build(deps-dev): bump the actions-deps group across 1 directory with 2 updates

[dependabot]

Bumps the actions-deps group with 2 updates in the / directory: esbuild and wrangler.

Updates esbuild from 0.25.8 to 0.25.9

Release notes

Sourced from esbuild's releases.

v0.25.9

• Better support building projects that use Yarn on Windows (#3131, #3663)

  With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:

  1. Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive
  2. Some developers put their projects on the D: drive
  3. Yarn generates relative paths that use ../.. to get from the project directory to the cache directory
  4. Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)
  5. I didn't have access to a Windows machine for testing this edge case

  Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.

• Preserve parentheses around function expressions (#4252)

  The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

  Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:

  // Original code
  const fn0 = () => 0
  const fn1 = (() => 1)
  console.log(fn0, function() { return fn1() }())
  // Old output
  const fn0 = () => 0;
  const fn1 = () => 1;
  console.log(fn0, function() {
  return fn1();
  }());
  // New output
  const fn0 = () => 0;
  const fn1 = (() => 1);
  console.log(fn0, (function() {
  return fn1();
  })());

  Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.

• Update Go from 1.23.10 to 1.23.12 (#4257, #4258)

  This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.

Changelog

Sourced from esbuild's changelog.

0.25.9

• Better support building projects that use Yarn on Windows (#3131, #3663)

  With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:

  1. Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive
  2. Some developers put their projects on the D: drive
  3. Yarn generates relative paths that use ../.. to get from the project directory to the cache directory
  4. Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)
  5. I didn't have access to a Windows machine for testing this edge case

  Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.

• Preserve parentheses around function expressions (#4252)

  The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

  Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:

  // Original code
  const fn0 = () => 0
  const fn1 = (() => 1)
  console.log(fn0, function() { return fn1() }())
  // Old output
  const fn0 = () => 0;
  const fn1 = () => 1;
  console.log(fn0, function() {
  return fn1();
  }());
  // New output
  const fn0 = () => 0;
  const fn1 = (() => 1);
  console.log(fn0, (function() {
  return fn1();
  })());

  Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.

• Update Go from 1.23.10 to 1.23.12 (#4257, #4258)

  This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.

Commits

• 195e05c publish 0.25.9 to npm
• 3dac33f fix #3131, fix #3663: yarnpnp + windows + D drive
• 0f2c5c8 mock fs now supports multiple volumes on windows
• 100a51e split out yarnpnp snapshot tests
• 13aace3 remove C: assumption from windows snapshot tests
• f1f413f fix #4252: preserve parentheses around functions
• 1bc8091 fix #4257, close #4258: go 1.23.10 => 1.23.12
• bc52135 move the go compiler version to go.version
• a0af5d1 makefile: use ESBUILD_VERSION consistently
• See full diff in compare view

Updates wrangler from 4.28.1 to 4.29.0

Release notes

Sourced from wrangler's releases.

[email protected]

Minor Changes

• #10283 80960b9 Thanks @​WillTaylorDev! - Support long branch names in generation of branch aliases in WCI.

• #10312 bd8223d Thanks @​devin-ai-integration! - Added --domain flag to wrangler deploy command for deploying to custom domains. Use --domain example.com to deploy directly to a custom domain without manually configuring routes.

• #8318 8cf47f9 Thanks @​gnekich! - Introduce json output flag for wrangler pages deployment list

Patch Changes

• #10232 e7cae16 Thanks @​emily-shen! - fix: validate wrangler containers delete ID to ensure a valid ID has been provided. Previously if you provided the container name (or any non-ID shaped string) you would get an auth error instead of a 404.

• #10139 3b6ab8a Thanks @​dom96! - Removes mention of cf-requirements when Python Workers are enabled

• #10259 c58a05c Thanks @​dario-piotrowicz! - Ensure that maybeStartOrUpdateRemoteProxySession considers the potential account_id from the user's wrangler config

  Currently if the user has an account_id in their wrangler config file, such id won't be taken into consideration for the remote proxy session, the changes here make sure that it is (note that the auth option of maybeStartOrUpdateRemoteProxySession, if provided, takes precedence over this id value).

  The changes here also fix the same issue for wrangler dev and getPlatformProxy (since they use maybeStartOrUpdateRemoteProxySession under the hook).

• #10288 42aafa3 Thanks @​tgarg-cf! - Do not attempt to update queue producer settings when deploying a Worker with a queue binding

  Previously, each deployed Worker would update a subset of the queue producer's settings for each queue binding, which could result in broken queue producers or at least conflicts where different Workers tried to set different producer settings on a shared queue.

• #10242 70bd966 Thanks @​devin-ai-integration! - Add experimental API to expose Wrangler command tree structure for documentation generation

• #10258 d391076 Thanks @​nikitassharma! - Add the option to allow all tiers when creating a container

• #10248 422ae22 Thanks @​emily-shen! - fix: re-push container images on deploy even if the only change was to the Dockerfile

• #10179 5d5ecd5 Thanks @​pombosilva! - Prevent defining multiple workflows with the same "name" property in the same wrangler file

• #10232 e7cae16 Thanks @​emily-shen! - include containers API calls in output of WRANGLER_LOG=debug

• #10243 d481901 Thanks @​devin-ai-integration! - Remove async_hooks polyfill - now uses native workerd implementation

  The async_hooks module is now provided natively by workerd, making the polyfill unnecessary. This improves performance and ensures better compatibility with Node.js async_hooks APIs.

• #10060 9aad334 Thanks @​edmundhung! - refactor: switch getPlatformProxy() to use Miniflare's dev registry implementation

  Updated getPlatformProxy() to use Miniflare's dev registry instead of Wrangler's implementation. Previously, you had to start a wrangler or vite dev session before accessing the proxy bindings to connect to those workers. Now the order doesn't matter.

• #10219 28494f4 Thanks @​dario-piotrowicz! - fix NonRetryableError thrown with an empty error message not stopping workflow retries locally

• Updated dependencies [1479fd0, 05c5b28, e3d9703, d481901]:

  • [email protected]
  • @​cloudflare/unenv-preset@​2.6.1

Changelog

Sourced from wrangler's changelog.

4.29.0

Minor Changes

• #10283 80960b9 Thanks @​WillTaylorDev! - Support long branch names in generation of branch aliases in WCI.

• #10312 bd8223d Thanks @​devin-ai-integration! - Added --domain flag to wrangler deploy command for deploying to custom domains. Use --domain example.com to deploy directly to a custom domain without manually configuring routes.

• #8318 8cf47f9 Thanks @​gnekich! - Introduce json output flag for wrangler pages deployment list

Patch Changes

• #10232 e7cae16 Thanks @​emily-shen! - fix: validate wrangler containers delete ID to ensure a valid ID has been provided. Previously if you provided the container name (or any non-ID shaped string) you would get an auth error instead of a 404.

• #10139 3b6ab8a Thanks @​dom96! - Removes mention of cf-requirements when Python Workers are enabled

• #10259 c58a05c Thanks @​dario-piotrowicz! - Ensure that maybeStartOrUpdateRemoteProxySession considers the potential account_id from the user's wrangler config

  Currently if the user has an account_id in their wrangler config file, such id won't be taken into consideration for the remote proxy session, the changes here make sure that it is (note that the auth option of maybeStartOrUpdateRemoteProxySession, if provided, takes precedence over this id value).

  The changes here also fix the same issue for wrangler dev and getPlatformProxy (since they use maybeStartOrUpdateRemoteProxySession under the hook).

• #10288 42aafa3 Thanks @​tgarg-cf! - Do not attempt to update queue producer settings when deploying a Worker with a queue binding

  Previously, each deployed Worker would update a subset of the queue producer's settings for each queue binding, which could result in broken queue producers or at least conflicts where different Workers tried to set different producer settings on a shared queue.

• #10242 70bd966 Thanks @​devin-ai-integration! - Add experimental API to expose Wrangler command tree structure for documentation generation

• #10258 d391076 Thanks @​nikitassharma! - Add the option to allow all tiers when creating a container

• #10248 422ae22 Thanks @​emily-shen! - fix: re-push container images on deploy even if the only change was to the Dockerfile

• #10179 5d5ecd5 Thanks @​pombosilva! - Prevent defining multiple workflows with the same "name" property in the same wrangler file

• #10232 e7cae16 Thanks @​emily-shen! - include containers API calls in output of WRANGLER_LOG=debug

• #10243 d481901 Thanks @​devin-ai-integration! - Remove async_hooks polyfill - now uses native workerd implementation

  The async_hooks module is now provided natively by workerd, making the polyfill unnecessary. This improves performance and ensures better compatibility with Node.js async_hooks APIs.

• #10060 9aad334 Thanks @​edmundhung! - refactor: switch getPlatformProxy() to use Miniflare's dev registry implementation

  Updated getPlatformProxy() to use Miniflare's dev registry instead of Wrangler's implementation. Previously, you had to start a wrangler or vite dev session before accessing the proxy bindings to connect to those workers. Now the order doesn't matter.

• #10219 28494f4 Thanks @​dario-piotrowicz! - fix NonRetryableError thrown with an empty error message not stopping workflow retries locally

• Updated dependencies [1479fd0, 05c5b28, e3d9703, d481901]:

  • [email protected]
  • @​cloudflare/unenv-preset@​2.6.1

Commits

• 1b0b22b Version Packages (#10263)
• bd8223d feat: add --domain flag to deploy command for custom domains (#10312)
• 42aafa3 fix(wrangler) remove putQueue call when deploying a worker with queue produce...
• 9de2825 cleanup debugs and mocking (#10316)
• 70bd966 feat: add experimental API to expose Wrangler command tree structure (#10242)
• 422ae22 check for config (dockerfile) changes (#10248)
• 3b6ab8a Remove mention of cf-requirements when Python Worker is enabled (#10139)
• 8cf47f9 feat: ✨ introduce json output for cf pages deployment list (#8318)
• 026b485 test: reduce flakes on pages-dev e2e tests (#10280)
• 80960b9 feat(wrangler): support long branch names in preview alias generation (#10283)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.