
[Snyk] Upgrade nuxt from 3.12.4 to 3.17.5 #934


Open: wants to merge 1 commit into base: master

nerdy-tech-com-gitub (Owner) commented Jul 10, 2025

Snyk has created this PR to upgrade nuxt from 3.12.4 to 3.17.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 20 versions ahead of your current version.

  • The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

| Issue | Score | Exploit Maturity |
|---|---|---|
| high severity: Acceptance of Extraneous Untrusted Data With Trusted Data (SNYK-JS-NUXT-9486043) | 142 | No Known Exploit |
| high severity: Incorrect Authorization (SNYK-JS-VITE-9653016) | 142 | Proof of Concept |
| high severity: Insecure Randomness (SNYK-JS-UNDICI-8641354) | 142 | Proof of Concept |
| high severity: Excessive Platform Resource Consumption within a Loop (SNYK-JS-BRACES-6838727) | 142 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-CROSSSPAWN-8303230) | 142 | Proof of Concept |
| high severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-ES5EXT-6095076) | 142 | Proof of Concept |
| high severity: Inefficient Regular Expression Complexity (SNYK-JS-MICROMATCH-6838728) | 142 | No Known Exploit |
| medium severity: Origin Validation Error (SNYK-JS-VITE-8648411) | 142 | Proof of Concept |
| medium severity: Incorrect Authorization (SNYK-JS-VITE-9512410) | 142 | Mature |
| medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BABELHELPERS-9397697) | 142 | Proof of Concept |
| medium severity: Origin Validation Error (SNYK-JS-NUXTVITEBUILDER-8663232) | 142 | Proof of Concept |
| medium severity: Prototype Pollution (SNYK-JS-PARSEGITCONFIG-9403763) | 142 | Proof of Concept |
| medium severity: Access Control Bypass (SNYK-JS-VITE-9576207) | 142 | Proof of Concept |
| medium severity: Information Exposure (SNYK-JS-VITE-9685035) | 142 | Proof of Concept |
| medium severity: Directory Traversal (SNYK-JS-VITE-9919777) | 142 | Proof of Concept |
| medium severity: Cross-site Scripting (XSS) (SNYK-JS-ROLLUP-8073097) | 142 | Proof of Concept |
| medium severity: Information Exposure (SNYK-JS-VITE-8023174) | 142 | Proof of Concept |
| medium severity: Missing Release of Resource after Effective Lifetime (SNYK-JS-INFLIGHT-6095116) | 142 | Proof of Concept |
| medium severity: Improper Input Validation (SNYK-JS-NANOID-8492085) | 142 | No Known Exploit |
| medium severity: Improper Input Validation (SNYK-JS-NANOID-8492085) | 142 | No Known Exploit |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 142 | Proof of Concept |
| low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073) | 142 | Proof of Concept |
| low severity: Cross-site Scripting (SNYK-JS-SEND-7926862) | 142 | No Known Exploit |
| low severity: Cross-site Scripting (SNYK-JS-SERVESTATIC-7926865) | 142 | No Known Exploit |
| low severity: Missing Release of Memory after Effective Lifetime (SNYK-JS-UNDICI-10176064) | 142 | Proof of Concept |
| low severity: Cross-site Scripting (XSS) (SNYK-JS-VITE-8022916) | 142 | Proof of Concept |

Release notes
Package name: nuxt
  • 3.17.5 - 2025-06-03

    3.17.5 is a regularly scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxt upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • nuxt: Replace remaining instance of globby (#31688)

    🩹 Fixes

    • nuxt: Export useScriptRybbitAnalytics from script stubs (d275ae1a0)
    • nuxt: Remove unneeded pattern from regexp (2954c092c)
    • nuxt: Ensure appConfig sources are not duplicated (#32216)
    • nuxt: Wrap slot with h() in ClientOnly (#30664)
    • kit: Ensure template filename uses safe patterns (4372b24dd)
    • nuxt: Access asyncData state from nuxt app instance (#32232)
    • nuxt: Make patterns relative to srcDir in buildCache (#32260)
    • nuxt: Return non-existent route component in RouteProvider (#32266)
    • nuxt: Use single asyncData watcher (#32247)
    • vite: Use arrow functions in dynamic imports (#32285)
    • webpack: Use plugin for rollup-compatible dynamic imports (#32281)

