chore(deps): bump @cloudflare/sandbox from 0.7.21 to 0.9.0

[dependabot]

Bumps @cloudflare/sandbox from 0.7.21 to 0.9.0.

Release notes

Sourced from @​cloudflare/sandbox's releases.

@​cloudflare/sandbox@​0.9.0

Minor Changes

• #633 4e628ae Thanks @​whoiskatrin! - Handle shell exits with SessionTerminatedError, and let the same session id recover on the next call.

  import { SessionTerminatedError } from '@cloudflare/sandbox';
  const session = await sandbox.createSession({ id: 'build' });
  try {
  await session.exec('exit 42');
  } catch (error) {
  if (error instanceof SessionTerminatedError) {
  console.log(error.exitCode); // 42
  await session.exec('echo fresh shell');
  }
  }

  If a session's shell exits, the failing call now returns SESSION_TERMINATED (HTTP 410) with the observed exit code instead of a generic internal error. Retrying with the same session id, or calling createSession({ id }), starts a fresh session without destroying the whole sandbox. Session-local state such as the working directory, environment variables, shell functions, and background jobs is lost when the shell exits.

@​cloudflare/sandbox@​0.8.14

Patch Changes

• #613 174313f Thanks @​ghostwriternr! - Avoid duplicate session-create calls when parallel operations hit a fresh sandbox. Parallel callers now share one setup call instead of each issuing their own. Sequential operations are unaffected.

  Session setup also now retries cleanly on the next operation if it is interrupted partway through — including by a container stop during first use — instead of leaving the sandbox in a state that looks initialized but references a session the container no longer has.

• #624 bbdfd95 Thanks @​ghostwriternr! - Fix sandboxes staying alive past their configured sleepAfter value.

  Workers that passed configuration options to getSandbox() on every request (sleepAfter, keepAlive, or containerTimeouts) could unintentionally extend sandbox lifetimes. The SDK's internal reapply path treated identical reapplied values as activity, resetting the sleep timer each time. Under sustained traffic, sandboxes would never sleep at all.

  After updating, reapplying the same configuration value is a true no-op. Your getSandbox() calls continue to work exactly as before; sandboxes now respect their configured sleep timers regardless of how often configuration is reapplied.

  This release also removes the unused baseUrl option from SandboxOptions, along with the setBaseUrl RPC method on the Sandbox Durable Object. The option had no effect on runtime behavior; preview URLs are driven by the hostname passed to preview-URL APIs. If you were setting baseUrl on getSandbox(), you can safely remove it. Directly invoking the undocumented setBaseUrl RPC method will now error.

• #629 34e3a96 Thanks @​aron-cf! - Improve reliability of desktop.stop() as well as general isolation of the desktop processes by running them in a subprocess. This should ensure that processes are cleaned up when calling desktop.stop() and crashes should not impact the sandbox container service.

... (truncated)

Commits

• e6ef054 Version Packages (#638)
• dee2533 Redeploy release E2E on workflow changes (#637)
• 54a0547 Use ci image tag over main (#635)
• 4e628ae Surface SESSION_TERMINATED when a session's shell exits (#633)
• 2536a91 Remove legacy support for transport in generate_config.sh
• 60f767c Use TEST_SANDBOX_ID in generated ids
• a9a0765 Ensure generate-config.sh is backwards compatible for now
• e3d938b Update GitHub actions to simplify transport
• 44bfe5e Bump astro from 5.18.1 to 6.1.6 (#609)
• 82a8ba7 ci: add Semgrep OSS scanning workflow (#631)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #24.