chore(deps): update dependency nuxt to v3.21.7 [security]#115
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency nuxt to v3.21.7 [security]#115renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
1031c6a to
c0546e8
Compare
|
c0546e8 to
a4c4cd1
Compare
a4c4cd1 to
bfb2589
Compare
bfb2589 to
af65ee6
Compare
af65ee6 to
6b8b473
Compare
6b8b473 to
4d3ede4
Compare
4d3ede4 to
77761f5
Compare
9a96240 to
14f56e4
Compare
14f56e4 to
2689b28
Compare
2689b28 to
75c6596
Compare
75c6596 to
844eaac
Compare
844eaac to
2ca26b7
Compare
2ca26b7 to
7282c0d
Compare
7282c0d to
8f09fb4
Compare
8f09fb4 to
5db1380
Compare
5db1380 to
8d02163
Compare
8d02163 to
acc9040
Compare
16094cd to
daddff7
Compare
daddff7 to
bda6207
Compare
bda6207 to
f6f05dc
Compare
f6f05dc to
2cebd6b
Compare
2cebd6b to
53ba7c6
Compare
53ba7c6 to
fa6dd30
Compare
fa6dd30 to
6f64953
Compare
6f64953 to
6a78603
Compare
6a78603 to
609f75c
Compare
609f75c to
fdc7392
Compare
fdc7392 to
8dec5d5
Compare
8dec5d5 to
99bca5d
Compare
99bca5d to
64084c1
Compare
64084c1 to
18f9fe8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.8.1→3.21.7^3.8.1→^3.21.7Nuxt vulnerable to remote code execution via the browser when running the test locally
CVE-2024-34344 / GHSA-v784-fjjh-f8r4
More information
Details
Summary
Due to the insufficient validation of the
pathparameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.Details
While running the test, a special component named
NuxtTestComponentWrapperis available.https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43
This component loads the specified path as a component and renders it.
https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L9-L27
There is a validation for the
pathparameter to check whether the path traversal is performed, but this check is not sufficient.https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L15-L19
Since
import(...)usesquery.pathinstead of the normalizedpath, a non-normalized URL can reach theimport(...)function.For example, passing something like
./components/testnormalizespathto/root/directory/components/test, butimport(...)still receives./components/test.By using this behavior, it's possible to load arbitrary JavaScript by using the path like the following:
Since
resolve(...)resolves the filesystem path, not the URI, the above URI is treated as a relative path, butimport(...)sees it as an absolute URI, and loads it as a JavaScript.PoC
whoamiis written to/tmp/testDemonstration video: https://www.youtube.com/watch?v=FI6mN8WbcE4
Impact
Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page.
Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
CVE-2024-34343 / GHSA-vf6r-87q4-2vjf
More information
Details
Summary
The
navigateTofunction attempts to blockthejavascript:protocol, but does not correctly use API's provided byunjs/ufo. This library also contains parsing discrepancies.Details
The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a
javascript:protocol.After this, the URL is parsed using the
parseURLfunction. This function will refuse to parse poorly formatted URLs. Parsingjavascript:alert(1)returns null/"" for all values.Next, the protocol of the URL is then checked using the
isScriptProtocolfunction. This function simply checks the input against a list of protocols, and does not perform any parsing.The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the
parseURLimplementation, bypassing theisScriptProtocolchecks.Certain special protocols are identified at the top of
parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.PoC
POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue
Attempt payload X, then attempt payload Y.
Impact
XSS, access to cookies, make requests on user's behalf.
Recommendations
As always with these bugs, the
URLconstructor provided by the browser is always the safest method of parsing a URL.Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.
Note
I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.
This ONLY has impact after SSR has occurred, the
javascript:protocol within a location header does not trigger XSS.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt allows DOS via cache poisoning with payload rendering response
CVE-2025-27415 / GHSA-jvhm-gjrh-3h93
More information
Details
Summary
By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.
It is possible to craft a request, such as
https://mysite.com/?/_payload.jsonwhich will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.Impact
An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.
Conclusion :
This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see this article, in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival
CVE-2025-59414 / GHSA-p6jq-8vc4-79f6
More information
Details
Summary
A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.
