chore(deps): update nuxt core

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nuxt/kit (source)	4.3.1 → 4.4.8
nuxt (source)	4.3.1 → 4.4.8
vue (source)	3.5.29 → 3.5.38

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nuxt/nuxt (@​nuxt/kit)

v4.4.8

Compare Source

4.4.8 is a hotfix release to address an issue running the dev server on MacOS.

👉 Changelog

compare changes

🩹 Fixes

• vite: Shorter socket name for macOs with tmp fallback (#​35265)
• kit: Respect type option in findPath (#​35272)
• deps: Update nuxt/scripts presets (905621594)
• nuxt: Revert unhead dependency back to v2 (e6d578fea)

📖 Documentation

• Fix many typos (#​35266)
• Explain static fallback pages (#​35277)
• Change null to undefined in data-fetching docs to match actual types (#​35301)
• Fix broken internal links, useAsyncData watch type, and NuxtError type (#​35303)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Ali Mahmmoud (@​AliMahmoudDev)
• Quentin Macq (@​quentinmcq)
• Pranav Rajeshirke (@​Pranav188)
• Eduardo San Martin Morote (@​posva)

v4.4.7

Compare Source

4.4.7 is a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#​35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#​35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#​35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#​35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#​35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#​35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#​35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#​35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#​35152)
• nuxt: Handle missing payload in chunkError listener (#​35155)
• nuxt: Await in-lifght template generation when closing nuxt (#​35181)
• nuxt: Clarify page and layout usage warnings (#​35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#​35205)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#​35206)
• nuxt: Prevent server-only page island from recursing via <NuxtPage> (#​35198)
• rspack,webpack: Require loopback host when missing same-origin signals (#​35200)
• nitro: Gate chrome devtools workspace endpoint to local requests (#​35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#​35199)
• kit: Improve TS extension stripping/substitutions (#​35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#​35235)
• nuxt: Escape <NoScript> slot content (4b054e9d9)
• nuxt: Match route rules case-insensitively to mirror vue-router (07e39cd6f)
• nuxt: Reject script-capable protocols in <NuxtLink> href (0103ce06f)
• nuxt: Block path-normalization open redirect in navigateTo (2cce6fb02)
• nuxt: Reject cross-origin paths in reloadNuxtApp (e447a793c)
• vite: Bind vite-node IPC to a permissioned filesystem socket (1f9f4767a)

💅 Refactors

• kit,nuxt,vite: Use es2023 array methods (#​34980)
• nuxt: Replace runInNewContext with AST walker (d72a89ef4)

📖 Documentation

• Document vite client and server options (#​35090)
• Add dedicated module dependencies page (#​35171)
• Add nodeTsConfig and sharedTsConfig options (#​35231)
• Edit for clarity and grammar (#​35214)

🏡 Chore

• Use execFileSync for safety in release scripts (1d7baaf01)
• Assert there is always a tag (e98c47c3c)
• Add autofix action tag in comment (ffa5c0098)
• Fix type in test (a549652e2)
• Update renovate minimum release age (d12d5e58a)
• Fix lychee dynamic composable exclude (#​35119)
• Update lockfile (91186dc51)
• Lint (dbc58965c)

✅ Tests

• Update test for js payload rendering (bdcb81536)
• Cover add regression test for hmr in sibling local layers (#​35125)
• Improve reliability of hmr test (1d709b3cc)

🤖 CI

• Always run all tests for 4.x/3.x (0dc4665cf)
• Migrate from tibdex (ded29dc0f)
• Add zizmor github actions check (#​35089)
• Update to agentscan v1.8.0 (#​35120)
• Automatically close PRs from automated accounts (#​35161)
• Disable provenance-change enforcement in dependency-review (a2cf43e68)

❤️ Contributors

• Daniel Roe (@​danielroe)
• David Stack (@​davidstackio)
• David De Sloovere (@​DavidDeSloovere)
• anton-gor-dev (@​anton-gor-dev)
• Noah3521 (@​Noah3521)
• Shahar Aviram (@​ShaharAviram1)
• Matej Černý (@​cernymatej)
• Mohit Kumar (@​mohitkum4r)
• Matteo Gabriele (@​MatteoGabriele)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)

