Commits

• 4af4d54 Version Packages (#13461)
• 6cbcdeb Vendor JS files in python workers SDK as esm modules (#13311)
• eaaa728 Bump the workerd-and-workers-types group with 2 updates (#13475)
• 07a918c fix(wrangler): wrangler preview no longer warns about missing inheritable b...
• 60565dd Remove containers "beta" (#13391)
• aef9825 Bump the workerd-and-workers-types group with 2 updates (#13447)
• 051db1f Make all properties in previews optional (#13468)
• 5efac31 [wrangler] Add e2e test to validate default OAuth scopes (#13465)
• 7d81a83 Revert "[wrangler] fix: prevent remote binding sessions expiring during long ...
• 90aee27 [wrangler] remove unnecessary flagship:read OAuth scope (#13463)
• Additional commits viewable in compare view

Updates wrangler from 4.80.0 to 4.83.0

Release notes

Sourced from wrangler's releases.

wrangler@4.83.0

Minor Changes

• #13391 60565dd Thanks @​mikenomitch! - Mark wrangler containers commands as stable

  This changes the status of the Containers CLI from open beta to stable. Wrangler no longer shows [open beta] labels or beta warning text for wrangler containers commands, so the help output matches the feature's current availability.

• #13311 6cbcdeb Thanks @​ryanking13! - JS files imported by the Python Workers runtime SDK are now handled as ESM modules.

  This is not a user-facing change, but Python Workers users should update their wrangler version to make sure to get Python workers SDK working properly.

Patch Changes

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13469 07a918c Thanks @​1000hz! - wrangler preview no longer warns on inheritable binding types being missing from previews config.

• #13463 90aee27 Thanks @​roerohan! - Remove unnecessary flagship:read OAuth scope

  The flagship:read scope is not needed since flagship:write already implies read access. This reduces the OAuth permissions requested during login to only what is required.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 89c7829]:

  • miniflare@4.20260415.0

wrangler@4.82.2

... (truncated)

Commits

• 4af4d54 Version Packages (#13461)
• 6cbcdeb Vendor JS files in python workers SDK as esm modules (#13311)
• eaaa728 Bump the workerd-and-workers-types group with 2 updates (#13475)
• 07a918c fix(wrangler): wrangler preview no longer warns about missing inheritable b...
• 60565dd Remove containers "beta" (#13391)
• aef9825 Bump the workerd-and-workers-types group with 2 updates (#13447)
• 051db1f Make all properties in previews optional (#13468)
• 5efac31 [wrangler] Add e2e test to validate default OAuth scopes (#13465)
• 7d81a83 Revert "[wrangler] fix: prevent remote binding sessions expiring during long ...
• 90aee27 [wrangler] remove unnecessary flagship:read OAuth scope (#13463)
• Additional commits viewable in compare view

Updates wrangler from 4.80.0 to 4.83.0

Release notes

Sourced from wrangler's releases.

wrangler@4.83.0

Minor Changes

• #13391 60565dd Thanks @​mikenomitch! - Mark wrangler containers commands as stable

  This changes the status of the Containers CLI from open beta to stable. Wrangler no longer shows [open beta] labels or beta warning text for wrangler containers commands, so the help output matches the feature's current availability.

• #13311 6cbcdeb Thanks @​ryanking13! - JS files imported by the Python Workers runtime SDK are now handled as ESM modules.

  This is not a user-facing change, but Python Workers users should update their wrangler version to make sure to get Python workers SDK working properly.

Patch Changes

• #13450 6f63eaa Thanks @​petebacondarwin! - Fix POST/PUT requests with non-2xx responses throwing "fetch failed"

  Previously, sending a POST or PUT request that received a non-2xx response (e.g. 401, 400, 403) would throw a TypeError: fetch failed error. This was caused by an undici bug where isTraversableNavigable() incorrectly returned true, causing the 401 credential-retry block to execute in Node.js and fail on stream-backed request bodies. This has been fixed upstream in undici v7.24.8, so we've bumped our dependency and removed the previous pnpm patch workaround.

• #13447 aef9825 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260410.1	1.20260413.1

• #13475 eaaa728 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260413.1	1.20260415.1

• #13386 5e5bbc1 Thanks @​mksglu! - Make startup network requests non-blocking on slow connections

  Wrangler makes network requests during startup (npm update check, request.cf data fetch) that previously blocked the CLI indefinitely on slow or degraded connections (airplane wifi, trains), causing 10+ second delays.

  • Update check: The banner now races the update check against a 100ms grace period. On a cache hit (most runs) the result resolves in <1ms via the I/O poll phase; on a cache miss the banner prints immediately without blocking. A 3s safety-net timeout caps the update-check library's auth-retry path.
  • request.cf fetch: The fetch to workers.cloudflare.com/cf.json now uses AbortSignal.timeout(3000), falling back to cached/default data on timeout.

• #13469 07a918c Thanks @​1000hz! - wrangler preview no longer warns on inheritable binding types being missing from previews config.

