chore(nuxt): Update [DEV] minor & patch dependencies to ^4.4.7

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
nuxt (source)	^4.4.4 → ^4.4.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nuxt/nuxt (nuxt)

v4.4.7

Compare Source

4.4.7 is a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#​35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#​35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#​35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#​35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#​35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#​35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#​35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#​35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#​35152)
• nuxt: Handle missing payload in chunkError listener (#​35155)
• nuxt: Await in-lifght template generation when closing nuxt (#​35181)
• nuxt: Clarify page and layout usage warnings (#​35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#​35205)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#​35206)
• nuxt: Prevent server-only page island from recursing via <NuxtPage> (#​35198)
• rspack,webpack: Require loopback host when missing same-origin signals (#​35200)
• nitro: Gate chrome devtools workspace endpoint to local requests (#​35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#​35199)
• kit: Improve TS extension stripping/substitutions (#​35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#​35235)
• nuxt: Escape <NoScript> slot content (4b054e9d9)
• nuxt: Match route rules case-insensitively to mirror vue-router (07e39cd6f)
• nuxt: Reject script-capable protocols in <NuxtLink> href (0103ce06f)
• nuxt: Block path-normalization open redirect in navigateTo (2cce6fb02)
• nuxt: Reject cross-origin paths in reloadNuxtApp (e447a793c)
• vite: Bind vite-node IPC to a permissioned filesystem socket (1f9f4767a)

💅 Refactors

• kit,nuxt,vite: Use es2023 array methods (#​34980)
• nuxt: Replace runInNewContext with AST walker (d72a89ef4)

📖 Documentation

• Document vite client and server options (#​35090)
• Add dedicated module dependencies page (#​35171)
• Add nodeTsConfig and sharedTsConfig options (#​35231)
• Edit for clarity and grammar (#​35214)

🏡 Chore

• Use execFileSync for safety in release scripts (1d7baaf01)
• Assert there is always a tag (e98c47c3c)
• Add autofix action tag in comment (ffa5c0098)
• Fix type in test (a549652e2)
• Update renovate minimum release age (d12d5e58a)
• Fix lychee dynamic composable exclude (#​35119)
• Update lockfile (91186dc51)
• Lint (dbc58965c)

✅ Tests

• Update test for js payload rendering (bdcb81536)
• Cover add regression test for hmr in sibling local layers (#​35125)
• Improve reliability of hmr test (1d709b3cc)

🤖 CI

• Always run all tests for 4.x/3.x (0dc4665cf)
• Migrate from tibdex (ded29dc0f)
• Add zizmor github actions check (#​35089)
• Update to agentscan v1.8.0 (#​35120)
• Automatically close PRs from automated accounts (#​35161)
• Disable provenance-change enforcement in dependency-review (a2cf43e68)

❤️ Contributors

• Daniel Roe (@​danielroe)
• David Stack (@​davidstackio)
• David De Sloovere (@​DavidDeSloovere)
• anton-gor-dev (@​anton-gor-dev)
• Noah3521 (@​Noah3521)
• Shahar Aviram (@​ShaharAviram1)
• Matej Černý (@​cernymatej)
• Mohit Kumar (@​mohitkum4r)
• Matteo Gabriele (@​MatteoGabriele)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)

v4.4.6

Compare Source

4.4.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• vite: Use spa entry for vite-node fallback (#​35037)
• vite: Invalidate SSR module cache when modules are invalidated via plugin hooks (a86657a0e)
• nuxt: Match deduplicated resolveComponent calls in jsx blocks (#​35028)
• nuxt: Prefer our own builder/server deps (#​35029)
• nuxt: Update useFetch key even with watch: false (#​35002)
• nitro: Mark @babel/plugin-syntax-typescript as optional peer dep (#​35041)
• nitro: Add json extension to payload cache items (#​35043)
• nuxt: Handle errors fetching app manifest (#​35050)
• nuxt: Encode html-significant characters in external redirect body (#​35052)
• nuxt: Preserve setPageLayout props on same-path navigation (#​35055)
• vite: Don't strip buildAssetsDir from vite-node SSR ids (#​35040)
• nuxt: Mark useLoadingIndicator properties as readonly (#​35062)
• vite: Strip queries in css inline styles map (#​35067)
• nitro: Validate island request hash matches props (#​35077)
• nitro: Use regexp to strip query (163e18d4b)
• nitro: Use statusCode for nitro v2 compatibility (952f6841e)
• nitro-server: Re-export h3 named symbols statically (cd99001c8)
• nuxt: Render component-less parent routes during client-side nav (#​35036)
• kit: Respect tsConfig.exclude in legacy tsconfig.json (#​35079)
• nuxt: Run middleware for page islands (#​35092)

💅 Refactors

• rspack,webpack: Extract same-origin check for dev middleware (#​35051)

📖 Documentation

• Remove CSB, set node 22 and use steps for clarity (#​35066)

🏡 Chore

• One more type, one more (50dcf15bb)
• Remove unneeded (?) overrides (6997093af)
• Use explicit versions for fixture dependencies (294a734d4)
• Ignore link-like syntax in code (2584a549c)
• Narrow engines.node in test (5bb17fb47)
• Remove unused import (a52d78626)

✅ Tests

• Relax relative time assertion (c3dcd16f9)
• Add type (732d844ad)
• Drop h3 v2 types (8286e5fcd)

🤖 CI

• Clean up agent-scan workflow (ab8317547)
• Continue autofix workflow when test:engines fails (3025e561e)
• Improve workflows (#​35088)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Tim (@​timhn-bm)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)
• Sébastien Chopin (@​atinux)
• Adrien Foulon (@​Tofandel)
• Sami El Achi (@​samiashi)

v4.4.5

Compare Source

4.4.5 is the next patch release.

