chore(deps): update dependency nuxt to v3.16.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	3.7.4 -> 3.16.0
nuxt (source)	3.8.1 -> 3.16.0

GitHub Vulnerability Alerts

CVE-2025-27415

Summary

By sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site.

It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site.

Impact

An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable.

Conclusion :

This is similar to a vulnerability in Next.js that resulted in CVE-2024-46982 (and see this article, in particular the "Internal URL parameter and pageProps" part, the latter being very similar to the one concerning us here.)

CVE-2024-34344

Summary

Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands.

Details

While running the test, a special component named NuxtTestComponentWrapper is available.
https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/nuxt-root.vue#L42-L43

This component loads the specified path as a component and renders it.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L9-L27

There is a validation for the path parameter to check whether the path traversal is performed, but this check is not sufficient.

https://github.com/nuxt/nuxt/blob/4779f5906fa4d3c784c2e2d6fe5a5c5f181faaec/packages/nuxt/src/app/components/test-component-wrapper.ts#L15-L19

Since import(...) uses query.path instead of the normalized path, a non-normalized URL can reach the import(...) function.
For example, passing something like ./components/test normalizes path to /root/directory/components/test, but import(...) still receives ./components/test.

By using this behavior, it's possible to load arbitrary JavaScript by using the path like the following:

data:text/javascript;base64,Y29uc29sZS5sb2coMSk

Since resolve(...) resolves the filesystem path, not the URI, the above URI is treated as a relative path, but import(...) sees it as an absolute URI, and loads it as a JavaScript.

PoC

1. Create a nuxt project and run it in the test mode:

npx nuxi@latest init test
cd test
TEST=true npm run dev

2. Open the following URL:

http://localhost:3000/__nuxt_component_test__/?path=data%3Atext%2Fjavascript%3Bbase64%2CKGF3YWl0IGltcG9ydCgnZnMnKSkud3JpdGVGaWxlU3luYygnL3RtcC90ZXN0JywgKGF3YWl0IGltcG9ydCgnY2hpbGRfcHJvY2VzcycpKS5zcGF3blN5bmMoIndob2FtaSIpLnN0ZG91dCwgJ3V0Zi04Jyk

3. Confirm that the output of whoami is written to /tmp/test

Demonstration video: https://www.youtube.com/watch?v=FI6mN8WbcE4

Impact

Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page.
Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts.

CVE-2024-34343

Summary

The navigateTo function attempts to blockthe javascript: protocol, but does not correctly use API's provided by unjs/ufo. This library also contains parsing discrepancies.

Details

The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol.

After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values.

Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing.

The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks.

Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.

PoC

POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue

Attempt payload X, then attempt payload Y.

Impact

XSS, access to cookies, make requests on user's behalf.

Recommendations

As always with these bugs, the URL constructor provided by the browser is always the safest method of parsing a URL.

Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.

Note

I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.

This ONLY has impact after SSR has occurred, the javascript: protocol within a location header does not trigger XSS.

---

Release Notes

nuxt/nuxt (nuxt)

v3.16.0

Compare Source

👀 Highlights

There's a lot in this one!

⚡️ A New New Nuxt

Say hello to create-nuxt, a new tool for starting Nuxt projects (big thanks to @​devgar for donating the package name)!

It's a streamlined version of nuxi init - just a sixth of the size and bundled as a single file with all dependencies inlined, to get you going as fast as possible.

Starting a new project is as simple as:

npm create nuxt

Special thanks to @​cmang for the beautiful ASCII-art. ❤️

Want to learn more about where we're headed with the Nuxt CLI? Check out our roadmap here, including our plans for an interactive modules selector.

🚀 Unhead v2

We've upgraded to unhead v2, the engine behind Nuxt's <head> management. This major version removes deprecations and improves how context works:

• For Nuxt 3 users, we're shipping a legacy compatibility build so nothing breaks
• The context implementation is now more direct via Nuxt itself

// Nuxt now re-exports composables while properly resolving the context
export function useHead(input, options = {}) {
  const unhead = injectHead(options.nuxt)
  return head(input, { head: unhead, ...options })
}

If you're using Unhead directly in your app, keep in mind:

1. Import from Nuxt's auto-imports or #app/composables/head instead of @unhead/vue
2. Importing directly from @unhead/vue might lose async context

Don't worry though - we've maintained backward compatibility in Nuxt 3, so most users won't need to change anything!

If you've opted into compatibilityVersion: 4, check out our upgrade guide for additional changes.

🔧 Devtools v2 Upgrade

Nuxt Devtools has leveled up to v2 (#​30889)!

You'll love the new features like custom editor selection, Discovery.js for inspecting resolved configs (perfect for debugging), the return of the schema generator, and slimmer dependencies.

One of our favorite improvements is the ability to track how modules modify your Nuxt configuration - giving you X-ray vision into what's happening under the hood.

👉 Discover all the details in the Nuxt DevTools release notes.

⚡️ Performance Improvements

We're continuing to make Nuxt faster, and there are a number of improvements in v3.16:

1. Using exsolve for module resolution (#​31124) along with the rest of the unjs ecosystem (nitro, c12, pkg-types, and more) - which dramatically speeds up module resolution
2. Smarter module resolution paths (#​31037) - prioritizes direct imports for better efficiency
3. Eliminated duplicated Nitro alias resolution (#​31088) - leaner file handling
4. Streamlined loadNuxt by skipping unnecessary resolution steps (#​31176) - faster startups
5. Adopt oxc-parser for parsing in Nuxt plugins (#​30066)

All these speed boosts happen automatically - no configuration needed!

Shout out to CodSpeed with Vitest benchmarking to measure these improvements in CI - it has been really helpful.

To add some anecdotal evidence, my personal site at roe.dev loads 32% faster with v3.16, and nuxt.com is 28% faster. I hope you see similar results! ⚡️

🕰️ Delayed Hydration Support

We're very pleased to bring you native delayed/lazy hydration support (#​26468)! This lets you control exactly when components hydrate, which can improve initial load performance and time-to-interactive. We're leveraging Vue's built-in hydration strategies - check them out in the Vue docs.

<template>
  <!-- Hydrate when component becomes visible in viewport -->
  <LazyExpensiveComponent hydrate-on-visible />
  
  <!-- Hydrate when browser is idle -->
  <LazyHeavyComponent hydrate-on-idle />
  
  <!-- Hydrate on interaction (mouseover in this case) -->
  <LazyDropdown hydrate-on-interaction="mouseover" />
  
  <!-- Hydrate when media query matches -->
  <LazyMobileMenu hydrate-on-media-query="(max-width: 768px)" />
  
  <!-- Hydrate after a specific delay in milliseconds -->
  <LazyFooter :hydrate-after="2000" />
</template>

You can also listen for when hydration happens with the @hydrated event:

<LazyComponent hydrate-on-visible @&#8203;hydrated="onComponentHydrated" />

Learn more about lazy hydration in our components documentation.

🧩 Advanced Pages Configuration

You can now fine-tune which files Nuxt scans for pages (#​31090), giving you more control over your project structure:

export default defineNuxtConfig({
  pages: {
    // Filter specific files or directories
    pattern: ['**/*.vue'],
  }
})

🔍 Enhanced Debugging

We've made debugging with the debug option more flexible! Now you can enable just the debug logs you need (#​30578):

export default defineNuxtConfig({
  debug: {
    // Enable specific debugging features
    templates: true,
    modules: true,
    watchers: true,
    hooks: {
      client: true,
      server: true,
    },
    nitro: true,
    router: true,
    hydration: true,
  }
})

Or keep it simple with debug: true to enable all these debugging features.

