Skip to content

chore(deps): bump wrangler to 4.110.0 to match workers-types v5#4102

Open
waynesun09 wants to merge 2 commits into
mainfrom
fix-wrangler-workers-types-peer
Open

chore(deps): bump wrangler to 4.110.0 to match workers-types v5#4102
waynesun09 wants to merge 2 commits into
mainfrom
fix-wrangler-workers-types-peer

Conversation

@waynesun09

Copy link
Copy Markdown
Member

Summary

The Deploy Site workflow's npm ci step has been failing since ~03:13 UTC today with an ERESOLVE peer dependency conflict. This fixes an internally inconsistent version pin in package.json left over from #4002.

Related Issue

None filed — root cause identified from the failing Deploy Site run.

Changes

  • package.json / package-lock.json: bump wrangler devDependency from ^4.36.0 to ^4.110.0.
  • .github/workflows/site-deploy.yml: bump the two wranglerVersion inputs and the two inline npx wrangler@ invocations in preCommands from 4.36.0 to 4.110.0, so the wrangler-action install step stays consistent with the npm-resolved version.

Root cause

#4002 bumped @cloudflare/workers-types from ^4.x to ^5.20260708.1 in package.json to satisfy the peer requirement of wrangler@4.110.0, which is pulled in transitively via @cloudflare/vitest-pool-workers@0.18.4. That PR did not also bump the direct wrangler devDependency, which stayed at ^4.36.0 — and wrangler@4.36.0's own peer dependency wants @cloudflare/workers-types@^4.x. This left the root project simultaneously requiring v4 and v5 of @cloudflare/workers-types, which npm ci correctly refuses to resolve. The conflict was latent until a new @cloudflare/workers-types 5.x patch published today and the floating ^5.20260708.1 range diverged from what was in the lockfile, turning it into a hard failure.

Note: the renovate/cloudflare-workers grouping rule added in #4007 doesn't cover this — #4002 was a manual/agent-assisted bump that didn't go through Renovate, so the two Cloudflare packages drifted apart in the same commit despite the grouping rule.

Testing

  • make lint passes (staged changes first)
  • npm ci succeeds cleanly (previously failed with ERESOLVE)
  • npx wrangler --version resolves to 4.110.0
  • Tests added/updated for new or modified logic — not applicable, dependency version bump only

Checklist

  • PR title follows Conventional Commits (correct type, ! for breaking changes)
  • Commits are signed off (DCO) — human and human-directed agent sessions only
  • I wrote this contribution myself and can explain all changes in it

The root package.json declares @cloudflare/workers-types@^5.20260708.1
(bumped in #4002 to satisfy the wrangler@4.110.0 peer requirement
pulled in transitively via @cloudflare/vitest-pool-workers), but the
direct wrangler devDependency was left at ^4.36.0, whose peer
dependency wants @cloudflare/workers-types@^4.x. npm's resolver
correctly refuses to install this combination, which broke `npm ci`
in the Deploy Site workflow once a new v5 workers-types patch
published and made the root's floating range diverge from the locked
resolution.

Bump wrangler to ^4.110.0 so its peer requirement matches the
already-pinned workers-types major version, and bump the matching
wranglerVersion pins (and inline `npx wrangler@` invocations) in
site-deploy.yml so the wrangler-action install step stays consistent.

Assisted-by: Claude
Signed-off-by: Wayne Sun <gsun@redhat.com>
@waynesun09 waynesun09 requested a review from a team as a code owner July 11, 2026 12:31
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 11, 2026

Copy link
Copy Markdown

🤖 Review · ⚠️ Cancelled · Started 12:32 PM UTC · Ended 12:37 PM UTC
Commit: 2941769 · View workflow run →

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Fix Cloudflare Wrangler peer-dep mismatch by bumping wrangler to 4.110.0

🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

Grey Divider

AI Description

• Bump project wrangler devDependency to align with workers-types v5 peer requirements.
• Update site deploy workflow to use wrangler 4.110.0 consistently in action + preCommands.
• Prevent npm ci ERESOLVE failures caused by conflicting Cloudflare peer dependency ranges.
Diagram

graph TD
  A[".github/workflows/site-deploy.yml"] --> B["wrangler-action"] --> C["wrangler@4.110.0"] --> D["@cloudflare/workers-types v5"]
  A --> E["npx wrangler@4.110.0"] --> C
  F["package.json"] --> C
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Downgrade workers-types back to v4
  • ➕ Avoids changing Wrangler version
  • ➕ Potentially lower risk if Wrangler 4.110.0 introduces behavior changes
  • ➖ Conflicts with transitive requirements (e.g., vitest pool / newer Wrangler peer deps)
  • ➖ Moves the project away from the already-adopted v5 types and likely reintroduces drift
2. Use npm overrides/resolutions to force a single compatible set
  • ➕ Can unblock installs without changing direct dependency declarations
  • ➕ Centralized control over transitive versions
  • ➖ More complex and less transparent than aligning the direct devDependency
  • ➖ Can mask real incompatibilities and surprise future upgrades
3. Pin workers-types to an exact patch version (avoid caret range drift)
  • ➕ Prevents sudden CI breakage when new patches publish
  • ➕ Improves reproducibility for fresh installs
  • ➖ Requires more frequent manual updates
  • ➖ Does not fix the underlying wrangler/workers-types major mismatch by itself

Recommendation: Aligning the direct wrangler devDependency with the already-required workers-types major version (and keeping the workflow pins consistent) is the simplest and most maintainable fix. It resolves npm's peer conflict at the root rather than relying on overrides, and reduces the risk of future CI drift by ensuring the action and npx invocations match the npm-resolved Wrangler version.

Files changed (2) +5 / -5

Other (2) +5 / -5
site-deploy.ymlAlign workflow Wrangler pins to 4.110.0 +4/-4

Align workflow Wrangler pins to 4.110.0

• Updates both wrangler-action inputs and the inline 'npx wrangler@...' preCommands to use 4.110.0. This keeps the workflow's installed Wrangler consistent with the repo's dependency resolution and avoids peer-dependency mismatches during CI deploys.

.github/workflows/site-deploy.yml

package.jsonBump wrangler devDependency to ^4.110.0 +1/-1

Bump wrangler devDependency to ^4.110.0

• Raises the direct 'wrangler' devDependency from ^4.36.0 to ^4.110.0 so its peer dependency expectations match '@cloudflare/workers-types' v5. This resolves the npm ERESOLVE failure caused by conflicting peer ranges.

package.json

@qodo-code-review

qodo-code-review Bot commented Jul 11, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 54 rules

Grey Divider


Remediation recommended

1. Duplicated Wrangler version pin ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The Deploy Site workflow pins Wrangler twice (wranglerVersion for wrangler-action and a separate
npx wrangler@... in preCommands), which is easy to let drift in future edits and adds an extra
npm download per deploy run. Centralizing on a single Wrangler invocation avoids version-skew
maintenance and reduces workflow work.
Code

.github/workflows/site-deploy.yml[R136-140]

+          wranglerVersion: "4.110.0"
          workingDirectory: cloudflare_site
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          preCommands: set -eu; secrets_file="$(mktemp)"; printf '%s\n' "GITHUB_APP_CLIENT_SECRET=${GITHUB_APP_CLIENT_SECRET}" "TURNSTILE_SECRET_KEY=${TURNSTILE_SECRET_KEY}" >"$secrets_file"; npx wrangler@4.36.0 versions secret bulk "$secrets_file" --message "Production secrets (workflow-run ${{ github.event.workflow_run.id }})"; rm -f "$secrets_file"
+          preCommands: set -eu; secrets_file="$(mktemp)"; printf '%s\n' "GITHUB_APP_CLIENT_SECRET=${GITHUB_APP_CLIENT_SECRET}" "TURNSTILE_SECRET_KEY=${TURNSTILE_SECRET_KEY}" >"$secrets_file"; npx wrangler@4.110.0 versions secret bulk "$secrets_file" --message "Production secrets (workflow-run ${{ github.event.workflow_run.id }})"; rm -f "$secrets_file"
Relevance

⭐⭐⭐ High

Team has accepted fixing version-skew/duplication for pinned tooling (e.g., shared pin to avoid
drift in #2535).

PR-#2535
PR-#2508

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow sets a Wrangler version for the action but also hard-codes the same version again in an
npx wrangler@... call inside preCommands, creating two separate pins to keep in sync.

.github/workflows/site-deploy.yml[131-141]
.github/workflows/site-deploy.yml[157-166]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow step sets `wranglerVersion`, but separately calls `npx wrangler@<version>` in `preCommands`. This duplicates the version pin and increases the chance of future drift (editing one but not the other), and it adds an extra npm download.

### Issue Context
`cloudflare/wrangler-action` already installs the specified Wrangler version via the `wranglerVersion` input.

