build(deps): bump undici, @cloudflare/vite-plugin and wrangler in /site

[dependabot]

Bumps undici to 7.24.4 and updates ancestor dependencies undici, @cloudflare/vite-plugin and wrangler. These dependencies need to be updated together.

Updates undici from 7.18.2 to 7.24.4

Release notes

Sourced from undici's releases.

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

... (truncated)

Commits

• 4991f3e Bumped v7.24.4
• ea3a06d fix(fetch): preserve path for credentialed URLs (#4892)
• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• f2e155b Bumped v7.24.2
• 4d2d1af remove maxDecompressedMessageSize (#4891)
• 3a05a4f fix fetch path logic (#4890)
• 23e3cd3 Bumped v7.24.1
• Additional commits viewable in compare view

Updates @cloudflare/vite-plugin from 1.21.1 to 1.30.2

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.30.2

Patch Changes

• #12953 80b093e Thanks @​jamesopstad! - Fix Cannot perform I/O on behalf of a different request errors for deferred dynamic imports

  Concurrent requests that loaded the same dynamic import were previously sharing the same promise to resolve it in a Worker context. We now ensure that all imports execute within a Durable Object's IoContext before the result is returned to the Worker.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@4.78.0
  • miniflare@4.20260317.3

@​cloudflare/vite-plugin@​1.30.1

Patch Changes

• #12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  export default {
  fetch() {
  return new Response(page, {
  headers: { "Content-Type": "text/html" },
  });
  },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

@​cloudflare/vite-plugin@​1.30.0

Minor Changes

• #12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

... (truncated)

Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.30.2

Patch Changes

• #12953 80b093e Thanks @​jamesopstad! - Fix Cannot perform I/O on behalf of a different request errors for deferred dynamic imports

  Concurrent requests that loaded the same dynamic import were previously sharing the same promise to resolve it in a Worker context. We now ensure that all imports execute within a Durable Object's IoContext before the result is returned to the Worker.

• Updated dependencies [eeaa473, 9fcdfca, bc24ec8, 1faff35, 0b4c21a, 535582d, 992f9a3, f4ea4ac, 91b7f73, f6cdab2, 53ed15a, ce65246, 7a5be20, 6b50bfa, 0386553, 9c5ebf5, 53ed15a, 53ed15a]:

  • wrangler@4.78.0
  • miniflare@4.20260317.3

1.30.1

Patch Changes

• #12851 86a40f0 Thanks @​jamesopstad! - Fix a bug that prevented using subpath imports for additional module types

  You can now use subpath imports for additional module types (.html, .txt, .sql, .bin, .wasm) by defining them in your package.json imports field:

  // package.json
  {
    "imports": {
      "#templates/page": "./src/templates/page.html"
    }
  }

  import page from "#templates/page";
  export default {
  fetch() {
  return new Response(page, {
  headers: { "Content-Type": "text/html" },
  });
  },
  } satisfies ExportedHandler;

• Updated dependencies [593c4db, b8f3309, 451dae3, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 379f2a2, c2e9163, 6a6449e, 9a1cf29, 875da60]:

  • wrangler@4.77.0
  • miniflare@4.20260317.2

1.30.0

Minor Changes

• #12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

... (truncated)

Commits

• 81b2b9b Version Packages (#13038)
• 9424385 Fix potential memory leak in module runner (#13087)
• 80b093e Fix "Cannot perform I/O on behalf of a different request" errors for deferred...
• a61451f Version Packages (#12980)
• 86a40f0 Fix subpath imports of additional module types (#12851)
• cf98836 Use Vite 8 and Vitest 4 everywhere (#12947)
• 451dae3 [wrangler] Attempts to reduce remote e2e test flakiness (#12896)
• 7d2661b Version Packages (#12945)
• 4f7fd79 Avoid splicing into the middleware stack for Vite versions other than v6 (#12...
• aa26784 Convert from ESLint to oxlint, Prettier to oxfmt (#12930)
• Additional commits viewable in compare view

Updates wrangler from 4.59.3 to 4.78.0

Release notes

Sourced from wrangler's releases.

wrangler@4.78.0

Minor Changes

• #13031 eeaa473 Thanks @​WalshyDev! - Add support for Cloudflare Access Service Token authentication via environment variables

  When running wrangler dev with remote bindings behind a Cloudflare Access-protected domain, Wrangler previously required cloudflared access login which opens a browser for interactive authentication. This does not work in CI/CD environments.

  You can now set the CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET environment variables to authenticate using an Access Service Token instead:

  export CLOUDFLARE_ACCESS_CLIENT_ID="<your-client-id>.access"
  export CLOUDFLARE_ACCESS_CLIENT_SECRET="<your-client-secret>"
  wrangler dev

  Additionally, when running in a non-interactive environment (CI) without these credentials, Wrangler now throws a clear, actionable error instead of hanging on cloudflared access login.

• #13027 9fcdfca Thanks @​G4brym! - feat: Add ai_search_namespaces and ai_search binding types

  Two new binding types for AI Search:

  • ai_search_namespaces: Namespace binding — namespace is required and auto-provisioned at deploy time if it doesn't exist (like R2 buckets)
  • ai_search: Single instance binding bound directly to a pre-existing instance in the default namespace

  Both are remote-only in local dev.

• #12874 53ed15a Thanks @​xortive! - Add Workers VPC service support for Hyperdrive origins

  Hyperdrive configs can now connect to databases through Workers VPC services using the --service-id option:

  wrangler hyperdrive create my-config --service-id <vpc-service-uuid> --database mydb --user myuser --password mypassword

  This enables Hyperdrive to connect to databases hosted in private networks that are accessible through Workers VPC TCP services.

• #12852 6b50bfa Thanks @​Carolx715! - Add interactive data catalog validation to R2 object and lifecycle commands.

  When performing R2 operations that could affect data catalog state (object put, object delete, lifecycle add, lifecycle set), Wrangler now validates with the API and prompts users for confirmation if a conflict is detected. For bulk put operations, Wrangler prompts upfront before starting the batch. Users can bypass prompts with --force (-y). In non-interactive/CI environments, the operation proceeds automatically.

• #13030 0386553 Thanks @​natewong1313! - Add local mode support for Stream bindings

  Miniflare and wrangler dev now support using Cloudflare Stream bindings locally.

  Supported operations:

  • upload() — upload video via URL
  • video(id).details(), .update(), .delete(), .generateToken()
  • videos.list()
  • captions.generate(), .list(), .delete()

... (truncated)

Commits

• 81b2b9b Version Packages (#13038)
• 9fcdfca feat: add ai_search_namespaces and ai_search binding types (#13027)
• 53ed15a Add support for WVPC TCP services, and using them as Hyperdrive origins (#12874)
• 9c5ebf5 [wrangler] Only allow "worker" queue consumer type in wrangler config (#13018)
• 535582d [wrangler] fix: resolve secondary worker types when environment overrides wor...
• 8c08b3f [wrangler] Fix R2 e2e snapshot for data catalog confirmation prompt (#13059)
• 25cb184 [wrangler] fix e2e flakiness: use waitForLong to verify response body after d...
• 6b50bfa [wrangler] add validation to actions that could affect r2 data catalog state ...
• 0386553 [Stream] Add Stream binding local mode (#13030)
• f6cdab2 [wrangler] Support source phase imports (#12996)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.