v4.4.6

Compare Source

4.4.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• vite: Use spa entry for vite-node fallback (#​35037)
• vite: Invalidate SSR module cache when modules are invalidated via plugin hooks (a86657a0e)
• nuxt: Match deduplicated resolveComponent calls in jsx blocks (#​35028)
• nuxt: Prefer our own builder/server deps (#​35029)
• nuxt: Update useFetch key even with watch: false (#​35002)
• nitro: Mark @babel/plugin-syntax-typescript as optional peer dep (#​35041)
• nitro: Add json extension to payload cache items (#​35043)
• nuxt: Handle errors fetching app manifest (#​35050)
• nuxt: Encode html-significant characters in external redirect body (#​35052)
• nuxt: Preserve setPageLayout props on same-path navigation (#​35055)
• vite: Don't strip buildAssetsDir from vite-node SSR ids (#​35040)
• nuxt: Mark useLoadingIndicator properties as readonly (#​35062)
• vite: Strip queries in css inline styles map (#​35067)
• nitro: Validate island request hash matches props (#​35077)
• nitro: Use regexp to strip query (163e18d4b)
• nitro: Use statusCode for nitro v2 compatibility (952f6841e)
• nitro-server: Re-export h3 named symbols statically (cd99001c8)
• nuxt: Render component-less parent routes during client-side nav (#​35036)
• kit: Respect tsConfig.exclude in legacy tsconfig.json (#​35079)
• nuxt: Run middleware for page islands (#​35092)

💅 Refactors

• rspack,webpack: Extract same-origin check for dev middleware (#​35051)

📖 Documentation

• Remove CSB, set node 22 and use steps for clarity (#​35066)

🏡 Chore

• One more type, one more (50dcf15bb)
• Remove unneeded (?) overrides (6997093af)
• Use explicit versions for fixture dependencies (294a734d4)
• Ignore link-like syntax in code (2584a549c)
• Narrow engines.node in test (5bb17fb47)
• Remove unused import (a52d78626)

✅ Tests

• Relax relative time assertion (c3dcd16f9)
• Add type (732d844ad)
• Drop h3 v2 types (8286e5fcd)

🤖 CI

• Clean up agent-scan workflow (ab8317547)
• Continue autofix workflow when test:engines fails (3025e561e)
• Improve workflows (#​35088)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Tim (@​timhn-bm)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)
• Sébastien Chopin (@​atinux)
• Adrien Foulon (@​Tofandel)
• Sami El Achi (@​samiashi)

v4.4.5

Compare Source

4.4.5 is the next patch release.

👉 Changelog

compare changes

🔥 Performance

• kit: Cache layer roots and short-circuit isIgnored relative (#​35015)

🩹 Fixes

• vite: Resolve vite clientServer with ssr: false (#​34959)
• nitro: Correct payload route rule for / + override ssr: true (#​34990)
• nitro: Break recursive rendering deadlocks during prerender (#​34939)
• vite: Drop redundant css link when entry styles are inlined (#​34950)
• vite: Sort optimizeDeps.include in pre-bundle hint (#​34976)
• nuxt: Only force suspense remount after first resolve (#​34949)
• kit: Read .env before resolving nuxt schema (#​34958)
• nitro: Preserve serverHandlers array after nitro:config (#​34985)
• nuxt: Cast partial nitro handlers when prepending to server arrays (61dcde4db)
• vite: Only consider CSS inlined when styles are actually emitted (#​35006)
• nuxt: Dedupe getCachedData for concurrent callers sharing a key (#​34999)
• nuxt: Respect factory fetch/baseURL options in server useFetch (#​35003)
• nuxt: Handle string presets in auto-imports (#​35013)
• nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
• vite: Inline css for non-island children of server components (#​35001)
• nuxt: Defer head DOM updates until page transition finishes (#​35016)
• nuxt: Explicitly freeze head during island plugin phase (#​35010)
• vite: Inline css imported from non-vue js modules (#​35020)

📖 Documentation

• Add warning about routing in server components (#​34994)

🏡 Chore

• Fix lockfile (c3ee07801)
• Pin jiti (c8102228f)
• Lint (39422b6d2)
• Pin @vue/compiler-sfc (cd404a14c)
• Ignore pnpm cyclic workspace deps warn (#​34998)
• Remove jiti from build steps (#​35004)

