chore(deps): update dependency nuxt to v3.19.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	3.9.1 -> 3.19.0

GitHub Vulnerability Alerts

CVE-2024-34344

Summary

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Details

While running the test, a special component named NuxtTestComponentWrapper is available.
https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43

This component loads the specified path as a component and renders it.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L9-L27

There is a validation for the path parameter to check whether the path traversal is performed, but this check is not sufficient.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L15-L19

Since import(...) uses query.path instead of the normalized path, a non-normalized URL can reach the import(...) function.
For example, passing something like ./components/test normalizes path to /root/directory/components/test, but import(...) still receives ./components/test.

By using this behavior, it's possible to load arbitrary JavaScript by using the path like the following:

data:text/javascript;base64,Y29uc29sZS5sb2coMSk

Since resolve(...) resolves the filesystem path, not the URI, the above URI is treated as a relative path, but import(...) sees it as an absolute URI, and loads it as a JavaScript.

PoC

1. Create a nuxt project and run it in the test mode:

npx nuxi@latest init test
cd test
TEST=true npm run dev

2. Open the following URL:

http://localhost:3000/__nuxt_component_test__/?path=data%3Atext%2Fjavascript%3Bbase64%2CKGF3YWl0IGltcG9ydCgnZnMnKSkud3JpdGVGaWxlU3luYygnL3RtcC90ZXN0JywgKGF3YWl0IGltcG9ydCgnY2hpbGRfcHJvY2VzcycpKS5zcGF3blN5bmMoIndob2FtaSIpLnN0ZG91dCwgJ3V0Zi04Jyk

3. Confirm that the output of whoami is written to /tmp/test

Demonstration video: https://www.youtube.com/watch?v=FI6mN8WbcE4

Impact

Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page.
Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.

CVE-2024-34343

Summary

The navigateTo function attempts to blockthe javascript: protocol, but does not correctly use API's provided by unjs/ufo. This library also contains parsing discrepancies.

Details

The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol.

After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values.

Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing.

The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks.

Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.

PoC

POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue

Attempt payload X, then attempt payload Y.

Impact

XSS, access to cookies, make requests on user's behalf.

Recommendations

As always with these bugs, the URL constructor provided by the browser is always the safest method of parsing a URL.

Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.

Note

I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.

This ONLY has impact after SSR has occurred, the javascript: protocol within a location header does not trigger XSS.

CVE-2025-27415

Summary

By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.

It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.

Impact

An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.

Conclusion :

This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see this article, in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)

CVE-2025-59414

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

1. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
2. This data gets serialized with devalue.stringify and stored in the prerendered page
3. When a client navigates to the prerendered page, devalue.parse deserializes the payload
4. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

1. Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
2. Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
3. Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

• Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
• No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
• Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

• Update to Nuxt 3.19.0+ or 4.1.0+ immediately
• Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

1. Disable prerendering for pages that fetch user-controlled data
2. Implement strict input validation on API endpoints used during prerendering
3. Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

• Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
• Maximum length of 100 characters
• Prevents path traversal and special characters

---

Release Notes

nuxt/nuxt (nuxt)

v3.19.0

Compare Source

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#​32858)
• kit: Add onInstall and onUpgrade module hooks (#​32397)
• nuxt,vite: Add experimental support for rolldown-vite (#​31812)
• nuxt: Extract defineRouteRules to page rules property (#​32897)
• nuxt,vite: Use importmap to increase chunk stability (#​33075)
• nuxt: Lazy hydration macros without auto-imports (#​33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#​33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#​33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#​32877)
• nuxt: Stop watching app manifest once a change has been detected (#​32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#​32902)
• nuxt: Type response in useFetch hooks (#​32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#​32914)
• nuxt: Use correct unit thresholds for relative time (#​32893)
• nuxt: Handle uncached current build manifests (#​32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#​32857)
• schema,vite: Bump requestTimeout + allow configuration (#​32874)
• nuxt: Deep merge extracted route meta (#​32887)
• nuxt: Do not expose app components until fully resolved (#​32993)
• kit: Only exclude node_modules/ if no custom srcDir (#​32987)
• nuxt: Compare final matched routes when syncing route object (#​32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#​33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#​33016)
• kit: Ensure local layers are prioritised alphabetically (#​33030)
• kit,nuxt: Expose global types to vue compiler (#​33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#​33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#​33025)
• nuxt: Add validation for nuxt island reviver key (#​33069)
• kit: Prioritise local layers over extended layers (ae8b0d2b8)
• kit: Address merge conflict (89ccbbebb)
• kit: Do not resolve public dir aliases (5d87d3a80)