    📖 Documentation

    • Update addRouteMiddleware path in example (#32171)
    • Narrow link to just middleware (#32203)
    • Use optional chaining in error example (#32214)
    • Give example of using --env-file (29f6392cd)
    • Recommend nuxt command consistently (#32237)
    • Fix typos (#30413)
    • Add props to special metadata (#29708)
    • Fix wrong alert with warning in /guide/pages (#32270)
    • Update upgrade guide + roadmap (0040ee5e7)

    📦 Build

    🏡 Chore

    ✅ Tests

    • Add regression test for useAsyncData + transition (29f7c8cb4)
    • Ensure builder tests run sequentially (defa32829)

    ❤️ Contributors

  • 3.17.4 - 2025-05-20

    3.17.4 is a regularly-scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxi@latest upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • nuxt: Use Set for circular dep plugin (#32110)
    • Refactor Array.includes checks to use Sets (#32133)
    • nuxt: Use shallowRef for primitive values (#32152)
    • nuxt: Skip route rules processing for empty child array (#32166)
    • nuxt: Use Intl.Collator instead of localeCompare (#32167)

    🩹 Fixes

    • nuxt: Do not await lazy asyncData inside <ClientOnly> (#32101)
    • nuxt: Respect cachedData with multiple asyncData calls (#32099)
    • nuxt: Clear async data after a tick (#32096)
    • nuxt: Support reactive keys in useLazyAsyncData (#32092)
    • rspack: Use ts-checker-rspack-plugin (#32115)
    • nuxt: Clear previous head in island-renderer (#32100)
    • nuxt: Handle virtual files prefixed with / (#32129)
    • schema: Remove nitro options from DeepPartial (#31990)
    • nuxt: Ensure legacy async data remains reactive (#32134)
    • nuxt: Pass attrs down to single child of <ClientOnly> (#32131)
    • nuxt: Fix merge conflicts (7044450d4)
    • nuxt: Clone vnode when passing attrs down to client-only (b3acf0c78)
    • vite: Do not replace global with globalThis (#32130)
    • nuxt: Suppress client-side errors by crawlers (#32137)
    • nuxt: Use fresh route when <NuxtLayout> first renders (#24673)
    • nuxt: Add additional logging when skipping error page for bot (68c270083)
    • nuxt: Add watch paths outside srcDir to parcel strategy (#32139)

    📖 Documentation

    • Use emphasis instead of quotes (#32078)
    • Update useNuxtData default return to undefined (#32054)
    • Capitalise headings (#32095)
    • Prefix imports.dirs with alias (0dbf314d9)
    • Mention node v20 is minimum requirement for nuxt setup (#32148)
    • Use more descriptive link text (d0b1b9d35)

    🏡 Chore

    • Remove unneeded JSdoc comments (#32090)
    • Use vitest workspaces for tests (#32121)

    ✅ Tests

    • Add universal routing tests + clean up output (64178b6f4)
    • nuxt: Add unit tests for watch strategies (#32138)
    • Resolve watch path (8fb562c04)
    • Use fake timers instead of setTimeout mock (#32142)

    🤖 CI

    ❤️ Contributors

  • 3.17.3 - 2025-05-12

    3.17.3 is a regularly-scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxi@latest upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • nuxt: Pre-calculate extension glob before app resolution (#32052)
    • nuxt: Improve islands client components chunks (#32015)

    🩹 Fixes

    • nuxt: Preload async layouts (#32002)
    • nuxt: Handle File within FormData (#32013)
    • schema: Respect user-provided ignore patterns (#32020)
    • nuxt: Allow loading virtual files with query params (#32022)
    • nuxt: Don't use reactive key for useFetch with watch: false (#32019)
    • nuxt: Do not clear data if custom getCachedData is provided (#32003)
    • nuxt: Provide nuxtApp for asyncData functions run on server (#32038)
    • vite: Strip queries when skipping vite transform middleware (#32041)
    • nuxt: Sort hash sources and files (#32048)
    • nuxt: Do not suppress chunk import error (#32064)

    💅 Refactors

    • nuxt: Directly access initialised asyncData (e779d6cd5)

    📖 Documentation

    • Fix module initialization command for pnpm (#32024)
    • Provide nuxt installation guide with deno (#32029)
    • Add codeblock closing tag (#32043)
    • Tweak nuxt doc (#32063)
    • Add space between sentences (#32069)

    🤖 CI

    • Convert bug/enhancement labels to issue types (3ff743fe0)
    • Update payload for issue types (791e5f443)

