chore(deps): update docs - minor revisions

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@next/third-parties (source)	16.2.0 → 16.2.1
@opennextjs/cloudflare (source)	1.17.1 → 1.18.0
eslint-config-next (source)	16.1.6 → 16.2.1
fumadocs-core (source)	16.6.17 → 16.7.7
fumadocs-mdx (source)	14.2.10 → 14.2.11
fumadocs-ui (source)	16.6.17 → 16.7.7
next (source)	16.1.7 → 16.2.1
react-resizable-panels (source)	4.7.3 → 4.8.0
wrangler (source)	4.75.0 → 4.78.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

vercel/next.js (@​next/third-parties)

v16.2.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#​91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#​91698)
• Fix adapter outputs for dynamic metadata routes (#​91680)
• Turbopack: fix webpack loader runner layer (#​91727)
• Fix server actions in standalone mode with cacheComponents (#​91711)
• turbo-persistence: remove Unmergeable mmap advice (#​91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#​91701)
• Turbopack: lazy require metadata and handle TLA (#​91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#​91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

opennextjs/opennextjs-cloudflare (@​opennextjs/cloudflare)

v1.18.0

Compare Source

Minor Changes

• #​1159 75f5f0a Thanks @​edmundhung! - Use remote dev for R2 cache population

  Using remote dev is not subject to the Cloudflare API rate limit of 1,200 requests per 5 minutes that caused failures for large applications with thousands of prerendered pages.

v1.17.3

Compare Source

Patch Changes

• #​1160 161e726 Thanks @​matthewvolk! - fix(patches): include prefetch-hints.json in loadManifest build-time inlining

  Next.js 16.2.0 introduced prefetch-hints.json as a new server manifest loaded unconditionally
  by NextNodeServer.getPrefetchHints(). The file exists in the build output but wasn't matched by
  the glob pattern *-manifest.json, causing the patched loadManifest() to throw at runtime.

v1.17.2

Compare Source

Patch Changes

• #​1151 a143282 Thanks @​nathanschram! - fix: handle known optional manifests gracefully in loadManifest/evalManifest patches

  Next.js loads certain manifests with handleMissing: true (returning {} when the file doesn't
  exist). The adapter's build-time glob scan doesn't find these files when they're conditionally
  generated, so the patched function threw at runtime, crashing dynamic routes with 500.

  Instead of a blanket catch-all, handle only the specific optional manifests from Next.js
  route-module.ts:

  • react-loadable-manifest (Turbopack per-route, not all routes have dynamic imports)
  • subresource-integrity-manifest (only when experimental.sri configured)
  • server-reference-manifest (App Router only)
  • dynamic-css-manifest (Pages Router + Webpack only)
  • fallback-build-manifest (only for /_error page)
  • prefetch-hints (new in Next.js 16.2)
  • _client-reference-manifest.js (optional for static metadata routes, evalManifest)

  Manifest matching strips .json before comparison since some Next.js constants omit
  the extension (SUBRESOURCE_INTEGRITY_MANIFEST, DYNAMIC_CSS_MANIFEST, etc.).

  Unknown manifests still throw to surface genuine errors.

  Fixes #​1141.

fuma-nama/fumadocs (fumadocs-core)

v16.7.7

Compare Source

Patch Changes

• 9eb3c84: fix TOC line offset
• 0f39a9f: Improve TOC rendering for steps
• Updated dependencies [0a6507b]
  • fumadocs-core@​16.7.7

v16.7.6

Compare Source

Patch Changes

• 6849807: Fix shiki.css padding
  • fumadocs-core@​16.7.6

v16.7.5

Compare Source

Patch Changes

• 55479b3: Improve TOC detection logic
• f9e6367: auto-close TOC popover
• Updated dependencies [55479b3]
  • fumadocs-core@​16.7.5

