Bump wrangler from 4.101.0 to 4.102.0

[dependabot]

Bumps wrangler from 4.101.0 to 4.102.0.

Release notes

Sourced from wrangler's releases.

wrangler@4.102.0

Minor Changes

• #14340 f6e49dd Thanks @​emily-shen! - Add cf-wrangler build delegate support

  The experimental cf-wrangler delegate binary now accepts build and emits the Build Output API directory through Wrangler's new-config build path. This lets parent tools invoke Wrangler's build-output implementation with cf-wrangler build instead of shelling out through the public Wrangler CLI.

• #14324 36777db Thanks @​jamesopstad! - Add experimental --experimental-cf-build-output flag to wrangler build

  When used alongside --experimental-new-config, wrangler build now emits a self-contained Build Output API directory under .cloudflare/output/v0/ instead of delegating to wrangler deploy --dry-run.

Patch Changes

• #14347 673b09e Thanks @​jamesopstad! - Update undici from 7.24.8 to 7.28.0

• #14346 e930bd4 Thanks @​haidargit! - Bump ws from 8.20.1 to 8.21.0 to address GHSA-96hv-2xvq-fx4p

  GHSA-96hv-2xvq-fx4p / CVE-2026-48779 (high severity) reports a remote memory-exhaustion DoS in ws@<8.21.0: a peer sending a high volume of tiny fragments and data chunks over modest network traffic can crash a ws server or client via OOM. The fix shipped in ws@8.21.0 (commit 2b2abd45, released 2026-05-22), which also introduces the maxBufferedChunks and maxFragments options. This change bumps the workspace catalog entry so that miniflare, wrangler, and @cloudflare/vite-plugin all pick up the patched release.

• #14314 5c3bb11 Thanks @​harryzcy! - Bump esbuild to 0.28.1

  This update includes several bug fixes from esbuild versions 0.27.3 through 0.28.1. See the esbuild changelog for details.

• #14331 296ad65 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260616.1	1.20260617.1

• #14275 594544d Thanks @​alsuren! - Resolve auto-provisioned D1 bindings via the API in remote subcommands

  Remote D1 subcommands (d1 execute --remote, d1 export --remote, d1 info, d1 insights, d1 delete, d1 migrations apply --remote, d1 migrations list --remote, d1 time-travel) previously failed with:

  Found a database with name or binding DB but it is missing a database_id, which is needed for operations on remote resources.

  when the [[d1_databases]] config entry only had binding and database_name (the shape wrangler deploy writes for automatically-provisioned bindings). They now resolve the real database UUID via GET /accounts/:accountId/d1/database/:name?fields=uuid and proceed as if database_id had been set in config.

  If the config entry only has a binding (no database_name, no database_id), the lookup uses the same name wrangler deploy would create via auto provisioning (<worker name>-<binding-lowercased-with-dashes>).

  Non-404 API failures (auth, rate-limit, server errors) now propagate verbatim instead of being masked as "database not found".

• #14315 a79b899 Thanks @​matingathani! - Respect find_additional_modules = false when no_bundle is set

  When using no_bundle = true, wrangler was always scanning for and attaching additional modules even if find_additional_modules was explicitly set to false in the config. Additional modules are now only collected when find_additional_modules is not false, consistent with the bundled code path.

• #14269 5dfb788 Thanks @​mattjohnsonpint! - Support dev.plugin on typed services bindings

  Wrangler only honored dev.plugin on unsafe.bindings entries, so users authoring a service binding via services[] could not wire it to a local Miniflare plugin during wrangler dev — they had to fall back to unsafe.bindings and accept a "directly supported by wrangler" warning. Typed services bindings now accept the same dev: { plugin, options? } shape, route the binding through Miniflare's external-plugin pathway in wrangler dev, and strip the field at deploy time. Validation rejects malformed dev shapes.

... (truncated)

Commits

• dd7e101 Version Packages (#14327)
• 5dfb788 Support dev.plugin on typed services bindings (#14269)
• 296ad65 Bump the workerd-and-workers-types group across 1 directory with 2 updates (#...
• f6e49dd add build command to cf-wrangler (#14340)
• 36777db Wrangler support for experimental Build Output API (#14324)
• a79b899 [wrangler] fix: respect find_additional_modules when no_bundle is set (#14315)
• 5c3bb11 Bump esbuild to 0.28.1 (#14314)
• ca61558 [wrangler] Mention temporary preview accounts in whoami when unauthenticated ...
• 594544d D1 subcommands resolve auto-provisioned bindings via API (#14275)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)