Change8

v3.15.3

Breaking Changes
📦 nuxtView on GitHub →
1 breaking1 features🐛 8 fixes🔧 9 symbols

Summary

Nuxt 3.15.3 is a security-focused patch release that introduces mandatory CORS restrictions on the dev server and includes various performance optimizations and bug fixes.

⚠️ Breaking Changes

  • The dev server now imposes CORS origin restrictions by default for Vite and Webpack/Rspack middleware. If you use a custom hostname for development, you must now explicitly configure allowed origins in your config.

Migration Steps

  1. Upgrade Nuxt and its dependencies by running: `npx nuxi@latest upgrade --force`
  2. If using a custom hostname or external access to the dev server, update `nuxt.config` to include `devServer: { cors: { origin: ['https://your-custom-domain.com'] } }`.

✨ New Features

  • Added `devServer.cors` configuration option to allow custom CORS settings (origin, etc.) for the development server.

🐛 Bug Fixes

  • Fixed a security vulnerability by restricting dev server access via CORS to local origins.
  • Improved watching behavior across kit, nuxt, schema, and vite.
  • Fixed variable name generation by falling back to `plugin.src`.
  • Allowed overriding `dev` and `test` environment values in schema.
  • Resolved issue where warnings were incorrectly shown for `[[` optional dynamic parameters.
  • Fixed page meta extraction by implementing deep cloning.
  • Inlined shared folders in Vite dev mode.
  • Corrected `#app-manifest` alias overriding in Vite.

🔧 Affected Symbols

devServer.corsdefineNuxtConfigTransitionfindPathresolvePathaddRouteMiddlewareNuxtLinkcallOnceClientOnly