v16.7.4

Compare Source

Patch Changes

• 57c83a5: fix toc
  • fumadocs-core@​16.7.4

v16.7.3

Compare Source

Patch Changes

• fumadocs-core@​16.7.3

v16.7.2

Compare Source

Patch Changes

• 652c725: Simplify internal types
  • fumadocs-core@​16.7.2

v16.7.1

Compare Source

Patch Changes

• 11b8691: hotfix
• 75b0b94: Refactor TOC slot
  • fumadocs-core@​16.7.1

v16.7.0

Compare Source

Minor Changes

• 8bdee70: Implement renderer API for replacing layout components, deprecate old options
• bdffeba: Improved defineI18nUI() usage: allow language translations to be defined at root config.
• f45d703: stablize Shiki factory API

Patch Changes

• 3d17757: Improve <GithubInfo /> component
• Updated dependencies [f45d703]
• Updated dependencies [45aa454]
  • fumadocs-core@​16.7.0

vercel/next.js (next)

v16.2.1

Compare Source

v16.2.0

Compare Source

bvaughn/react-resizable-panels (react-resizable-panels)

v4.8.0

Compare Source

• 699: useDefaultLayout hook automatically migrates legacy layouts to version 4 format; see issue 605 for details on how this works.

v4.7.6

Compare Source

• 698: Replace Panel aria-disabled attribute with data-disabled

v4.7.5

Compare Source

• 696: Improved server rendering support for defaultSize prop

v4.7.4

Compare Source

• 689: Fix edge case bug with pointer event capture

cloudflare/workers-sdk (wrangler)

v4.78.0

Compare Source

Minor Changes

• #​13031 eeaa473 Thanks @​WalshyDev! - Add support for Cloudflare Access Service Token authentication via environment variables

  When running wrangler dev with remote bindings behind a Cloudflare Access-protected domain, Wrangler previously required cloudflared access login which opens a browser for interactive authentication. This does not work in CI/CD environments.

  You can now set the CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET environment variables to authenticate using an Access Service Token instead:

  export CLOUDFLARE_ACCESS_CLIENT_ID="<your-client-id>.access"
  export CLOUDFLARE_ACCESS_CLIENT_SECRET="<your-client-secret>"
  wrangler dev

  Additionally, when running in a non-interactive environment (CI) without these credentials, Wrangler now throws a clear, actionable error instead of hanging on cloudflared access login.

• #​13027 9fcdfca Thanks @​G4brym! - feat: Add ai_search_namespaces and ai_search binding types

  Two new binding types for AI Search:

  • ai_search_namespaces: Namespace binding — namespace is required and auto-provisioned at deploy time if it doesn't exist (like R2 buckets)
  • ai_search: Single instance binding bound directly to a pre-existing instance in the default namespace

  Both are remote-only in local dev.

• #​12874 53ed15a Thanks @​xortive! - Add Workers VPC service support for Hyperdrive origins

  Hyperdrive configs can now connect to databases through Workers VPC services using the --service-id option:

  wrangler hyperdrive create my-config --service-id <vpc-service-uuid> --database mydb --user myuser --password mypassword

  This enables Hyperdrive to connect to databases hosted in private networks that are accessible through Workers VPC TCP services.

• #​12852 6b50bfa Thanks @​Carolx715! - Add interactive data catalog validation to R2 object and lifecycle commands.

  When performing R2 operations that could affect data catalog state (object put, object delete, lifecycle add, lifecycle set), Wrangler now validates with the API and prompts users for confirmation if a conflict is detected. For bulk put operations, Wrangler prompts upfront before starting the batch. Users can bypass prompts with --force (-y). In non-interactive/CI environments, the operation proceeds automatically.

• #​13030 0386553 Thanks @​natewong1313! - Add local mode support for Stream bindings

  Miniflare and wrangler dev now support using Cloudflare Stream bindings locally.

  Supported operations:

  • upload() — upload video via URL
  • video(id).details(), .update(), .delete(), .generateToken()
  • videos.list()
  • captions.generate(), .list(), .delete()
  • downloads.generate(), .get(), .delete()
  • watermarks.generate(), .list(), .get(), .delete()

  The following are not yet supported in local mode and will throw:

  • createDirectUpload()
  • Caption upload via File
  • Watermark generation via File

  Data is persisted across restarts by default. You must set streamPersist: false in Miniflare options to disable persistence.

• #​12874 53ed15a Thanks @​xortive! - Add --cert-verification-mode option to wrangler vpc service create and wrangler vpc service update

  You can now configure the TLS certificate verification mode when creating or updating a VPC connectivity service. This controls how the connection to the origin server verifies TLS certificates.

  Available modes:

  • verify_full (default) -- verify certificate chain and hostname
  • verify_ca -- verify certificate chain only, skip hostname check
  • disabled -- do not verify the server certificate at all

  wrangler vpc service create my-service --type tcp --tcp-port 5432 --ipv4 10.0.0.1 --tunnel-id <tunnel-uuid> --cert-verification-mode verify_ca

  This applies to both TCP and HTTP VPC service types. When omitted, the default verify_full behavior is used.

• #​12874 53ed15a Thanks @​xortive! - Add TCP service type support for Workers VPC

  You can now create TCP services in Workers VPC using the --type tcp option:

  wrangler vpc service create my-db --type tcp --tcp-port 5432 --ipv4 10.0.0.1 --tunnel-id <tunnel-uuid>

  This enables exposing TCP-based services like PostgreSQL, MySQL, and other database servers through Workers VPC.

Patch Changes

• #​13039 bc24ec8 Thanks @​petebacondarwin! - fix: Angular auto-config now correctly handles projects without SSR configured

  Previously, running wrangler deploy (or wrangler setup) on a plain Angular SPA (created with ng new without --ssr) would crash with Cannot set properties of undefined (setting 'experimentalPlatform'), because the auto-config code unconditionally assumed SSR was configured.

  Angular projects without SSR are now treated as assets-only deployments: no wrangler.jsonc main entry is generated, angular.json is not modified, no src/server.ts is created, and no extra dependencies are installed.

• #​13036 0b4c21a Thanks @​pbrowne011! - Fix wrangler deploy --dry-run skipping asset build-artifact validation checks

  Previously, --dry-run skipped the entire asset sync step, which meant it also skipped validation that runs during asset manifest building. This included the check that errors when a _worker.js file or directory would be uploaded as a public static asset (which can expose private server-side code), as well as the per-file size limit check.

  With this fix, --dry-run now runs buildAssetManifest against the asset directory when assets are configured, performing the same file-system validation as a real deploy without uploading anything or making any API calls.

• #​13061 535582d Thanks @​petebacondarwin! - fix: resolve secondary worker types when environment overrides the worker name in multi-worker type generation

  When running wrangler types with multiple -c config flags and the secondary worker has named environments that override the worker name (e.g. a worker named do-worker with env staging whose effective name becomes do-worker-staging), service bindings and Durable Object bindings in the primary worker that reference do-worker-staging now correctly resolve to the typed entry point instead of falling back to an unresolved comment type such as DurableObjectNamespace /* MyClass from do-worker-staging */.

  The fix extends the secondary entries map to also register environment-specific worker names, so that lookups by the env-qualified name (e.g. do-worker-staging) resolve to the same source file as the base worker name.

• #​13058 992f9a3 Thanks @​petebacondarwin! - fix: patch undici to prevent fetch() throwing on 401 responses with a request body

  Fetching with a request body (string, JSON, FormData, etc.) to an endpoint that returns a 401 would throw TypeError: fetch failed with cause expected non-null body source. This affected Unstable_DevWorker.fetch() and any other use of undici's fetch in wrangler.

  The root cause is isTraversableNavigable() in undici returning true unconditionally, causing the 401 credential-retry logic to run in Node.js where it should never apply (there is no browser UI to prompt for credentials). This is tracked upstream in nodejs/undici#4910. Until an upstream fix is released, we apply a patch to undici that returns false from isTraversableNavigable().