👉 Changelog

compare changes

🔥 Performance

• kit: Cache layer roots and short-circuit isIgnored relative (#​35015)

🩹 Fixes

• vite: Resolve vite clientServer with ssr: false (#​34959)
• nitro: Correct payload route rule for / + override ssr: true (#​34990)
• nitro: Break recursive rendering deadlocks during prerender (#​34939)
• vite: Drop redundant css link when entry styles are inlined (#​34950)
• vite: Sort optimizeDeps.include in pre-bundle hint (#​34976)
• nuxt: Only force suspense remount after first resolve (#​34949)
• kit: Read .env before resolving nuxt schema (#​34958)
• nitro: Preserve serverHandlers array after nitro:config (#​34985)
• nuxt: Cast partial nitro handlers when prepending to server arrays (61dcde4db)
• vite: Only consider CSS inlined when styles are actually emitted (#​35006)
• nuxt: Dedupe getCachedData for concurrent callers sharing a key (#​34999)
• nuxt: Respect factory fetch/baseURL options in server useFetch (#​35003)
• nuxt: Handle string presets in auto-imports (#​35013)
• nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
• vite: Inline css for non-island children of server components (#​35001)
• nuxt: Defer head DOM updates until page transition finishes (#​35016)
• nuxt: Explicitly freeze head during island plugin phase (#​35010)
• vite: Inline css imported from non-vue js modules (#​35020)

📖 Documentation

• Add warning about routing in server components (#​34994)

🏡 Chore

• Fix lockfile (c3ee07801)
• Pin jiti (c8102228f)
• Lint (39422b6d2)
• Pin @vue/compiler-sfc (cd404a14c)
• Ignore pnpm cyclic workspace deps warn (#​34998)
• Remove jiti from build steps (#​35004)

✅ Tests

• Extract server components fixture + add some failing tests (#​34995)
• Isolate buildDir per matrix project for shared fixtures (#​35007)
• Remove tests for 5.x runtimeBaseURL fature (816c25487)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Harlan Wilton (@​harlan-zw)
• Jonazzzz (@​Bombastickj)
• Damian Głowala (@​DamianGlowala)
• Florian Heuberger (@​Flo0806)

---

Configuration

📅 Schedule: (in timezone GMT)

• Branch creation
  • "before 7am on the first day of the week"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 7, 2026 1:17am

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0c07ea5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8575

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8575

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8575

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8575

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8575

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8575

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8575

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8575

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8575

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8575

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8575

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8575

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8575

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8575

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8575

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8575

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8575

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8575

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8575

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8575

commit: 0c07ea5

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-07T01:20:18.460Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	1
🟢 Additions	0

🤖 This report was reviewed by claude-sonnet-4-6.

Note
Break Check could not snapshot 3 subpaths; the diff below excludes them.

• @clerk/astro ./env: Internal Error: Unable to determine module for: /home/runner/_work/javascript/javascript/packages/astro/env.d.ts You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/shared ./cookie: Internal Error: Unable to follow symbol for "Cookies" You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
• @clerk/testing ./cypress: Symbol not found for identifier: Cypress

---

@clerk/shared

Current version: 4.15.0
Recommended bump: MINOR → 4.16.0

Subpath ./apiUrlFromPublishableKey

🟡 Non-breaking Changes (1)

Modified: apiUrlFromPublishableKey

- apiUrlFromPublishableKey: (publishableKey: string) => "https://api.clerk.com" | "https://api.lclclerk.com" | "https://api.clerkstage.dev"
+ apiUrlFromPublishableKey: (publishableKey: string) => "https://api.lclclerk.com" | "https://api.clerkstage.dev" | "https://api.clerk.com"

Static analyzer: Breaking change in function apiUrlFromPublishableKey: Return type changed: "https://api.clerk.com"|"https://api.lclclerk.com"|"https://api.clerkstage.dev" → "https://api.lclclerk.com"|"https://api.clerkstage.dev"|"https://api.clerk.com"

🤖 AI review (reclassified as non-breaking) (99%): The return type is a union of the exact same three string literal members; reordering union members is structurally identical in TypeScript and has no effect on well-typed consumers.

---

Report generated by Break Check

_{Last ran on 0c07ea5. Pushes that change no tracked declarations (no API surface change vs. base) are skipped and don't update this comment.}