cloudflare/workers-sdk wrangler@4.102.0

wrangler@4.102.0

Repository: cloudflare/workers-sdk

Tag: wrangler@4.102.0

Published: 2026-06-18T15:13:43Z

Prerelease: no

Release notes:

Minor Changes

• #14340 `f6e49dd` Thanks @emily-shen! - Add cf-wrangler build delegate support

The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

• #14324 `36777db` Thanks @jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

• #14347 `673b09e` Thanks @jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14346 `e930bd4` Thanks @haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in `ws@ Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (-).

Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

• #14315 `a79b899` Thanks @matingathani! - Respect find_additional_modules = false when no_bundle is set

When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

• #14269 `5dfb788` Thanks @mattjohnsonpint! - Support dev.plugin on typed services bindings

Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

• #14328 `ca61558` Thanks @edevil! - Mention temporary preview accounts in wrangler whoami output when unauthenticated

When you run wrangler whoami without being logged in, Wrangler now also tells you that you can deploy without logging in by running a command like wrangler deploy --temporary to use a temporary preview account.

• Updated dependencies [`673b09e`, `e930bd4`, `5c3bb11`, `296ad65`]:
• miniflare@4.20260617.0