Update dependency nuxt to v4.4.6 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
nuxt (source)	4.0.3 → 4.4.6

---

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

CVE-2025-59414 / GHSA-p6jq-8vc4-79f6

More information

Details

Summary

A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met.

Technical Details

The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. The issue affects the following flow:

1. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object
2. This data gets serialized with devalue.stringify and stored in the prerendered page
3. When a client navigates to the prerendered page, devalue.parse deserializes the payload
4. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences

Prerequisites for Exploitation

This vulnerability requires all of the following conditions:

1. Prerendered pages: The application must use Nuxt's prerendering feature (nitro.prerender)
2. Attacker-controlled API responses: The attacker must be able to control the response content of an API endpoint that is called during prerendering via useFetch, useAsyncData, or similar composables
3. Client-side navigation: A user must navigate to the prerendered page (not during initial SSR hydration)

Attack Scenario

// Malicious API response during prerendering
{
  "__nuxt_island": {
    "key": "../../../../internal/service",
    "params": { "action": "probe" }
  }
}

This could cause the client to make requests to /__nuxt_island/../../../../internal/service.json if path traversal is not properly handled by the server.

Impact Assessment

• Limited Impact: The vulnerability has a low severity due to the highly specific prerequisites
• No Direct Data Exfiltration: The vulnerability does not directly expose sensitive data
• Client-Side Only: Requests originate from the client, not the server

Mitigation

Action Required:

• Update to Nuxt 3.19.0+ or 4.1.0+ immediately
• Review any prerendered pages that fetch external or user-controlled data

Temporary Workarounds (if immediate update is not possible):

1. Disable prerendering for pages that fetch user-controlled data
2. Implement strict input validation on API endpoints used during prerendering
3. Use allowlists for API response structures during prerendering

Fix Details

The fix implemented validation for Island keys in revive-payload.server.ts:

• Island keys must match the pattern /^[a-z][a-z\d-]*_[a-z\d]+$/i
• Maximum length of 100 characters
• Prevents path traversal and special characters

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

• https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6
• https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595
• https://nvd.nist.gov/vuln/detail/CVE-2025-59414
• https://github.com/advisories/GHSA-p6jq-8vc4-79f6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Nuxt: Reflected XSS in navigateTo() external redirect

CVE-2026-45669 / GHSA-fx6j-w5w5-h468

More information

Details

Summary

navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.

This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed javascript: protocol bypass. The issue here is triggered by any valid URL containing >.

Impact

Applications that pass user-controlled input to navigateTo(url, { external: true }) — typically via a ?next= / ?redirect= query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.

Details

In packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only " percent-encoded in the destination URL:

const encodedLoc = location.replace(/"/g, '%22')
nuxtApp.ssrContext!['~renderResponse'] = {
status: sanitizeStatusCode(options?.redirectCode || 302, 302),
body: `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`,
headers: { location: encodeURL(location, isExternalHost) },
}

The Location header is normalised through encodeURL() (which uses the URL constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.

Proof of concept

Global middleware that forwards a query parameter to navigateTo:

// middleware/redirect.global.ts
export default defineNuxtRouteMiddleware((to) => {
const next = to.query.next as string | undefined
if (next) {
 return navigateTo(next, { external: true })
}
})

Request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

Response body:

<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>"></head></html>

The > after evil.example/x terminates the content="…" attribute, and the <img onerror> tag executes JavaScript in the application's origin before any redirect
occurs.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #​35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&, ", ', <, >) before interpolating the URL into the meta-refresh body

Workarounds

If you can't upgrade immediately, validate user-controlled URLs before passing them to navigateTo(url, { external: true }). At minimum, normalise through new URL(input).toString() and reject inputs containing < or > (a normalised URL with these characters is malformed and safe to refuse).

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468
• https://github.com/nuxt/nuxt/pull/35052
• https://github.com/advisories/GHSA-fx6j-w5w5-h468

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Nuxt: __nuxt_island endpoint does not bind responses to request props, enabling shared-cache poisoning

CVE-2026-46342 / GHSA-g8wj-3cr3-6w7v

More information

Details

Summary

The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query.

Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does not treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one.

Impact

In applications where a CDN or reverse-proxy in front of the app caches /__nuxt_island/* keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry.

Where the affected island has any prop flowing into an unsafe HTML sink in application code (v-html, innerHTML, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. HttpOnly cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script.

Preconditions:

• experimental.componentIslands enabled (or the default 'auto' with at least one server / island component in the app).
• A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only.
• For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink.

Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution.

Patches

Patched in nuxt@4.4.6 and nuxt@3.21.6 by #​35077. The island handler now recomputes the expected hashId from (name, props, context) using the same ohash function <NuxtIsland> already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props.

Workarounds

For users unable to upgrade immediately:

• Ensure any intermediary cache keys /__nuxt_island/* on the full query string, not on the path alone. This is the recommended configuration regardless.
• Audit application-authored islands for props flowing into v-html / innerHTML / similar HTML sinks; treat island props as untrusted user input.

Note on island authentication

[!IMPORTANT]
It's important to remember that route middleware does not run when rendering island components, and islands cannot rely on routing-layer auth. Applications gating sensitive data behind page middleware should enforce that auth inside the island's own data layer (server-only routes, useRequestEvent + manual session checks, etc.) rather than relying on the embedding page's middleware - this was true before this advisory and remains true after it.

A separate advisory addresses *.server.vue pages registered as page_<routeName> islands, where the documented "middleware doesn't run for islands" contract collides with the page's own definePageMeta({ middleware }) declaration in a way that constitutes a genuine bug rather than documented behaviour.

Severity

• CVSS Score: 2.3 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v
• https://github.com/nuxt/nuxt/pull/35077
• https://github.com/advisories/GHSA-g8wj-3cr3-6w7v

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Nuxt's route middleware is not enforced when rendering .server.vue pages via /__nuxt_island/page_*

CVE-2026-47200 / GHSA-hg3f-28rg-4jxj

More information

Details

Summary

When experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run.

For Nuxt applications that gate a .server.vue page behind route middleware as their sole auth check, an unauthenticated attacker could bypass that check by requesting /__nuxt_island/page_<routeName>_<anyhash> directly and receiving the server-rendered HTML.

Affected configurations

All three conditions must hold for an application to be vulnerable:

1. experimental.componentIslands is enabled (the default in Nuxt 4; opt-in in Nuxt 3).
2. The application defines one or more .server.vue files under pages/, registering them as routed pages.
3. Authentication / authorization for at least one such page is enforced solely via route middleware (middleware/*.ts referenced from definePageMeta), without a server-side check inside the page or its data layer.

Applications that enforce auth inside the island's own data layer (server-only API routes, useRequestEvent + manual session checks, etc.) were not affected. The general "route middleware does not run for non-page island components" behaviour is documented and unchanged; this advisory concerns the .server.vue page case specifically, where running middleware is the user's clear expectation.

Details

• Build (packages/nuxt/src/components/templates.ts): .server.vue pages are registered as island components with page_ prefix, making them addressable through /__nuxt_island/page_<routeName>_<hashId>.
• Runtime (packages/nitro-server/src/runtime/handlers/island.ts): the handler resolves the requested island component and renders it via renderer.renderToString(ssrContext). The Vue Router plugin previously short-circuited middleware execution whenever ssrContext.islandContext was set.
• The two paths interact so that route middleware declared on the source page never runs.

Proof of concept

Given a page app/pages/secret.server.vue:

<script setup lang="ts">
definePageMeta({ middleware: 'auth' })
</script>

<template>
<h1>SECRET DATA</h1>
</template>

with middleware/auth.ts blocking unauthenticated access:

##### Direct page request: blocked by middleware
curl -i http://localhost:3000/secret

##### -> 403 / redirect, depending on the middleware

##### Island request: middleware did not run before this fix
curl -i 'http://localhost:3000/__nuxt_island/page_secret_anyhash'

##### -> 200 OK, body includes <h1>SECRET DATA</h1>

Patches

Patched in nuxt@4.4.6 and nuxt@3.21.6 by #​35092. The Vue Router plugin now runs middleware and redirect handling for page_* islands (i.e. islands that originate from .server.vue files in pages/). The island handler propagates middleware-issued responses (~renderResponse), and a new beforeResolve guard returns HTTP 400 when the requested page_<name> does not match the route component the URL resolves to.

Non-page island components are unaffected - they continue to render without route middleware, by design.

Workarounds

If you cannot upgrade immediately:

• Enforce authentication inside the .server.vue page itself, not via route middleware. Read the session from useRequestEvent() and throw createError({ statusCode: 401 }) (or redirect) before returning data. This is the recommended pattern for islands regardless of this advisory.
• Disable experimental.componentIslands if your app does not use the feature.
• If your app must keep route-middleware-only auth, gate the /__nuxt_island/page_* URL prefix at your reverse proxy or in a server middleware.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj
• https://github.com/nuxt/nuxt/issues/19772
• https://github.com/nuxt/nuxt/pull/35092
• https://github.com/advisories/GHSA-hg3f-28rg-4jxj

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nuxt/nuxt (nuxt)

v4.4.6

Compare Source

4.4.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• vite: Use spa entry for vite-node fallback (#​35037)
• vite: Invalidate SSR module cache when modules are invalidated via plugin hooks (a86657a0e)
• nuxt: Match deduplicated resolveComponent calls in jsx blocks (#​35028)
• nuxt: Prefer our own builder/server deps (#​35029)
• nuxt: Update useFetch key even with watch: false (#​35002)
• nitro: Mark @babel/plugin-syntax-typescript as optional peer dep (#​35041)
• nitro: Add json extension to payload cache items (#​35043)
• nuxt: Handle errors fetching app manifest (#​35050)
• nuxt: Encode html-significant characters in external redirect body (#​35052)
• nuxt: Preserve setPageLayout props on same-path navigation (#​35055)
• vite: Don't strip buildAssetsDir from vite-node SSR ids (#​35040)
• nuxt: Mark useLoadingIndicator properties as readonly (#​35062)
• vite: Strip queries in css inline styles map (#​35067)
• nitro: Validate island request hash matches props (#​35077)
• nitro: Use regexp to strip query (163e18d4b)
• nitro: Use statusCode for nitro v2 compatibility (952f6841e)
• nitro-server: Re-export h3 named symbols statically (cd99001c8)
• nuxt: Render component-less parent routes during client-side nav (#​35036)
• kit: Respect tsConfig.exclude in legacy tsconfig.json (#​35079)
• nuxt: Run middleware for page islands (#​35092)

💅 Refactors

• rspack,webpack: Extract same-origin check for dev middleware (#​35051)

📖 Documentation

• Remove CSB, set node 22 and use steps for clarity (#​35066)

🏡 Chore

• One more type, one more (50dcf15bb)
• Remove unneeded (?) overrides (6997093af)
• Use explicit versions for fixture dependencies (294a734d4)
• Ignore link-like syntax in code (2584a549c)
• Narrow engines.node in test (5bb17fb47)
• Remove unused import (a52d78626)

✅ Tests

• Relax relative time assertion (c3dcd16f9)
• Add type (732d844ad)
• Drop h3 v2 types (8286e5fcd)

🤖 CI

• Clean up agent-scan workflow (ab8317547)
• Continue autofix workflow when test:engines fails (3025e561e)
• Improve workflows (#​35088)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Tim (@​timhn-bm)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)
• Sébastien Chopin (@​atinux)
• Adrien Foulon (@​Tofandel)
• Sami El Achi (@​samiashi)

v4.4.5

Compare Source

4.4.5 is the next patch release.

👉 Changelog

compare changes

🔥 Performance

• kit: Cache layer roots and short-circuit isIgnored relative (#​35015)

🩹 Fixes

• vite: Resolve vite clientServer with ssr: false (#​34959)
• nitro: Correct payload route rule for / + override ssr: true (#​34990)
• nitro: Break recursive rendering deadlocks during prerender (#​34939)
• vite: Drop redundant css link when entry styles are inlined (#​34950)
• vite: Sort optimizeDeps.include in pre-bundle hint (#​34976)
• nuxt: Only force suspense remount after first resolve (#​34949)
• kit: Read .env before resolving nuxt schema (#​34958)
• nitro: Preserve serverHandlers array after nitro:config (#​34985)
• nuxt: Cast partial nitro handlers when prepending to server arrays (61dcde4db)
• vite: Only consider CSS inlined when styles are actually emitted (#​35006)
• nuxt: Dedupe getCachedData for concurrent callers sharing a key (#​34999)
• nuxt: Respect factory fetch/baseURL options in server useFetch (#​35003)
• nuxt: Handle string presets in auto-imports (#​35013)
• nuxt: Correct island transform for server pages and 'deep' mode (#​35005)
• vite: Inline css for non-island children of server components (#​35001)
• nuxt: Defer head DOM updates until page transition finishes (#​35016)
• nuxt: Explicitly freeze head during island plugin phase (#​35010)
• vite: Inline css imported from non-vue js modules (#​35020)

📖 Documentation

• Add warning about routing in server components (#​34994)

🏡 Chore

• Fix lockfile (c3ee07801)
• Pin jiti (c8102228f)
• Lint (39422b6d2)
• Pin @vue/compiler-sfc (cd404a14c)
• Ignore pnpm cyclic workspace deps warn (#​34998)
• Remove jiti from build steps (#​35004)

✅ Tests

• Extract server components fixture + add some failing tests (#​34995)
• Isolate buildDir per matrix project for shared fixtures (#​35007)
• Remove tests for 5.x runtimeBaseURL fature (816c25487)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Harlan Wilton (@​harlan-zw)
• Jonazzzz (@​Bombastickj)
• Damian Głowala (@​DamianGlowala)
• Florian Heuberger (@​Flo0806)

v4.4.4

Compare Source

v4.4.2

Compare Source

v4.3.1

Compare Source

4.3.1 is a regularly scheduled patch release.

👉 Changelog

compare changes

🩹 Fixes

• nuxt: Correct reference format of server builder (#​34177)
• nuxt: Add status/statusText getters to NuxtError (#​34188)
• nuxt: Don't inject shared types for differing auto-imports (#​34191)
• schema: Add direnv and vendor to default ignore (#​34190)
• nuxt: Focus hash links after navigation (#​34193)
• nuxt: Exclude head runtime from unhead imports transform (#​34195)
• kit: Include prereleases in semver satisfy check (#​34210)
• nitro: Encode unicode paths in x-nitro-prerender header (#​34202)
• nuxt: Watch server/ for builder:watch hook (#​34208)
• nitro: Preserve error.message for fatal errors (#​34226)
• Only enable dynamic imports when ts plugin (#​34205)
• webpack: Use H3Error for 403 in dev server (#​34233)
• nuxt: Ensure NuxtError extends Error type (#​34242)
• vite: Use H3Error for 404 in dev server (#​34225)
• nuxt: Add backwards compat for #app barrel export in keyed functions (#​34199)
• nuxt: Track + re-add custom routes on hmr (#​32044)
• nuxt: Keep vnode when leaving deeper nested route (#​33778)
• vite: Prevent CSS flickering in dev mode after config changes (#​33856)
• nuxt: Do not start view transition if there is no route (#​33723)
• nuxt: Call deferHydration done on NuxtPage unmount (#​34152)
• nuxt: Handle invalid datetime in ` (#​33992)
• nuxt: Preserve middleware error status in 404 fallback (#​34148)
• nitro: Do not augment nuxt/schema (#​34255)
• nuxt: Cache manifest files to preserve buildId (#​34002)
• nuxt: Don't decode query string in SSR context URL (#​34252)
• nuxt: Allow specifying moduleDependencies by meta.name (#​34263)
• nuxt: Resolve #components import mapping conflict for packages outside rootDir (#​34139)
• vite,webpack: Use node.res to send 403/404 (#​34266)
• nitro,nuxt: Align path encoding with vue-router (#​34265)
• nitro: Augment nuxt/schema once more (552bbd8d1)