Technical Details
The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized
__nuxt_islandobjects. The issue affects the following flow:__nuxt_islandobjectdevalue.stringifyand stored in the prerendered pagedevalue.parsedeserializes the payload/__nuxt_island/${key}.jsonwherekeycould contain path traversal sequencesPrerequisites for Exploitation
This vulnerability requires all of the following conditions:
nitro.prerender)useFetch,useAsyncData, or similar composablesAttack Scenario
This could cause the client to make requests to
/__nuxt_island/../../../../internal/service.jsonif path traversal is not properly handled by the server.Impact Assessment
Mitigation
Action Required:
Temporary Workarounds (if immediate update is not possible):
Fix Details
The fix implemented validation for Island keys in
revive-payload.server.ts:/^[a-z][a-z\d-]*_[a-z\d]+$/iSeverity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt: Reflected XSS in
navigateTo()external redirectCVE-2026-45669 / GHSA-fx6j-w5w5-h468
More information
Details
Summary
navigateTo()withexternal: truegenerates a server-side HTML redirect body containing a<meta http-equiv="refresh">tag. The destination URL is only sanitized by replacing"with%22, leaving<,>,&, and'unencoded. An attacker who can influence the URL passed tonavigateTo(url, { external: true })can break out of thecontent="…"attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed
javascript:protocol bypass. The issue here is triggered by any valid URL containing>.Impact
Applications that pass user-controlled input to
navigateTo(url, { external: true })— typically via a?next=/?redirect=query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.Details
In
packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only"percent-encoded in the destination URL:The
Locationheader is normalised throughencodeURL()(which uses theURLconstructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.Proof of concept
Global middleware that forwards a query parameter to
navigateTo:Request:
Response body:
The
>afterevil.example/xterminates thecontent="…"attribute, and the<img onerror>tag executes JavaScript in the application's origin before any redirectoccurs.
Patches
Fixed in
nuxt@4.4.6andnuxt@3.21.6by #35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&,",',<,>) before interpolating the URL into the meta-refresh bodyWorkarounds
If you can't upgrade immediately, validate user-controlled URLs before passing them to
navigateTo(url, { external: true }). At minimum, normalise throughnew URL(input).toString()and reject inputs containing<or>(a normalised URL with these characters is malformed and safe to refuse).Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt:
__nuxt_islandendpoint does not bind responses to request props, enabling shared-cache poisoningCVE-2026-46342 / GHSA-g8wj-3cr3-6w7v
More information
Details
Summary
The
/__nuxt_island/*endpoint accepts attacker-controlledpropsquery/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by<NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query.Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does not treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one.
Impact
In applications where a CDN or reverse-proxy in front of the app caches
/__nuxt_island/*keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry.Where the affected island has any prop flowing into an unsafe HTML sink in application code (
v-html,innerHTML, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires.HttpOnlycookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script.Preconditions:
experimental.componentIslandsenabled (or the default'auto'with at least one server / island component in the app).Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution.
Patches
Patched in
nuxt@4.4.6andnuxt@3.21.6by #35077. The island handler now recomputes the expectedhashIdfrom(name, props, context)using the sameohashfunction<NuxtIsland>already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props.Workarounds
For users unable to upgrade immediately:
/__nuxt_island/*on the full query string, not on the path alone. This is the recommended configuration regardless.v-html/innerHTML/ similar HTML sinks; treat island props as untrusted user input.Note on island authentication
A separate advisory addresses
*.server.vuepages registered aspage_<routeName>islands, where the documented "middleware doesn't run for islands" contract collides with the page's owndefinePageMeta({ middleware })declaration in a way that constitutes a genuine bug rather than documented behaviour.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt: URL-handling weaknesses in
navigateToandreloadNuxtApp: SSR open redirect, client-side script execution via theopenoption, and protocol-relative bypass inreloadNuxtAppCVE-2026-56326 / GHSA-c9cv-mq2m-ppp3
More information
Details
Summary
Three weaknesses in Nuxt's client-navigation URL handling, all reachable
from documented public APIs (
navigateToandreloadNuxtApp):SSR open redirect in
navigateTovia path-normalisation bypass.navigateTodecided whether a target was external by inspecting the rawinput with
hasProtocol(..., { acceptRelative: true }). Inputs such as/..//evil.com,/.//evil.com,/%2e%2e//evil.com, or/app/..//evil.comslipped past that check because they start with/, but WHATWG URL parsing then normalised them to theprotocol-relative pathname
//evil.com. The normalised value waswritten to the
Locationresponse header and into the<meta http-equiv="refresh">body of the SSR redirect page, so avictim's browser would resolve the redirect cross-origin to the
attacker's host.
Client-side script execution via
navigateTo({ open: ... }). Theclient-side early-open handler called
window.open(toPath, ...)withoutapplying the
isScriptProtocolcheck that gates the normalnavigateTopath. A target of
javascript:...(or another script-capable scheme)passed to
navigateTo(url, { open: { ... } })therefore executed in theapplication's origin instead of being rejected.
