Skip to content

[wrangler] Add dependency metadata to worker uploads#14591

Open
dario-piotrowicz wants to merge 6 commits into
mainfrom
dario/DEVX-2621/upload-packages-instrumentation-data
Open

[wrangler] Add dependency metadata to worker uploads#14591
dario-piotrowicz wants to merge 6 commits into
mainfrom
dario/DEVX-2621/upload-packages-instrumentation-data

Conversation

@dario-piotrowicz

@dario-piotrowicz dario-piotrowicz commented Jul 7, 2026

Copy link
Copy Markdown
Member

Fixes https://jira.cfdata.org/browse/DEVX-2621

This PR updates Wrangler to collect limited information about the public npm packages a built project depends on (dependency's name, the version range declared in package.json, and the exact version installed) at deploy/version-upload time and includes it in the upload metadata.

This lets us understand what versions of what packages are being deployed to us, so that we can identify ways to better protect customers given the recent wave of supply-chain attacks in the JS ecosystem, and add appropriate WAF rules (eg. https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/)

Users can opt out of by setting dependencies_instrumentation to false in their Wrangler config file.


A picture of a cute animal (not mandatory, but encouraged)


Open in Devin Review

@changeset-bot

changeset-bot Bot commented Jul 7, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 7ea3c18

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages
Name Type
@cloudflare/deploy-helpers Minor
@cloudflare/workers-utils Minor
wrangler Minor
@cloudflare/autoconfig Patch
@cloudflare/cli-shared-helpers Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch
@cloudflare/workers-auth Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-project-automation github-project-automation Bot moved this to Untriaged in workers-sdk Jul 7, 2026
@workers-devprod workers-devprod requested review from a team and jamesopstad and removed request for a team July 7, 2026 18:17
@workers-devprod

workers-devprod commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
Show detailed file reviewers
  • .changeset/move-package-dependencies-to-deploy-helpers.md: [@cloudflare/wrangler]
  • .changeset/move-package-resolution-to-workers-utils.md: [@cloudflare/wrangler]
  • .changeset/package-dependencies-instrumentation.md: [@cloudflare/wrangler]
  • packages/autoconfig/src/frameworks/utils/packages.ts: [@cloudflare/wrangler]
  • packages/autoconfig/src/index.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/src/deploy/deploy.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/src/deploy/helpers/create-worker-upload-form.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/src/deploy/helpers/package-dependencies.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/src/deploy/versions-upload.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/src/index.ts: [@cloudflare/wrangler]
  • packages/deploy-helpers/tests/package-dependencies.test.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/config/config.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/config/validation.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/index.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/package-resolution.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/parse.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/types.ts: [@cloudflare/wrangler]
  • packages/workers-utils/src/worker.ts: [@cloudflare/wrangler]
  • packages/workers-utils/tests/config/validation/normalize-and-validate-config.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/versions/versions.upload.test.ts: [@cloudflare/wrangler]

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

✅ All changesets look good

devin-ai-integration[bot]

This comment was marked as resolved.

@dario-piotrowicz dario-piotrowicz changed the title Dario/devx 2621/upload packages instrumentation data [wrangler] Add dependency metadata to worker uploads Jul 7, 2026
ask-bonk[bot]

This comment was marked as resolved.

@pkg-pr-new

pkg-pr-new Bot commented Jul 7, 2026

Copy link
Copy Markdown
@cloudflare/autoconfig

npm i https://pkg.pr.new/@cloudflare/autoconfig@14591

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14591

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14591

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14591

miniflare

npm i https://pkg.pr.new/miniflare@14591

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14591

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14591

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14591

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14591

@cloudflare/workers-auth

npm i https://pkg.pr.new/@cloudflare/workers-auth@14591

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14591

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14591

wrangler

npm i https://pkg.pr.new/wrangler@14591

commit: 7ea3c18

@ask-bonk

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

@dario-piotrowicz dario-piotrowicz force-pushed the dario/DEVX-2621/upload-packages-instrumentation-data branch 2 times, most recently from 21e45a2 to 8d63eaa Compare July 7, 2026 19:06
devin-ai-integration[bot]

This comment was marked as resolved.

@dario-piotrowicz dario-piotrowicz force-pushed the dario/DEVX-2621/upload-packages-instrumentation-data branch from 8d63eaa to 9a414f5 Compare July 7, 2026 19:12
@dario-piotrowicz dario-piotrowicz force-pushed the dario/DEVX-2621/upload-packages-instrumentation-data branch from 9a414f5 to c1c1703 Compare July 7, 2026 20:45
Comment thread packages/deploy-helpers/src/deploy/helpers/package-dependencies.ts Outdated
Comment thread packages/deploy-helpers/src/deploy/helpers/package-dependencies.ts Outdated

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this has basically been copied verbatim from autoconfig?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes this is the code from autoconfig, but it's not been copied but actually completely moved and autoconfig uses this code from workers-uitls now

Comment thread packages/deploy-helpers/src/deploy/helpers/package-dependencies.ts Outdated
Comment on lines +90 to +93
if (isPackagePrivate(dependencyName, projectPath)) {
continue;
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm slightly concerned about the potential performance impact here. This will be multiple filesystem calls for every installed package on a deploy.

What is this mitigating?

@Cherry Cherry Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many of the concerns raised in the original PR: #12708.

I imagine if this is now directly tied to an account, and treated as private account data similar to my worker contents, rather than general telemetry analytics, this would be less of a concern.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think filtering out packages marked with private: true is actually going to limit uploading the names of private packages. I imagine most internal packages will be published to private registries, but not necessarily marked as private: true? Because of that, I don't think this check adds enough value for the cost.

(Also, these package names will probably be included as comments by esbuild in the Worker bundle that's uploaded anyway)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lots of orgs do use npm private packages on the public registry, so this does add value in that case. But yes - if this is data that's inherently tied to a user account and under the same protections like my worker code, vs the previous implementation as "anonymous" telemetry, then this seems okay.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@penalosa yes this logic is best effort we did attempt a more airtight solution in 12708 but it has its own issues

I feel like this is probably better than nothing though and given that project are not going to have dependencies in the order of the thousands I think the performance impact here should be quite limited

Do you strongly think we should remove this logic?

* @returns An array of package dependency entries, or `undefined` if package.json
* cannot be read or no valid dependencies are found
*/
export function collectPackageDependencies(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be async, and we should make all the filesystem operations async. It doesn't matter loads in Wrangler though, I suppose

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I suspect that it won't make too much of a difference in wrangler since that even if this was async it'd still block wrangler from progressing anyways (and the code is simpler as sync)

but I'll see if it can be converted without too many issues 👍

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I converted the function to async (16dd01e)

however it doesn't change too much since this function reuses a bunch of autoconfig code that is sync right now, to convert the whole thing sync would require a bunch of refactoring 😓 , I think this is something we might want to do as a followup, what do you think? 🙂

devin-ai-integration[bot]

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

devin-ai-integration[bot]

This comment was marked as resolved.

@dario-piotrowicz dario-piotrowicz requested a review from penalosa July 9, 2026 09:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Untriaged

Development

Successfully merging this pull request may close these issues.

4 participants