💅 Refactors

• nuxt: Simplify page segment parsing (#​32901)
• nuxt: Remove unnecessary async/await in afterEach (#​32999)
• vite: Simplify inline chunk iteration (9ea90fc33)
• kit,nuxt,ui-templates,vite: Address deprecations + improve regexp perf (#​33093)

📖 Documentation

• Add a section about augmenting types with TS project references (#​32843)
• Switch example to use vitest projects (#​32863)
• Update testing setupTimeout and add teardownTimeout (#​32868)
• Add middleware to layers guide (fa516d440)
• Add documentation for --nightly command (#​32907)
• Update package information in roadmap section (#​32881)
• Add more info about nuxt spa loader element attributes (#​32871)
• Correct filename in example (#​33000)
• Add more information about using useRoute and accessing route in middleware (#​33004)
• Avoid variable shadowing in locale example (#​33031)

🏡 Chore

• Remove stray test file (42fd247a4)
• Ignore webpagetest.org when scanning links (cb18f4960)
• Add type: 'module' in playground (#​33099)

✅ Tests

• Add failing test for link component duplication (#​32792)
• Simplify module hook tests (#​32950)
• Refactor stubbing of import.meta.dev (#​33023)
• Use findWorkspaceDir rather than relative paths to repo root (c4c3ada96)
• Improve router test for global transitions (7e6a6fc35)
• Use expect.poll (f4354203a)
• Use expect.poll instead of expectWithPolling (15ca5be95)
• Use vi.waitUntil instead of custom retry logic (4c8c13090)
• Update test for app creation (9a3b44515)
• Update bundle size snapshot (76988ce97)

🤖 CI

• Remove double set of tests for docs prs (14c006ac4)
• Add workflow for discord team discussion threads (f14854fc3)
• Fix some syntax issues with discord + github integrations (c059f7cd1)
• Use token for adding issue to project (51661bac3)
• Use discord bot to create thread automatically (37f9eb27b)
• Only use discord bot (38ce2dcbb)
• Update format of discord message (0047b3059)
• Try bolding entire line (6e9f40eb9)
• Oops (8b044cad2)
• Add delay after adding each reaction (37b7e2108)
• Use last lts node version for testing (98719c065)
• Try npm trusted publisher (ea33502c3)
• Use npm trusted publisher for main releases (31a55437f)
• Change wording (#​32979)
• Add github ai moderator (#​33077)

❤️ Contributors

• Daniel Roe (@​danielroe)
• abeer0 (@​iiio2)
• Julien Huang (@​huang-julien)
• kyumoon (@​kyumoon)
• Alexander Lichter (@​TheAlexLichter)
• Bobbie Goede (@​BobbieGoede)
• mustafa60x (@​mustafa60x)
• Matej Černý (@​cernymatej)
• Alex Liu (@​Mini-ghost)
• Amitav Chris Mostafa (@​semibroiled)
• Romain Hamel (@​romhml)
• Jacky Lam (@​jackylamhk)
• Mukund Shah (@​mukundshah)
• Luke Nelson (@​luc122c)
• letianpailove (@​letianpailove)
• Erwan Jugand (@​erwanjugand)
• Alexander (@​TheColorman)
• Ryota Watanabe (@​wattanx)
• Yizack Rangel (@​Yizack)

v3.18.1

Compare Source

3.18.1 is a regularly scheduled patch release.

👉 Changelog

compare changes

🔥 Performance

• kit: Get absolute path from tinyglobby in resolveFiles (#​32846)

🩹 Fixes

• nuxt: Do not throw undefined error variable (#​32807)
• vite: Include tsconfig references during typeCheck (#​32835)
• nuxt: Add sourcemap path transformation for client builds (#​32313)
• nuxt: Add warning for lazy-hydration missing prefix (#​32832)
• nuxt: Trigger call once navigation even when no suspense (#​32827)
• webpack: Handle null result from webpack call (65aa17158)
• kit,nuxt: Use reverseResolveAlias for better errors (#​32853)

📖 Documentation

• Update nightly version references (#​32776)
• Improve explanation of global middleware (#​32855)

🏡 Chore

• Update reproduction help text links (#​32803)
• Update pnpm ignored build scripts (#​32849)
• Improve internal types (f271c66c4)

✅ Tests

• Move tests for defineNuxtComponent out of e2e test (#​32848)

🤖 CI

• Move nightly releases into different concurrency group (26f9baa6a)

❤️ Contributors

• RDistinct (@​RDistinct)
• Daniel Roe (@​danielroe)
• Oskar Lebuda (@​OskarLebuda)
• Peter Budai (@​peterbud)
• Matej Černý (@​cernymatej)
• Damian Głowala (@​DamianGlowala)
• Bobbie Goede (@​BobbieGoede)
• Robin (@​OrbisK)
• Bobby (@​xanzhu)

v3.18.0

Compare Source

3.18.0 is the next minor release.

👀 Highlights

A huge thank you to everyone who's been a part of this release, which is mostly about backporting features + bugfixes from Nuxt v4.

Over the next six months, we'll continue backporting compatible v4 features and bug fixes, so please keep the feedback coming! ❤️

🧪 Lazy Hydration Macros

Building on the delayed hydration support from v3.16, we now support lazy hydration macros (#​31192)! These provide a more ergonomic way to control component hydration:

<script setup lang="ts">
const LazyHydrationMyComponent = defineLazyHydrationComponent(
  'visible',
  () => import('./components/MyComponent.vue')
)
</script>
<template>
  <div>
    <!-- 
      Hydration will be triggered when
      the element(s) is 100px away from entering the viewport.
    -->
    <LazyHydrationMyComponent :hydrate-on-visible="{ rootMargin: '100px' }" />
  </div>
</template>

These macros make it possible to use Nuxt's lazy hydration utilities alongside explicit component imports.

♿️ Accessibility Improvements

We've enhanced accessibility by including <NuxtRouteAnnouncer> in the built-in app.vue (#​32621). This means page changes will be announced to screen readers, making navigation more accessible for users with visual impairments. (This only applies if you do not have an app.vue in your project. If you do, please keep <NuxtRouteAnnouncer> in your app.vue!)

🛠️ Enhanced Development Experience

Chrome DevTools Workspace Integration

We've added Chrome DevTools workspace integration (#​32084), allowing you to edit your Nuxt source files directly from Chrome DevTools. This creates a better debugging experience where changes made in DevTools are reflected in your actual source files.

Better Component Type Safety

Component type safety has been improved with:

• Typed slots for <ClientOnly> and <DevOnly> (#​32707) - better IntelliSense and error checking
• Exported <NuxtTime> prop types (#​32547) - easier to extend and customize

New Auto-Import: onWatcherCleanup

The onWatcherCleanup function from vue is now available as an auto-import (#​32396), making it easier to clean up watchers and prevent memory leaks:

const { data } = useAsyncData('users', fetchUsers)

watch(data, (newData) => {
  const interval = setInterval(() => {
    // Some periodic task
  }, 1000)
  
  // Clean up when the watcher is stopped
  onWatcherCleanup(() => {
    clearInterval(interval)
  })
})

📊 Observability Enhancements

Page routes are now exposed to Nitro for observability (#​32617), enabling better monitoring and analytics integration with supported platforms. This allows observability tools to track page-level metrics more effectively.

🔧 Module Development Improvements

Module authors get several quality-of-life improvements:

Simplified Server Imports

The addServerImports kit utility now supports single imports (#​32289), making it easier to add individual server utilities:

// Before: had to wrap in array
addServerImports([{ from: 'my-package', name: 'myUtility' }])

// Now: can pass directly
addServerImports({ from: 'my-package', name: 'myUtility' })

TypeScript Configuration

Modules can now add to typescript.hoist (#​32601), giving them more control over TypeScript configuration and type generation.

⚡️ Performance Improvements

We've made several performance optimizations:

• Improved Vite-node communication via internal socket (#​32417) for faster development builds
• Migration to oxc-walker (#​32250) and oxc for onPrehydrate transforms (#​32045) for faster code transformations

🐛 Bug Fixes

This release also includes several important fixes:

• Improved data fetching: When computed keys change, old data is now properly retained (#​32616)
• Better scroll behavior: scrollBehaviorType is now only used for hash scrolling (#​32622)
• Fixed directory aliases: Added trailing slashes to some directory aliases for better consistency (#​32755)

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --dedupe

This refreshes your lockfile and pulls in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• nuxt: Expose page routes to nitro for o11y (#​32617)
• nuxt: Export <NuxtTime> prop types (#​32547)
• nuxt: Add integration with chrome devtools workspaces (#​32084)
• kit: Support single import in addServerImports (#​32289)
• nuxt: Add onWatcherCleanup to imports presets (#​32396)
• nuxt: Add route announcer to default app.vue (#​32621)
• nuxt: Support lazy hydration macros (#​31192)

🔥 Performance

• vite: Communicate with vite-node via internal socket (#​32417)
• kit: Update env expansion regex to match nitro (#​30766)

🩹 Fixes

• nuxt: Allow modules to add to typescript.hoist (#​32601)
• nuxt: Retain old data when computed key changes (#​32616)
• nuxt: Only use scrollBehaviorType for hash scrolling (#​32622)
• nuxt: Add missing async (fd312af03)
• nuxt: Fix transform/minify types + bump oxc-transform (d2ba19963)
• nuxt: Provide typed slots for <ClientOnly> and <DevOnly> (#​32707)
• kit,nuxt,schema: Add trailing slash to some dir aliases (#​32755)
• nuxt: Include source base url for remote islands (#​32772)
• vite: Use vite node server to transform requests (#​32791)
• kit: Use mlly to parse module paths (#​32386)
• nuxt: Execute all plugins after error rendering error.vue (#​32744)

💅 Refactors

• nuxt: Migrate to oxc-walker (#​32250)
• nuxt,schema: Use oxc for onPrehydrate transform (#​32045)
• nuxt: Pass file language directly to parser options (#​32665)
• nuxt: Use direct import of installNuxtModule (228e3585e)

📖 Documentation

• Pass v3 template to create nuxt examples (03182202f)
• Add reference to useNuxtData in data fetching composable pages (#​32589)
• Document the --modules flag in the init command (#​32599)
• Added new Shared folder to the example of v4 folder structure (#​32630)
• Improve grammar (#​32640)
• Typos (#​32567)
• Fix abbreviation (#​32613)
• Reference noUncheckedIndexedAccess rule change in v4 guide (#​32643)
• Fix links to Nitro docs (#​32691)
• Add best practices section (#​31609)
• Correct alias for local fonts in styling guide (#​32680)
• Update nuxt.new links to v4 (#​32639)
• Set correct default value for deep option in usefetch (#​32724)
• Fix link to issue (ca03f533f)
• Add AI-assisted contribution guidelines (#​32725)
• Update Nuxt installation command to use npm create nuxt@latest (#​32726)
• Hydration best practice (#​32746)
• Add example for module .with() (#​32757)
• Replace dead Vue Router docs links (#​32779)

🏡 Chore

• Handle missing commit details (0af98763d)
• Update reproduction links for bug-report template (#​32722)
• Update unbuild and use absolute path in dev stubs (#​32759)

✅ Tests

• Also assert status (4b4b224f7)
• Ignore vue module.exports export (ac8b02d09)
• Extend timeout when waiting for hydration (49c01ba81)
• Benchmark minimal fixture instead (#​31174)
• Add minimal pages fixture (#​30457)
• Bump bundle size (bafa953c3)

🤖 CI

• Trigger website redeploy on main branch (#​32695)
• Release pkg.pr.new for main/3.x branches as well (ca4f0b1da)
• Apply 3x tag to latest v3 release (5e8dfc150)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Bobbie Goede (@​BobbieGoede)
• Damian Głowala (@​DamianGlowala)
• Dog (@​dgxo)
• Julien Huang (@​huang-julien)
• Yauheni Vasiukevich (@​EvgenyWas)
• Alex Liu (@​Mini-ghost)
• Robin (@​OrbisK)
• Mateleo (@​Mateleo)
• Stephen Jason Wang (@​stephenjason89)
• Maurits Meester (@​mmeester)
• Igor Kononenko (@​igorexa34314)
• Alex (@​hywax)
• Matej Černý (@​cernymatej)
• Alexander Lichter (@​TheAlexLichter)
• Hashim Kalam (@​hashimkalam)
• Alois Sečkár (@​AloisSeckar)
• Haythem Frikha (@​Flamenate)
• abeer0 (@​iiio2)
• Thomas (@​ThomasWT)
• Connor Pearson (@​cjpearson)
• dwood-csi (@​dwood-csi)

v3.17.7

Compare Source

3.17.7 is the last patch release before v3.18.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🩹 Fixes

• nuxt: Safe-guard extraPageMetaExtractionKeys (#​32510)
• nuxt: Expose loadBuilder error cause (8f13ce3c2)
• vite: Handle resolving string vite input (#​32527)
• nuxt: Wrap only server components with island generic (#​32540)
• vite: Ignore when client entry cannot be resolved (19a292f34)
• nuxt: Normalize segment catchall pattern before checking for parent (#​32413)
• nuxt: Update warning message to warn against null values (c1b83eab5)
• nuxt: Ensure semver.satisfies returns true for pre-release versions (#​32574)
• nuxt: Scroll to anchor if present when changing page without saved position (#​32376)
• nuxt: Handle execute being passed to watch` (#​32591)

📖 Documentation

• Update fetch types (#​32522)
• Clarify that runtime env variables must start with NUXT_ (#​32223)
• Fix key change behavior in useAsyncData and useFetch migration (#​32560)
• Change return type of async data from undefined to null in v3 docs (#​32562)
• Add section on custom hooks for Nuxt modules (#​32586)
• Provide async keyword (#​32587)
• Move augmenting hook types in hooks page (#​32595)
• Add section about module loading order (#​32597)

✅ Tests

• Reenable skipped unit tests (8fc9b9ee9)
• Update test snapshot for generateTypes (c0855439d)
• Improve page scanning test stability (84b96f3de)
• Pass timeZone in to <NuxtTime> test (#​32558)
• Add more useAsyncData + useFetch tests (#​32585)
• Avoid hard-coding async-data keys (bfca95118)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Julien Huang (@​huang-julien)
• abeer0 (@​iiio2)
• Bobbie Goede (@​BobbieGoede)
• Damian Głowala (@​DamianGlowala)
• Nestor Vera (@​hacknug)
• Ezra Ashenafi (@​Eazash)
• Mike Laumann Bellika (@​MikeBellika)
• Maxime Pauvert (@​maximepvrt)
• Chriest Yu (@​jcppman)
• Andrei Hudalla (@​paranoidPhantom)
• Sigrid Huemer (@​s1gr1d)
• xjccc (@​xjccc)

v3.17.6

Compare Source

3.17.6 is a regularly scheduled patch release.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• nuxt: Decrease if checks when prerendering (#​32455)