Open redirect in
reloadNuxtAppvia protocol-relative bypass.reloadNuxtApp({ path })rejects script-capable protocols by parsingthe path with
new URL(path, window.location.href)and checking theresolved
protocolagainstisScriptProtocol. Protocol-relative pathssuch as
//evil.comresolve to the current page's protocol (https:),which passes that check; the value is then assigned to
window.location.href, which the browser treats as a cross-originredirect. This is the same protocol-relative bypass family as (1), in
a different sink.
Impact
For (1), the practical risk is phishing or OAuth-code theft against any
Nuxt app that forwards user-controlled input (for example a
?next=query parameter on a login route) into
navigateToon the server. Theframework documents that
navigateToblocks external hosts unlessexternal: trueis passed, so maintainers commonly rely on it as thesafe path for post-login redirects.
For (2), any app that passes a user-controlled URL into
navigateTo(url, { open: { ... } })was vulnerable to reflected XSS inthe application's first-party origin.
For (3), any app that forwards user-controlled input into
reloadNuxtApp({ path })could be redirected cross-origin for phishingor OAuth-code theft, even on releases that already shipped the
isScriptProtocolguard added by #35115.Patches
Fixed in
nuxt@4.4.7and backported tonuxt@3.21.7. The three sinksare addressed by:
navigateTo:2cce6fb01f2dd5e7navigateTo({ open })script-protocol guard:3394716d)62fc32edreloadNuxtApp:e447a7936497d99dWorkarounds
navigateTo,for example reject any input where
new URL(target, 'http://localhost').pathnamestarts with//, oronly accept a known allow-list of paths.
allow-list (typically just
http:andhttps:) before passing it tonavigateTo({ open: ... }).//(or wherenew URL(path, window.location.href).host !== window.location.host)before passing to
reloadNuxtApp({ path }).References
Credits
Reported by Anthropic / Claude as
ANT-2026-S08HN6DHthrough Anthropic'scoordinated vulnerability disclosure programme.
The
reloadNuxtAppprotocol-relative bypass (sink 3) was independentlyreported by @alcls01111 via GitHub's
coordinated disclosure flow (
GHSA-w7fp-2cfv-4837), closed as aduplicate of this advisory.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Nuxt: Reflected XSS in
<NuxtLink>via unsanitisedjavascript:ordata:URLCVE-2026-53722 / GHSA-934w-87qh-qr26
More information
Details
Summary
<NuxtLink>did not validate the URL scheme of values bound to itstoorhrefprops before rendering them into thehrefattribute of the underlying<a>element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to<NuxtLink :to>or:href, the attacker can supply ajavascript:orvbscript:URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. Adata:text/html,...payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link.The same value was exposed to consumers of the component's
customslot via thehrefandroute.hrefprops, so applications that re-bind those values to their own anchors were affected identically.Unlike the previously reported
navigateToissue (CVE-2024-34343), the sink here is the rendered anchor itself; the existingisScriptProtocolchecks innavigateToandreloadNuxtAppare not on the code path. TheonClickhandler intentionally returns early for external links so the browser's native protocol-based navigation runs.Affected component
packages/nuxt/src/app/components/nuxt-link.tsh('a', { href: href.value, ... })in the default render, plus thehref/route.hrefprops passed to thecustomslot.hasProtocol(path, { acceptRelative: true })value as an "external link", then rendered the value directly as<a href>without rejecting script-capable protocols. There was no equivalent of thenavigateToisScriptProtocol(protocol)gate in this path.Impact
Any Nuxt application that binds user-controlled values to
<NuxtLink :to>/:hrefwas vulnerable. Common shapes: profile-link rendering (<NuxtLink :to="user.website">), "share this" / "open in new tab" handlers that pass through a query parameter, CMS-driven landing pages that render<NuxtLink :to="cms.cta.url">, and marketplace listings that show seller-supplied links.For
javascript:/vbscript:the primitive is reflected XSS in the application's first-party origin (session theft for non-HttpOnlycookies, CSRF token theft, account takeover via DOM rewriting, credential harvesting via fake login overlays). Fordata:text/html,...the attacker gets a same-tab phishing surface anchored to a legitimate application link.Patches
Fixed in
