3.21.7 is a security hotfix release.
Make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.
👉 Changelog
🩹 Fixes
- nitro: Assign `noSSR` before deciding payload extraction (#35108)
- vite: Avoid filtering out dirs with shared prefix from `allowDirs` (#35112)
- nuxt: Use resolve from `pathe` for buildCache path boundary check (#35111)
- nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
- nitro: Pass event data to `isValid` in dev clipboard-copy listener (#35109)
- nuxt: Validate protocols in `reloadNuxtApp` path before reload (#35115)
- vite: Resolve vite `clientServer` with `ssr: false` (#34959)
- vite: Prefix public asset virtuals with null byte (38d330179)
- nuxt: Handle missing payload in chunkError listener (#35155)
- vite: Close vite dev server on nuxt close (d007d7060)
- kit,nuxt: Handle cancelling prompts to install packages (59821a5ca)
- nuxt: Await in-flight template generation when closing nuxt (#35181)
- webpack: Surface compilation errors when stats.toString is empty (71dccff2b)
- kit: Improve TS extension stripping/substitutions (#35233)
- nuxt: Preserve `.d.mts`/`.d.cts` in `resolveTypePaths` (#35235)
- nuxt: Reject prototype-chain keys in the island registry (#35205)
- nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
- nuxt: Escape props in `<NuxtClientFallback>` ssr output (#35199)
- nuxt: Apply `isScriptProtocol` guard to `navigateTo` open option (#35206)
- rspack,webpack: Require loopback host when missing same-origin signals (#35200)
- nuxt: Absolutely resolve `defu` in app config template (40bedf0db)
- nuxt: Match route rules case-insensitively to mirror `vue-router` (3f3e3fa7b)
- nuxt: Escape `<NoScript>` slot content (7fea9fd68)
- nuxt: Block path-normalization open redirect in `navigateTo` (1f2dd5e78)
- nuxt: Reject cross-origin paths in `reloadNuxtApp` (6497d99dd)
- vite: Bind vite-node IPC to a permissioned filesystem socket (c293bf950)
- nuxt: Reject script-capable protocols in `<NuxtLink>` href (53284043d)
- nuxt: Clarify page and layout usage warnings (#35184)
- nuxt: Do not absolutely resolve `defu` (d11d7b1b5)
📖 Documentation
🏡 Chore
- Use `execFileSync` for safety in release scripts (9a455a658)
- Assert there is always a tag (8da21fba8)
- Fix type in test (bc2837125)
- Fix lychee dynamic composable exclude (#35119)
- Add autofix action tag in comment (70eba297f)
- Update renovate minimum release age (27a6821a1)
✅ Tests
🤖 CI
- Always run all tests for 4.x/3.x (0519c0ade)
- Update to agentscan v1.8.0 (#35120)
- Automatically close PRs from automated accounts (#35161)
- Migrate from tibdex (6277aedcb)
- Disable provenance-change enforcement in dependency-review (1d4910eed)
- Add zizmor github actions check (#35089)
❤️ Contributors
- Daniel Roe (@danielroe)
- Matej Černý (@cernymatej)
- anton-gor-dev (@anton-gor-dev)
- Julien Huang (@huang-julien)
- David Stack (@davidstackio)
- Noah3521 (@Noah3521)
- Matteo Gabriele (@MatteoGabriele)
- Mohit Kumar (@mohitkum4r)
- Florian Heuberger (@Flo0806)