{
  "$schema": "https://changespec.org/schema/v1/vendor.json",
  "specversion": "1.0",
  "generated_at": "2026-05-12T10:23:48Z",
  "vendor": {
    "slug": "cloudflare",
    "name": "Cloudflare",
    "url": "https://www.cloudflare.com",
    "docs_url": "https://developers.cloudflare.com",
    "changelog_url": "https://developers.cloudflare.com/changelog/",
    "rss_url": "https://changespec.com/v/cloudflare.rss",
    "description": "Cloud connectivity and security platform. CDN, Workers serverless runtime, R2 storage, Zero Trust access.",
    "canonical_url": "https://changespec.com/v/cloudflare",
    "json_url": "https://changespec.com/data/vendors/cloudflare.json"
  },
  "count": 5,
  "events": [
    {
      "id": "cs_01HY3KXCLOUDFLARE001",
      "category": "api_breaking",
      "severity": "high",
      "title": "Workers runtime V8 version bump - setTimeout now enforces 30s max",
      "summary": "Cloudflare Workers updated the underlying V8 runtime. As part of this update, setTimeout and setInterval now enforce a maximum delay of 30,000ms. Previously, delays longer than 30s were silently clamped but not documented. Workers relying on delays longer than 30s must be refactored to use Durable Object alarms, which support arbitrary future scheduling.",
      "published_at": "2026-04-08T10:00:00Z",
      "effective_date": "2026-04-14",
      "source_type": "crawled",
      "confidence_score": 0.89,
      "source_url": "https://developers.cloudflare.com/workers/runtime-apis/timers/",
      "migration_hint": "Replace setTimeout calls with delays over 30 seconds with Durable Object alarms. Alarms support arbitrary future scheduling and survive Worker restarts.",
      "migration_url": "https://developers.cloudflare.com/durable-objects/api/alarms/",
      "action_required": true,
      "recommended_reviewers": [
        "engineering"
      ],
      "affected_systems": [
        "Workers",
        "Durable Objects"
      ],
      "tags": [
        "workers",
        "runtime",
        "settimeout",
        "breaking"
      ],
      "specversion": "1.0",
      "vendor_id": "cloudflare"
    },
    {
      "id": "cs_01HY3KXCLOUDFLARE002",
      "category": "pricing",
      "severity": "medium",
      "title": "R2 storage egress pricing introduced for high-volume tiers",
      "summary": "Cloudflare R2 introduced egress pricing for accounts transferring more than 10TB per month. Data transferred below the 10TB threshold remains free. Above the threshold, egress is billed at $0.015 per GB. This change affects the billing model of R2 for large-scale storage users. Egress to Cloudflare's own network (Workers, Pages) is always free regardless of volume.",
      "published_at": "2026-03-28T16:00:00Z",
      "effective_date": "2026-05-01",
      "source_type": "crawled",
      "confidence_score": 0.95,
      "source_url": "https://developers.cloudflare.com/r2/pricing/",
      "action_required": false,
      "recommended_reviewers": [
        "procurement",
        "engineering"
      ],
      "affected_systems": [
        "R2 Object Storage"
      ],
      "tags": [
        "r2",
        "pricing",
        "egress",
        "storage"
      ],
      "specversion": "1.0",
      "vendor_id": "cloudflare"
    },
    {
      "id": "cs_01HY3KXCLOUDFLARE003",
      "category": "api_deprecation",
      "severity": "medium",
      "title": "Workers Sites deprecated in favor of Cloudflare Pages",
      "summary": "Workers Sites, the original static site deployment mechanism for Workers, is deprecated. New projects should use Cloudflare Pages, which offers equivalent functionality with improved DX and automatic preview deployments. Workers Sites will continue to work for existing deployments until 2027-06-01. The wrangler site CLI commands are deprecated but functional.",
      "published_at": "2026-03-12T09:00:00Z",
      "effective_date": "2026-03-12",
      "sunset_date": "2027-06-01",
      "source_type": "crawled",
      "confidence_score": 0.92,
      "source_url": "https://developers.cloudflare.com/pages/migrations/migrating-from-workers-sites/",
      "migration_hint": "Migrate Workers Sites projects to Cloudflare Pages. The migration guide covers wrangler.toml conversion and build configuration differences.",
      "action_required": false,
      "recommended_reviewers": [
        "engineering"
      ],
      "affected_systems": [
        "Workers Sites",
        "Wrangler CLI"
      ],
      "tags": [
        "workers-sites",
        "pages",
        "deprecation"
      ],
      "specversion": "1.0",
      "vendor_id": "cloudflare"
    },
    {
      "id": "cs_01HY3KXCLOUDFLARE004",
      "category": "security",
      "severity": "critical",
      "title": "Zero Trust WARP client update required - CVE-2026-2141",
      "summary": "A privilege escalation vulnerability (CVE-2026-2141) was identified in the Cloudflare WARP client for Windows versions below 2024.12.0. An attacker with local code execution can escalate to SYSTEM privileges. The vulnerability is in the WARP service IPC handler. Update all Windows WARP installations to 2024.12.0 or later immediately. macOS and Linux clients are not affected.",
      "published_at": "2026-04-03T14:00:00Z",
      "effective_date": "2026-04-03",
      "source_type": "crawled",
      "confidence_score": 0.97,
      "cve_id": "CVE-2026-2141",
      "cvss_score": 9.3,
      "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "fixed_in_version": "2024.12.0",
      "source_url": "https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/",
      "migration_hint": "Deploy WARP 2024.12.0 to all Windows endpoints via MDM. MDM deployment guide linked in source URL. Verify version via warp-cli --version.",
      "action_required": true,
      "recommended_reviewers": [
        "security",
        "engineering"
      ],
      "affected_systems": [
        "Zero Trust",
        "WARP Client"
      ],
      "tags": [
        "zero-trust",
        "warp",
        "cve",
        "windows",
        "critical"
      ],
      "specversion": "1.0",
      "vendor_id": "cloudflare"
    },
    {
      "id": "cs_01HY3KXCLOUDFLARE005",
      "category": "data_handling",
      "severity": "low",
      "title": "Workers Logs retention period changed from 7 days to 72 hours on free tier",
      "summary": "Workers Logs retention on the free tier has been reduced from 7 days to 72 hours. Paid tier retention is unchanged at 7 days. The Workers Analytics API is unaffected. Teams on free tier who rely on the logs UI for debugging have a narrower window to review errors.",
      "published_at": "2026-03-20T12:00:00Z",
      "effective_date": "2026-03-20",
      "source_type": "crawled",
      "confidence_score": 0.83,
      "source_url": "https://developers.cloudflare.com/workers/observability/logs/workers-logs/",
      "action_required": false,
      "recommended_reviewers": [
        "engineering"
      ],
      "affected_systems": [
        "Workers Logs",
        "Observability"
      ],
      "tags": [
        "logs",
        "retention",
        "free-tier",
        "workers"
      ],
      "specversion": "1.0",
      "vendor_id": "cloudflare"
    }
  ]
}