This repository has been archived by the owner on Aug 2, 2023. It is now read-only.
fix(deps): update dependency nuxt to v3 [security] - autoclosed #330
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.17.0
->3.4.3
GitHub Vulnerability Alerts
CVE-2023-3224
Nuxt prior to version 3.4.3 is vulnerable to code injection.
Release Notes
nuxt/nuxt
v3.4.3
Compare Source
✅ Upgrading
As usual, our recommendation for upgrading is to run:
This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.
👉 Changelog
compare changes
🩹 Fixes
timeEnd
unless we're debugging (#20424)<ClientOnly>
(f1ded44e8)event.node.req
in cookie utility (#20474)devServer.https: true
(#20498)/__nuxt_error
directly (#20497)callAsync
for executing hooks with context (#20510)app:error
in SSR before rendering error page (#20511)asyncData
(#20535)#components
imports into direct component imports (#20547)RenderResponse
for redirects (#20496)📖 Documentation
vue-router
docs (#20454)✅ Tests
🤖 CI
nuxt-edge
with provenance (753c4c2a3)❤️ Contributors
v3.4.2
Compare Source
✨ What's new?
Apart from the normal bug fixes, we have a couple things we should call out.
@parcel/watcher
for the Nuxt dev watcher (#20179). This may improve performance if you're on Windows. You'll probably also want to installwatchman
in that case.✅ Upgrading
As usual, our recommendation for upgrading is to run:
This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.
👉 Changelog
compare changes
🔥 Performance
@parcel/watcher
for dev watcher (#20179)🩹 Fixes
useRequestHeaders
keys as optional (#20286)@jest/globals
(#20360)rootDir
when preparing project (#20401)💅 Refactors
isJS
andisVue
utilities consistently (#20344)isFileServingAllowed
util (#20414)📖 Documentation
🏡 Chore
@ts-ignore
and fix some issues (#20273)🤖 CI
❤️ Contributors
v3.4.1
Compare Source
👉 Changelog
compare changes
🩹 Fixes
ssrContext
in spa renderer (#20216)<NuxtClientFallback>
(#20237)vue-router
normalises url (#20247)📖 Documentation
transform
/pick
(#20186)✅ Tests
❤️ Contributors
v3.4.0
Compare Source
👀 Highlights
🪄 View Transitions API Support
CleanShot.2023-04-11.at.18.00.47.mp4
You can see a demo on https://nuxt-view-transitions.surge.sh
You may have noticed that Chromium-based browsers now ship a new web platform API: the View Transitions API. This is an exciting new ability for native browser transitions which (among other things) have the ability to transition between unrelated elements on different pages.
Nuxt now ships with an experimental implementation, which will be under active development during the v3.4 release cycle. See the known issues in the linked PR.
✨ Payload Enhancements
We've merged a significant change to how Nuxt handles payloads (under an experimental flag). Payloads are used to send data from the server to the client when doing server-side rendering and avoid double data-fetching during the hydration phase.
With this new option enabled, this now means that various rich JS types are supported out-of-the-box: regular expressions, dates, Map and Set and BigInt as well as NuxtError - and Vue-specific objects like
ref
,reactive
,shallowRef
andshallowReactive
.You can find an example in our test suite.
This is all possible due to Rich-Harris/devalue#58. For a long time, Nuxt has been using our own fork of devalue owing to issues serialising Errors and other non-POJO objects, but we now have transitioned back to the original.
You can even register your own custom types with a new object-syntax Nuxt plugin:
You can read more about how this works here.
Note: this only affects payloads of the Nuxt app, that is, data stored within
useState
, returned fromuseAsyncData
or manually injected vianuxtApp.payload
. It does not affect data fetched from Nitro server routes via$fetch
oruseFetch
although this is one area I am keen to explore further.Preliminary testing shows a significant speed-up: 25% faster in total server response time for a very minimal app with a large JSON payload, but I'd urge you to run your own tests and share the results with us.