✅ Tests

• Extract server components fixture + add some failing tests (#​34995)
• Isolate buildDir per matrix project for shared fixtures (#​35007)
• Remove tests for 5.x runtimeBaseURL fature (816c25487)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Harlan Wilton (@​harlan-zw)
• Jonazzzz (@​Bombastickj)
• Damian Głowala (@​DamianGlowala)
• Florian Heuberger (@​Flo0806)

v4.4.4

Compare Source

v4.4.2

Compare Source

v4.4.1

Compare Source

vuejs/core (vue)

v3.5.38

Compare Source

v3.5.37

Compare Source

v3.5.36

Compare Source

Bug Fixes

• compiler-core: avoid crash on CDATA at the document root (#​14916) (0ea17e2)
• compiler-core: prefix dynamic keys on v-memo elements (#​14922) (68e978e), closes #​14920
• compiler-sfc: handle vue-ignore on leading intersection/union type (#​14950) (0dcd225), closes #​12254
• compiler-sfc: respect var hoisting in props destructure (48ad452)
• reactivity: preserve watch callback return value when wrapped for once: true (#​14902) (450a8a8)
• runtime-core: add dev warning for silent catch in compat mode and fix test description typo (#​14891) (db3e117)
• runtime-core: force model update when reverted before sync (#​14897) (7f76378), closes #​13524
• runtime-core: skip async component callbacks after unmount (#​14911) (5300ead)
• transition: avoid move transition for hidden v-show group children (#​14895) (c11f6ee), closes #​14894
• watch: trigger immediate callback for empty sources (#​14914) (1f2ca7e), closes #​14898

v3.5.35

Compare Source

Bug Fixes

• compiler-core: avoid double processing v-for keys with v-memo (#​14861) (34a0ded), closes #​14859
• compiler-sfc: resolve top-level exports from files registered as global types (#​14805) (3d077f2), closes nuxt/nuxt#33694
• runtime-core: avoid repeated hydration mismatch checks (#​14857) (170fc95), closes #​14855
• runtime-core: skip idle persisted transition hooks in keep-alive moves (#​14865) (80fc139), closes #​14031
• server-renderer: propagate sync errors from ssrRenderSuspense (#​14804) (4760997), closes nuxt/nuxt#28162
• teleport: skip child unmount when pending mount discarded (#​14876) (#​14877) (584beb1)

Performance Improvements

• reactivity: skip type checks for cached proxies (#​14860) (5734fe9)
• runtime-dom: optimize array event handler dispatch (#​14828) (bb18dc8)
• server-renderer: avoid materializing iterables in ssrRenderList (#​14821) (1b7a2cc)

v3.5.34

Compare Source

Bug Fixes

• compiler-sfc: infer Vue ref wrapper types when source is unresolvable (#​14758) (7f46fd4), closes #​14729
• compiler-sfc: preserve hash hrefs on <image> elements (#​14756) (090b2e3)
• compiler-sfc: resolve type re-exports inside declare global (#​14766) (acfffe3)
• reactivity: prevent orphan effect when created in a stopped scope (#​14778) (c8e2d4a), closes #​14777
• runtime-core: avoid symbol coercion during props validation (#​8539) (23d4fb5), closes #​8487
• suspense: avoid DOM leak with out-in transition in v-if fragment (#​14762) (9667e0d), closes #​14761

v3.5.33

Compare Source

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#​14725) (bb9d265), closes #​14724
• reactivity: unlink effect scopes on out-of-order off (#​14734) (e7659be), closes #​14733
• runtime-dom: preserve textarea resize dimensions (#​14747) (11fb2fd), closes #​14741
• teleport: don't move teleport children if not mounted (#​14702) (6a61f44), closes #​14701
• transition: preserve placeholder for conditional explicit default slots (#​14748) (45990ce), closes #​14727

v3.5.32

Compare Source

Bug Fixes

• runtime-core: prevent currentInstance leak into sibling render during async setup re-entry (#​14668) (f166353), closes #​14667
• teleport: handle updates before deferred mount (#​14642) (32b44f1), closes #​14640
• types: allow customRef to have different getter/setter types (#​14639) (e20ddb0)
• types: use private branding for shallowReactive (#​14641) (302c47a), closes #​14638 #​14493