🎨 Decorators Support

For the decorator fans out there (whoever you are!), we've added experimental support (#​27672). As with all experimental features, feedback is much appreciated.

export default defineNuxtConfig({
  experimental: {
    decorators: true
  }
})

function something (_method: () => unknown) {
  return () => 'decorated'
}

class SomeClass {
  @​something
  public someMethod () {
    return 'initial'
  }
}

const value = new SomeClass().someMethod()
// returns 'decorated'

📛 Named Layer Aliases

It's been much requested, and it's here! Auto-scanned local layers (from your ~~/layers directory) now automatically create aliases. You can access your ~~/layers/test layer via #layers/test (#​30948) - no configuration needed.

If you want named aliases for other layers, you can add a name to your layer configuration:

export default defineNuxtConfig({
  $meta: {
    name: 'example-layer',
  },
})

This creates the alias #layers/example-layer pointing to your layer - making imports cleaner and more intuitive.

🧪 Error Handling Improvements

We've greatly improved error messages and source tracking (#​31144):

1. Better warnings for undefined useAsyncData calls with precise file location information
2. Error pages now appear correctly on island page errors (#​31081)

Plus, we're now using Nitro's beautiful error handling (powered by youch) to provide more helpful error messages in the terminal, complete with stacktrace support.

Nitro now also automatically applies source maps without requiring extra Node options, and we set appropriate security headers when rendering error pages.

📦 Module Development Improvements

For module authors, we've added the ability to augment Nitro types with addTypeTemplate (#​31079):

// Inside your Nuxt module
export default defineNuxtModule({
  setup(options, nuxt) {
    addTypeTemplate({
      filename: 'types/my-module.d.ts',
      getContents: () => `
        declare module 'nitropack' {
          interface NitroRouteConfig {
            myCustomOption?: boolean
          }
        }
      `
    }, { nitro: true })
  }
})

⚙️ Nitro v2.11 Upgrade

We've upgraded to Nitro v2.11. There are so many improvements - more than I can cover in these brief release notes.

👉 Check out all the details in the Nitro v2.11.0 release notes.

📦 New unjs Major Versions

This release includes several major version upgrades from the unjs ecosystem, focused on performance and smaller bundle sizes through ESM-only distributions:

• unenv upgraded to v2 (full rewrite)
• db0 upgraded to v0.3 (ESM-only, native node:sql, improvements)
• ohash upgraded to v2 (ESM-only, native node:crypto support, much faster)
• untyped upgraded to v2 (ESM-only, smaller install size)
• unimport upgraded to v4 (improvements)
• c12 upgraded to v3 (ESM-only)
• pathe upgraded to v2 (ESM-only)
• cookie-es upgraded to v2 (ESM-only)
• esbuild upgraded to v0.25
• chokidar upgraded to v4

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --dedupe

This refreshes your lockfile and pulls in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• nuxt: Upgrade @nuxt/devtools to v2 (#​30889)
• nuxt: Granular debug options (#​30578)
• nuxt: Add type hints for NuxtPage (#​30704)
• nuxt: Support tracking changes to nuxt options by modules (#​30555)
• nuxt: Allow disabling auto-imported polyfills (#​30332)
• schema: Add runtime + internal type validation (#​30844)
• kit,nuxt,schema: Support experimental decorators syntax (#​27672)
• kit,nuxt: Allow multiple nuxts to run in one process (#​30510)
• kit: Add named layer aliases (#​30948)
• kit,nuxt,vite: directoryToURL to normalise paths (#​30986)
• nuxt: Allow forcing start/set in loading indicator (#​30989)
• nuxt: Allow specifying glob patterns for scanning pages/ (#​31090)
• nuxt: Add types for default NuxtLink slot (#​31104)
• nuxt: Delayed/lazy hydration support (#​26468)
• vite: Add vite's modulepreload polyfill (#​31164)
• nuxt: Show source file when warning about undefined useAsyncData (#​31144)
• kit,nuxt: Augment nitro types with addTypeTemplate (#​31079)
• kit,nuxt: Resolve template imports from originating module (#​31175)
• nuxt: Use oxc-parser instead of esbuild + acorn (#​30066)
• nuxt: Upgrade to unhead v2 (#​31169)
• nuxt: Align nuxt error handling with nitro (#​31230)

🔥 Performance

• nuxt: Remove duplicated nitro alias resolution (#​31088)
• kit: Try non-subpath routes first to resolve nuxt modules (#​31037)
• nuxt: Migrate to use exsolve for module resolution (#​31124)
• kit: Skip extra module resolution step in loadNuxt (#​31176)

🩹 Fixes

• nuxt: Ensure <NuxtLayout> fallback prop is typed (#​30832)
• nuxt: Assign slot to be rendered for client components (#​30768)
• nuxt,vite: Do not override vite import conditions (#​30887)
• nuxt: Prevent keepalive cache reset (#​30807)
• nuxt: Remove div wrapper in client-only pages (#​30425)
• schema: Update type import to nitropack (aba75bd5a)
• vite: Use resolveId from vite-node to resolve deps (#​30922)
• schema: Normalise additional experimental options (63e0c342c)
• nuxt: Delete existing properties in app config HMR (#​30918)
• schema: Return null from resolve functions (d68e8ce57)
• schema: Check if app.head.meta values are undefined (#​30959)
• nuxt: Make shared/ directories available within layers (#​30843)
• kit: Ensure nuxt is loaded from cwd rather than parent dir (#​30910)
• ui-templates: Remove extra <pre> when rendering dev errors (9aab69ec4)
• nuxt: Use tsx loader for jsx blocks as well (#​31014)
• Remove unimplemented page:transition:start type (#​31040)
• kit: Expose module dependency errors (#​31035)
• nuxt: Deprioritise layer css imports (#​31020)
• nuxt: Ensure provide / inject work in setup of defineNuxtComponent (#​30982)
• nuxt: Decode URI components in cache driver methods (#​30973)
• nuxt: Use _ for NuxtIsland name on server pages (#​31072)
• nuxt: Use ohash to calculate legacy async data key without hash (#​31087)
• nuxt,schema: Resolve shared dir from config (#​31091)
• kit,schema: Set esbuild target for experimental decorators (#​31089)
• nuxt: Set nuxt.options.pages to detected configuration (#​31101)
• nuxt: Warn when definePageMeta does not receive an object (#​31156)
• nuxt: Fix nitro import statements for v2 (151cf7d49)
• nuxt: Update path to no-ssr middleware handler (a99c59fbd)
• nuxt: Align type of custom navigate with vue-router (7a1934509)
• nuxt: Show error page on island page error (#​31081)
• nuxt: Do not render payloads if disabled, and correct regexp (#​31167)
• nuxt: Add backwards-compatible serialisation for nuxt.options.pages (fa480e0a0)
• ui-templates: Escape inline scripts correctly in ui templates (39c2b0a2c)
• nuxt: Add back fallback nuxtlink type signature (a8856de59)
• kit: Provide default extensions in resolveModule (6fb5c9c15)
• nuxt: Provide default extensions in resolveTypePath (a0f9ddfe2)
• nuxt: Strip query before generating payload url (34ddc2d2f)
• schema: Resolve workspaceDir to closest git config (7a2fbce01)
• kit: Include declaration files when resolving compilerOptions.paths (835e89404)
• nuxt: Consolidate head component context (#​31209)
• nuxt: Resolve shared externals to absolute paths (#​31227)
• nuxt: Skip deep merge in dev mode for prototype keys (#​31205)
• schema: Use RawVueCompilerOptions for unresolved tsconfig (#​31202)
• nuxt: Ensure externals are resolved first (#​31235)
• nuxt: Ensure we strip all chars in payload url (4f067f601)
• nuxt: Exempt nitro from import protections (#​31246)
• nuxt: Normalise error url to pathname (87b69c9ae)
• nuxt: Ensure head components are reactive (#​31248)
• nuxt: Preserve query/hash when calling navigateTo with replace (#​31244)
• nuxt: Apply ignore rules to nitro devStorage (#​31233)
• nuxt: Fall back to wasm if oxc native bindings are missing (#​31190)
• nuxt: Pass useFetch function name on server for warning (#​31213)
• vite: Prevent overriding server build chunks (89a29e760)
• nuxt: Strip query in x-nitro-prerender header (2476cab9a)

