Skip to content

Comments

[Snyk] Upgrade vue from 3.3.4 to 3.5.27#14

Open
snyk-io[bot] wants to merge 1 commit intomainfrom
snyk-upgrade-58682ab54422d38b908556c904b6591a
Open

[Snyk] Upgrade vue from 3.3.4 to 3.5.27#14
snyk-io[bot] wants to merge 1 commit intomainfrom
snyk-upgrade-58682ab54422d38b908556c904b6591a

Conversation

@snyk-io
Copy link

@snyk-io snyk-io bot commented Feb 18, 2026

snyk-top-banner

Snyk has created this PR to upgrade vue from 3.3.4 to 3.5.27.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 96 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Prototype Pollution
SNYK-JS-AXIOS-15252993
111 Proof of Concept
high severity Cross-site Request Forgery (CSRF)
SNYK-JS-AXIOS-6032459
111 Proof of Concept
high severity Prototype Pollution
SNYK-JS-AXIOS-6144788
111 No Known Exploit
high severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-7361793
111 Proof of Concept
high severity Improper Handling of Extra Parameters
SNYK-JS-FOLLOWREDIRECTS-6141137
111 Proof of Concept
medium severity Allocation of Resources Without Limits or Throttling
SNYK-JS-AXIOS-12613773
111 Proof of Concept
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-AXIOS-6124857
111 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-9292519
111 Proof of Concept
medium severity Server-side Request Forgery (SSRF)
SNYK-JS-AXIOS-9403194
111 No Known Exploit
medium severity Information Exposure
SNYK-JS-FOLLOWREDIRECTS-6444610
111 Proof of Concept
critical severity Predictable Value Range from Previous Values
SNYK-JS-FORMDATA-10841150
111 Proof of Concept
medium severity Improper Input Validation
SNYK-JS-NANOID-8492085
111 No Known Exploit
medium severity Improper Input Validation
SNYK-JS-POSTCSS-5926692
111 No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Release notes
Package name: vue
  • 3.5.27 - 2026-01-19

    For stable releases, please refer to CHANGELOG.md for details.
    For pre-releases, please refer to CHANGELOG.md of the minor branch.

  • 3.5.26 - 2025-12-18

    For stable releases, please refer to CHANGELOG.md for details.
    For pre-releases, please refer to CHANGELOG.md of the minor branch.

  • 3.5.25 - 2025-11-24

    For stable releases, please refer to CHANGELOG.md for details.
    For pre-releases, please refer to CHANGELOG.md of the minor branch.