As mentioned, we're merging this behind a flag so we can test this broadly and gather feedback on the new approach. The most significant potential change is that the payload is now no longer available on
window.__NUXT__
immediately. Instead, we now need to initialise the Nuxt app to parse the payload so any code that accesses__NUXT__
will need to be run in a plugin or later in the Nuxt app lifecycle. Please feel free to raise an issue if you foresee or encounter issues in your projects.🎁 Object-syntax Nuxt plugins
We now support object-syntax Nuxt plugins for better control over plugin order and easier registration of hooks.
In future we plan to enable build optimizations based on the metadata you pass in your Nuxt plugins.
🛠️ Easier Devtools Configuration
It's even easier to enable Nuxt DevTools in your project: just set
devtools: true
in yournuxt.config
file to enable devtools.If it's not already installed, Nuxt will prompt to install it locally. This means you no longer need to have Nuxt DevTools enabled globally.
Note: the DevTools is still experimental and under active development, so do be prepared for occasional unexpected behaviour, and please report issues directly to https://github.com/nuxt/devtools 🙏
📚 Layers Improvements
We now support transforming
~
/~~
/@
/@@​
aliases within layers, meaning you now no longer need to use relative paths when importing within layers.This should mean it is much easier to use a 'normal' Nuxt project as a layer without needing to specially write it as one.
🧸 Better Context Transforms
We now transform certain keys of
definePageMeta
anddefineNuxtComponent
which means you should have fewer issues with a missing Nuxt instance. This includes support accessing the Nuxt instance after anawait
withinasyncData
andsetup
functions for those still using the Options API. And you no longer need to wrapmiddleware
andvalidate
withdefineNuxtRouteMiddleware
when using async functions.♻️ Ecosystem Updates
As usual, this release will pull in upstream improvements, including the new Consola v3 and Nitropack v2.3.3 (a new minor is expected shortly).
🚨 'Breaking fixes'
We've also taken the opportunity to do some cleanup in this minor release.
x-nuxt-no-ssr
header (undocumented) to force SPA rendering. We've now disabled this behaviour by default but you can get it back by settingexperimental.respectNoSSRHeader
to true. Alternatively, you can setevent.context.nuxt.noSSR
on the server to force SPA rendering.#head
alias and also disabled the polyfill for@vueuse/head
behaviour by default. (It can still be enabled withexperimental.polyfillVueUseHead
.)experimental.viteNode
option. It can be configured instead withvite.devBundler
.public
key. This was an undocument compatibility measure with Nuxt 2 and we plan to remove it entirely in v3.5.✅ Upgrading
As usual, our recommendation for upgrading is to run:
This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.
With Nuxt v3.4.0, we now advise that you explicitly install the
@types/node
version that matches your Node version.👉 Changelog
compare changes
🚀 Enhancements
useRoute
is used in middleware (#20050)watch
withuseFetch
(#19823)~
/~~
/@
/@@​
aliases within layers (#19986)dir.pages
in page placeholder (#20079)devtools
when it's enabled (#20126)experimentalNoScripts
route rule (#19805)🔥 Performance
@vueuse/head
polyfill by default (#20131)🩹 Fixes
x-nuxt-no-ssr
header by default (#20024)$config
object (#20081)useFetch
(#20052)@types/node
as a peerDependency (#20025)any
(#20105).client
component placeholders (#20093)undefined
type foruseCookie
return value (4f0b3c722)imports.autoImport
(#20180)ignorePrefix
to be changed (#20202)💅 Refactors
experimental
options (#20112)#head
alias (#20111)📖 Documentation
imports
configuration (#20073)headers
option foruseFetch
(#20148)@pinia/nuxt
module name (#20199)🏡 Chore
overrides
(4a6f85277)overrides
(a15a9b66f)JITI_ESM_RESOLVE
(#20172)✅ Tests
🎨 Styles
sort-imports
eslint rule (#20133)🤖 CI
head_ref
for dependency deduping (ae5df72c5)❤️ Contributors
v3.3.3
Compare Source
✅ Upgrading
As usual, our recommendation for upgrading is to run:
This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.
👉 Changelog
compare changes
🩹 Fixes
setResponseStatus
signature with h3 (#19987)💅 Refactors
📖 Documentation
pages:extend
example (72724076b)🏡 Chore
mkdist
to1.2.0
(a96451d2d)✅ Tests
🤖 CI
❤️ Contributors
v3.3.2
Compare Source
✅ Upgrading
As usual, our recommendation for upgrading is to run:
This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.
👉 Changelog
compare changes
🔥 Performance
🩹 Fixes
performance.mark()
(#19687)h3
utilities to set response status/code (#19713)📖 Documentation
useAsyncData
(#19225)$fetch
in top-level<script setup>
(#19357)return
statement (fc7867fb0)@nuxt/kit
example with node built-ins (#19873)🏡 Chore
✅ Tests
🤖 CI
❤️ Contributors
v3.3.1
Compare Source
👀 Highlights
✨ Local module development DX
We've landed a raft of changes to enable local modules and improve DX. We now auto-scan your
~/modules
folder and register top level files there as modules in your project (https://github.com/nuxt/nuxt/pull/19394). When these files are changed, we'll automatically restart the nuxt server.export default defineNuxtConfig({ modules: [ '@​nuxtjs/tailwindcss', - '~/modules/purge-comments' ] })
We also now expose
nuxt/kit
for easy access to kit composables in your local project without having to install@nuxt/kit
(https://github.com/nuxt/nuxt/pull/19422).♻️ Restarting Nuxt
You can add files to the
watch
array to automatically restart the server (https://github.com/nuxt/nuxt/pull/19530). This is likely to be particularly useful for module authors. You can also trigger a restart of the Nuxt server with the newrestart
hook (https://github.com/nuxt/nuxt/pull/19084). We also landed a couple of fixes on restarting the Nuxt server which should improve your experience when developing.🔥 Performance improvements
We've increased static asset maxAge to 1yr as a matter of best practice (https://github.com/nuxt/nuxt/pull/19335), and support tree-shaking more of your build (https://github.com/nuxt/nuxt/pull/19508). We also now support preloading
<NuxtLink>
s with a route in object-syntax (https://github.com/nuxt/nuxt/pull/19120).We also track how long it takes each module you use to perform its setup, and warn if it takes too long. You can see all these values by running your dev server with
DEBUG=1
You can also opt-in to some of Nuxt's internal optimisations by configuring composables to be treeshaken in a particular environment (https://github.com/nuxt/nuxt/pull/19383), or to have magic keys automatically injected (https://github.com/nuxt/nuxt/pull/19490) - primarily useful for module authors.
🐛 Error handling
We now handle chunk errors by default (https://github.com/nuxt/nuxt/pull/19086), meaning if your site updates with a redeploy, we automatically handle reloading it on navigation. You can disable this and handle it yourself with the new
reloadNuxtApp
composable. You can also setexperimental.restoreState
to preserve some of your app state across reloads.We also have a new experimental error handling component:
<NuxtClientFallback>
(https://github.com/nuxt/framework/pull/8216) which can capture errors rendering on server, replace them with fallback content, and granularly trigger rerendering the part with an error on the client. This can be enabled withexperimental.clientFallback
- feedback very welcome!⚡️ Head improvements
We've migrated to use
unhead
directly (https://github.com/nuxt/nuxt/pull/19519) - and automatically tree-shake server-only head composables likeuseServerHead
from your client build (https://github.com/nuxt/nuxt/pull/19576), meaning you can have great SEO without needing to include meta tag logic that's relevant only for crawlers in your client build.There's also a new
useHeadSafe
composable that handles santising untrusted user input (https://github.com/nuxt/nuxt/pull/19548).🪵 Better logging in browser DevTools
Working with the Chrome DevTools team, we've landed a couple of features across the unjs + Nuxt ecosystem meaning we now have first-class support for hiding Nuxt internal stack traces from logs in your (Chromium-based, for now) browser (https://github.com/nuxt/nuxt/pull/19243). We also landed a couple of improvements with stacktraces involving Nuxt hooks (https://github.com/unjs/hookable/pull/69 and https://github.com/unjs/hookable/pull/68) implementing
console.createTask
.💪 Type improvements
Types for server API routes are now more correct - with non-serialisable types stripped out of the return type (https://github.com/unjs/nitro/pull/1002).
We also now type more of
NuxtApp
and correctly type unknown injections for greater type-safety (https://github.com/nuxt/nuxt/pull/19643).And if you were struggling with correct types when using
transform
+default
with Nuxt data fetching composables, fear no more - we now infer the types correctly (https://github.com/nuxt/nuxt/pull/19487).⚗️ Nitro enhancements
This release comes with Nitro v2.3, which brings lots of improvements of its own. Check out the release for more info.
We now support
useAppConfig
in nitro server routes (https://github.com/nuxt/nuxt/pull/19489) - a long-awaited change. NowuseAppConfig
is consistently available throughout your app for non-runtime configuration from layers, modules, etc.We've also added a
nitro:build:public-assets
hook to allow modifying assets output from nitro's prerender/build phase (https://github.com/nuxt/nuxt/pull/19638).🛠️ Build changes
As part of moving towards first-class support for PNP and pnpm support without
--shamefully-hoist
, we've dropped support for some internal (deprecated) utilities using CJS resolve patterns (https://github.com/nuxt/nuxt/pull/19537, https://github.com/nuxt/nuxt/pull/19608). We also now resolve dependencies likenuxt
,@nuxt/kit
and more using ESM search-paths. We'll be keeping a close eye on this.We're also preparing the groundwork for support of new TypeScript Node16 module resolution (https://github.com/nuxt/nuxt/issues/19606), and as part of this have changed the format of our runtime output (using
.js
instead of.mjs
extensions, providingtypes
fields for subpath exports, and more).🗺️ Custom config schema (advanced)
We've been testing out an experimental feature to allow modules and users to extend the Nuxt config schema (https://github.com/nuxt/nuxt/issues/15592), and we've now enabled this by default (https://github.com/nuxt/nuxt/pull/19172). We expect this will be particularly useful for module and layer/theme authors, and should result in some nicer DX for their users.
Changelog
compare changes
🚀 Enhancements
restart
hook is called (#19084)versions
to runtime nuxtApp (#19064)node_modules
and buildDir tox_google_ignoreList
(#19243)nuxt/kit
subpath for local use (#19422)~/modules
(#19394)priority
to allow overriding (#19252)trailingSlashBehavior
indefineNuxtLink
(#19458)logLevel
(#19369)<NuxtClientFallback>
component (#8216)watch
option and refactor dev server restarting (#19530)useHeadSafe
and remove layer around head imports (#19548)nitro:build:public-assets
hook (#19638)🔥 Performance
@vueuse/head
dependency (#19519)🩹 Fixes
NuxtLink
(#19379)import.meta
types (#19338)/
fromsourcemapIgnoreList
for windows support (73ade185b)kit.*
files to published package (#19430)transform
(#19487)boolean
from inline module definitions (#19621)payloadExtraction
warning only when unset (#18516)💅 Refactors
📖 Documentation
versions
and modules (#19448)routeRules
(#19455)devServer.https
example (#19486)~/server/utils
directory in~/utils
page (#19500)addComponent
jsdoc comment (#19503)--log-level
(06b9233b1)🏡 Chore
@nuxt/test-utils
package as external group (#19419)hasProtocol
options format (#19555)✅ Tests
🤖 CI
❤️ Contributors
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.