• #​13017 91b7f73 Thanks @​petebacondarwin! - fix: prevent Docker container builds from spawning console windows on Windows

  On Windows, detached: true in child_process.spawn() gives each child process its own visible console window, causing many windows to flash open during wrangler deploy with [[containers]]. The detached option is now only set on non-Windows platforms (where it is needed for process group cleanup), and windowsHide: true is added to further suppress console windows on Windows.

• #​12996 f6cdab2 Thanks @​guybedford! - Fix source phase imports in bundled and non-bundled Workers

  Wrangler now preserves import source syntax when it runs esbuild, including module format detection and bundled deploy output. This fixes both --no-bundle and bundled deployments for Workers that import WebAssembly using source phase imports.

• #​12931 ce65246 Thanks @​dario-piotrowicz! - Improve error message when modules cannot be resolved during bundling

  When a module cannot be resolved during bundling, Wrangler now suggests using the alias configuration option to substitute it with an alternative implementation. This replaces esbuild's default suggestion to "mark the path as external", which is not a supported option in Wrangler.

  For example, if you try to import a module that doesn't exist:

  import foo from "some-missing-module";

  Wrangler will now suggest:

  To fix this, you can add an entry to "alias" in your Wrangler configuration
  to substitute "some-missing-module" with an alternative implementation.
  See https://developers.cloudflare.com/workers/wrangler/configuration/#bundling-issues
  

  This provides actionable guidance for resolving import errors.

• #​13049 7a5be20 Thanks @​nikitassharma! - add library-push flag to containers registries credentials

  This flag is not available for public use.

• #​13018 9c5ebf5 Thanks @​tgarg-cf! - Validate that queue consumers in wrangler config only use the "worker" type

  Previously, non-worker consumer types (e.g. http_pull) could be specified in the queues.consumers config. Now, wrangler will error if a consumer type other than "worker" is specified in the config file.

  To configure non-worker consumer types, use the wrangler queues consumer CLI commands instead (e.g. wrangler queues consumer http-pull add).

• Updated dependencies [9fcdfca, 1faff35, f4ea4ac, 0386553]:

  • miniflare@​4.20260317.3

v4.77.0

Compare Source

Minor Changes

• #​13023 593c4db Thanks @​jamesopstad! - Add wrangler versions upload support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler versions upload now validates that all secrets declared in secrets.required are configured on the Worker before the upload succeeds. If any required secrets are missing, the upload fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

• #​12732 c2e9163 Thanks @​jamesopstad! - Add deploy support for the experimental secrets configuration property

  When the new secrets property is defined, wrangler deploy now validates that all secrets declared in secrets.required are configured on the Worker before the deploy succeeds. If any required secrets are missing, the deploy fails with a clear error listing which secrets need to be set.

  When secrets is not defined, the existing behavior is unchanged.

  // wrangler.jsonc
  {
    "secrets": {
      "required": ["API_KEY", "DB_PASSWORD"]
    }
  }

Patch Changes

• #​12896 451dae3 Thanks @​petebacondarwin! - fix: Add retry and timeout protection to remote preview API calls

  Remote preview sessions (wrangler dev --remote) now automatically retry transient 5xx API errors (up to 3 attempts with linear backoff) and enforce a 30-second per-request timeout. Previously, a single hung or failed API response during session creation or worker upload could block the dev session reload indefinitely.

• #​12569 379f2a2 Thanks @​MattieTK! - Use qwik add cloudflare-workers instead of qwik add cloudflare-pages for Workers targets

  Both the wrangler autoconfig and C3 Workers template for Qwik were running qwik add cloudflare-pages even when targeting Cloudflare Workers. This caused the wrong adapter directory structure to be scaffolded (adapters/cloudflare-pages/ instead of adapters/cloudflare-workers/), and required post-hoc cleanup of Pages-specific files like _routes.json.