🩹 Fixes

• nuxt: Generate correct types for async data defaults based on nuxt.config (#​32324)
• nuxt: Reload at base URL in nuxt:chunk-reload-immediate (#​32382)
• nuxt: Use rollup to calculate island component filenames (#​32421)
• nuxt: Append set-cookie headers in error handler (#​32483)
• nuxt: Ensure asyncData runs if changing key while fetcher is running (#​32466)
• nuxt: Handle pure hash link clicks with navigateTo (#​32393)
• nuxt: Skip external <NuxtLink>'s custom on click handler (#​32499)
• nuxt: Update component loader regexp for minified code (#​32298)
• nuxt: Allow camelCase for lazy hydration attributes (#​32297)
• nuxt: Respect inheritAttrs: false in createClientOnly fn (#​32323)
• kit: Do not double-urlify file urls when resolving schema (#​32354)
• nuxt: Align scroll behavior with page transition completion (#​32239)
• nuxt: Set output.generatedCode.symbols for nitro build (#​32358)
• nuxt: Lazily access runtimeConfig (#​32428)

💅 Refactors

• vite: Migrate plugins internally to vite environments (#​32461)

📖 Documentation

• Clarify where logging tag is displayed (#​32440)
• Remove kit playground auto-import note (#​32415)
• Remove webstorm warning (#​32513)
• Migrate to h3js (#​32243)
• Update the fetch clear function description (#​32287)
• defineNuxtPlugin function documentation (#​32328)
• Mention that <NuxtLink> encodes query params (#​32361)
• Enhance documentation for Nuxt composables (#​32218)
• Adjust wording to reduce confusion in lifecycle section (#​32503)
• Improve useCookie example (367b85405)
• Capitalise title (#​32426)
• Mention bun.lock for lockfile (#​32427)

🏡 Chore

• Update stackblitz reproduction link (6ab5bac66)
• Update copilot instructions (220439055)
• Rename deprecated vitest workspace to projects (#​32388)
• Remove space in URL in comment (#​32394)
• Allow setting TAG on commandline (d387e07a3)

✅ Tests

• nuxt: Add case for key only changes with immediate: false (#​32473)
• Separate nuxt legacy runtime tests (#​32481)

🤖 CI

• Set correct base branch label (#​32325)

❤️ Contributors

• Mihailo Bursac (@​djixadin)
• Daniel Roe (@​danielroe)
• abeer0 (@​iiio2)
• 翠 (@​sapphi-red)
• Robin (@​OrbisK)
• Alex Liu (@​Mini-ghost)
• Damian Głowala (@​DamianGlowala)
• Julien Huang (@​huang-julien)
• Ibrahimm (@​Ibra-cesar)
• Peter Budai (@​peterbud)
• Ali Soueidan (@​lazercaveman)
• Vachmara (@​vachmara)
• xjccc (@​xjccc)
• Paul Melero (@​paulmelero)
• David Stack (@​davidstackio)

v3.17.5

Compare Source

3.17.5 is a regularly scheduled patch release.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• nuxt: Replace remaining instance of globby (#​31688)