💅 Refactors

• nuxt: Prefer logical assignment operators (#​31004)
• nuxt: Use isEqual from ohash/utils (2e27cd30c)
• nuxt: Update to noScripts route rule (#​31083)
• nuxt: Re-organize internal runtime/nitro files (#​31131)
• nuxt: Explicitly type internal request fetch (54cb80319)
• nuxt: Use relative imports (1bce3dc3b)
• nuxt: Early return island response (#​31094)

📖 Documentation

• Tiny typo (#​30799)
• Fix typo (#​30817)
• Remove backslashes in spaLoadingTemplate example (#​30830)
• Update path to nuxt binary (8992c4ea0)
• Add nuxt lifecycle (#​30726)
• Add additional information about NuxtPage (#​30781)
• Improve navigateTo docs with clearer structure and examples (#​30876)
• Add auto import info about shared utils (#​30858)
• Fix typo and improve data fetching examples (#​30935)
• Clarify that local layers are scanned from rootDir (27e356fe6)
• Fix typo (#​30963)
• Update links to unhead sources (6c520ef74)
• Fix typo (#​30971)
• Add tips on how to override layers aliases (#​30970)
• Add description for vue:setup and app:data:refresh hooks (#​31001)
• Mention requirement to wrap middleware in defineNuxtRouteMiddleware (#​31005)
• Add port option to preview command (#​30999)
• Remove link to deleted nuxt 2 section (#​31077)
• Link to the scripts releases page (#​31095)
• Add .nuxtrc documentation (#​31093)
• Fix typo in example command (#​31112)
• Explain why headers not forwarded when using $fetch on the server (#​31114)
• Fix links to nitro directory structure (5a696176d)
• Update to use create nuxt command (fe82af4c9)
• Update getCachedData types (#​31208)
• Update code example for nightly release to default to 3x (a243f8fcf)
• Clarify lifecycle behavior of <NuxtPage> during page changes (#​31116)
• Mention workaround for typedPages in unhoisted pnpm setups (#​31262)

📦 Build

• nuxt: Add subpath imports for type support (8ef3fcc4d)

🏡 Chore

• Remove second version of vitest (bc9ac7349)
• Bump bundle size (c5e191165)
• Add basic copilot instructions (d47b830d3)
• Handle undefined author (0161985c0)
• Use logical or assignment (#​30992)
• Reorder options object (11e6b8398)
• Lint (86c960c6f)
• Fix broken lockfile (05501d2c8)
• Add errx dependency (566418177)
• Add additional dummy url to ignore (bc101e4ae)
• Ignore internal resolution errors in nuxt types (0d54dc3f4)
• Bump octokit patch versions (a477065b4)
• Bump @nuxtjs/mdc typechecking dep (f23683b26)
• Ignore nitro/renderer templates (b29c0e86b)

✅ Tests

• Add benchmarks for dev server initial build (#​30742)
• Exclude urls from lychee crawler used in test suite (8e2d9a640)
• Prepare environment to ensure more reproducible dev tests (bc89ef867)
• Update unit test (5a71ef8ac)
• Add major version to unit test (676447239)
• Slightly improve coverage (d992c0da9)
• Bump timeout for route hmr (cbe38cf52)
• Update unit test snapshot for jsx (4910959b9)
• Disable codspeed outside of ci (71de708a0)
• Add some more stability in hmr tests (9a9fcdab5)
• Skip testing spa-preloader in dev (6cf97bfe5)
• Fix time-based hydration test (da3b39d67)
• Simplify further (ad306f472)
• Filter out dev server logs 🙈 (ee040eea3)
• Update unit test snapshot (97ec3143a)
• Provide nuxt extensions in unit test (358729e96)
• Add benchmark for vite client build (#​31118)
• Update build benchmark (82ca08f93)
• Ensure dev tests have separate buildDirs (d7623f884)
• Update nitro type import (8f61d0090)
• Update import to #internal/nitro/app (a1b855cc5)
• Try to improve dev test stability (#​31218)
• Migrate hmr test to use playwright runner (#​31241)

