Change8

v3.21.7

📦 nuxtView on GitHub →
🐛 29 fixes🔧 20 symbols

Summary

Version 3.21.7 is a security hotfix release addressing multiple vulnerabilities and fixing various bugs across Nitro, Vite, and Nuxt core components.

🐛 Bug Fixes

  • Fixed an issue in Nitro where `noSSR` was not assigned before deciding payload extraction.
  • Fixed Vite to avoid filtering out directories with shared prefixes from `allowDirs`.
  • Fixed Nuxt to use resolve from `pathe` for buildCache path boundary check.
  • Fixed Nuxt to prevent sibling-directory traversal in the test component wrapper.
  • Fixed Nitro to pass event data to `isValid` in the dev clipboard-copy listener.
  • Fixed Nuxt to validate protocols in `reloadNuxtApp` path before reloading.
  • Fixed Vite to resolve vite `clientServer` with `ssr: false`.
  • Fixed Vite to prefix public asset virtuals with null byte.
  • Fixed Nuxt to handle missing payload in the chunkError listener.
  • Fixed Vite to close the dev server on Nuxt close.
  • Fixed Nuxt Kit to handle cancelling prompts to install packages.
  • Fixed Nuxt to await in-light template generation when closing Nuxt.
  • Fixed Webpack to surface compilation errors when stats.toString is empty.
  • Improved Nuxt Kit TS extension stripping/substitutions.
  • Fixed Nuxt to preserve `.d.mts`/`.d.cts` in `resolveTypePaths`.
  • Fixed Nuxt to reject prototype-chain keys in the island registry.
  • Fixed Nitro to gate chrome devtools workspace endpoint to local requests.
  • Fixed Nuxt to escape props in `<NuxtClientFallback>` ssr output.
  • Fixed Nuxt to apply `isScriptProtocol` guard to `navigateTo` open option.
  • Fixed Rspack/Webpack to require loopback host when missing same-origin signals.
  • Fixed an issue where `defu` was absolutely resolved in app config template (reverted in a subsequent fix).
  • Fixed Nuxt to match route rules case-insensitively to mirror `vue-router`.
  • Fixed Nuxt to escape `<NoScript>` slot content.
  • Fixed Nuxt to block path-normalization open redirect in `navigateTo`.
  • Fixed Nuxt to reject cross-origin paths in `reloadNuxtApp`.
  • Fixed Vite to bind vite-node IPC to a permissioned filesystem socket.
  • Fixed Nuxt to reject script-capable protocols in `<NuxtLink>` href.
  • Fixed Nuxt to clarify page and layout usage warnings.
  • Reverted absolute resolution of `defu` in app config template.

Affected Symbols

nitrovitenuxtpatheisValidclientServerallowDirschunkError listenerkitwebpackresolveTypePathsisland registrychrome devtools workspace endpointNuxtClientFallbacknavigateTorspackdefuroute rulesNuxtLinkreloadNuxtApp