🩹 Fixes

• nuxt: Export useScriptRybbitAnalytics from script stubs (d275ae1a0)
• nuxt: Remove unneeded pattern from regexp (2954c092c)
• nuxt: Ensure appConfig sources are not duplicated (#​32216)
• nuxt: Wrap slot with h() in ClientOnly (#​30664)
• kit: Ensure template filename uses safe patterns (4372b24dd)
• nuxt: Access asyncData state from nuxt app instance (#​32232)
• nuxt: Make patterns relative to srcDir in buildCache (#​32260)
• nuxt: Return non-existent route component in RouteProvider (#​32266)
• nuxt: Use single asyncData watcher (#​32247)
• vite: Use arrow functions in dynamic imports (#​32285)
• webpack: Use plugin for rollup-compatible dynamic imports (#​32281)

📖 Documentation

• Update addRouteMiddleware path in example (#​32171)
• Narrow link to just middleware (#​32203)
• Use optional chaining in error example (#​32214)
• Give example of using --env-file (29f6392cd)
• Recommend nuxt command consistently (#​32237)
• Fix typos (#​30413)
• Add props to special metadata (#​29708)
• Fix wrong alert with warning in /guide/pages (#​32270)
• Update upgrade guide + roadmap (0040ee5e7)

📦 Build

• nuxt: Ensure cache is typed (33df20d17)

🏡 Chore

• Upgrade webpack dependencies separately (444d60936)
• Apply lint fixes (221ce99eb)
• Add missing dependency (720170dea)

✅ Tests

• Add regression test for useAsyncData + transition (29f7c8cb4)
• Ensure builder tests run sequentially (defa32829)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Julien Huang (@​huang-julien)
• Hugo Richard (@​HugoRCD)
• mxmxmmgg (@​mxmxmmgg)
• xjccc (@​xjccc)
• Horu (@​HigherOrderLogic)
• Baptiste Leproux (@​larbish)
• Phojie Rengel (@​phojie)
• duolaameng (@​1411430556)
• David Stack (@​davidstackio)

v3.17.4

Compare Source

3.17.4 is a regularly-scheduled patch release.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxi@latest upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• nuxt: Use Set for circular dep plugin (#​32110)
• Refactor Array.includes checks to use Sets (#​32133)
• nuxt: Use shallowRef for primitive values (#​32152)
• nuxt: Skip route rules processing for empty child array (#​32166)
• nuxt: Use Intl.Collator instead of localeCompare (#​32167)

🩹 Fixes

• nuxt: Do not await lazy asyncData inside <ClientOnly> (#​32101)
• nuxt: Respect cachedData with multiple asyncData calls (#​32099)
• nuxt: Clear async data after a tick (#​32096)
• nuxt: Support reactive keys in useLazyAsyncData (#​32092)
• rspack: Use ts-checker-rspack-plugin (#​32115)
• nuxt: Clear previous head in island-renderer (#​32100)
• nuxt: Handle virtual files prefixed with / (#​32129)
• schema: Remove nitro options from DeepPartial (#​31990)
• nuxt: Ensure legacy async data remains reactive (#​32134)
• nuxt: Pass attrs down to single child of <ClientOnly> (#​32131)
• nuxt: Fix merge conflicts (7044450d4)
• nuxt: Clone vnode when passing attrs down to client-only (b3acf0c78)
• vite: Do not replace global with globalThis (#​32130)
• nuxt: Suppress client-side errors by crawlers (#​32137)
• nuxt: Use fresh route when <NuxtLayout> first renders (#​24673)
• nuxt: Add additional logging when skipping error page for bot (68c270083)
• nuxt: Add watch paths outside srcDir to parcel strategy (#​32139)

📖 Documentation

• Use emphasis instead of quotes (#​32078)
• Update useNuxtData default return to undefined (#​32054)
• Capitalise headings (#​32095)
• Prefix imports.dirs with alias (0dbf314d9)
• Mention node v20 is minimum requirement for nuxt setup (#​32148)
• Use more descriptive link text (d0b1b9d35)

🏡 Chore

• Remove unneeded JSdoc comments (#​32090)
• Use vitest workspaces for tests (#​32121)

✅ Tests

• Add universal routing tests + clean up output (64178b6f4)
• nuxt: Add un

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.