  • 3.5.24 - 2025-11-07
  • 3.5.23 - 2025-11-06
  • 3.5.22 - 2025-09-25
  • 3.5.21 - 2025-09-02
  • 3.5.20 - 2025-08-25
  • 3.5.19 - 2025-08-21
  • 3.5.18 - 2025-07-23
  • 3.5.17 - 2025-06-18
  • 3.5.16 - 2025-05-29
  • 3.5.15 - 2025-05-26
  • 3.5.14 - 2025-05-15
  • 3.5.13 - 2024-11-15
  • 3.5.12 - 2024-10-11
  • 3.5.11 - 2024-10-03
  • 3.5.10 - 2024-09-27
  • 3.5.9 - 2024-09-26
  • 3.5.8 - 2024-09-22
  • 3.5.7 - 2024-09-20
  • 3.5.6 - 2024-09-16
  • 3.5.5 - 2024-09-13
  • 3.5.4 - 2024-09-10
  • 3.5.3 - 2024-09-06
  • 3.5.2 - 2024-09-05
  • 3.5.1 - 2024-09-04
  • 3.5.0 - 2024-09-03
  • 3.5.0-rc.1 - 2024-08-29
  • 3.5.0-beta.3 - 2024-08-20
  • 3.5.0-beta.2 - 2024-08-15
  • 3.5.0-beta.1 - 2024-08-08
  • 3.5.0-alpha.5 - 2024-07-31
  • 3.5.0-alpha.4 - 2024-07-24
  • 3.5.0-alpha.3 - 2024-07-19
  • 3.5.0-alpha.2 - 2024-05-04
  • 3.5.0-alpha.1 - 2024-04-29
  • 3.4.38 - 2024-08-15
  • 3.4.37 - 2024-08-08
  • 3.4.36 - 2024-08-06
  • 3.4.35 - 2024-07-31
  • 3.4.34 - 2024-07-24
  • 3.4.33 - 2024-07-19
  • 3.4.32 - 2024-07-17
  • 3.4.31 - 2024-06-28
  • 3.4.30 - 2024-06-22
  • 3.4.29 - 2024-06-14
  • 3.4.28 - 2024-06-14
  • 3.4.27 - 2024-05-07
  • 3.4.26 - 2024-04-29
  • 3.4.25 - 2024-04-24
  • 3.4.24 - 2024-04-22
  • 3.4.23 - 2024-04-16
  • 3.4.22 - 2024-04-15
  • 3.4.21 - 2024-02-28
  • 3.4.20 - 2024-02-26
  • 3.4.19 - 2024-02-13
  • 3.4.18 - 2024-02-09
  • 3.4.17 - 2024-02-09
  • 3.4.16 - 2024-02-08
  • 3.4.15 - 2024-01-18
  • 3.4.14 - 2024-01-15
  • 3.4.13 - 2024-01-13
  • 3.4.12 - 2024-01-13
  • 3.4.11 - 2024-01-12
  • 3.4.10 - 2024-01-11
  • 3.4.9 - 2024-01-11
  • 3.4.8 - 2024-01-10
  • 3.4.7 - 2024-01-09
  • 3.4.6 - 2024-01-08
  • 3.4.5 - 2024-01-04
  • 3.4.4 - 2024-01-03
  • 3.4.3 - 2023-12-30
  • 3.4.2 - 2023-12-30
  • 3.4.1 - 2023-12-30
  • 3.4.0 - 2023-12-29
  • 3.4.0-rc.3 - 2023-12-27
  • 3.4.0-rc.2 - 2023-12-26
  • 3.4.0-rc.1 - 2023-12-25
  • 3.4.0-beta.4 - 2023-12-19
  • 3.4.0-beta.3 - 2023-12-16
  • 3.4.0-beta.2 - 2023-12-14
  • 3.4.0-beta.1 - 2023-12-13
  • 3.4.0-alpha.4 - 2023-12-04
  • 3.4.0-alpha.3 - 2023-11-28
  • 3.4.0-alpha.2 - 2023-11-27
  • 3.4.0-alpha.1 - 2023-10-28
  • 3.3.13 - 2023-12-19
  • 3.3.12 - 2023-12-16
  • 3.3.11 - 2023-12-08
  • 3.3.10 - 2023-12-04
  • 3.3.9 - 2023-11-25
  • 3.3.8 - 2023-11-06
  • 3.3.7 - 2023-10-24
  • 3.3.6 - 2023-10-20
  • 3.3.5 - 2023-10-20
  • 3.3.4 - 2023-05-18
from vue GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-io snyk-io bot requested a review from a team as a code owner February 18, 2026 17:03
@snyk-io
Copy link
Author

snyk-io bot commented Feb 18, 2026

Merge Risk: High

This upgrade from Vue 3.3.4 to 3.5.27 crosses a minor version boundary (v3.4) that includes several breaking changes. While v3.5 is non-breaking, the changes in v3.4 require developer action.

Breaking Changes in v3.4

  • Global JSX Namespace Removed: To prevent conflicts with React, Vue no longer registers the global JSX namespace. This will break builds using TSX.
  • Removed Deprecated Features: Features deprecated in v3.3 are now removed and will cause errors:
    • The v-is directive is removed. Use the is attribute with the vue: prefix instead.
    • @vnodeXXX event listeners are a compiler error. Use @vue:XXX listeners instead.
    • app.config.unwrapInjectedRef has been removed.
  • Reactivity Transform Removed: This experimental feature (using $ref(), $$()) has been removed. Projects using it must migrate away or use the Vue Macros plugin.

Highlights in v3.5

  • No Breaking Changes: The v3.5 release is focused on performance and new features, with no documented breaking changes.
  • Performance: Includes a major reactivity system refactor for significantly lower memory usage (~56%) and up to 10x faster operations on large reactive arrays.
  • New Features: defineModel is now stable, and Reactive Props Destructuring is enabled by default, simplifying component definitions.

Recommendation: Before merging, developers must verify if the project uses TS

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

0 participants