nuxt@4.4.7(commit0103ce06) and backported tonuxt@3.21.7(commit53284043). The fix sanitises the resolved externalhrefbefore it is passed to<a>or thecustomslot: control characters and whitespace are stripped, leadingview-source:prefixes are unwrapped, and any remaining script-capable scheme (perisScriptProtocol) causes thehrefto be replaced with an empty string.Workarounds
Until you can upgrade, validate URLs at the source before binding them to
<NuxtLink :to>/:href. For example, only accept paths that start with/(and not//), or run user-supplied URLs throughnew URL(value)and reject anything whoseprotocolis not in an allow-list (typicallyhttp:andhttps:).Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Cross-site scripting via slot content in Nuxt's head components
GHSA-m3q2-p4fw-w38m
More information
Details
Impact
Nuxt's globally registered
<NoScript>component (from@unhead/vuehead components, re-exported by Nuxt) wrote its default-slot content to theinnerHTMLof the<noscript>head tag, bypassing the HTML escaping that{{ }}interpolation normally applies in Vue templates.Applications that placed untrusted, attacker-controllable data inside a
<NoScript>slot, for example:would emit that value unescaped inside
<noscript>in the server-rendered HTML. With scripting enabled, the HTML parser treats<noscript>content in<head>under the "in head noscript" insertion mode: any tag other thanlink,meta,noframes, orstyleimplicitly closes<noscript>and is re-processed in the head. A payload such as<script>...</script>therefore escapes the element and executes in the document context.Sibling head components (
<Style>,<Title>) were not affected because they already routed slot text through the safetextContentpath.Affected versions
All currently supported versions of
nuxtthat ship the<NoScript>global component.Patches
Fixed in
nuxt@4.4.7(commit4b054e9d) and backported tonuxt@3.21.7(commit7fea9fd6). The fix escapes<NoScript>slot content withescapeHtmlfrom@vue/sharedand writes it totextContentrather thaninnerHTML. Slot content is now rendered as text; intentional markup inside<NoScript>is no longer parsed as HTML.Workarounds
Until you can upgrade:
<NoScript>slots. Replace<NoScript>{{ x }}</NoScript>with a static string, or sanitise / HTML-escapexat the source.useHead({ noscript: [{ textContent: escapedValue }] })after escapingescapedValue.Credit
Reported to Anthropic's coordinated vulnerability disclosure pipeline by Claude (Anthropic's AI assistant) and triaged by the Anthropic security team. Reference: ANT-2026-4NJYDFFM.
Independently reported by @alcls01111 via GitHub's coordinated disclosure flow (
GHSA-8grp-wcq9-925q), closed as a duplicate of this advisory.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nuxt/nuxt (nuxt)
v3.21.7Compare Source
👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.
👉 Changelog
compare changes
🩹 Fixes
noSSRbefore deciding payload extraction (#35108)allowDirs(#35112)pathefor buildCache path boundary check (#35111)isValidin dev clipboard-copy listener (#35109)reloadNuxtApppath before reload (#35115)clientServerwithssr: false(#34959).d.mts/.d.ctsinresolveTypePaths(#35235)<NuxtClientFallback>ssr output (#35199)isScriptProtocolguard tonavigateToopen option (#35206)defuin app config template (40bedf0db)vue-router(3f3e3fa7b)<NoScript>slot content (7fea9fd68)navigateTo(1f2dd5e78)reloadNuxtApp(6497d99dd)<NuxtLink>href (53284043d)defu(d11d7b1b5)📖 Documentation
🏡 Chore
execFileSyncfor safety in release scripts (9a455a658)✅ Tests
🤖 CI
❤️ Contributors
v3.21.6Compare Source
👉 Changelog
compare changes
🩹 Fixes
setPageLayoutprops on same-path navigation (#35055)useLoadingIndicatorproperties as readonly (#35062)statusCodefor nitro v2 compatibility (82dcd6a31)💅 Refactors
📖 Documentation
🏡 Chore
✅ Tests
app/(6d2ac69ff)🤖 CI
test:enginesfails (958abb882)❤️ Contributors
v3.21.5Compare Source
👉 Changelog
compare changes
🔥 Performance
isIgnoredrelative (#35015)🩹 Fixes
/+ overridessr: true(#34990).envbefore resolving nuxt schema (#34958)serverHandlersarray afternitro:config(#34985)📖 Documentation
🏡 Chore
✅ Tests
buildDirper matrix project for shared fixtures (#35007)❤️ Contributors
v3.21.4Compare Source
v3.21.2Compare Source
v3.21.1Compare Source
👉 Changelog
compare changes
🩹 Fixes
server/forbuilder:watchhook (#34208)x-nitro-prerenderheader (#34202)error.messagefor fatal errors (#34226)#appbarrel export in keyed functions (#34199)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.