### Fix Focus Areas
- .github/workflows/site-deploy.yml[131-173]

### Suggested change
Replace `npx wrangler@4.110.0 versions secret bulk ...` with `wrangler versions secret bulk ...` (reusing the version installed by the action), so the version is controlled only by `wranglerVersion`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

2. Docs reference old Wrangler ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The deployment troubleshooting doc still says the Deploy Site workflow pins Wrangler 4.36.0, but the
workflow now pins 4.110.0. This can mislead operators when debugging preview-alias or deploy
behavior.
Code

.github/workflows/site-deploy.yml[136]

+          wranglerVersion: "4.110.0"
Relevance

⭐⭐⭐ High

Docs drift fixes are commonly accepted (e.g., updating outdated labels/refs in docs in #1039 and
#242).

PR-#1039
PR-#242

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow pin was updated to 4.110.0, while the troubleshooting doc still explicitly claims it is
pinned to 4.36.0.

.github/workflows/site-deploy.yml[133-141]
docs/web-admin-deployment.md[81-84]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The documentation references the old pinned Wrangler version (4.36.0), but the workflow now pins 4.110.0.

### Issue Context
This is troubleshooting guidance for deployment behavior.

### Fix Focus Areas
- docs/web-admin-deployment.md[81-84]

### Suggested change
Update the referenced pinned version to 4.110.0 (or reword to avoid a hard-coded version, e.g., “the deploy workflow pins a Wrangler version; see `.github/workflows/site-deploy.yml`”).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread .github/workflows/site-deploy.yml Outdated
Comment thread .github/workflows/site-deploy.yml
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Review feedback on the wrangler bump: the preCommands ran
`npx wrangler@<version> versions secret bulk`, which pins the
version a second time separately from `wranglerVersion`. wrangler-
action already installs the pinned version and rewrites any
command starting with `wrangler` to `npx wrangler ...` (no version),
so dropping the inline version reuses the action-installed wrangler
and removes the duplicate pin that caused this class of drift.

Also update the deployment troubleshooting doc, which still stated
the workflow pins 4.36.0.

Assisted-by: Claude
Signed-off-by: Wayne Sun <gsun@redhat.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 11, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:38 PM UTC · Completed 12:50 PM UTC
Commit: 0f14ac0 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review

Findings

High

  • [protected-path] .github/workflows/site-deploy.yml — This file is under the .github/ protected path. No linked issue exists to formally authorize the change. While the PR description provides clear rationale (fixing ERESOLVE peer dependency conflict from chore(deps): bump @cloudflare/workers-types from v4 to v5 #4002), human approval is always required for protected-path changes, and a linked issue provides traceability.
    Remediation: File an issue documenting the CI breakage and link it to this PR, or obtain explicit human approval.

Low

  • [pattern-consistency] .github/workflows/site-deploy.yml:140 — The preCommands wrangler invocation changed from an explicit version pin (npx wrangler@4.36.0) to unpinned (wrangler). The wrangler-action's wranglerVersion input installs 4.110.0 into PATH, so bare wrangler resolves correctly at runtime. The prior pattern was more defensive against potential changes in the action's install behavior.
    Remediation: Consider using npx wrangler@4.110.0 in preCommands to maintain the explicit version pin pattern.

  • [stale-version-reference] docs/superpowers/specs/2026-04-09-site-cloudflare-pages-design.md:99 — The spec states "Wrangler: pinned 4.30.0 in workflow" but the workflow now pins 4.110.0. This staleness predates this PR (the workflow was at 4.36.0 before) but is widened by it.
    Remediation: Update to "pinned 4.110.0."

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
preCommands: set -eu; secrets_file="$(mktemp)"; printf '%s\n' "GITHUB_APP_CLIENT_SECRET=${GITHUB_APP_CLIENT_SECRET}" "TURNSTILE_SECRET_KEY=${TURNSTILE_SECRET_KEY}" >"$secrets_file"; npx wrangler@4.36.0 versions secret bulk "$secrets_file" --message "Production secrets (workflow-run ${{ github.event.workflow_run.id }})"; rm -f "$secrets_file"
preCommands: set -eu; secrets_file="$(mktemp)"; printf '%s\n' "GITHUB_APP_CLIENT_SECRET=${GITHUB_APP_CLIENT_SECRET}" "TURNSTILE_SECRET_KEY=${TURNSTILE_SECRET_KEY}" >"$secrets_file"; wrangler versions secret bulk "$secrets_file" --message "Production secrets (workflow-run ${{ github.event.workflow_run.id }})"; rm -f "$secrets_file"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] pattern-consistency

The preCommands wrangler invocation changed from an explicit version pin (npx wrangler@4.36.0) to unpinned (wrangler). The wrangler-action wranglerVersion input installs 4.110.0 into PATH, so bare wrangler resolves correctly at runtime. The prior pattern was more defensive against potential changes in the action install behavior.

Suggested fix: Consider using npx wrangler@4.110.0 in preCommands to maintain the explicit version pin pattern.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant