chore(deps): update nuxt core

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	4.2.1 → 4.2.2
vue (source)	3.5.25 → 3.5.26

---

Release Notes

nuxt/nuxt (nuxt)

v4.2.2

Compare Source

4.2.2 is the next patch release.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Do not show pretty error handler when testing (243261edb)
• nuxt: Generate valid references for component declaration items (#​33388)
• nuxt: Sync internal route before calling page:finish hook (#​33707)
• kit: Add TypeScript path alias support for test files (#​33672)
• nitro: Ensure html is a string before injecting error handler (f70b70c97)
• nitro: Include layer server directories in tsconfig.server.json (#​33510)
• nuxt: Ensure deduped async data executions return latest promise (#​33740)
• kit,nuxt: Type + respect moduleDependencies by meta name (#​33774)
• nuxt,schema: Ignore .d.vue.ts declarations (1c73525a2)
• kit,nuxt: Protect against resolved nuxt module subpath (#​33767)
• nuxt: Re-execute callOnce during HMR (#​33810)
• nuxt: Resolve watch callback after reactive key change in useAsyncData (#​33802)
• nuxt: Escape HTML in development error page stack trace (#​33820)
• kit: Do not add resolved rootDir to cached layer config (#​33779)
• kit,schema: Add moduleDependencies -> installModule (#​33689)

💅 Refactors

• nuxt: Improve type safety within callOnce function (#​33825)

📖 Documentation

• Split directory structure and re-order guides (v4) (#​33691)
• Add hints release (#​33701)
• Fix link to vitest globals config (#​33702)
• Add mcp server and llms.txt (#​33371)
• Fix 404 link (98c2f1397)
• Text consistency (#​33709)
• Type error as non-optional prop (#​33763)
• Reformat tables (#​33813)

🏡 Chore

• Update pnpm to 10.21 and enable trust policy (d2c9711c0)
• Revert pnpm trust policy and restore provenance action (f9d0e0a3d)
• Update markdownlint config to ignore mdc issues (e7fff7132)
• Pin to single version of unstorage (ec316eae8)

✅ Tests

• Add patchProp and nodeOps to excluded Vue helpers (#​33754)
• Use fake timers for watch params test (08d9d2f3b)

🤖 CI

• Add --pnpm flag to correctly publish prerelease (#​33688)
• Update action lint config (#​33710)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Florian Heuberger (@​Flo0806)
• Konstantin Telyakov (@​kTelyakov)
• abeer0 (@​iiio2)
• Julien Huang (@​huang-julien)
• Matej Černý (@​cernymatej)
• Robin (@​OrbisK)
• Dheeraj Joshi (@​dheeraj3587)
• Alexander Lichter (@​TheAlexLichter)
• Edwin Samodra (@​edwinsamodra)
• edison (@​edison1105)
• 山吹色御守 (@​KazariEX)
• Sébastien Chopin (@​atinux)
• Hugo (@​HugoRCD)
• pierreoa (@​pierreoa)
• Maxime Pauvert (@​maximepvrt)

vuejs/core (vue)

v3.5.26

Compare Source

Bug Fixes

• compat: fix compat handler of draggable (#​12445) (ed85953), closes #​12444
• compat: handle v-model deprecation warning with missing appContext (#​14203) (945a543), closes #​14202
• compiler-sfc: demote const reactive bindings used in v-model (#​14214) (e24ff7d), closes #​11265 #​11275
• compiler-ssr: handle ssr attr fallthrough when preserve whitespace (#​12304) (4783118), closes #​8072
• hmr: handle cached text node update (#​14134) (69ce3c7), closes #​14127
• keep-alive: use resolved component name for async components in cache pruning (#​14212) (dfe667c), closes #​14210
• runtime-core: ensure correct anchor el for deeper unresolved async components (#​14182) (f5b3bf2), closes #​14173
• runtime-core: handle patch stable fragment edge case (#​12411) (94aeb64), closes #​12410
• runtime-core: pass component instance to flushPreFlushCbs on unmount (#​14221) (e857e12), closes #​14215

Performance Improvements

• compiler-core: use binary-search to get line and column (#​14222) (1904053)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying unsight with    Cloudflare Pages

Latest commit:	7145bc5
Status:	🚫  Build failed.

View logs

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​wxt-dev/​unocss@​1.0.1
	@​wxt-dev/​module-vue@​1.0.3
	@​vueuse/​core@​14.0.0
	hex-rgb@​5.0.0
	@​wxt-dev/​auto-icons@​1.1.0
	consola@​3.4.2
	drizzle-orm@​0.44.7
	lint-staged@​16.1.6
	drizzle-kit@​0.31.4
	eslint@​9.39.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm ioredis is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: pnpm-lock.yaml → npm/ioredis@5.8.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm linkedom is 92.0% likely obfuscated Confidence: 0.92 Location: Package overview From: pnpm-lock.yaml → npm/linkedom@0.18.12 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/linkedom@0.18.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report