Skip to content

chore(deps-dev): bump nuxt from 2.18.1 to 3.21.7#1854

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/nuxt-3.21.7
Open

chore(deps-dev): bump nuxt from 2.18.1 to 3.21.7#1854
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/nuxt-3.21.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps nuxt from 2.18.1 to 3.21.7.

Release notes

Sourced from nuxt's releases.

v3.21.7

3.21.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

  • nitro: Assign noSSR before deciding payload extraction (#35108)
  • vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
  • nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
  • nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
  • nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
  • nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
  • vite: Resolve vite clientServer with ssr: false (#34959)
  • vite: Prefix public asset virtuals with null byte (38d330179)
  • nuxt: Handle missing payload in chunkError listener (#35155)
  • vite: Close vite dev server on nuxt close (d007d7060)
  • kit,nuxt: Handle cancelling prompts to install packages (59821a5ca)
  • nuxt: Await in-lifght template generation when closing nuxt (#35181)
  • webpack: Surface compilation errors when stats.toString is empty (71dccff2b)
  • kit: Improve TS extension stripping/substitutions (#35233)
  • nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
  • nuxt: Reject prototype-chain keys in the island registry (#35205)
  • nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
  • nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
  • nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
  • rspack,webpack: Require loopback host when missing same-origin signals (#35200)
  • nuxt: Absolutely resolve defu in app config template (40bedf0db)
  • nuxt: Match route rules case-insensitively to mirror vue-router (3f3e3fa7b)
  • nuxt: Escape <NoScript> slot content (7fea9fd68)
  • nuxt: Block path-normalization open redirect in navigateTo (1f2dd5e78)
  • nuxt: Reject cross-origin paths in reloadNuxtApp (6497d99dd)
  • vite: Bind vite-node IPC to a permissioned filesystem socket (c293bf950)
  • nuxt: Reject script-capable protocols in <NuxtLink> href (53284043d)
  • nuxt: Clarify page and layout usage warnings (#35184)
  • nuxt: Do not absolutely resolve defu (d11d7b1b5)

📖 Documentation

  • Edit for clarity and grammar (#35214)
  • Add dedicated module dependencies page (#35171)

🏡 Chore

  • Use execFileSync for safety in release scripts (9a455a658)
  • Assert there is always a tag (8da21fba8)
  • Fix type in test (bc2837125)
  • Fix lychee dynamic composable exclude (#35119)
  • Add autofix action tag in comment (70eba297f)
  • Update renovate minimum release age (27a6821a1)

✅ Tests

  • Update test for js payload rendering (b51a80840)

... (truncated)

Commits
  • fd806be v3.21.7
  • d11d7b1 fix(nuxt): do not absolutely resolve defu
  • 13e177e fix(nuxt): clarify page and layout usage warnings (#35184)
  • 5328404 fix(nuxt): reject script-capable protocols in \<NuxtLink> href
  • 6497d99 fix(nuxt): reject cross-origin paths in reloadNuxtApp
  • 1f2dd5e fix(nuxt): block path-normalization open redirect in navigateTo
  • 7fea9fd fix(nuxt): escape \<NoScript> slot content
  • 3f3e3fa fix(nuxt): match route rules case-insensitively to mirror vue-router
  • 40bedf0 fix(nuxt): absolutely resolve defu in app config template
  • 62fc32e fix(nuxt): apply isScriptProtocol guard to navigateTo open option (#35206)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nuxt since your current version.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026
@dependabot dependabot Bot requested a review from wattanx as a code owner June 20, 2026 06:00
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026
@socket-security

socket-security Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednuxt@​3.21.79810010096100

View full report

@socket-security

socket-security Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm seroval is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/nuxt@3.21.7npm/seroval@1.5.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@pkg-pr-new

pkg-pr-new Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/bridge@1854

npm i https://pkg.pr.new/@nuxt/bridge-schema@1854

commit: fe08271

@dependabot
chore(deps-dev): bump nuxt from 2.18.1 to 3.21.7
fe08271 
Bumps [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt) from 2.18.1 to 3.21.7.
- [Release notes](https://github.com/nuxt/nuxt/releases)
- [Commits](https://github.com/nuxt/nuxt/commits/v3.21.7/packages/nuxt)

---
updated-dependencies:
- dependency-name: nuxt
  dependency-version: 3.21.7
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/nuxt-3.21.7 branch from b57c357 to fe08271 Compare June 21, 2026 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wattanx wattanx Awaiting requested review from wattanx wattanx is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants