
Security News
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.
@cloudflare/workers-types
Advanced tools
Note
We now recommend using the Wrangler CLI and the
wrangler typescommand to generate types based on your compatibility date and compatibility flags. You can learn more about this, and how to migrate from @cloudflare/workers-types here in our docs.@cloudflare/workers-types will continue to be published on the same schedule.
npm install -D @cloudflare/workers-types
-- Or
yarn add -D @cloudflare/workers-types
The following is a minimal tsconfig.json for use alongside this package:
tsconfig.json
{
"compilerOptions": {
"target": "esnext",
"module": "esnext",
"lib": ["esnext"],
"types": ["@cloudflare/workers-types"]
}
}
The Cloudflare Workers runtime manages backwards compatibility through the use of Compatibility Dates. The @cloudflare/workers-types package provides a typing environment that corresponds to the latest version of the Cloudflare Workers runtime. The @cloudflare/workers-types/experimental entrypoint is also available for APIs guarded by experimental compatibility flags. Instead of using @cloudflare/workers-types directly, we recommend following the Typescript language documentation for Cloudflare Workers to generate a runtime typing environment that corresponds exactly to your compatibility date and flags.
It's not always possible (or desirable) to modify the tsconfig.json settings for a project to include all the Cloudflare Workers types. For use cases like that, this package provides importable versions of its types, which are usable with no additional tsconfig.json setup. For example:
import type { Request as WorkerRequest, ExecutionContext } from "@cloudflare/workers-types"
export default {
fetch(request: WorkerRequest, env: unknown, ctx: ExecutionContext) {
return new Response("OK")
}
}
It's recommended that you create a type file for any bindings your Worker uses. Create a file named
worker-configuration.d.ts in your src directory.
If you're using Module Workers, it should look like this:
// worker-configuration.d.ts
interface Env {
MY_ENV_VAR: string;
MY_SECRET: string;
myKVNamespace: KVNamespace;
}
For Service Workers, it should augment the global scope:
// worker-configuration.d.ts
declare global {
const MY_ENV_VAR: string;
const MY_SECRET: string;
const myKVNamespace: KVNamespace;
}
export {}
Wrangler can also generate this for you automatically from your wrangler.toml configuration file, using the wrangler types command.
@types/aws-lambda provides TypeScript type definitions for AWS Lambda, another serverless computing platform. While it offers type safety for AWS Lambda functions, it does not cover Cloudflare-specific features.
@types/express provides TypeScript type definitions for Express.js, a web application framework for Node.js. While it helps in building server-side applications, it does not offer the serverless and edge computing capabilities of Cloudflare Workers.
FAQs
TypeScript typings for Cloudflare Workers
The npm package @cloudflare/workers-types receives a total of 4,781,697 weekly downloads. As such, @cloudflare/workers-types popularity was classified as popular.
We found that @cloudflare/workers-types demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.