Reverts

• Revert "fix(server-renderer): cleanup component effect scopes after SSR render" (#​14674) (219d83b), closes #​14674 #​14669

v3.5.31

Compare Source

Bug Fixes

• compiler-sfc: allow Node.js subpath imports patterns in asset urls (#​13045) (95c3356), closes #​9919
• compiler-sfc: support template literal as defineModel name (#​14622) (bd7eef0), closes #​14621
• reactivity: normalize toRef property keys before dep lookup + improve types (#​14625) (1bb28d0), closes #​12427 #​12431
• runtime-core: invalidate detached v-for memo vnodes after unmount (#​14624) (560def4), closes #​12708 #​12710
• runtime-core: preserve nullish event handlers in mergeProps (#​14550) (5725222)
• runtime-core: prevent merging model listener when value is null or undefined (#​14629) (b39e032)
• runtime-dom: defer teleport mount/update until suspense resolves (#​8619) (88ed045), closes #​8603
• runtime-dom: handle activeElement check in Shadow DOM for v-model (#​14196) (959ded2)
• server-renderer: cleanup component effect scopes after SSR render (#​14548) (862f11e)
• suspense: avoid unmount activeBranch twice if wrapped in transition (#​9392) (908c6ad), closes #​7966
• suspense: update suspense vnode's el during branch self-update (#​12922) (a2c1700), closes #​12920
• transition: skip enter guard while hmr updating (#​14611) (be0a2f1), closes #​14608
• types: prevent shallowReactive marker from leaking into value unions (#​14493) (3b561db), closes #​14490

v3.5.30

Compare Source

Bug Fixes

• compat: add entities to @​vue/compat deps to fix CJS edge cases (#​12514) (e725a67), closes #​10609
• custom-element: ensure child component styles are injected in correct order before parent styles (#​13374) (1398bf8), closes #​13029
• custom-element: properly locate parent when slotted in shadow dom (#​12480) (f06c81a), closes #​12479
• custom-element: should properly patch as props for vue custom elements (#​12409) (740983e), closes #​12408
• reactivity: avoid duplicate raw/proxy entries in Set.add (#​14545) (d943612)
• reactivity: fix reduce on reactive arrays to preserve reactivity (#​12737) (16ef165), closes #​12735
• reactivity: handle Set with initial reactive values edge case (#​12393) (5dc27ca), closes #​8647
• runtime-core: warn about negative number in v-for (#​12308) (9438cc5)
• ssr: prevent watch from firing after async setup await (#​14547) (6cda71d), closes #​14546
• types: make generics with runtime props in defineComponent work (fix #​11374) (#​13119) (cea3cf7), closes #​13763
• types: narrow useAttrs class/style typing for TSX (#​14492) (bbb8977), closes #​14489

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
magic-regexp-docs	Error		Jun 11, 2026 10:39pm

[github-actions]

Diagnostics Comparison:

Click to expand

Metric	Previous	New	Status
Files	355	355	± (0.00%)
Lines	159892	159892	± (0.00%)
Identifiers	152369	152369	± (0.00%)
Symbols	252910	252910	± (0.00%)
Types	49252	49252	± (0.00%)
Instantiations	390222	390222	± (0.00%)
Memory used	304206K	348945K	▲ (+12.82%)
I/O read	0.03s	0.03s	± (0.00%)
I/O write	0s	0s	± (0.00%)
Parse time	0.68s	0.69s	± (+1.45%)
Bind time	0.28s	0.28s	± (0.00%)
Check time	1.61s	1.63s	± (+1.23%)
Emit time	0.08s	0.08s	± (0.00%)
Total time	2.64s	2.67s	± (+1.12%)

[codspeed-hq]

Merging this PR will not alter performance

✅ 6 untouched benchmarks

---

_{Comparing renovate/nuxt (75a34ef) with main (1f8e8b2)}

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 3 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 27, reused 0, downloaded 0, added 0
Progress: resolved 120, reused 0, downloaded 0, added 0
Progress: resolved 255, reused 0, downloaded 0, added 0
Progress: resolved 363, reused 0, downloaded 0, added 0
Progress: resolved 564, reused 0, downloaded 0, added 0
Progress: resolved 652, reused 0, downloaded 0, added 0
Progress: resolved 749, reused 0, downloaded 0, added 0
Progress: resolved 837, reused 0, downloaded 0, added 0
Progress: resolved 1073, reused 0, downloaded 0, added 0
Progress: resolved 1129, reused 0, downloaded 0, added 0
Progress: resolved 1283, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/unjs/magic-regexp/docs:
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "semver@6.3.1" (possible package takeover)

This error happened while installing the dependencies of nuxt@4.4.8
 at @nuxt/vite-builder@4.4.8
 at @vitejs/plugin-vue-jsx@5.1.5
 at @babel/core@7.29.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.
Progress: resolved 1364, reused 0, downloaded 0, added 0