code · pull · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/.changeset/slick-hands-change.md b/.changeset/slick-hands-change.md
@@ -0,0 +1,5 @@
+---
+"create-cloudflare": patch
+---
+
+Remove duplicate references to `./worker-configuration.d.ts` in the React template's `tsconfig.worker.json` file.
diff --git a/.changeset/warm-numbers-smell.md b/.changeset/warm-numbers-smell.md
@@ -0,0 +1,22 @@
+---
+"miniflare": patch
+"@cloudflare/vitest-pool-workers": patch
+---
+
+Bundle the `zod` dependency to reduce supply chain attack surface
+
+In order to prevent possible npm vulnerability attacks, the team's policy is to bundle
+dependencies in our packages where possible. This helps ensure that only trusted code
+runs on the user's system, even if compromised packages are later published to npm.
+
+This change bundles `zod` (a pure JavaScript validation library with no native dependencies)
+into miniflare and @cloudflare/vitest-pool-workers.
+
+Other dependencies remain external for technical reasons:
+
+- `sharp`: Native binary with platform-specific builds
+- `undici`: Dynamically required at runtime in worker threads
+- `ws`: Has optional native bindings for performance
+- `workerd`: Native binary (Cloudflare's JavaScript runtime)
+- `@cspotcode/source-map-support`: Uses require.cache manipulation at runtime
+- `youch`: Dynamically required for lazy loading
diff --git a/.gitignore b/.gitignore
@@ -231,4 +231,5 @@ dist/**
 !.env.example
 .node-cache/
 
-AGENTS.local.md
+AGENTS.local.md
+.opencode/plans/
diff --git a/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json b/packages/create-cloudflare/templates/react/workers/ts/tsconfig.worker.json
@@ -4,5 +4,5 @@
     "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.worker.tsbuildinfo",
     "types": ["./worker-configuration.d.ts", "vite/client"],
   },
-  "include": ["./worker-configuration.d.ts", "./worker"]
+  "include": ["worker"]
 }
diff --git a/packages/miniflare/package.json b/packages/miniflare/package.json
@@ -48,8 +48,7 @@
 		"undici": "catalog:default",
 		"workerd": "1.20260123.0",
 		"ws": "catalog:default",
-		"youch": "4.1.0-beta.10",
-		"zod": "^3.25.76"
+		"youch": "4.1.0-beta.10"
 	},
 	"devDependencies": {
 		"@cloudflare/cli": "workspace:*",
@@ -100,7 +99,8 @@
 		"typescript": "catalog:default",
 		"vitest": "catalog:default",
 		"which": "^2.0.2",
-		"xdg-app-paths": "^8.3.0"
+		"xdg-app-paths": "^8.3.0",
+		"zod": "^3.25.76"
 	},
 	"engines": {
 		"node": ">=18.0.0"

diff --git a/packages/miniflare/scripts/deps.ts b/packages/miniflare/scripts/deps.ts
@@ -12,22 +12,18 @@ export const EXTERNAL_DEPENDENCIES = [
 	// Native binary with platform-specific builds - cannot be bundled
 	"sharp",
 
-	// Large HTTP client with optional native dependencies; commonly shared
-	// with other packages to avoid version conflicts and duplication
+	// Must be external - dynamically required at runtime in worker threads via
+	// require("undici") for synchronous fetch operations (see fetch-sync.ts)
 	"undici",
 
 	// Native binary - Cloudflare's JavaScript runtime cannot be bundled
 	"workerd",
 
 	// Has optional native bindings (bufferutil, utf-8-validate) for performance;
-	// commonly shared with other packages to avoid duplication
+	// bundling would lose these optimizations and fall back to JS implementations
 	"ws",
 
 	// Must be external - dynamically required at runtime via require("youch")
 	// for lazy loading of pretty error pages
 	"youch",
-
-	// Large validation library; commonly shared as a dependency
-	// to avoid version conflicts and bundle size duplication
-	"zod",
 ];
diff --git a/packages/vitest-pool-workers/package.json b/packages/vitest-pool-workers/package.json
@@ -56,8 +56,7 @@
 		"cjs-module-lexer": "^1.2.3",
 		"esbuild": "catalog:default",
 		"miniflare": "workspace:*",
-		"wrangler": "workspace:*",
-		"zod": "^3.25.76"
+		"wrangler": "workspace:*"
 	},
 	"devDependencies": {
 		"@cloudflare/eslint-config-shared": "workspace:*",
@@ -78,7 +77,8 @@
 		"ts-dedent": "^2.2.0",
 		"typescript": "catalog:default",
 		"undici": "catalog:default",
-		"vitest": "catalog:default"
+		"vitest": "catalog:default",
+		"zod": "^3.25.76"
 	},
 	"peerDependencies": {
 		"@vitest/runner": "2.0.x - 3.2.x",

diff --git a/packages/vitest-pool-workers/scripts/bundle.mjs b/packages/vitest-pool-workers/scripts/bundle.mjs
@@ -100,7 +100,6 @@ const commonOptions = {
 		// External dependencies (see scripts/deps.ts for rationale)
 		"cjs-module-lexer",
 		"esbuild",
-		"zod",
 		// Workspace dependencies
 		"miniflare",
 		"wrangler",

diff --git a/packages/vitest-pool-workers/scripts/deps.ts b/packages/vitest-pool-workers/scripts/deps.ts
@@ -10,8 +10,4 @@ export const EXTERNAL_DEPENDENCIES = [
 
 	// Native binary - cannot be bundled, used to bundle test files at runtime
 	"esbuild",
-
-	// Large validation library; commonly shared as a dependency
-	// to avoid version conflicts and bundle size duplication
-	"zod",
 ];
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml