@nuxt/kit 3.21.7

on Node.js NPM

3.21.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
• vite: Resolve vite clientServer with ssr: false (#34959)
• vite: Prefix public asset virtuals with null byte (38d330179)
• nuxt: Handle missing payload in chunkError listener (#35155)
• vite: Close vite dev server on nuxt close (d007d7060)
• kit,nuxt: Handle cancelling prompts to install packages (59821a5ca)
• nuxt: Await in-lifght template generation when closing nuxt (#35181)
• webpack: Surface compilation errors when stats.toString is empty (71dccff2b)
• kit: Improve TS extension stripping/substitutions (#35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• nuxt: Reject prototype-chain keys in the island registry (#35205)
• nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
• rspack,webpack: Require loopback host when missing same-origin signals (#35200)
• nuxt: Absolutely resolve defu in app config template (40bedf0db)
• nuxt: Match route rules case-insensitively to mirror vue-router (3f3e3fa7b)
• nuxt: Escape <NoScript> slot content (7fea9fd68)
• nuxt: Block path-normalization open redirect in navigateTo (1f2dd5e78)
• nuxt: Reject cross-origin paths in reloadNuxtApp (6497d99dd)
• vite: Bind vite-node IPC to a permissioned filesystem socket (c293bf950)
• nuxt: Reject script-capable protocols in <NuxtLink> href (53284043d)
• nuxt: Clarify page and layout usage warnings (#35184)
• nuxt: Do not absolutely resolve defu (d11d7b1b5)

📖 Documentation

• Edit for clarity and grammar (#35214)
• Add dedicated module dependencies page (#35171)

🏡 Chore

• Use execFileSync for safety in release scripts (9a455a658)
• Assert there is always a tag (8da21fba8)
• Fix type in test (bc2837125)
• Fix lychee dynamic composable exclude (#35119)
• Add autofix action tag in comment (70eba297f)
• Update renovate minimum release age (27a6821a1)

✅ Tests

• Update test for js payload rendering (b51a80840)
• Improve reliability of hmr test (0078499f0)

🤖 CI

• Always run all tests for 4.x/3.x (0519c0ade)
• Update to agentscan v1.8.0 (#35120)
• Automatically close PRs from automated accounts (#35161)
• Migrate from tibdex (6277aedcb)
• Disable provenance-change enforcement in dependency-review (1d4910eed)
• Add zizmor github actions check (#35089)

❤️ Contributors

• Daniel Roe (@danielroe)
• Matej Černý (@cernymatej)
• anton-gor-dev (@anton-gor-dev)
• Julien Huang (@huang-julien)
• David Stack (@davidstackio)
• Noah3521 (@Noah3521)
• Matteo Gabriele (@MatteoGabriele)
• Mohit Kumar (@mohitkum4r)
• Florian Heuberger (@Flo0806)