    ❤️ Contributors

  • 3.17.2 - 2025-05-05

    3.17.2 is a regularly-scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxi@latest upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • nuxt: Tree-shake router's handleHotUpdate in production (#31971)

    🩹 Fixes

    • nuxt: Ensure asyncData is initialised before effects run (#31946)
    • nuxt: Skip view transition if user agent provides one before defining transition (#31945)
    • nuxt: Improve hashing for complex body in useFetch (#31963)
    • nuxt: Immediately call asyncData within client-only components (#31964)
    • nuxt: Don't render errors if event is already handled (#31966)
    • nuxt: Track whether need to reinit asyncData separately from deps (#31965)
    • nuxt: Preserve params/meta/matched with universal router (#31950)
    • nuxt: Respect scroll behavior set by scrollToTop (#31914)
    • nuxt: Load live data from vfs even if a file exists in buildDir (#31969)
    • nuxt: Short circuit middleware when validate returns false (#31967)
    • nuxt: Ensure useAsyncData reactive to key changes when immediate: false (#31987)
    • nuxt: Resolve real paths imported into virtual files (0bb07f129)
    • webpack: Broaden WarningFilter type (2a79dbd68)
    • schema: Broaden warningIgnoreFilters (a62e808ac)

    📖 Documentation

    • Add missing article (#31952)
    • Improve @nuxt/kit documentation (#31793)
    • Fix type issues in twoslash blocks (85ab105b8)
    • Add events page (#31977)

    🏡 Chore

    ✅ Tests

    🤖 CI

    • Run docs workflow against pull requests (08f968903)
    • Run tests against node v20 (3c97d3493)

    ❤️ Contributors

  • 3.17.1 - 2025-04-29

    3.17.1 is the next patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxi@latest upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🩹 Fixes

    • nuxt: Check if match exists with new unplugin filter (#31929)
    • nuxt: Reinitialise stale async data (#31940)
    • nuxt: Skip view transition if user agent is providing one (#31938)
    • nuxt: Trigger execute when non-immediate fetch key changes (#31941)
    • nuxt: Don't redirect when route has trailing slash (#31902)
    • ui-templates: Use escapeHTML from vue (8e4b8d62f)
    • schema: Add @vue/shared dependency (7d445c963)

    📦 Build

    • Copy README/LICENSE from repo root (8e287d556)

    🏡 Chore

    ✅ Tests

    ❤️ Contributors

  • 3.17.0 - 2025-04-27

    👀 Highlights

    This release brings a major reworking of the async data layer, a new built-in component, better warnings, and performance improvements!

    📊 Data Fetching Improvements

    A major reorganization of Nuxt's data fetching layer brings significant improvements to useAsyncData and useFetch.

    Although we have aimed to maintain backward compatibility and put breaking changes behind the experimental.granularCachedData flag (disabled by default), we recommend testing your application thoroughly after upgrading. You can also disable experimental.purgeCachedData to revert to the previous behavior if you are relying on cached data being available indefinitely after components using useAsyncData are unmounted.

    👉 Read the original PR for full details (#31373), but here are a few highlights.

    Consistent Data Across Components

    All calls to useAsyncData or useFetch with the same key now share the underlying refs, ensuring consistency across your application:

    <!-- ComponentA.vue -->
    <script setup>
    const { data: users, pending } = useAsyncData('users', fetchUsers)
    </script>

    <!-- ComponentB.vue -->
    <script setup>
    // This will reference the same data state as ComponentA
    const { data: users, status } = useAsyncData('users', fetchUsers)
    // When either component refreshes the data, both will update consistently
    </script>

    This solves various issues where components could have inconsistent data states.

    Reactive Keys

    You can now use computed refs, plain refs, or getter functions as keys:

    const userId = ref('123')
    const { data: user } = useAsyncData(
      computed(() => `user-${userId.value}`),
      () => fetchUser(userId.value)
    )

    // Changing the userId will automatically trigger a new data fetch
    // and clean up the old data if no other components are using it
    userId.value = '456'

    Optimized Data Refetching

    Multiple components watching the same data source will now trigger only a single data fetch when dependencies change:

    // In multiple components:
    const { data } = useAsyncData(
      'users',
      () => $fetch(`/api/users?page=${route.query.page}`),
      { watch: [() => route.query.page] }
    )

    // When route.query.page changes, only one fetch operation will occur
    // All components using this key will update simultaneously

    🎭 Built-In Nuxt Components

    <NuxtTime> - A new component for safe time display

    We've added a new <NuxtTime> component for SSR-safe time display, which resolves hydration mismatches when working with dates (#31876):

    <template>
      <NuxtTime :datetime="Date.now()" />
    </template>

    The component accepts multiple time formats and gracefully handles both client and server rendering.

    Enhanced <NuxtErrorBoundary>

    The <NuxtErrorBoundary> component has been converted to a Single File Component and now exposes error and clearError from the component - as well as in the error slot types, giving you greater ability to handle errors in your templates and via useTemplateRef (#31847):

    <NuxtErrorBoundary @error="handleError">
      <template #error="{ error, clearError }">
        <div>
          <p>{{ error.message }}</p>
          <button @click="clearError">Try again</button>
        </div>
      </template>

      <!-- Content that might error -->
      <MyComponent />
    </NuxtErrorBoundary>

    🔗 Router Improvements

    <NuxtLink> now accepts a trailingSlash prop, giving you more control over URL formatting (#31820):

    <NuxtLink to="/about" trailing-slash>About</NuxtLink>
    <!-- Will render <a href="/about/"> -->

    🔄 Loading Indicator Customization

    You can now customize the loading indicator with new props directly on the component (#31532):

    • hideDelay: Controls how long to wait before hiding the loading bar
    • resetDelay: Controls how long to wait before resetting loading indicator state

    <template>
      <NuxtLoadingIndicator :hide-delay="500" :reset-delay="300" />
    </template>

    📚 Documentation as a Package

    The Nuxt documentation is now available as an npm package! You can install @nuxt/docs to access the raw markdown and YAML content used to build the documentation website (#31353).

    💻 Developer Experience Improvements

    We've added several warnings to help catch common mistakes:

    • Warning when server components don't have a root element #31365
    • Warning when using the reserved runtimeConfig.app namespace #31774
    • Warning when core auto-import presets are overridden #29971
    • Error when definePageMeta is used more than once in a file #31634

    🔌 Enhanced Module Development

    Module authors will be happy to know:

    • A new experimental.enforceModuleCompatibility allows Nuxt to throw an error when a module is loaded that isn't compatible with it (#31657). It will be enabled by default in Nuxt v4.
    • You can now automatically register every component exported via named exports from a file with addComponentExports #27155

    🔥 Performance Improvements

    Several performance improvements have been made:

    • Switched to tinyglobby for faster file globbing #31668
    • Excluded .data directory from type-checking for faster builds #31738
    • Improved tree-shaking by hoisting the purgeCachedData check #31785

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxi@latest upgrade --dedupe

    This refreshes your lockfile and pulls in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

    👉 Changelog

    compare changes

    🚀 Enhancements

    • nuxt: Accept hideDelay and resetDelay props for loading indicator (#31532)
    • nuxt: Warn server components need root element (#31365)
    • docs: Publish raw markdown/yaml docs as @nuxt/docs (#31353)
    • kit,nuxt: Pass dotenv values from loadNuxtConfig to nitro (#31680)
    • nuxt,vite: Support disabling scripts in dev mode (#31724)
    • nuxt: Warn if user uses reserved runtimeConfig.app namespace (#31774)
    • kit,schema: Allow throwing error if modules aren't compatible (#31657)
    • nuxt: Extract middleware when scanning page metadata (#30708)
    • nuxt: Warn if core auto-import presets are overridden (

Summary by Sourcery

Build:

  • Bump Nuxt version in package.json from 3.12.4 to 3.17.5

Snyk has created this PR to upgrade nuxt from 3.12.4 to 3.17.5.

See this package in npm:
nuxt

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/d13fd520-df96-4b88-87f8-38a6d7c57850?utm_source=github&utm_medium=referral&page=upgrade-pr

sourcery-ai bot commented Jul 10, 2025

Reviewer's Guide

This PR upgrades the Nuxt dependency in the user-management example from version 3.12.4 to 3.17.5 by updating the package.json entry, addressing flagged vulnerabilities without altering any application code.

Flow diagram for Nuxt upgrade process in the project

flowchart TD
  Start([Start]) --> Check[Check current Nuxt version]
  Check --> Update[Update package.json to Nuxt 3.17.5]
  Update --> Install[Run package manager install]
  Install --> Test[Test application]
  Test --> End([End])

File-Level Changes

| Change | Details | Files |
|---|---|---|
| Bump Nuxt version in dependencies | Updated nuxt version from ^3.12.4 to ^3.17.5 in package.json | examples/user-management/nuxt3-user-management/package.json |