  Qwik now provides a dedicated cloudflare-workers adapter that generates the correct Workers configuration, including wrangler.jsonc with main and assets fields, a public/.assetsignore file, and the correct adapters/cloudflare-workers/vite.config.ts.

  Also adds --skipConfirmation=true to all qwik add invocations so the interactive prompt is skipped in automated contexts.

• #​11899 9a1cf29 Thanks @​hoodmane! - Remove cf-requirements support for Python workers. It hasn't worked with the runtime for a while now.

• #​11800 875da60 Thanks @​southpolesteve! - Add upgrade hint to unexpected configuration field warnings when an update is available

  When Wrangler encounters unexpected fields in the configuration file and a newer version of Wrangler is available, it now displays a message suggesting to update. This helps users who may be using configuration options that were added in a newer version of Wrangler.

• Updated dependencies [b8f3309, 5aaaab2, 5aaaab2, f8516dd, 9c9fe30, 6a6449e]:

  • miniflare@​4.20260317.2

v4.76.0

Compare Source

Minor Changes

• #​12893 782df44 Thanks @​gpanders! - Rewrite wrangler containers list to use the paginated Dash API endpoint

  wrangler containers list now fetches from the /dash/applications endpoint instead of /applications, displaying results in a paginated table with columns for ID, Name, State, Live Instances, and Last Modified. Container state is derived from health instance counters (active, degraded, provisioning, ready).

  The command supports --per-page (default 25) for interactive pagination with Enter to load more and q/Esc to quit, and --json for machine-readable output. Non-interactive environments load all results in a single request.

• #​12957 62545c9 Thanks @​natewong1313! - Add Stream binding support to Wrangler and workers-utils

  Wrangler and workers-utils now recognize the stream binding in configuration, deployment metadata, and generated worker types. This enables projects to declare Stream bindings in wrangler.json and have the binding represented consistently across validation, metadata mapping, and type generation.

• #​12848 ce48b77 Thanks @​emily-shen! - Enable local explorer by default

  This ungates the local explorer, a UI that lets you inspect the state of D1, DO and KV resources locally by visiting /cdn-cgi/explorer during local development.

  Note: this feature is still experimental, and can be disabled by setting the env var X_LOCAL_EXPLORER=false.

Patch Changes

• #​12938 71ab981 Thanks @​dario-piotrowicz! - Add backward-compatible autoconfig support for Astro v5 and v4 projects

  The astro add cloudflare command in older Astro versions installs the latest adapter version, which causes compatibility issues. This change adds manual configuration logic for projects using Astro versions before 6.0.0:

  • Astro 6.0.0+: Uses the native astro add cloudflare command (unchanged behavior)
  • Astro 5.x: Installs @astrojs/cloudflare@12 and manually configures the adapter
  • Astro 4.x: Installs @astrojs/cloudflare@11 and manually configures the adapter
  • Astro < 4.0.0: Returns an error prompting the user to upgrade

• #​11892 7c3c6c6 Thanks @​staticpayload! - Handle registry ports when matching container image digests

  Wrangler now strips tags without breaking registry ports when comparing local images to remote digests. This prevents unnecessary pushes for tags like localhost:5000/app:tag.

• Updated dependencies [3c988e2, d028ffb, cb71403, 3a1c149, ce48b77, 8729f3d]:

  • miniflare@​4.20260317.1
  • @​cloudflare/unenv-preset@​2.16.0

---

Configuration

📅 Schedule: Branch creation - "on wednesday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[auto-maid]

Documentation Preview

Latest Commit SHA	e128ed7
Preview URL	https://b581dc11-forui-docs-dev.duobase.workers.dev/docs

You're seeing this because the docs/samples were updated.

[kawaijoe]

preview is throwing an error.

[kawaijoe]

Update of nextjs is blocked by: opennextjs/opennextjs-cloudflare#1157

Upgrading other smaller dependencies in a separate pr for the time being: #931