nuxt 4.4.7

on Node.js NPM

4.4.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#35152)
• nuxt: Handle missing payload in chunkError listener (#35155)
• nuxt: Await in-lifght template generation when closing nuxt (#35181)
• nuxt: Clarify page and layout usage warnings (#35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#35205)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
• nuxt: Prevent server-only page island from recursing via <NuxtPage> (#35198)
• rspack,webpack: Require loopback host when missing same-origin signals (#35200)
• nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
• kit: Improve TS extension stripping/substitutions (#35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• nuxt: Escape <NoScript> slot content (4b054e9d9)
• nuxt: Match route rules case-insensitively to mirror vue-router (07e39cd6f)
• nuxt: Reject script-capable protocols in <NuxtLink> href (0103ce06f)
• nuxt: Block path-normalization open redirect in navigateTo (2cce6fb02)
• nuxt: Reject cross-origin paths in reloadNuxtApp (e447a793c)
• vite: Bind vite-node IPC to a permissioned filesystem socket (1f9f4767a)

💅 Refactors

• kit,nuxt,vite: Use es2023 array methods (#34980)
• nuxt: Replace runInNewContext with AST walker (d72a89ef4)

📖 Documentation

• Document vite client and server options (#35090)
• Add dedicated module dependencies page (#35171)
• Add nodeTsConfig and sharedTsConfig options (#35231)
• Edit for clarity and grammar (#35214)

🏡 Chore

• Use execFileSync for safety in release scripts (1d7baaf01)
• Assert there is always a tag (e98c47c3c)
• Add autofix action tag in comment (ffa5c0098)
• Fix type in test (a549652e2)
• Update renovate minimum release age (d12d5e58a)
• Fix lychee dynamic composable exclude (#35119)
• Update lockfile (91186dc51)
• Lint (dbc58965c)

✅ Tests

• Update test for js payload rendering (bdcb81536)
• Cover add regression test for hmr in sibling local layers (#35125)
• Improve reliability of hmr test (1d709b3cc)

🤖 CI

• Always run all tests for 4.x/3.x (0dc4665cf)
• Migrate from tibdex (ded29dc0f)
• Add zizmor github actions check (#35089)
• Update to agentscan v1.8.0 (#35120)
• Automatically close PRs from automated accounts (#35161)
• Disable provenance-change enforcement in dependency-review (a2cf43e68)

❤️ Contributors

• Daniel Roe (@danielroe)
• David Stack (@davidstackio)
• David De Sloovere (@DavidDeSloovere)
• anton-gor-dev (@anton-gor-dev)
• Noah3521 (@Noah3521)
• Shahar Aviram (@ShaharAviram1)
• Matej Černý (@cernymatej)
• Mohit Kumar (@mohitkum4r)
• Matteo Gabriele (@MatteoGabriele)
• Julien Huang (@huang-julien)
• Damian Głowala (@DamianGlowala)