❤️ Contributors

• Anoesj Sadraee (@​Anoesj)
• Daniel Roe (@​danielroe)
• John Tanzer (@​moshetanzer)
• Connor Pearson (@​cjpearson)
• Connor Roberts (@​murshex)
• Harlan Wilton (@​harlan-zw)
• Alex Liu (@​Mini-ghost)
• Kevin Deng 三咲智子 (@​sxzz)
• xjccc (@​xjccc)
• Julien Huang (@​huang-julien)
• Michael Brevard (@​GalacticHypernova)
• Maik Kowol (@​94726)
• Anthony Fu (@​antfu)
• Bobbie Goede (@​BobbieGoede)
• Clayton Chew (@​claytonchew)
• awfulness (@​awfulness)
• Sébastien Chopin (@​atinux)
• Saeid Zareie (@​Saeid-Za)
• Vahagn Zaqaryan (@​Vahagn-Zaqaryan)
• Idorenyin Udoh (@​idorenyinudoh)
• Jonas Thelemann (@​dargmuesli)
• Ryota Watanabe (@​wattanx)
• Horu (@​HigherOrderLogic)
• Nolhan (@​Nonolanlan1007)
• Typed SIGTERM (@​typed-sigterm)
• Hans Tu (@​ChiaHanTu)
• Damian Głowala (@​DamianGlowala)
• David Marr (@​marr)
• Camille Coutens (@​Kamsou)
• Charlie ✨ (@​CharleeWa)
• Hussain Panahy (@​HP8585)
• @​beer (@​iiio2)

v3.15.4

Compare Source

3.15.4 is the next patch release.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --force

This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🩹 Fixes

• nuxt: Improve error logging when parsing with acorn (#​30754)
• nuxt: Clear island uid before saving into the payload (#​30767)
• kit: Load @nuxt/schema from nuxt package dir (#​30774)
• nuxt: Allow restarting nuxt on paths outside srcDir (#​30771)
• nuxt: Don't warn about calling useRoute in SFC setup (#​30788)
• webpack: Disallow cross-site requests in no-cors mode (#​30757)
• vite: Restore externality for dev server externals (#​30802)

💅 Refactors

• vite: Use new rollup chunk.names for asset names (#​30780)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Peter Radko (@​Gwynerva)
• Lansi (@​lansi951)
• Julien Huang (@​huang-julien)
• Norbiros (@​Norbiros)

v3.15.3

Compare Source

3.15.3 is the next regularly scheduled patch release.

👀 Highlights

CORS configuration for dev server

Alongside a range of improvements, we've also shipped a significant fix to impose CORS origin restrictions on the dev server. This applies to your Vite or Webpack/Rspack dev middleware only.

This is a significant/breaking change we would not normally ship in a patch but it is a security fix (see GHSA-4gf7-ff8x-hq99 and GHSA-2452-6xj8-jh47) and we urge you to update ASAP.

