@nerdy-tech-com-gitub
Owner

Snyk has created this PR to upgrade nuxt from 3.12.4 to 4.1.3.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 44 versions ahead of your current version.

  • The recommended version was released a month ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|
| high severity Incorrect Authorization | SNYK-JS-VITE-9653016 | 174 | Proof of Concept |
| high severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-CROSSSPAWN-8303230 | 174 | Proof of Concept |
| high severity Acceptance of Extraneous Untrusted Data With Trusted Data | SNYK-JS-NUXT-9486043 | 174 | No Known Exploit |
| high severity Incorrect Authorization | SNYK-JS-VITE-9512410 | 174 | Mature |
| medium severity Access Control Bypass | SNYK-JS-VITE-9576207 | 174 | Proof of Concept |
| medium severity Information Exposure | SNYK-JS-VITE-9685035 | 174 | Proof of Concept |
| medium severity Directory Traversal | SNYK-JS-VITE-9919777 | 174 | Proof of Concept |
| medium severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-BABELHELPERS-9397697 | 174 | Proof of Concept |
| medium severity Open Redirect | SNYK-JS-KOA-10944994 | 174 | Proof of Concept |
| medium severity Improper Input Validation | SNYK-JS-NANOID-8492085 | 174 | No Known Exploit |
| medium severity Origin Validation Error | SNYK-JS-NUXTVITEBUILDER-8663232 | 174 | Proof of Concept |
| medium severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-PATHTOREGEXP-7925106 | 174 | Proof of Concept |
| low severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 174 | Proof of Concept |
| low severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 174 | Proof of Concept |
| critical severity Prototype Pollution | SNYK-JS-DEVALUE-12205530 | 174 | Proof of Concept |
| critical severity Regular Expression Denial of Service (ReDoS) | SNYK-JS-KOA-8720152 | 174 | No Known Exploit |
| high severity Insecure Randomness | SNYK-JS-UNDICI-8641354 | 174 | Proof of Concept |
| medium severity Inefficient Regular Expression Complexity | SNYK-JS-MICROMATCH-6838728 | 174 | No Known Exploit |
| medium severity Improper Input Validation | SNYK-JS-NANOID-8492085 | 174 | No Known Exploit |
| medium severity Cross-site Scripting (XSS) | SNYK-JS-NUXTDEVTOOLS-13849298 | 174 | No Known Exploit |
| medium severity Prototype Pollution | SNYK-JS-PARSEGITCONFIG-9403763 | 174 | Proof of Concept |
| medium severity Cross-site Scripting (XSS) | SNYK-JS-ROLLUP-8073097 | 174 | Proof of Concept |
| medium severity Directory Traversal | SNYK-JS-VITE-13644406 | 174 | Proof of Concept |
| medium severity Information Exposure | SNYK-JS-VITE-8023174 | 174 | Proof of Concept |
| medium severity Origin Validation Error | SNYK-JS-VITE-8648411 | 174 | Proof of Concept |
| low severity Cross-site Scripting (XSS) | SNYK-JS-KOA-9679272 | 174 | Proof of Concept |
| low severity Directory Traversal | SNYK-JS-NUXT-12878602 | 174 | Proof of Concept |
| low severity Cross-site Scripting | SNYK-JS-SEND-7926862 | 174 | No Known Exploit |
| low severity Cross-site Scripting | SNYK-JS-SERVESTATIC-7926865 | 174 | No Known Exploit |
| low severity Directory Traversal | SNYK-JS-SIRV-12558119 | 174 | Proof of Concept |
| low severity Missing Release of Memory after Effective Lifetime | SNYK-JS-UNDICI-10176064 | 174 | Proof of Concept |
| low severity Relative Path Traversal | SNYK-JS-VITE-12558116 | 174 | Proof of Concept |
| low severity Cross-site Scripting (XSS) | SNYK-JS-VITE-8022916 | 174 | Proof of Concept |

Release notes
Package name: nuxt
  • 4.1.3 - 2025-10-06

    4.1.3 is a regularly scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxt upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • vite: Use rolldown's replace plugin when applicable (#33258)

    🩹 Fixes

    • kit: Add default values when adding type references in prepare:types hook (#33239)
    • nuxt: Augment app config in server context (#33287)
    • nuxt: Make lazy component types compatible with h (#33046)
    • vite: Deduplicate inlined server style chunks (#33308)
    • nuxt: Support head option on useHead (#33318)
    • nuxt: Do not relativise importmap if cdnURL is set (#33333)
    • nuxt: Resolve aliases in imports.dirs (#33334)
    • nuxt: Add missing element/vnode props for <NuxtLink> (#33335)
    • nuxt: Do not generate server placeholder components (#33345)
    • nuxt: Dedupe generated component names (#33346)
    • webpack: Test watch instance before closing it (0e5a0a5a0)
    • nuxt: Correctly handle island rendering error (#33302)
    • nuxt: Support v-slot:fallback longform syntax in <DevOnly> (#33368)
    • nuxt: Support typeFrom when generating auto-import type templates (#33373)
    • nuxt: Don't trigger scroll when changing trailing slash (#33358)
    • nuxt: Add stubs for new scripts from @nuxt/scripts (bed410d60)
    • nuxt: Prevent duplicate execution on key change in useAsyncData (#33325)
    • nuxt: Make middleware _path property configurable for HMR (#33379)
    • nuxt: Handle non-immediate useAsyncData with different key on ssr (#33341)

    💅 Refactors

    • nuxt: Improve implementation of error composables (#33234)
    • nuxt: Resolve path of typed-router.d.ts early for consistency (#33285)
    • nuxt: Move server references to nitro:prepare:types hook (#33286)
    • nuxt: Place filename into componentsIslandsTemplate definition (#33394)
    • nuxt,vite: Use environment-api compatible plugins (#33403)

    📖 Documentation

    • Add 4.x prefix to all internal links (#33264)
    • Fix more links (#33265)
    • Update usage instructions for Windows users (#33284)
    • Update app config paths to use app/app.config.ts (#33297)
    • Remove d suffix in example (#33298)
    • Move directory structure to top-level (#33299)
    • Add information about useFetch reactivity (#33317)
    • Add more 4.x prefixes in urls (47ea684c7)
    • Lint code samples within docs (#33271)
    • Remove duplicated documentation from nuxt.config page (b438d44e1)
    • Remove docs for outdated asyncData configuration (3e4a999e6)
    • Note prepare command NODE_ENV behavior (#33330)
    • Update nuxt command pages (#33336)

    🏡 Chore

    ✅ Tests

    • nuxt: Set locale to en for nuxt-time tests (#33343)
    • Double gotoPath timeout in CI (f1e5a2d4c)

    🤖 CI

    • Add provenance action to check for downgrades in provenance (5ada6861e)
    • Pass commit sha when triggering ecosystem ci (399df6bab)

    ❤️ Contributors

  • 4.1.2 - 2025-09-12

    4.1.2 is a regularly scheduled patch release.

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxt upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🔥 Performance

    • kit: Do not normalise templates in loop if dst is present (#33200)
    • nuxt: Remove watcher from hydrate-when lazy hydration strategy (#33199)
    • nuxt,schema: Normalise components + directories more efficiently (#33207)
    • kit,nuxt: Reduce unnecessary iteration in nuxt code (#33212)
    • nuxt: Skip running lazy hydration transform with filter (#33213)

    🩹 Fixes

    • schema: Add pkg-types to dependencies (9fe2541ca)
    • nuxt: Ignore errors when treeshaking composables within other composables (f99eac516)
    • nuxt: Do not tree-shake composables within other composables (#33153)
    • kit: Ensure module dependencies are typed correctly (4568e8451)
    • nuxt: Prevent Infinity backgroundSize in loading indicator (#33211)
    • nuxt: Remove unused enabled from components dir options (#32844)
    • nuxt: Sync watch request in useAsyncData (#33192)
    • nuxt: Move key imports logic after all modules run (#33214)

    📖 Documentation

    • Update reference to source dir (65712297a)
    • Update language on bridge head migration (c9d986889)
    • Update file path for pinia store (#33205)
    • Add app/ suffix to a few links (#33217)

    🏡 Chore

    ✅ Tests

    ❤️ Contributors

  • 4.1.1 - 2025-09-05

    v4.1.1 is a regularly scheduled patch release

    ✅ Upgrading

    Our recommendation for upgrading is to run:

    npx nuxt upgrade --dedupe

    This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

    👉 Changelog

    compare changes

    🩹 Fixes

    • nuxt: Correct relative path of auto imported components (#33122)
    • nuxt: Prefer accessing globalThis over window (#33125)
    • nuxt: Migrate to AST-aware tree-shaking + route injection (#33128)
    • nuxt: Ignore #components import mapping inside packages that use it internally (#33049)
    • vite: Remove explicit vite-node configuration of deps.inline (#33133)
    • nuxt: Include trace in dev-time useRoute usage warning (#33039)
    • kit: Improve DX by displaying module name when possible (#33137)
    • nuxt: Print route middleware path in warning (#33136)
    • nuxt: Include core auto-imports from imports:sources in override warning (#33050)
    • nuxt: Render relative importmap entry path if required (#33146)

    📖 Documentation

    • Add -- to bun create command (5e661f0ca)
    • Add app/ prefix in lots of cases (#33117)
    • Add JSDoc for navigateTo (#21442)

    🏡 Chore

    🤖 CI

    • Remove default discord reactions from thread (more noise than it's worth) (183913fe2)
    • Rewrite release workflow in ts + support multiple tags (4469ead82)
    • Pass correct flag (711037cda)
    • Pass tag via env variable (fb83cd5ba)
    • Drop 4x tags from releases (1cd8a6857)

    ❤️ Contributors

  • 4.1.0 - 2025-09-02

    👀 Highlights

    🔥 Build and Performance Improvements

    🍫 Enhanced Chunk Stability

    Build stability has been significantly improved with import maps (#33075). This prevents cascading hash changes that could invalidate large portions of your build when small changes are made:

    <!-- Automatically injected import map -->
    <script type="importmap">{"imports":{"#entry":"/_nuxt/DC5HVSK5.js"}}</script>

    By default, JS chunks emitted in a Vite build are hashed, which means they can be cached immutably. However, this can cause a significant issue: a change to a single component can cause every hash to be invalidated, massively increasing the chance of 404s.

    In short:

    1. a component is changed slightly - the hash of its JS chunk changes
    2. the page which uses the component has to be updated to reference the new file name
    3. the entry now has its hash changed because it dynamically imports the page
    4. every other file which imports the entry has its hash changed because the entry file name is changed

    Obviously this wasn't optimal. With this new feature, the hash of (otherwise) unchanged files which import the entry won't be affected.

    This feature is automatically enabled and helps maintain better cache efficiency in production. It does require native import map support, but Nuxt will automatically disable it if you have configured vite.build.target to include a browser that doesn't support import maps.

    And of course you can disable it if needed:

    export default defineNuxtConfig({
      experimental: {
        entryImportMap: false
      }
    })

    🦀 Experimental Rolldown Support

    Nuxt now includes experimental support for rolldown-vite (#31812), bringing Rust-powered bundling for potentially faster builds.

    To try Rolldown in your Nuxt project, you need to override Vite with the rolldown-powered version since Vite is a dependency of Nuxt. Add the following to your package.json:

    npm:

    {
      "overrides": {
        "vite": "npm:rolldown-vite@latest"
      }
    }

    pnpm:

    {
      "pnpm": {
        "overrides": {
          "vite": "npm:rolldown-vite@latest"
        }
      }
    }

    yarn:

    {
      "resolutions": {
        "vite": "npm:rolldown-vite@latest"
      }
    }

    bun:

    {
      "overrides": {
        "vite": "npm:rolldown-vite@latest"
      }
    }

    After adding the override, reinstall your dependencies. Nuxt will automatically detect when Rolldown is available and adjust its build configuration accordingly.

    For more details on Rolldown integration, see the Vite Rolldown guide.

    Note

    This is experimental and may have some limitations, but offers a glimpse into the future of high-performance bundling in Nuxt.

    🧪 Improved Lazy Hydration

    Lazy hydration macros now work without auto-imports (#33037), making them more reliable when component auto-discovery is disabled:

    <script setup>
    // Works even with components: false
    const LazyComponent = defineLazyHydrationComponent(
      'visible',
      () => import('./MyComponent.vue')
    )
    </script>

    This ensures that components that are not "discovered" through Nuxt (e.g., because components is set to false in the config) can still be used in lazy hydration macros.

    📄 Enhanced Page Rules

    If you have enabled experimental extraction of route rules, these are now exposed on a dedicated rules property on NuxtPage objects (#32897), making them more accessible to modules and improving the overall architecture:

    // In your module
    nuxt.hook('pages:extend', pages => {
      pages.push({
        path: '/api-docs',
        rules: { 
          prerender: true,
          cors: true,
          headers: { 'Cache-Control': 's-maxage=31536000' }
        }
      })
    })

    The defineRouteRules function continues to work exactly as before, but now provides better integration possibilities for modules.

    🚀 Module Development Enhancements

    🪾 Module Dependencies and Integration

    Modules can now specify dependencies and modify options for other modules (#33063). This enables better module integration and ensures proper setup order:

    export default defineNuxtModule({
      meta: {
        name: 'my-module',
      },
      moduleDependencies: {
        'some-module': {
          // You can specify a version constraint for the module
          version: '>=2',
          // By default moduleDependencies will be added to the list of modules 
          // to be installed by Nuxt unless `optional` is set.
          optional: true,
          // Any configuration that should override `nuxt.options`.
          overrides: {},
          // Any configuration that should be set. It will override module defaults but
          // will not override any configuration set in `nuxt.options`.
          defaults: {}
        }
      },
      setup (options, nuxt) {
        // Your module setup logic
      }
    })

    This replaces the deprecated installModule function and provides a more robust way to handle module dependencies with version constraints and configuration merging.

    🪝 Module Lifecycle Hooks

    Module authors now have access to two new lifecycle hooks: onInstall and onUpgrade (#32397). These hooks allow modules to perform additional setup steps when first installed or when upgraded to a new version:

    export default defineNuxtModule({
      meta: {
        name: 'my-module',
        version: '1.0.0',
      },

      onInstall(nuxt) {
        // This will be run when the module is first installed
        console.log('Setting up my-module for the first time!')
      },

      onUpgrade(inlineOptions, nuxt, previousVersion) {
        // This will be run when the module is upgraded
        console.log(`Upgrading my-module from v${previousVersion}`)
      }
    })

    The hooks are only triggered when both name and version are provided in the module metadata. Nuxt uses the .nuxtrc file internally to track module versions and trigger the appropriate hooks. (If you haven't come across it before, the .nuxtrc file should be committed to version control.)

    Tip

    This means module authors can begin implementing their own 'setup wizards' to provide a better experience when some setup is required after installing a module.

    🙈 Enhanced File Resolution

    The new ignore option for resolveFiles (#32858) allows module authors to exclude specific files based on glob patterns:

    // Resolve all .vue files except test files
    const files = await resolveFiles(srcDir, '**/*.vue', {
      ignore: ['**/*.test.vue', '**/__tests__/**']
    })

    📂 Layer Directories Utility

    A new getLayerDirectories utility (#33098) provides a clean interface for accessing layer directories without directly accessing private APIs:

    import { getLayerDirectories } from '@nuxt/kit'

    const layerDirs = await getLayerDirectories(nuxt)
    // Access key directories:
    // layerDirs.app - /app/ by default
    // layerDirs.appPages - /app/pages by default
    // layerDirs.server - /server by default
    // layerDirs.public - /public by default

    ✨ Developer Experience Improvements

    🎱 Simplified Kit Utilities

    Several kit utilities have been improved for better developer experience:

    • addServerImports now supports single imports (#32289):
    // Before: required array
    addServerImports([{ from: 'my-package', name: 'myUtility' }])

    // Now: can pass directly
    addServerImports({ from: 'my-package', name: 'myUtility' })

    🔥 Performance Optimizations

    This release includes several internal performance optimizations:

    • Improved route rules cache management (#32877)
    • Optimized app manifest watching (#32880)
    • Better TypeScript processing for page metadata (#32920)

    🐛 Notable Fixes

    • Improved useFetch hook typing (#32891)
    • Better handling of TypeScript expressions in page metadata (#32902, #32914)
    • Enhanced route matching and synchronization (#32899)
    • Reduced verbosity of Vue server warnings in development (#33018)
    • Better handling of relative time calculations in <NuxtTime> (#32893)

    ✅ Upgrading

    As usual, our recommendation for upgrading is to run:

    npx nuxt upgrade --dedupe

    This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

    👉 Changelog

    compare changes

    🚀 Enhancements

    • kit:

Snyk has created this PR to upgrade nuxt from 3.12.4 to 4.1.3.

See this package in npm:
nuxt

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/8b4160ff-3510-4d06-a27b-7930a5e75719?utm_source=github&utm_medium=referral&page=upgrade-pr
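
A triage pass over the issue list in this PR body, as an added example that is not part of the Snyk PR or of Nuxt's release notes: it parses the rows, collapses repeated ids, and orders them by severity and then exploit maturity, so the entries that drive this major-version upgrade come first. The sample rows are copied from the list above; the function names are this example's own.

```javascript
// Added example, not Snyk's or Nuxt's code. SAMPLE holds rows copied from the
// issue list in this PR body (one of them repeated, as in that list).
const SAMPLE = `
high severity Incorrect Authorization
SNYK-JS-VITE-9653016
174 Proof of Concept
high severity Incorrect Authorization
SNYK-JS-VITE-9512410
174 Mature
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-BRACEEXPANSION-9789073
174 Proof of Concept
low severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-BRACEEXPANSION-9789073
174 Proof of Concept
critical severity Prototype Pollution
SNYK-JS-DEVALUE-12205530
174 Proof of Concept
critical severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-KOA-8720152
174 No Known Exploit
`;

const SEVERITY = ['critical', 'high', 'medium', 'low'];
const MATURITY = ['Mature', 'Proof of Concept', 'No Known Exploit'];

// A row is "<severity> severity <title>", the Snyk id, then "<score> <maturity>".
// Fields may be separated by newlines, spaces or "|" column bars.
const ROW = new RegExp(
  `\\b(${SEVERITY.join('|')}) severity[\\s|]+(.+?)[\\s|]+(SNYK-JS-([A-Z0-9]+)-\\d+)` +
  `[\\s|]+(\\d+)[\\s|]+(${MATURITY.join('|')})`, 'gs');

function parseIssues(text) {
  const byId = new Map(); // the list repeats some ids; keep each once
  for (const [, severity, title, id, slug, score, maturity] of text.matchAll(ROW)) {
    if (!byId.has(id)) {
      byId.set(id, { id, slug, severity, title: title.trim(), score: Number(score), maturity });
    }
  }
  return [...byId.values()];
}

// Order by severity, then exploit maturity, then id. The score is parsed but not
// used for ordering because every row in this PR shows the same value.
function rank(issues) {
  return [...issues].sort((a, b) =>
    SEVERITY.indexOf(a.severity) - SEVERITY.indexOf(b.severity) ||
    MATURITY.indexOf(a.maturity) - MATURITY.indexOf(b.maturity) ||
    a.id.localeCompare(b.id));
}

// Group ranked ids by the slug in the id; it need not equal the npm package name.
function byPackage(issues) {
  const groups = {};
  for (const i of rank(issues)) (groups[i.slug] = groups[i.slug] || []).push(i.id);
  return groups;
}

console.log(rank(parseIssues(SAMPLE)).map(i => `${i.severity} | ${i.maturity} | ${i.id}`).join('\n'));
```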