• #13463 90aee27 Thanks @​roerohan! - Remove unnecessary flagship:read OAuth scope

  The flagship:read scope is not needed since flagship:write already implies read access. This reduces the OAuth permissions requested during login to only what is required.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 89c7829]:

  • miniflare@4.20260415.0

wrangler@4.82.2

... (truncated)

Commits

• 4af4d54 Version Packages (#13461)
• 6cbcdeb Vendor JS files in python workers SDK as esm modules (#13311)
• eaaa728 Bump the workerd-and-workers-types group with 2 updates (#13475)
• 07a918c fix(wrangler): wrangler preview no longer warns about missing inheritable b...
• 60565dd Remove containers "beta" (#13391)
• aef9825 Bump the workerd-and-workers-types group with 2 updates (#13447)
• 051db1f Make all properties in previews optional (#13468)
• 5efac31 [wrangler] Add e2e test to validate default OAuth scopes (#13465)
• 7d81a83 Revert "[wrangler] fix: prevent remote binding sessions expiring during long ...
• 90aee27 [wrangler] remove unnecessary flagship:read OAuth scope (#13463)
• Additional commits viewable in compare view

Updates @react-router/node from 7.14.0 to 7.14.1

Release notes

Sourced from @​react-router/node's releases.

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

Changelog

Sourced from @​react-router/node's changelog.

v7.14.1

Patch Changes

• Add TypeScript 6 support to peer dependency ranges
• Updated dependencies:
  • react-router@7.14.1

Commits

• 197674b Release 7.14.1 (#14973)
• 05f80c8 Migrate changesets files to .changes files
• a87774f Add new release process (#14916)
• 5ac7a72 Add Typescript 6 range to peer dependencies (#14935)
• 80c67a9 chore: format
• See full diff in compare view

Updates @react-router/serve from 7.14.0 to 7.14.1

Release notes

Sourced from @​react-router/serve's releases.

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

Changelog

Sourced from @​react-router/serve's changelog.

v7.14.1

Patch Changes

• Updated dependencies:
  • react-router@7.14.1
  • @react-router/express@7.14.1
  • @react-router/node@7.14.1

Commits

• 197674b Release 7.14.1 (#14973)
• a87774f Add new release process (#14916)
• 80c67a9 chore: format
• See full diff in compare view

Updates isbot from 5.1.36 to 5.1.39

Changelog

Sourced from isbot's changelog.

5.1.39

• Pattern updates

5.1.38

• Pattern updates

5.1.37

• Better checking for non empty strings in the interface functions
• [Internal] Build with tsup

Commits

• 860045c pattern updates
• 800ae1e Pattern updates
• 819c051 [admin] Use codeQL native integration instead
• 0c7ed9a New build system. Better type checking (#303)
• See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-router from 7.14.0 to 7.14.1

Release notes

Sourced from react-router's releases.

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

Changelog

Sourced from react-router's changelog.

v7.14.1

Patch Changes

• Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
• Normalize double-slashes in redirect paths

Commits

• 197674b Release 7.14.1 (#14973)
• 583fcce Merge branch 'main' into release
• 05f80c8 Migrate changesets files to .changes files
• a87774f Add new release process (#14916)
• f6d1268 Add new release process (#14916)
• 4547c80 Fix rendering/router.subscribe race condition during hydration (#14497)
• f7a0130 Consolidate slash handling (#14962)
• b768d62 Update redirect docs with note on validation
• 80c67a9 chore: format
• 201cd41 chore: format
• See full diff in compare view

Updates @cloudflare/vite-plugin from 1.13.5 to 1.32.3

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.32.3

Patch Changes

• #13427 c4deb1d Thanks @​edmundhung! - Harden file serving for Vite dev

  The Vite plugin now includes Wrangler config files, Vite config files, and .wrangler state files in server.fs.deny so they cannot be fetched directly from the Vite dev server.

• Updated dependencies [854d66c, 6f63eaa, aef9825, eaaa728, 58292f6, 5e5bbc1, d5ff5a4, 07a918c, 89c7829, 60565dd, 6cbcdeb, 90aee27]:

  • miniflare@4.20260415.0
  • wrangler@4.83.0

@​cloudflare/vite-plugin@​1.32.2

Patch Changes

• Updated dependencies [9b2b6ba]:
  • wrangler@4.82.2

@​cloudflare/vite-plugin@​1.32.1

Patch Changes

• Updated dependencies [6b11b07, dd4e888]:
  • wrangler@4.82.1

@​cloudflare/vite-plugin@​1.32.0

Minor Changes

• #13137 1313275 Thanks @​emily-shen! - Add e hotkey to open local explorer during dev

  Press e during vite dev to open the local explorer UI at /cdn-cgi/explorer, which allows you to inspect the state of your D1, R2, KV, DO and Workflow bindings.

Patch Changes

• Updated dependencies [5338bb6, 79fd529, 28bc2be, 4fd138b, bafb96b, c50cb5b, 2589395, 525a46b, 5eff8c1, 1313275]:
  • wrangler@4.82.0
  • miniflare@4.20260410.0

@​cloudflare/vite-plugin@​1.31.2

Patch Changes

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8, 7ca6f6e]:
  • miniflare@4.20260409.0
  • wrangler@4.81.1

@​cloudflare/vite-plugin@​1.31.1

Patch Changes

Description has been truncated