
Conversation

@renovate renovate bot commented Sep 18, 2025

This PR contains the following updates:

Package       | Change         | Age | Confidence
nuxt (source) | 4.0.2 -> 4.1.0 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-59414

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

  1. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
  2. This data gets serialized with devalue.stringify and stored in the prerendered page
  3. When a client navigates to the prerendered page, devalue.parse deserializes the payload
  4. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

  1. Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
  2. Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
  3. Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

  • Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
  • No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
  • Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

  • Update to Nuxt 3.19.0+ or 4.1.0+ immediately
  • Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

  1. Disable prerendering for pages that fetch user-controlled data
  2. Implement strict input validation on API endpoints used during prerendering
  3. Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

  • Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
  • Maximum length of 100 characters
  • Prevents path traversal and special characters

Release Notes

nuxt/nuxt (nuxt)

v4.1.0

Compare Source

👀 Highlights

🔥 Build and Performance Improvements
🍫 Enhanced Chunk Stability

Build stability has been significantly improved with import maps (#​33075). This prevents cascading hash changes that could invalidate large portions of your build when small changes are made:

<!-- Automatically injected import map -->
<script type="importmap">{"imports":{"#entry":"/_nuxt/DC5HVSK5.js"}}</script>

By default, JS chunks emitted in a Vite build are hashed, which means they can be cached immutably. However, this can cause a significant issue: a change to a single component can cause every hash to be invalidated, massively increasing the chance of 404s.

In short:

  1. a component is changed slightly - the hash of its JS chunk changes
  2. the page which uses the component has to be updated to reference the new file name
  3. the entry now has its hash changed because it dynamically imports the page
  4. every other file which imports the entry has its hash changed because the entry file name is changed

Obviously this wasn't optimal. With this new feature, the hash of (otherwise) unchanged files which import the entry won't be affected.

This feature is automatically enabled and helps maintain better cache efficiency in production. It does require native import map support, but Nuxt will automatically disable it if you have configured vite.build.target to include a browser that doesn't support import maps.

And of course you can disable it if needed:

export default defineNuxtConfig({
  experimental: {
    entryImportMap: false
  }
})

🦀 Experimental Rolldown Support

Nuxt now includes experimental support for rolldown-vite (#​31812), bringing Rust-powered bundling for potentially faster builds.

To try Rolldown in your Nuxt project, you need to override Vite with the rolldown-powered version since Vite is a dependency of Nuxt. Add the following to your package.json:

npm:

{
  "overrides": {
    "vite": "npm:rolldown-vite@latest"
  }
}

pnpm:

{
  "pnpm": {
    "overrides": {
      "vite": "npm:rolldown-vite@latest"
    }
  }
}

yarn:

{
  "resolutions": {
    "vite": "npm:rolldown-vite@latest"
  }
}

bun:

{
  "overrides": {
    "vite": "npm:rolldown-vite@latest"
  }
}

After adding the override, reinstall your dependencies. Nuxt will automatically detect when Rolldown is available and adjust its build configuration accordingly.

For more details on Rolldown integration, see the Vite Rolldown guide.

[!NOTE]
This is experimental and may have some limitations, but offers a glimpse into the future of high-performance bundling in Nuxt.

🧪 Improved Lazy Hydration

Lazy hydration macros now work without auto-imports (#​33037), making them more reliable when component auto-discovery is disabled:

<script setup>
// Works even with components: false
const LazyComponent = defineLazyHydrationComponent(
  'visible',
  () => import('./MyComponent.vue')
)
</script>

This ensures that components that are not "discovered" through Nuxt (e.g., because components is set to false in the config) can still be used in lazy hydration macros.

📄 Enhanced Page Rules

If you have enabled experimental extraction of route rules, these are now exposed on a dedicated rules property on NuxtPage objects (#​32897), making them more accessible to modules and improving the overall architecture:

// In your module
nuxt.hook('pages:extend', pages => {
  pages.push({
    path: '/api-docs',
    rules: { 
      prerender: true,
      cors: true,
      headers: { 'Cache-Control': 's-maxage=31536000' }
    }
  })
})

The defineRouteRules function continues to work exactly as before, but now provides better integration possibilities for modules.

🚀 Module Development Enhancements
🪾 Module Dependencies and Integration

Modules can now specify dependencies and modify options for other modules (#​33063). This enables better module integration and ensures proper setup order:

export default defineNuxtModule({
  meta: {
    name: 'my-module',
  },
  moduleDependencies: {
    'some-module': {
      // You can specify a version constraint for the module
      version: '>=2',
      // By default moduleDependencies will be added to the list of modules 
      // to be installed by Nuxt unless `optional` is set.
      optional: true,
      // Any configuration that should override `nuxt.options`.
      overrides: {},
      // Any configuration that should be set. It will override module defaults but
      // will not override any configuration set in `nuxt.options`.
      defaults: {}
    }
  },
  setup (options, nuxt) {
    // Your module setup logic
  }
})

This replaces the deprecated installModule function and provides a more robust way to handle module dependencies with version constraints and configuration merging.

🪝 Module Lifecycle Hooks

Module authors now have access to two new lifecycle hooks: onInstall and onUpgrade (#​32397). These hooks allow modules to perform additional setup steps when first installed or when upgraded to a new version:

export default defineNuxtModule({
  meta: {
    name: 'my-module',
    version: '1.0.0',
  },

  onInstall(nuxt) {
    // This will be run when the module is first installed
    console.log('Setting up my-module for the first time!')
  },

  onUpgrade(inlineOptions, nuxt, previousVersion) {
    // This will be run when the module is upgraded
    console.log(`Upgrading my-module from v${previousVersion}`)
  }
})

The hooks are only triggered when both name and version are provided in the module metadata. Nuxt uses the .nuxtrc file internally to track module versions and trigger the appropriate hooks. (If you haven't come across it before, the .nuxtrc file should be committed to version control.)

[!TIP]
This means module authors can begin implementing their own 'setup wizards' to provide a better experience when some setup is required after installing a module.

🙈 Enhanced File Resolution

The new ignore option for resolveFiles (#​32858) allows module authors to exclude specific files based on glob patterns:

// Resolve all .vue files except test files
const files = await resolveFiles(srcDir, '**/*.vue', {
  ignore: ['**/*.test.vue', '**/__tests__/**']
})

📂 Layer Directories Utility

A new getLayerDirectories utility (#​33098) provides a clean interface for accessing layer directories without directly accessing private APIs:

import { getLayerDirectories } from '@nuxt/kit'

const layerDirs = await getLayerDirectories(nuxt)
// Access key directories:
// layerDirs.app        - /app/ by default
// layerDirs.appPages   - /app/pages by default
// layerDirs.server     - /server by default
// layerDirs.public     - /public by default

✨ Developer Experience Improvements
🎱 Simplified Kit Utilities

Several kit utilities have been improved for better developer experience:

  • addServerImports now supports single imports (#​32289):
// Before: required array
addServerImports([{ from: 'my-package', name: 'myUtility' }])

// Now: can pass directly
addServerImports({ from: 'my-package', name: 'myUtility' })

🔥 Performance Optimizations

This release includes several internal performance optimizations:

  • Improved route rules cache management (#​32877)
  • Optimized app manifest watching (#​32880)
  • Better TypeScript processing for page metadata (#​32920)

🐛 Notable Fixes
  • Improved useFetch hook typing (#​32891)
  • Better handling of TypeScript expressions in page metadata (#​32902, #​32914)
  • Enhanced route matching and synchronization (#​32899)
  • Reduced verbosity of Vue server warnings in development (#​33018)
  • Better handling of relative time calculations in <NuxtTime> (#​32893)

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements
  • kit: Add ignore option to resolveFiles (#​32858)
  • kit: Add onInstall and onUpgrade module hooks (#​32397)
  • nuxt,vite: Add experimental support for rolldown-vite (#​31812)
  • nuxt: Extract defineRouteRules to page rules property (#​32897)
  • nuxt,vite: Use importmap to increase chunk stability (#​33075)
  • nuxt: Lazy hydration macros without auto-imports (#​33037)
  • kit,nuxt,schema: Allow modules to specify dependencies (#​33063)
  • kit,nuxt: Add getLayerDirectories util and refactor to use it (#​33098)
🔥 Performance
  • nuxt: Clear inline route rules cache when pages change (#​32877)
  • nuxt: Stop watching app manifest once a change has been detected (#​32880)
🩹 Fixes
  • nuxt: Handle satisfies in page augmentation (#​32902)
  • nuxt: Type response in useFetch hooks (#​32891)
  • nuxt: Add TS parenthesis and as expression for page meta extraction (#​32914)
  • nuxt: Use correct unit thresholds for relative time (#​32893)
  • nuxt: Handle uncached current build manifests (#​32913)
  • kit: Resolve directories in resolvePath and normalize file extensions (#​32857)
  • schema,vite: Bump requestTimeout + allow configuration (#​32874)
  • nuxt: Deep merge extracted route meta (#​32887)
  • nuxt: Do not expose app components until fully resolved (#​32993)
  • kit: Only exclude node_modules/ if no custom srcDir (#​32987)
  • nuxt: Transform ts before page meta extraction (#​32920)
  • nuxt: Compare final matched routes when syncing route object (#​32899)
  • nuxt: Make vue server warnings much less verbose in dev mode (#​33018)
  • schema: Allow disabling cssnano/autoprefixer postcss plugins (#​33016)
  • kit: Ensure local layers are prioritised alphabetically (#​33030)
  • kit,nuxt: Expose global types to vue compiler (#​33026)
  • deps: Bump devalue (#​33072)
  • nuxt: Support config type inference for defineNuxtModule().with() (#​33081)
  • nuxt: Search for colliding names in route children (b58c139d2)
  • nuxt: Delete nuxtApp._runningTransition on resolve (#​33025)
  • nuxt: Add validation for nuxt island reviver key (#​33069)
💅 Refactors
  • nuxt: Simplify page segment parsing (#​32901)
  • nuxt: Remove unnecessary async/await in afterEach (#​32999)
  • vite: Simplify inline chunk iteration (6f4da1b8c)
  • kit,nuxt,ui-templates,vite: Address deprecations + improve regexp perf (#​33093)
📖 Documentation
  • Switch example to use vitest projects (#​32863)
  • Update testing setupTimeout and add teardownTimeout (#​32868)
  • Update webRoot to use new app directory (df7177bff)
  • Add middleware to layers guide (6fc25ff79)
  • Use app/ directory in layer guide (eee55ea41)
  • Add documentation for --nightly command (#​32907)
  • Update package information in roadmap section (#​32881)
  • Add more info about nuxt spa loader element attributes (#​32871)
  • Update features.inlineStyles default value (6ff3fbebb)
  • Correct filename in example (#​33000)
  • Add more information about using useRoute and accessing route in middleware (#​33004)
  • Avoid variable shadowing in locale example (#​33031)
  • Add documentation for module lifecycle hooks (#​33115)
🏡 Chore
  • config: Migrate renovate config (#​32861)
  • Remove stray test file (ca84285cc)
  • Ignore webpagetest.org when scanning links (6c974f0be)
  • Add type: 'module' in playground (#​33099)
✅ Tests
  • Add failing test for link component duplication (#​32792)
  • Simplify module hook tests (#​32950)
  • Refactor stubbing of import.meta.dev (#​33023)
  • Use findWorkspaceDir rather than relative paths to repo root (a6dec5bd9)
  • Improve router test for global transitions (5d783662c)
  • Use expect.poll (53fb61d5d)
  • Use expect.poll instead of expectWithPolling (357492ca7)
  • Use vi.waitUntil instead of custom retry logic (611e66a47)
🤖 CI
  • Remove double set of tests for docs prs (6bc9dccf4)
  • Add workflow for discord team discussion threads (bc656a24d)
  • Fix some syntax issues with discord + github integrations (f5f01b8c1)
  • Use token for adding issue to project (66afbe0a2)
  • Use discord bot to create thread automatically (618a3cd40)
  • Only use discord bot (bfd30d8ce)
  • Update format of discord message (eb79a2f07)
  • Try bolding entire line (c66124d7b)
  • Oops (38644b933)
  • Add delay after adding each reaction (ecb49019f)
  • Use last lts node version for testing (e06e37d02)
  • Try npm trusted publisher (85f1e05eb)
  • Use npm trusted publisher for main releases (abf5d9e9f)
  • Change wording (#​32979)
  • Add github ai moderator (#​33077)
❤️ Contributors

v4.0.3

Compare Source

4.0.3 is a regularly scheduled patch release.

👉 Changelog

compare changes

🔥 Performance
  • kit: Get absolute path from tinyglobby in resolveFiles (#​32846)
🩹 Fixes
  • nuxt: Do not throw undefined error variable (#​32807)
  • vite: Include tsconfig references during typeCheck (#​32835)
  • nuxt: Add sourcemap path transformation for client builds (#​32313)
  • nuxt: Add warning for lazy-hydration missing prefix (#​32832)
  • nuxt: Trigger call once navigation even when no suspense (#​32827)
  • webpack: Handle null result from webpack call (84816d8a1)
  • kit,nuxt: Use reverseResolveAlias for better errors (#​32853)
📖 Documentation
  • Fix publicDir alias (#​32841)
  • Mention bun.lock for lockfile (#​32820)
  • Add a section about augmenting types with TS project references (#​32843)
  • Improve explanation of global middleware (#​32855)
🏡 Chore
✅ Tests
  • Move tests for defineNuxtComponent out of e2e test (#​32848)
🤖 CI
  • Move nightly releases into different concurrency group (664041be7)
❤️ Contributors

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
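The following is an added example, not Nuxt's own code and not part of the Renovate comment above. It models the Island payload reviver described in the CVE-2025-59414 advisory in two forms: a vulnerable one that interpolates the key straight into the fetch path, and a hardened one that applies the key pattern and 100-character limit quoted in the "Fix Details" section. It also shows where the traversal request actually lands (WHATWG-compliant clients, browsers included, remove `..` segments before sending, so the server sees `/internal/service.json`, not `/__nuxt_island/../../internal/service.json`), and implements the advisory's third workaround, an allowlist that strips `__nuxt_island` markers from untrusted API data before it is serialized into a prerendered payload. Function names (`isValidIslandKey`, `collectIslandRequests`, `stripIslandMarkers`, etc.), the sample API response, and the `https://app.example` origin are this example's own assumptions; whether the normalized path is served is a property of the server and is outside the example.

```javascript
// Added example (not Nuxt's code): models the Island payload reviver from
// CVE-2025-59414 in vulnerable and hardened forms. The key regex and the
// 100-character limit are the ones quoted in the advisory's "Fix Details";
// all function names here are this example's own.

const ISLAND_KEY_RE = /^[a-z][a-z\d-]*_[a-z\d]+$/i;
const ISLAND_KEY_MAX_LEN = 100;

// Hardened check: accept only keys that match the advisory's pattern and
// stay within the length bound. Rejects '../' sequences, slashes, dots and
// any character outside [a-z0-9-_].
function isValidIslandKey(key) {
  return typeof key === 'string'
    && key.length <= ISLAND_KEY_MAX_LEN
    && ISLAND_KEY_RE.test(key);
}

// Vulnerable reviver: interpolates the key straight into the request path.
function vulnerableIslandUrl(key) {
  return `/__nuxt_island/${key}.json`;
}

// Hardened reviver: refuses to build a request for an invalid key.
function hardenedIslandUrl(key) {
  if (!isValidIslandKey(key)) {
    throw new Error(`invalid island key: ${JSON.stringify(key)}`);
  }
  return `/__nuxt_island/${key}.json`;
}

// Where a request to `path` actually lands. The WHATWG URL parser (used by
// browsers and Node) removes dot segments, so this is the path the server sees.
// The origin is an assumed placeholder.
function resolvedPath(path, origin = 'https://app.example') {
  return new URL(path, origin).pathname;
}

// Walk a parsed payload and "revive" every object carrying a `__nuxt_island`
// marker with the given URL builder; returns the request paths the client
// would issue for that payload.
function collectIslandRequests(value, buildUrl, out = []) {
  if (value && typeof value === 'object') {
    if (value.__nuxt_island && typeof value.__nuxt_island === 'object') {
      out.push(buildUrl(value.__nuxt_island.key));
    }
    for (const child of Object.values(value)) {
      collectIslandRequests(child, buildUrl, out);
    }
  }
  return out;
}

// The advisory's third workaround as a concrete allowlist step: before
// untrusted API data is serialized into a prerendered payload, drop any
// `__nuxt_island` marker so the client reviver never sees an attacker-supplied
// island object. Everything else is copied through unchanged.
function stripIslandMarkers(value) {
  if (Array.isArray(value)) return value.map(stripIslandMarkers);
  if (value && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k === '__nuxt_island') continue;
      clean[k] = stripIslandMarkers(v);
    }
    return clean;
  }
  return value;
}

// Constructed sample: an API response as it might be fetched during
// prerendering, with the advisory's crafted island object nested inside
// otherwise benign data.
const MALICIOUS_API_RESPONSE = {
  title: 'Weekly report',
  widget: {
    __nuxt_island: {
      key: '../../../../internal/service',
      params: { action: 'probe' },
    },
  },
};

// Vulnerable path: the client would request
// /__nuxt_island/../../../../internal/service.json, which normalizes to
// /internal/service.json. Hardened path: the reviver throws instead.
// After stripIslandMarkers() no island request is issued at all.
```

Usage: `collectIslandRequests(MALICIOUS_API_RESPONSE, vulnerableIslandUrl)` returns the single traversal path and `resolvedPath()` on it shows the normalized target; swapping in `hardenedIslandUrl` throws on the crafted key, and running the same walk over `stripIslandMarkers(MALICIOUS_API_RESPONSE)` yields no requests. The regex allows exactly one underscore, separating a hyphen-friendly prefix from an alphanumeric suffix, so a key like `MyWidget_a1b2c3` passes while `widget_`, `../x_1` or any key over 100 characters is rejected.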
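The next block is also an added example, not code from Nuxt or Vite, illustrating the hash-cascade reasoning in the "Enhanced Chunk Stability" section of the 4.1.0 release notes above. It is a toy model of hashed-chunk bundling: each emitted file name embeds a hash of the chunk's content, and a chunk's content includes the emitted file names of the chunks it imports. Changing one component therefore renames the component, the page that imports it, the entry that imports the page, and every file that imports the entry. Routing importers of the entry through a bare `#entry` specifier, as the import map does, cuts the cascade at the entry. The graph shape mirrors the four-step walkthrough in the release notes; the module names, the `emitChunks`/`cascadeReport` helpers and the FNV-1a hash (chosen only so the example runs without dependencies) are this example's own assumptions.

```javascript
// Added example (not Nuxt's or Vite's code): a toy model of hashed-chunk
// bundling showing why a one-component change cascades through every
// importer, and how an import map for the entry stops the cascade.
// Hash: FNV-1a 32-bit, used only so the example runs with no dependencies.

function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// A module graph is name -> { body, imports: [names] }. Each emitted chunk's
// content embeds the emitted file names of its imports, which is exactly what
// makes hashes cascade. Returns name -> emitted file name.
function emitChunks(graph, { importMapEntry = false } = {}) {
  const names = {};
  const emit = (name) => {
    if (names[name]) return names[name];
    const mod = graph[name];
    const importedNames = mod.imports.map((dep) => {
      // With the import map, importers of the entry reference the bare
      // specifier '#entry' instead of the entry's hashed file name, so their
      // content (and hash) no longer depends on the entry's name.
      if (importMapEntry && dep === 'entry') return '#entry';
      return emit(dep);
    });
    const content = mod.body + '|' + importedNames.join(',');
    names[name] = `${name}.${fnv1a(content)}.js`;
    return names[name];
  };
  for (const name of Object.keys(graph)) emit(name);
  return names;
}

// Names of chunks whose emitted file name differs between two builds.
function changedChunks(before, after) {
  return Object.keys(before).filter((n) => before[n] !== after[n]);
}

// Constructed module graph mirroring the release-notes walkthrough:
// a component, the page that uses it, the entry that imports the page,
// and two other files that import the entry.
function sampleGraph(componentBody) {
  return {
    component: { body: componentBody, imports: [] },
    page:      { body: 'page', imports: ['component'] },
    entry:     { body: 'entry', imports: ['page'] },
    pluginA:   { body: 'pluginA', imports: ['entry'] },
    pluginB:   { body: 'pluginB', imports: ['entry'] },
  };
}

// Blast radius of a one-line component change, with and without the
// import-map indirection for the entry.
function cascadeReport() {
  const before = sampleGraph('component v1');
  const after = sampleGraph('component v2');
  return {
    withoutImportMap: changedChunks(emitChunks(before), emitChunks(after)),
    withImportMap: changedChunks(
      emitChunks(before, { importMapEntry: true }),
      emitChunks(after, { importMapEntry: true }),
    ),
  };
}
```

`cascadeReport()` returns all five chunks as changed without the import map and only `component`, `page` and `entry` with it: the entry's own hash still moves because it imports the renamed page, but `pluginA` and `pluginB` keep their file names, which is the cache-stability property the release notes describe. The operational consequence for deployments is the one the notes give: fewer renamed files per release means fewer stale-HTML-to-missing-chunk 404s during a rollout.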

vercel bot commented Sep 18, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project          | Deployment | Preview | Comments | Updated (UTC)
mixte            | Ready      | Preview | Comment  | Oct 30, 2025 2:43pm

1 Skipped Deployment

Project          | Deployment | Preview | Comments | Updated (UTC)
mixte-dev-branch | Ignored    | Ignored |          | Oct 30, 2025 2:43pm

renovate bot commented Sep 18, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package.json
Post-upgrade command 'npx nuxi@latest upgrade --force' has not been added to the allowed list in allowedCommands

codecov bot commented Sep 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.53%. Comparing base (afa30fe) to head (7962b00).

Additional details and impacted files
@@           Coverage Diff           @@
##              dev     #251   +/-   ##
=======================================
  Coverage   98.53%   98.53%           
=======================================
  Files          69       69           
  Lines        2253     2253           
  Branches      582      582           
=======================================
  Hits         2220     2220           
  Misses         33       33           


@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 9f6994f to 2038d9c Compare September 22, 2025 01:44
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 2038d9c to ccb0656 Compare September 25, 2025 16:37
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from ccb0656 to 7b21fae Compare October 1, 2025 21:44
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 7b21fae to 906f82b Compare October 2, 2025 05:24
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 906f82b to 5956ae2 Compare October 20, 2025 09:11
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 5956ae2 to 9752eea Compare October 20, 2025 13:43
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch 2 times, most recently from c6b15c2 to 091f5d0 Compare October 21, 2025 01:15
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from 091f5d0 to d5b4c54 Compare October 21, 2025 03:40
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from d5b4c54 to badc1e4 Compare October 21, 2025 08:37
@renovate renovate bot force-pushed the renovate/npm-nuxt-vulnerability branch from badc1e4 to 78becb3 Compare October 22, 2025 01:44