You can configure the allowed origins and other CORS options via the devServer.cors options in your nuxt.config, which may be relevant if you are developing with a custom hostname:

export default defineNuxtConfig({
  devServer: {
    cors: {
      origin: ['https://custom-origin.com'],
    },
  },
})

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --force

This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• kit,nuxt: Don't resolve paths from local layers/modules (#​30650)
• nuxt: Reduce number of mkdirSync calls (#​30651)
• nuxt: Reduce unnecessary template updating (#​30684)
• kit: Reduce duplication between findPath and resolvePath (#​30682)
• kit: Run components compat check synchronously (#​30685)
• nuxt: Early return from annotation for non-object syntax plugins (#​30683)
• nuxt: Enable Transition component only on client side (#​30720)

🩹 Fixes

• vite: Override previous #app-manifest alias (#​30618)
• kit,nuxt,schema,vite: Improve watching behaviour (#​30620)
• nuxt: Fall back to plugin.src for variable name generation (#​30649)
• schema: Allow overriding dev/test environment value (#​30667)
• vite: Drop unneeded call to invalidate module (d2a95c542)
• vite: Add back invalidateModule call (9bd71e498)
• nuxt: Do not warn about [[ optional dynamic params (#​30619)
• vite: Inline shared folder in dev mode (#​30690)
• nuxt: Deep clone extracted page meta (#​30717)
• vite,webpack: Restrict access via cors to local origins + allow configuration via devServer.cors (406db5b4d)

💅 Refactors

• vite: Drop externality and use vite internal config (#​30634)

📖 Documentation

• Add link to custom useFetch example (#​30629)
• Fix example command (#​30628)
• Fix links to nuxi source code (4fabe0025)
• Add description for prefetch and other details of NuxtLink (#​30614)
• Update nuxt/content example (542987627)
• Adjust examples, type and description for addRouteMiddleware (#​30656)
• Explain how to use ClientOnly with onMounted hook (#​30670)
• Update links to unhead source (eb5344b43)
• Add more context about navigation mode in callOnce composable (#​30612)
• Add example on how to disable default routes for ssg (#​30729)

📦 Build

• schema: Use new inlineDependencies option (01adefcec)

🏡 Chore

• kit: Explicitly inline lodash-es (0c01273f5)
• Add debug timing jiti/unbuild plugins (#​30648)
• Do not clobber global tracker objects (df8554331)
• Remove stray console log (47c40f310)
• Improve debugging plugins (492b1ec65)
• Write metrics to disk for better diffing (c5c6b8105)
• Lint (86aff854c)

🤖 CI

• Run bundle size assertion outside of matrix (#​30688)
• Reenable nuxt benchmarking (#​30711)

❤️ Contributors

• Alex Liu (@​Mini-ghost)
• Daniel Roe (@​danielroe)
• Alan Schio (@​schirrel)
• xjccc (@​xjccc)
• Saeid Zareie (@​Saeid-Za)
• Zakhar Shymanchyk (@​zshimanchik)
• Arturs Jansons (@​iegik)
• Maxime Pauvert (@​maximepvrt)

v3.15.2

Compare Source

3.15.2 is the next regularly scheduled patch release.

👀 Highlights

🔥 Startup performance improvements

It is worth noting that this release includes some pretty significant performance improvements which you should notice particularly in the startup time. In my tests in the nuxt monorepo,

fixture	time to vite build complete (v3.15.1)	time to vite build complete (v3.15.2)
minimal	850ms	710ms
everything bagel	3,021ms	1,690ms

There's more improvement to do here but hopefully these are good numbers!

📦 CLI refactor

To improve performance within Nuxt projects, we've published a new @nuxt/cli distribution of nuxi, which is used under-the-hood in nuxt (see issue). This should behave exactly the same and nothing needs to be updated in your projects (for example, you will continue to use the nuxi or nuxt commands). The only significant change is that it no longer inlines dependencies. Feedback is welcome 🙏

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --force

This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• nuxt: Remove code duplication in client-only (#​30460)
• nuxt: Use lighter @nuxt/cli dependency (#​30526)
• kit: Remove iterations when resolving module path (#​30562)
• nuxt: Avoid checking fs for existence of scanned pages (#​30581)
• nuxt: Defer version/config warnings to after build (#​30567)

🩹 Fixes

• nuxt: Collect all identifiers before extracting page metadata (#​30478)
• nuxt: Don't hoist identifiers declared locally in definePageMeta when extracting page metadata (#​30490)
• kit: Reorder #build to the end of tsConfig paths (#​30520)
• nuxt: Use fullPath instead of empty string in router hmr (#​30500)
• Relax nuxt version constraints to current (23b968289)
• nuxt: Add import protection for @nuxt/cli (618bbc6da)
• kit: Fully resolve plugin paths when normalising them (#​30540)
• nuxt: Call page:loading:end only once with nested pages (#​29009)
• nuxt: Warn about ignored char while parsing route segment (#​30396)
• nuxt: Allow url-specific chars in vfs (#​30584)
• nuxt: Do not warn about invalid characters in route groups/catchalls (0249c74bc)
• vite: Provide fallback alias for #app-manifest (#​30587)
• nuxt: Avoid invoking shouldPrefetch on the server side (#​30591)
• nuxt: Decode id before resolving relative imports (#​30599)

💅 Refactors

• kit,nuxt,webpack: Reduce reassignments (#​30589)

📖 Documentation

• Document --dev option for the module command (#​30477)
• Document the add layer command (#​30476)
• Update v4 release date (#​30514)
• Ensure correct type for url in useFetch (#​30531)
• Update link to @nuxt/module-builder source (509cf4a5c)
• Add status detail and enhance getCachedData readability (#​30536)
• Update hash link to correct heading (#​30543)
• Update links to unhead source (fef3a59bb)
• Adjust example and additional instructions of useNuxtData (#​30570)
• Resolve many twoslash errors (#​30573)
• Add context for useAsyncData side effects (#​30479)
• Update examples to use function declarations for clarity (#​30588)

🏡 Chore

• Control dependency import into nuxt/app (1adf3e31f)
• Ignore automated renovate node engines updates (6895993fb)

🤖 CI

• Don't block release on fixtures + add pkg.pr.new (#​30548)
• Remove concurrency group from release-pr job (8ac54ff10)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Alex Liu (@​Mini-ghost)
• Anthony Fu (@​antfu)
• Camille Coutens (@​Kamsou)
• Julien Huang (@​huang-julien)
• Peter Buglavecz (@​buglavecz)
• ikxin (@​ikxin)
• Guspan Tanadi (@​guspan-tanadi)
• Vuk Marjanovic (@​vmrjnvc)
• Saeid Zareie (@​Saeid-Za)
• Matej Černý (@​cernymatej)
• Clément Ollivier (@​clemcode)

v3.15.1

Compare Source

3.15.1 is the next regularly scheduled patch release.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxi@latest upgrade --force

This will refresh your lockfile as well, and ensures that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🔥 Performance

• nuxt: Skip experimental async context transform in client build (#​30360)
• schema: Drop unneeded type-only schema dependencies (#​30411)
• rspack,webpack: Drop lodash-es dependency (#​30409)
• nuxt: Drop pathe browser dep for deep server components (#​30456)

🩹 Fixes

• nuxt: Update module path for defaults (#​30371)
• nuxt: Ignore non-reference identifiers when extracting page metadata (#​30381)
• nuxt: Pass nuxt instance to resolvePagesRoutes (e4a372e12)
• schema: Support pfx certificate for dev server (#​30412)
• nuxt: Use node location instead of range for route meta property extraction (#​30447)
• schema: Override vueCompilerOptions.plugins type (#​30454)
• nuxt: Respect baseURL when ignoring prerendered manifest (#​30446)
• nuxt: Respect router.options when hmring routes (#​30455)

💅 Refactors

• nuxt: Use consola with nuxt tag instead of console (#​30408)

📖 Documentation

• Update references to lodash and recommend es-toolkit (8e2ca5bdc)
• Add warning about prerendering (#​30437)

🏡 Chore

• Add configuration for JetBrains IDEs (#​30380)
• Update lockfile (db65a703b)
• Dedupe lockfile + bump nanoid (c5eb6a81d)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Anders Bootsmann Larsen ([@​boot

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
vue3-lottie	Error			Aug 19, 2025 0:45am