Change8

v4.4.7

📦 nuxtView on GitHub →
3 features🐛 30 fixes🔧 25 symbols

Summary

This is a security hotfix release (4.4.7) addressing several vulnerabilities and improving stability across Nitro, Vite, and Nuxt core components. Numerous bug fixes related to security, payload extraction, and build processes were implemented.

✨ New Features

  • Added documentation for vite client and server options.
  • Added dedicated module dependencies documentation page.
  • Added documentation for nodeTsConfig and sharedTsConfig options.

🐛 Bug Fixes

  • Nitro: Assigned `noSSR` before deciding payload extraction.
  • Vite: Avoided filtering out directories with shared prefix from `allowDirs`.
  • Nuxt: Used resolve from `pathe` for buildCache path boundary check.
  • Nuxt: Prevented sibling-directory traversal in test component wrapper.
  • Nitro: Passed event data to `isValid` in dev clipboard-copy listener.
  • Nuxt: Validated protocols in `reloadNuxtApp` path before reload.
  • Vite: Prefixed public asset virtuals with null byte.
  • Nuxt: Re-ran `getCachedData` after initial fetch.
  • Nuxt: Propagated `useFetch`/`useAsyncData` factory types.
  • Vite: Closed vite dev server on nuxt close.
  • Kit/Nuxt: Handled cancelling prompts to install packages.
  • Kit: Avoided excluding node-context files in legacy tsconfig.
  • Nuxt: Handled missing payload in chunkError listener.
  • Nuxt: Awaited in-light template generation when closing nuxt.
  • Nuxt: Clarified page and layout usage warnings.
  • Webpack: Surfaced compilation errors when stats.toString is empty.
  • Nuxt: Rejected prototype-chain keys in the island registry.
  • Nuxt: Applied `isScriptProtocol` guard to `navigateTo` open option.
  • Nuxt: Prevented server-only page island from recursing via `<NuxtPage>`.
  • Rspack/Webpack: Required loopback host when missing same-origin signals.
  • Nitro: Gated chrome devtools workspace endpoint to local requests.
  • Nuxt: Escaped props in `<NuxtClientFallback>` ssr output.
  • Kit: Improved TS extension stripping/substitutions.
  • Nuxt: Preserved `.d.mts`/`.d.cts` in `resolveTypePaths`.
  • Nuxt: Escaped `<NoScript>` slot content.
  • Nuxt: Matched route rules case-insensitively to mirror `vue-router`.
  • Nuxt: Rejected script-capable protocols in `<NuxtLink>` href.
  • Nuxt: Blocked path-normalization open redirect in `navigateTo`.
  • Nuxt: Rejected cross-origin paths in `reloadNuxtApp`.
  • Vite: Bound vite-node IPC to a permissioned filesystem socket.

Affected Symbols

nitrovitenuxtpatheisValiduseFetchuseAsyncDatakittsconfiggetCachedDatachunkError listenertemplate generationpage/layout usage warningswebpackisland registrynavigateToNuxtPagerspackchrome devtools workspace endpointNuxtClientFallbackresolveTypePathsNoScript slotroute rulesNuxtLinkreloadNuxtApp