💅 Refactors

• nuxt: Prefer genObjectKey to omit unnecessary quotes (#​34245)
• nuxt: Use ComponentProps helper to extract layout props (#​34248)

📖 Documentation

• Update roadmap dates (#​34166)
• Correct default value of nitroAutoImports (#​34182)
• Clarify shared type context limitations for custom imports (#​34194)
• Fix broken links (#​34223)
• Document payload extraction for ISR/SWR routes (#​34222)
• Update default aliases in configuration reference (#​34237)
• Update example of email validation (#​34247)
• Align server alias examples with #server and rootDir (#​34259)
• Add documentation for keyedComposables (#​34201)

🏡 Chore

• Remove px from width attribute (8d1cbb27a)
• Add ai config in gitignore (#​34220)

✅ Tests

• Vitest v4 compatibility (825b2c202)
• Add runtime tests for deeply nested <NuxtPage> navigation (048efc030)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Matej Černý (@​cernymatej)
• Octavio Araiza (@​8ctavio)
• Muhammad Yasir Ghaffar (@​M-YasirGhaffar)
• mrkaashee (@​mrkaashee)
• Max (@​onmax)
• Bobbie Goede (@​BobbieGoede)
• 纸鹿/Zhilu (@​L33Z22L11)
• Florian Heuberger (@​Flo0806)
• 山吹色御守 (@​KazariEX)
• ExXTreMe315 (@​ExXTreMe315)
• Eugene (@​FlexIDK)
• abeer0 (@​iiio2)
• Jonas Thelemann (@​dargmuesli)
• Erwan Jugand (@​erwanjugand)

v4.3.0

Compare Source

4.3.0 is the next minor release.

Nuxt 4.3 brings powerful new features for layouts, caching, and developer experience – plus significant performance improvements under the hood.

📣 Some News

Extended v3 Support

Early this month, I opened a discussion to find out how the upgrade had gone from v3 to v4. I was really pleased to hear how well it had gone for most people.

Having said that, we're committed to making sure no one gets left behind. And so we will continue to provide security updates and critical bug fix releases beyond the previously announced end-of-life date of January 31, 2026, meaning Nuxt v3 will meet its end-of-life on July 31, 2026.

[!TIP]
As usual, today also brings a minor release for v3, with many of the same improvements backported from v4.3.

Preparing for Nuxt 5

We're closer than ever to the releases of Nuxt v5 and Nitro v3. In the coming weeks, the main branch of the Nuxt repository will begin receiving initial commits for Nuxt 5. However, it's still business as usual.

• Continue making pull requests to the main branch
• We'll backport changes to the 4.x and 3.x branches

Keep an eye out on the Upgrade Guide – we'll be adding details about how you can already start migrating your projects to prepare for Nuxt v4 with future.compatibilityVersion: 5.

🗂️ Route Rule Layouts

But that's enough about the future. We have a lot of good things for you today!

First, you can now set layouts directly in route rules using the new appLayout property (#​31092). This provides a centralized, declarative way to manage layouts across your application without scattering definePageMeta calls throughout your pages.

export default defineNuxtConfig({
  routeRules: {
    '/admin/**': { appLayout: 'admin' },
    '/dashboard/**': { appLayout: 'dashboard' },
    '/auth/**': { appLayout: 'minimal' }
  }
})

This might be useful for:

• Admin panels with a shared layout across many routes
• Marketing pages that need a different layout from the app

[!TIP]
Plus, you can pass props to layouts now! See the setPageLayout improvements below.

