Closed renovate[bot] closed 2 months ago
Name | Link |
---|---|
Latest commit | b356f36eb2a7dd7c0e46211597e00a6b3eed2fa7 |
Latest deploy log | https://app.netlify.com/sites/n3-supabase/deploys/66b1535c3b2c0f0008fde15c |
Because you closed this PR without merging, Renovate will ignore this update (`^3.11.2`). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the `ignoreDeps` array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates: `3.11.2` -> `3.12.4`
GitHub Vulnerability Alerts
CVE-2024-34344
Summary
Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.
Details
While running the test, a special component named `NuxtTestComponentWrapper` is available. https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43
This component loads the specified path as a component and renders it. https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L9-L27
There is a validation for the `path` parameter to check whether the path traversal is performed, but this check is not sufficient. https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L15-L19
Since `import(...)` uses `query.path` instead of the normalized `path`, a non-normalized URL can reach the `import(...)` function. For example, passing something like `./components/test` normalizes `path` to `/root/directory/components/test`, but `import(...)` still receives `./components/test`.
By using this behavior, it's possible to load arbitrary JavaScript by using the path like the following:
Since `resolve(...)` resolves the filesystem path, not the URI, the above URI is treated as a relative path, but `import(...)` sees it as an absolute URI, and loads it as a JavaScript.
PoC
`whoami` is written to `/tmp/test`
Demonstration video: https://www.youtube.com/watch?v=FI6mN8WbcE4
Impact
Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.
CVE-2024-34343
Summary
The `navigateTo` function attempts to block the `javascript:` protocol, but does not correctly use APIs provided by `unjs/ufo`. This library also contains parsing discrepancies.
Details
The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a `javascript:` protocol.
After this, the URL is parsed using the `parseURL` function. This function will refuse to parse poorly formatted URLs. Parsing `javascript:alert(1)` returns null/"" for all values.
Next, the protocol of the URL is then checked using the `isScriptProtocol` function. This function simply checks the input against a list of protocols, and does not perform any parsing.
The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the `parseURL` implementation, bypassing the `isScriptProtocol` checks.
Certain special protocols are identified at the top of `parseURL`. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.
PoC
POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue
Attempt payload X, then attempt payload Y.
Impact
XSS, access to cookies, make requests on user's behalf.
Recommendations
As always with these bugs, the `URL` constructor provided by the browser is always the safest method of parsing a URL.
Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.
Note
I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.
This ONLY has impact after SSR has occurred, the `javascript:` protocol within a location header does not trigger XSS.
Release Notes
nuxt/nuxt (nuxt)
### [`v3.12.4`](https://togithub.com/nuxt/nuxt/releases/tag/v3.12.4)

[Compare Source](https://togithub.com/nuxt/nuxt/compare/v3.12.3...v3.12.4)

> 3.12.4 is the next regularly scheduled patch release.

#### 👉 Changelog

[compare changes](https://togithub.com/nuxt/nuxt/compare/v3.12.3...v3.12.4)

##### 🔥 Performance

- **vite:** Start warmups after nitro build ([#27963](https://togithub.com/nuxt/nuxt/pull/27963))
- **vite:** Avoid extra resolve call for `resolveId` in layers ([#27971](https://togithub.com/nuxt/nuxt/pull/27971))
- **kit,nuxt,schema,vite,webpack:** Use explicit exports ([#27998](https://togithub.com/nuxt/nuxt/pull/27998))

##### 🩹 Fixes

- **schema:** Resolve public alias correctly ([#27975](https://togithub.com/nuxt/nuxt/pull/27975))
- **nuxt:** Omit rendering payload prefetch when `noScripts` ([#27972](https://togithub.com/nuxt/nuxt/pull/27972))
- **nuxt:** Add `/` as fallback if page can't be identified ([e6109b226](https://togithub.com/nuxt/nuxt/commit/e6109b226))
- **ui-templates:** Validate templates with `html-validate` ([#28024](https://togithub.com/nuxt/nuxt/pull/28024))
- **schema:** Don't constrain postcss plugin options ([#28045](https://togithub.com/nuxt/nuxt/pull/28045))
- **kit:** Remove exports from v4 branch ([5c8312e9b](https://togithub.com/nuxt/nuxt/commit/5c8312e9b))
- **nuxt:** Use `unhead` key for ad-hoc module options ([#28088](https://togithub.com/nuxt/nuxt/pull/28088))
- **nuxt:** Use native vue-router composables ([#28114](https://togithub.com/nuxt/nuxt/pull/28114))
- **kit:** Ensure `getNuxtVersion` returns `string` ([#28125](https://togithub.com/nuxt/nuxt/pull/28125))
- **nuxt:** Always prerender at least one page with crawler ([#28131](https://togithub.com/nuxt/nuxt/pull/28131))
- **nuxt:** Consider doc `scroll-padding-top` in scrollBehavior ([#28083](https://togithub.com/nuxt/nuxt/pull/28083))
- **nuxt:** Only warn when `useAsyncData` returns undefined ([#28154](https://togithub.com/nuxt/nuxt/pull/28154))
- **nuxt:** Revert change to `getCachedData` null response ([d10cea11b](https://togithub.com/nuxt/nuxt/commit/d10cea11b))
- **schema:** Don't use `app/` as `srcDir` if it doesn't exist ([#28176](https://togithub.com/nuxt/nuxt/pull/28176))
- **kit:** Normalise `serverDir` within layers using v4 compat ([#28177](https://togithub.com/nuxt/nuxt/pull/28177))
- **nuxt:** Allow `getCachedData` to return undefined ([#28187](https://togithub.com/nuxt/nuxt/pull/28187))
- **nuxt:** Use `addEventListener` to register cookie store listener ([#28193](https://togithub.com/nuxt/nuxt/pull/28193))
- **nuxt:** Merge route meta properties with scanned meta ([#28170](https://togithub.com/nuxt/nuxt/pull/28170))
- **nuxt:** Prevent duplicate `set-cookie` headers ([#28211](https://togithub.com/nuxt/nuxt/pull/28211))

##### 💅 Refactors

- **schema,vite,webpack:** Rework `postcss` module loading ([#27946](https://togithub.com/nuxt/nuxt/pull/27946))
- **nuxt:** Remove `_registeredComponents` from ssrContext ([#27819](https://togithub.com/nuxt/nuxt/pull/27819))
- **nuxt:** Use `errx` to handle dev log traces ([#28027](https://togithub.com/nuxt/nuxt/pull/28027))

##### 📖 Documentation

- Fix link ([83bd4fde9](https://togithub.com/nuxt/nuxt/commit/83bd4fde9))
- Fix Cloudflare spelling ([#27989](https://togithub.com/nuxt/nuxt/pull/27989))
- Update example to use `nuxtApp.runWithContext` ([#28000](https://togithub.com/nuxt/nuxt/pull/28000))
- Remove deprecated `pending` variable from data fetching docs ([#28011](https://togithub.com/nuxt/nuxt/pull/28011))
- Clarify xrsp danger ([#28053](https://togithub.com/nuxt/nuxt/pull/28053))
- Deprecate pending and emphasis undefined ([#28113](https://togithub.com/nuxt/nuxt/pull/28113))
- Update phrasing in route announcer ([#28108](https://togithub.com/nuxt/nuxt/pull/28108))
- Use code groups for install commands in module guide ([#28094](https://togithub.com/nuxt/nuxt/pull/28094))
- Capitalize text ([#28056](https://togithub.com/nuxt/nuxt/pull/28056))
- Mention content in upgrade guide v4 folder structure ([#28090](https://togithub.com/nuxt/nuxt/pull/28090))
- Remove a resolved issue from view transition docs ([#28091](https://togithub.com/nuxt/nuxt/pull/28091))
- Clarify navigateTo is not for nitro routes ([#28092](https://togithub.com/nuxt/nuxt/pull/28092))
- Warn about nested islands ([#28062](https://togithub.com/nuxt/nuxt/pull/28062))
- Add info about `layers/` directory ([#28128](https://togithub.com/nuxt/nuxt/pull/28128))
- Codemods for migrating to Nuxt 4 ([#28072](https://togithub.com/nuxt/nuxt/pull/28072))

##### ✅ Tests

- Add `typeCheck` test in minimal build ([#28166](https://togithub.com/nuxt/nuxt/pull/28166))

##### 🤖 CI

- Run prepare step before linting docs ([f8fbefb42](https://togithub.com/nuxt/nuxt/commit/f8fbefb42))
- Run prepare step before linting docs ([d629b82b3](https://togithub.com/nuxt/nuxt/commit/d629b82b3))

##### ❤️ Contributors

- Daniel Roe ([@danielroe](https://togithub.com/danielroe))
- arshcodemod ([@arshcodemod](https://togithub.com/arshcodemod))
- xjccc ([@xjccc](https://togithub.com/xjccc))
- Julien Huang ([@huang-julien](https://togithub.com/huang-julien))
- BoogieBen ([@boogie-ben](https://togithub.com/boogie-ben))
- Santiago A ([@santiagoaloi](https://togithub.com/santiagoaloi))
- Bobbie Goede ([@BobbieGoede](https://togithub.com/BobbieGoede))
- John Tanzer ([@moshetanzer](https://togithub.com/moshetanzer))
- Thomas ([@ThomasWT](https://togithub.com/ThomasWT))
- [@beer](https://togithub.com/beer) ([@iiio2](https://togithub.com/iiio2))
- Dominic ([@rexhent](https://togithub.com/rexhent))
- Alex Liu ([@Mini-ghost](https://togithub.com/Mini-ghost))
- Florian Metz ([@Timeraa](https://togithub.com/Timeraa))
- Liran Tal ([@lirantal](https://togithub.com/lirantal))
- Daniel Kelly ([@danielkellyio](https://togithub.com/danielkellyio))
- Daniel Flanagan ([@FlantasticDan](https://togithub.com/FlantasticDan))
- 山吹色御守 ([@KazariEX](https://togithub.com/KazariEX))
- izzy goldman ([@izzygld](https://togithub.com/izzygld))
- Anthony Fu ([@antfu](https://togithub.com/antfu))

### [`v3.12.3`](https://togithub.com/nuxt/nuxt/releases/tag/v3.12.3)

[Compare Source](https://togithub.com/nuxt/nuxt/compare/v3.12.2...v3.12.3)

> 3.12.3 is the next regularly scheduled patch release.

#### 👉 Changelog

[compare changes](https://togithub.com/nuxt/nuxt/compare/v3.12.2...v3.12.3)

##### 🔥 Performance

- **nuxt,vite:** Use native fs utils rather than `fs-extra` ([#27787](https://togithub.com/nuxt/nuxt/pull/27787))
- **schema:** Use `chokidar` when a custom `srcDir` is provided ([#27871](https://togithub.com/nuxt/nuxt/pull/27871))
- **nuxt:** Ensure `prefetchComponents` is treeshaken on server ([#27905](https://togithub.com/nuxt/nuxt/pull/27905))

##### 🩹 Fixes

- **nuxt:** Flag async data promise as cancelled only if defined ([#27690](https://togithub.com/nuxt/nuxt/pull/27690))
- **schema:** Handle backwards compat for `dir.app` ([0c73cb734](https://togithub.com/nuxt/nuxt/commit/0c73cb734))
- **nuxt:** Support hoisting types of subpath imports ([#27720](https://togithub.com/nuxt/nuxt/pull/27720))
- **nuxt:** Resolve routes when `navigateTo` called with `open` ([#27742](https://togithub.com/nuxt/nuxt/pull/27742))
- **nuxt:** Handle subpaths more correctly ([d7402a799](https://togithub.com/nuxt/nuxt/commit/d7402a799))
- **nuxt:** Delay navigation until user input is acknowledged ([#27743](https://togithub.com/nuxt/nuxt/pull/27743))
- **nuxt:** Resolve aliases used in nitro plugin paths ([#27741](https://togithub.com/nuxt/nuxt/pull/27741))
- **schema:** Do not use full path assets/public aliases ([d0518650f](https://togithub.com/nuxt/nuxt/commit/d0518650f))
- **nuxt:** Defer registering inp handler until nuxt is mounted ([866a5319a](https://togithub.com/nuxt/nuxt/commit/866a5319a))
- **nuxt:** Add `refresh` type in server component refs ([#27778](https://togithub.com/nuxt/nuxt/pull/27778))
- **nuxt:** Extract all-literal page meta ([#27821](https://togithub.com/nuxt/nuxt/pull/27821))
- **kit:** Handle loading nuxt 4+ ([cf251bd48](https://togithub.com/nuxt/nuxt/commit/cf251bd48))
- **nuxt:** Handle external links to named route objects ([#27829](https://togithub.com/nuxt/nuxt/pull/27829))
- **nuxt:** Use URL to encode redirected URLs ([#27822](https://togithub.com/nuxt/nuxt/pull/27822))
- **nuxt:** Don't use app version when verifying nuxt deps ([#27864](https://togithub.com/nuxt/nuxt/pull/27864))
- **nuxt:** Prompt to set compatibility date with latest nitro ([#27893](https://togithub.com/nuxt/nuxt/pull/27893))
- **nuxt:** Add `#vue-router` alias for backwards compat ([#27896](https://togithub.com/nuxt/nuxt/pull/27896))
- **nuxt:** Move app augments to core `nuxt` types ([#27900](https://togithub.com/nuxt/nuxt/pull/27900))
- **nuxt:** Pass augmented pages to child paths ([ecb35d3a2](https://togithub.com/nuxt/nuxt/commit/ecb35d3a2))
- **nuxt:** Use pascal name when loading server component ([#27928](https://togithub.com/nuxt/nuxt/pull/27928))
- **nuxt:** Improve async data warning ([#27874](https://togithub.com/nuxt/nuxt/pull/27874), [#27934](https://togithub.com/nuxt/nuxt/pull/27934))
- **nuxt:** Allow configuring server components in modules ([#27936](https://togithub.com/nuxt/nuxt/pull/27936))
- **vite:** Omit css `?raw` from head when in dev mode ([#27940](https://togithub.com/nuxt/nuxt/pull/27940))
- **kit,nuxt:** Ensure webworker types are available ([4cab71d66](https://togithub.com/nuxt/nuxt/commit/4cab71d66))
- **nuxt:** Seed crawler when prerendering pages ([#27955](https://togithub.com/nuxt/nuxt/pull/27955))
- **vite:** Fix type issue with legacy dev bundler ([f9fa1a3e9](https://togithub.com/nuxt/nuxt/commit/f9fa1a3e9))
- **nuxt:** Improve dx around compatibility date prompt ([#27965](https://togithub.com/nuxt/nuxt/pull/27965))

##### 💅 Refactors

- **kit,nuxt:** Use `performance.now` to measure time ([d14f7ec46](https://togithub.com/nuxt/nuxt/commit/d14f7ec46))

##### 📖 Documentation

- Add referral query variable to Vue School Links ([#27670](https://togithub.com/nuxt/nuxt/pull/27670))
- Fix variable name ([#27675](https://togithub.com/nuxt/nuxt/pull/27675))
- Clarify how transitions are configured globally ([#27679](https://togithub.com/nuxt/nuxt/pull/27679))
- Remove outdated recommendation ([#27691](https://togithub.com/nuxt/nuxt/pull/27691))
- Add `refreshCookie` on `useCookie` doc page ([#27744](https://togithub.com/nuxt/nuxt/pull/27744))
- Sync changes from `main` branch ([e7fbc9f81](https://togithub.com/nuxt/nuxt/commit/e7fbc9f81))
- Remove outdated tip ([#27773](https://togithub.com/nuxt/nuxt/pull/27773))
- Warn about awaiting `useFetch`/`AsyncData` in wrappers ([#27785](https://togithub.com/nuxt/nuxt/pull/27785))
- Update some code groups with package manager examples ([#27791](https://togithub.com/nuxt/nuxt/pull/27791))
- Hint to use runtime config ([#27859](https://togithub.com/nuxt/nuxt/pull/27859))
- Use internal link ([#27883](https://togithub.com/nuxt/nuxt/pull/27883))
- Update links to `vue-router` docs ([#27895](https://togithub.com/nuxt/nuxt/pull/27895))
- Use internal link ([#27894](https://togithub.com/nuxt/nuxt/pull/27894))
- Remove warning about type checking ([#27911](https://togithub.com/nuxt/nuxt/pull/27911))
- `compatibilityVersion` is available in the latest release ([#27919](https://togithub.com/nuxt/nuxt/pull/27919))
- Update roadmap + readme ([748bc751d](https://togithub.com/nuxt/nuxt/commit/748bc751d))
- Update `Nuxt 3` -> `Nuxt` or `Nuxt 3+` ([3c16c890c](https://togithub.com/nuxt/nuxt/commit/3c16c890c))
- Update reference to nightly release for testing nuxt 4 ([5d2dc9714](https://togithub.com/nuxt/nuxt/commit/5d2dc9714))
- Remove duplicate server-side notice in runtime config ([#27929](https://togithub.com/nuxt/nuxt/pull/27929))
- Warn about ref unwrapping when auto-importing `ref`s ([#27933](https://togithub.com/nuxt/nuxt/pull/27933))
- Mention layers in directory guide ([c222fe7aa](https://togithub.com/nuxt/nuxt/commit/c222fe7aa))

##### 🏡 Chore

- Use absolute urls for sources to assets in readme ([5ef305cec](https://togithub.com/nuxt/nuxt/commit/5ef305cec))
- Use relative links and update in build script ([7dd15186e](https://togithub.com/nuxt/nuxt/commit/7dd15186e))
- Use backup file extension ([a42a3869b](https://togithub.com/nuxt/nuxt/commit/a42a3869b))
- Allow changelogs with breaking changes ([e11587189](https://togithub.com/nuxt/nuxt/commit/e11587189))
- Allow major bumps ([dea0b86c7](https://togithub.com/nuxt/nuxt/commit/dea0b86c7))
- Add `4x` tag for v4 nightly releases ([9d5dd5494](https://togithub.com/nuxt/nuxt/commit/9d5dd5494))
- **vite:** Restore utils required for `dev-bundler` ([e3448fa0d](https://togithub.com/nuxt/nuxt/commit/e3448fa0d))
- Remove nitro/h3 from renovate, and reenable vitejs/vue ([9037b0d2c](https://togithub.com/nuxt/nuxt/commit/9037b0d2c))
- Improve type safety with indexed access ([#27626](https://togithub.com/nuxt/nuxt/pull/27626))
- Add [@danielroe](https://togithub.com/danielroe) to code owners ([7fa957729](https://togithub.com/nuxt/nuxt/commit/7fa957729))
- Remove renovate configuration from `2.x` branch ([8003cf72f](https://togithub.com/nuxt/nuxt/commit/8003cf72f))
- Remove issue template for 2.x ([9f9fb9251](https://togithub.com/nuxt/nuxt/commit/9f9fb9251))
- Remove unused variable ([f07969d88](https://togithub.com/nuxt/nuxt/commit/f07969d88))

##### ✅ Tests

- **schema:** Normalize snapshot paths for windows ([#27654](https://togithub.com/nuxt/nuxt/pull/27654))
- **nuxt:** Normalize paths for windows ([#27653](https://togithub.com/nuxt/nuxt/pull/27653))
- Bump timeout for node-compat test ([228b8b889](https://togithub.com/nuxt/nuxt/commit/228b8b889))
- Slightly improve test reliability ([#27811](https://togithub.com/nuxt/nuxt/pull/27811))

##### 🤖 CI

- Update changelog from 3.x branch updates ([2b6967fbb](https://togithub.com/nuxt/nuxt/commit/2b6967fbb))
- Add 3x tag instead ([c0ef279f2](https://togithub.com/nuxt/nuxt/commit/c0ef279f2))
- Run workflows against 3.x branch as well ([31255a14d](https://togithub.com/nuxt/nuxt/commit/31255a14d))
- Use correct SHA calculation for release-pr action ([#27604](https://togithub.com/nuxt/nuxt/pull/27604))
- Resolve bash syntax error ([#27789](https://togithub.com/nuxt/nuxt/pull/27789))
- Only run scorecards against `main` branch ([7abd982f8](https://togithub.com/nuxt/nuxt/commit/7abd982f8))
- Raise renovate prs against 3.x branch too ([f176c150a](https://togithub.com/nuxt/nuxt/commit/f176c150a))
- Ignore `@vitejs/plugin-vue` again ([56660cbdd](https://togithub.com/nuxt/nuxt/commit/56660cbdd))
- Prevent more than one release from occurring at same time ([71705550f](https://togithub.com/nuxt/nuxt/commit/71705550f))
- Don't run changelog update on 2.x branch ([1be639364](https://togithub.com/nuxt/nuxt/commit/1be639364))

##### ❤️ Contributors

- Daniel Roe ([@danielroe](https://togithub.com/danielroe))
- Typed SIGTERM ([@typed-sigterm](https://togithub.com/typed-sigterm))
- Seno ([@s-en-o](https://togithub.com/s-en-o))
- Julien Huang ([@huang-julien](https://togithub.com/huang-julien))
- Michael Brevard ([@GalacticHypernova](https://togithub.com/GalacticHypernova))
- Ryota Watanabe ([@wattanx](https://togithub.com/wattanx))
- Martin Masevski ([@Archetipo95](https://togithub.com/Archetipo95))
- Alex Liu ([@Mini-ghost](https://togithub.com/Mini-ghost))
- Bochkarev Ivan ([@Ibochkarev](https://togithub.com/Ibochkarev))
- Alexander Lichter ([@manniL](https://togithub.com/manniL))
- Dominic ([@rexhent](https://togithub.com/rexhent))
- Aviv Keller ([@RedYetiDev](https://togithub.com/RedYetiDev))
- Maxime Pauvert ([@maximepvrt](https://togithub.com/maximepvrt))
- Daniel Kelly ([@danielkellyio](https://togithub.com/danielkellyio))
- Damian Głowala ([@DamianGlowala](https://togithub.com/DamianGlowala))
- Idorenyin Udoh ([@idorenyinudoh](https://togithub.com/idorenyinudoh))

### [`v3.12.2`](https://togithub.com/nuxt/nuxt/releases/tag/v3.12.2)

[Compare Source](https://togithub.com/nuxt/nuxt/compare/v3.12.1...v3.12.2)

> 3.12.2 is a regularly scheduled patch release.

#### ✅ Upgrading

As usual, our recommendation for upgrading is to run:

```sh
npx nuxi@latest upgrade --force
```

This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

#### 👉 Changelog

[compare changes](https://togithub.com/nuxt/nuxt/compare/v3.12.1...v3.12.2)

##### 🔥 Performance

- **kit:** Deduplicate layers before resolving config ([#27582](https://togithub.com/nuxt/nuxt/pull/27582))
- **webpack:** Decrease assets map iterations ([d929cd4ef](https://togithub.com/nuxt/nuxt/commit/d929cd4ef))
- **kit:** Various performance improvements ([#27600](https://togithub.com/nuxt/nuxt/pull/27600))
- **vite:** Various performance improvements ([#27601](https://togithub.com/nuxt/nuxt/pull/27601))
- **nuxt:** Don't wait for key deps check ([#27638](https://togithub.com/nuxt/nuxt/pull/27638))

##### 🩹 Fixes

- **nuxt:** Call `onNuxtReady` callback without arguments ([#27428](https://togithub.com/nuxt/nuxt/pull/27428))
- **schema:** Don't narrow head string types to literals ([#27540](https://togithub.com/nuxt/nuxt/pull/27540))
- **schema:** `app/` dir backwards compatibility ([#27529](https://togithub.com/nuxt/nuxt/pull/27529))
- **nuxt:** Manually assign payload reactivity when `ssr: false` ([#27542](https://togithub.com/nuxt/nuxt/pull/27542))
- **nuxt:** Only log warning once per `runtimeConfig` key ([9e56b60c6](https://togithub.com/nuxt/nuxt/commit/9e56b60c6))
- **nuxt:** Overwrite `#app/defaults` rather than augmenting ([#27567](https://togithub.com/nuxt/nuxt/pull/27567))
- **nuxt:** Export `useRouteAnnouncer` ([#27562](https://togithub.com/nuxt/nuxt/pull/27562))
- **nuxt:** Remove backticks around runtimeConfig warning log ([#27549](https://togithub.com/nuxt/nuxt/pull/27549))
- **nuxt:** Close top-level watcher on nuxt 'close' ([#27571](https://togithub.com/nuxt/nuxt/pull/27571))
- **nuxt:** Handle tsx code when extracting pageMeta/routeRules ([#27583](https://togithub.com/nuxt/nuxt/pull/27583))
- **nuxt:** Handle more edge cases with external/custom links ([#27487](https://togithub.com/nuxt/nuxt/pull/27487))
- **nuxt:** Preserve route metadata assigned outside page ([#27587](https://togithub.com/nuxt/nuxt/pull/27587))
- **nuxt:** Use portal to sync nitro/nuxt runtimeConfig + routeRules ([#27596](https://togithub.com/nuxt/nuxt/pull/27596))
- **nuxt,schema:** Add types for `_installedModules` ([e4bfea642](https://togithub.com/nuxt/nuxt/commit/e4bfea642))
- **nuxt:** Include build-time pages in prerender routes ([#27569](https://togithub.com/nuxt/nuxt/pull/27569))
- **nuxt:** Warn when async data doesn't return a value ([#27599](https://togithub.com/nuxt/nuxt/pull/27599))
- **nuxt:** Replace deprecated `app.rootId` with `app.rootAttrs.id` ([#27630](https://togithub.com/nuxt/nuxt/pull/27630))
- **nuxt:** Add `mergeProps` import in islands transform ([#27622](https://togithub.com/nuxt/nuxt/pull/27622))
- **nuxt:** Reset cookie timeoutLength after expiration ([#27632](https://togithub.com/nuxt/nuxt/pull/27632))
- **nuxt:** Add missing island uid for selective client components ([#27633](https://togithub.com/nuxt/nuxt/pull/27633))
- **schema,vite:** Respect `vite.cacheDir` if defined ([#27628](https://togithub.com/nuxt/nuxt/pull/27628))
- **nuxt:** Unregister hooks the moment `close` is called ([#27637](https://togithub.com/nuxt/nuxt/pull/27637))
- **nuxt:** Add missing script stubs ([#27640](https://togithub.com/nuxt/nuxt/pull/27640))
- **nuxt:** Only inject root path in prerender ([44cada95a](https://togithub.com/nuxt/nuxt/commit/44cada95a))
- **nuxt:** Reduce usage of cjs utilities ([#27642](https://togithub.com/nuxt/nuxt/pull/27642))
- **nuxt:** Add `/` even if pages module isn't enabled ([dabcb5ecc](https://togithub.com/nuxt/nuxt/commit/dabcb5ecc))

##### 📖 Documentation

- Add warning about bridge migration with `head` ([#27575](https://togithub.com/nuxt/nuxt/pull/27575))
- Update compatibility example ([4b28d2628](https://togithub.com/nuxt/nuxt/commit/4b28d2628))
- Document new `clear()` function added in 3.11 ([#27615](https://togithub.com/nuxt/nuxt/pull/27615))
- String vs object errors + accessing data of server-thrown errors ([#27398](https://togithub.com/nuxt/nuxt/pull/27398))
- Correct Cloudflare deployment recommendations ([#27641](https://togithub.com/nuxt/nuxt/pull/27641))

##### 🏡 Chore

- Add extra types for empty array definitions ([02945b9fa](https://togithub.com/nuxt/nuxt/commit/02945b9fa))
- Remove stub types file for `webpack-virtual-modules` ([58dd7f3a6](https://togithub.com/nuxt/nuxt/commit/58dd7f3a6))
- Lint ([cb77ddc30](https://togithub.com/nuxt/nuxt/commit/cb77ddc30))

##### ✅ Tests

- Add type test for nuxt module resolved types ([115fc2d18](https://togithub.com/nuxt/nuxt/commit/115fc2d18))

##### 🤖 CI

- Improve generated changelog ([d20266961](https://togithub.com/nuxt/nuxt/commit/d20266961))

##### ❤️ Contributors

- Daniel Roe ([@danielroe](https://togithub.com/danielroe))
- Julien Huang ([@huang-julien](https://togithub.com/huang-julien))
- Alexandru Ungureanu ([@unguul](https://togithub.com/unguul))
- Josh Dean ([@jdbdnz](https://togithub.com/jdbdnz))
- Yusuf Mansur Özer ([@ymansurozer](https://togithub.com/ymansurozer))
- Matteo Rigoni ([@Rigo-m](https://togithub.com/Rigo-m))
- Leo Osa ([@leoosa](https://togithub.com/leoosa))
- Levi (Nguyễn Lương Huy) ([@huynl-96](https://togithub.com/huynl-96))
- David Nahodyl ([@Smef](https://togithub.com/Smef))
- Michael Brevard ([@GalacticHypernova](https://togithub.com/GalacticHypernova))
- garthreckers ([@garthreckers](https://togithub.com/garthreckers))
- Valerii Strilets ([@letstri](https://togithub.com/letstri))
- Okuto Oyama ([@yamanoku](https://togithub.com/yamanoku))
- Harlan Wilton ([@harlan-zw](https://togithub.com/harlan-zw))

### [`v3.12.1`](https://togithub.com/nuxt/nuxt/releases/tag/v3.12.1)

[Compare Source](https://togithub.com/nuxt/nuxt/compare/v3.12.0...v3.12.1)

> 3.12.1 is a hotfix release to address a typo in the nuxt/script stub auto-imports.

#### 👉 Changelog

[compare changes](https://togithub.com/nuxt/nuxt/compare/v3.12.0...v3.12.1)

##### 🩹 Fixes

- **nuxt:** Update registry list for `@nuxt/scripts` ([0252000d7](https://togithub.com/nuxt/nuxt/commit/0252000d7))

##### 💅 Refactors

- **schema:** Use `CompatibilityDateSpec` ([#27521](https://togithub.com/nuxt/nuxt/pull/27521))

##### 📖 Documentation

- Update more references to v3.12 ([1d2eee00d](https://togithub.com/nuxt/nuxt/commit/1d2eee00d))
- Mention 3.12 for testing nuxt 4 ([#27525](https://togithub.com/nuxt/nuxt/pull/27525))

##### 🏡 Chore

- Fix release script ([7777f0564](https://togithub.com/nuxt/nuxt/commit/7777f0564))
- Lint ([24b8533e7](https://togithub.com/nuxt/nuxt/commit/24b8533e7))
- Bump `nuxi` dependency ([#27526](https://togithub.com/nuxt/nuxt/pull/27526))

##### ✅ Tests

- Update scrolling test ([52b85a886](https://togithub.com/nuxt/nuxt/commit/52b85a886))

##### ❤️ Contributors

- Daniel Roe ([@danielroe](https://togithub.com/danielroe))
- Pooya Parsa ([@pi0](https://togithub.com/pi0))
- Alexander Lichter ([@manniL](https://togithub.com/manniL))

### [`v3.12.0`](https://togithub.com/nuxt/nuxt/releases/tag/v3.12.0)

[Compare Source](https://togithub.com/nuxt/nuxt/compare/v3.11.2...v3.12.0)

#### 👀 Highlights

We're on the road to the release of Nuxt 4, but we've not held back in Nuxt v3.12. A huge thank you to the 75+ Nuxt contributors and community members who have been part of this release. ❤️

##### Testing Nuxt 4 changes

Nuxt 4 is on the horizon, and it's now possible to test out the behaviour changes that will be coming in the next major release ([#26925](https://togithub.com/nuxt/nuxt/pull/26925)) by setting an option in your `nuxt.config` file:

```ts
export default defineNuxtConfig({
  future: {
    compatibilityVersion: 4,
  },
})
```

As we've been merging PRs for Nuxt 4, we've been enabling them behind this flag. As much as possible we're aiming for backwards compatibility - our test matrix is running the same fixtures in both v3 and v4 compatibility mode.

There is a lot to say here, with 10+ different PRs and behaviour changes documented and testable, but for full details, including migration steps, see [the v4 upgrade documentation](https://nuxt.com/docs/getting-started/upgrade#testing-nuxt-4).

We'd be very grateful for early testing of what's coming in Nuxt 4!

##### Nuxt Scripts auto-install

We've been gradually working to release [Nuxt Scripts](https://scripts.nuxt.com/). It's currently in public preview, but we're near a public release, so we've added some stubs for composables that (when used) will prompt installing the `@nuxt/scripts` module.

Watch out for the launch - and an article explaining more!

##### Layer auto-registration and bugfixes

Just like `~/modules`, any layers within your project in the `~/layers` directory will now be automatically registered as layers in your project ([#27221](https://togithub.com/nuxt/nuxt/pull/27221)).

We also now correctly load layer dependencies, which should resolve a range of issues with monorepos and git installations ([#27338](https://togithub.com/nuxt/nuxt/pull/27338)).

##### Built-in accessibility improvements

We now have a built-in [`Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
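
The check-versus-use mismatch described under CVE-2024-34344, as an added example that is not Nuxt's code or part of the original PR: the weak function validates the normalized path but returns the raw value for loading, while the hardened one rejects URL-shaped specifiers and returns exactly the value it validated. The function names, the `resolvePosix` stand-in for `resolve(...)` and the `constructed-scheme:` sample are assumptions made for this illustration.

```javascript
// Simplified model of the pattern in the advisory; not Nuxt's source.
const ROOT = '/root/directory' // root directory from the advisory's own example

// Constructed sample: a string that a URL parser reads as scheme + opaque data.
const SCHEME_SAMPLE = 'constructed-scheme:opaque-value'

// Small POSIX-style stand-in for resolve(root, p), so the block needs no imports.
function resolvePosix(root, p) {
  const joined = p.startsWith('/') ? p : `${root}/${p}`
  const out = []
  for (const seg of joined.split('/')) {
    if (seg === '' || seg === '.') continue
    if (seg === '..') out.pop()
    else out.push(seg)
  }
  return '/' + out.join('/')
}

// How a module loader classifies a specifier, independent of any filesystem check.
function loaderView(specifier) {
  if (/^\.{0,2}\//.test(specifier)) return 'path'
  try {
    new URL(specifier) // parses only when the string carries its own scheme
    return 'absolute-url'
  } catch {
    return 'bare'
  }
}

// Weak pattern: the normalized value is checked, the raw value is what gets loaded.
function specifierCheckedThenRaw(queryPath, root = ROOT) {
  const path = resolvePosix(root, queryPath)
  if (!path.startsWith(root)) throw new Error('outside root')
  return queryPath // the loader never sees the value that was validated
}

// Hardened pattern: refuse URL-shaped input, then load the validated value itself.
function specifierValidated(queryPath, root = ROOT) {
  if (typeof queryPath !== 'string' || queryPath === '') {
    throw new TypeError('path must be a non-empty string')
  }
  if (loaderView(queryPath) === 'absolute-url') {
    throw new Error('URL specifiers are not accepted')
  }
  const path = resolvePosix(root, queryPath)
  if (path !== root && !path.startsWith(root + '/')) throw new Error('outside root')
  return path
}

// Helper for reporting: returns the accepted specifier or the rejection reason.
function decide(fn, input) {
  try {
    return fn(input)
  } catch (err) {
    return `REJECTED: ${err.message}`
  }
}

for (const input of ['./components/test', '../../etc/hosts', SCHEME_SAMPLE]) {
  console.log(JSON.stringify(input), {
    loaderSees: loaderView(input),
    weak: decide(specifierCheckedThenRaw, input),
    hardened: decide(specifierValidated, input),
  })
}
```
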
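
The parsing discrepancy described under CVE-2024-34343, as an added example that is not code from Nuxt, `unjs/ufo` or the original PR: a deny-list check fed by a strict parser finds no protocol for `javascript:alert(1)` or for a scheme with a tab or newline inside it, while the WHATWG `URL` constructor recommended in the advisory normalizes both. `strictProtocol` is a simplified stand-in rather than ufo's `parseURL`, and the base origin, protocol lists and sample strings are assumptions constructed for this illustration.

```javascript
// Constructed origin used to resolve relative navigation targets.
const BASE = 'https://app.example/'
// Assumed deny list for the weak check and allow list for the hardened one.
const SCRIPT_PROTOCOLS = ['javascript:', 'vbscript:', 'data:']
const NAVIGABLE_PROTOCOLS = ['http:', 'https:']

// Stand-in for a strict parser: only "scheme://..." yields a protocol,
// anything else comes back empty (the behaviour the advisory describes).
function strictProtocol(input) {
  const m = /^([a-z][a-z\d+.-]*:)\/\//i.exec(input)
  return m ? m[1].toLowerCase() : ''
}

// Weak check: exact comparison against a list, with no further parsing.
function blockedByDenyList(input) {
  return SCRIPT_PROTOCOLS.includes(strictProtocol(input))
}

// Protocol as the WHATWG parser sees it; tabs and newlines are stripped first.
function whatwgProtocol(input) {
  try {
    return new URL(input, BASE).protocol
  } catch {
    return null // unparseable input
  }
}

// Hardened check: allow only what parses to an expected protocol (fails closed).
function allowedByWhatwg(input) {
  return NAVIGABLE_PROTOCOLS.includes(whatwgProtocol(input))
}

// Constructed samples; `javascript:alert(1)` is the string quoted in the advisory.
const SAMPLES = [
  '/dashboard',
  'https://example.com/docs',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  'java\nscript:alert(1)',
]

function compare(samples = SAMPLES) {
  return samples.map(input => ({
    input: JSON.stringify(input),
    strictProtocol: strictProtocol(input),
    denyListBlocks: blockedByDenyList(input),
    whatwgProtocol: whatwgProtocol(input),
    whatwgAllows: allowedByWhatwg(input),
  }))
}

console.table(compare())
```
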