📦 ISR/SWR Payload Extraction

Payload extraction now works with ISR (incremental static regeneration), SWR (stale-while-revalidate) and cache routeRules (#​33467). Previously, only pre-rendered pages could generate _payload.json files.

This means:

• Client-side navigation to ISR/SWR pages can use cached payloads
• CDNs (Vercel, Netlify, Cloudflare) can cache payload files alongside HTML
• Fewer API calls during navigation – data can be prefetched and served from the cached payload

export default defineNuxtConfig({
  routeRules: {
    '/products/**': { 
      isr: 3600, // Revalidate every hour
    }
  }
})

🧹 Dev Mode Payload Extraction

Related to the above, payload extraction now also works in development mode (#​30784). This makes it easier to test and debug payload behavior without needing to run a production build.

[!IMPORTANT]
Payload extraction works in dev mode with nitro.static set to true, or for individual pages which have isr, swr, prerender or cache route rules.

🚫 Disable Modules from Layers

When extending Nuxt layers, you can now disable specific modules that you don't need (#​33883). Just pass false to the module's options:

export default defineNuxtConfig({
  extends: ['../shared-layer'],
  // disable @​nuxt/image from layer
  image: false,
})

🏷️ Route Groups in Page Meta

Route groups (folders wrapped in parentheses like (protected)/) are now exposed in page meta (#​33460). This makes it easy to check which groups a route belongs to in middleware or anywhere you have access to the route.

<script setup lang="ts">
// This page's meta will include: { groups: ['protected'] }
useRoute().meta.groups
</script>

export default defineNuxtRouteMiddleware((to) => {
  if (to.meta.groups?.includes('protected') && !isAuthenticated()) {
    return navigateTo('/login')
  }
})

This provides a clean, convention-based approach to route-level authorization without needing to add definePageMeta to every protected page.

🎨 Layout Props with setPageLayout

The setPageLayout composable now accepts a second parameter to pass props to your layout (#​33805):

export default defineNuxtRouteMiddleware((to) => {
  setPageLayout('admin', {
    sidebar: true,
    theme: 'dark'
  })
})

<script setup lang="ts">
defineProps<{
  sidebar?: boolean
  theme?: 'light' | 'dark'
}>()
</script>

🔧 #server Alias

A new #server alias provides clean imports within your server directory (#​33870), similar to how #shared works:

// Before: relative path hell
import { helper } from '../../../../utils/helper'

// After: clean and predictable
import { helper } from '#server/utils/helper'

The alias includes import protection – you can't accidentally import #server code from client or shared contexts.

🪟 Draggable Error Overlay

The development error overlay introduced in Nuxt 4.2 is now draggable and can be minimized (#​33695). You can:

• Drag it to any corner of the screen (it snaps to edges)
• Minimize it to a small pill button when you want to keep working
• Your position and minimized state persist across page reloads

This is a quality-of-life improvement when you're iterating on fixes and don't want the overlay blocking your view.

https://github.com/user-attachments/assets/nuxt_4-3_error_demo.mp4

⚙️ Async Plugin Constructors

Module authors can now use async functions when adding build plugins (#​33619):

export default defineNuxtModule({
  async setup() {
    // Lazy load only when actually needed
    addVitePlugin(() => import('my-cool-plugin').then(r => r.default()))
    
    // No need to load webpack plugin if using Vite
    addWebpackPlugin(() => import('my-cool-plugin/webpack').then(r => r.default()))
  }
})

This enables true lazy loading of build plugins, avoiding unnecessary code loading when plugins aren't needed.

🚀 Performance Improvements

This release includes several performance optimizations for faster builds:

• Hook filters - Internal plugins now use filters to avoid running hooks unnecessarily (#​33898)
• SSR styles optimization - The nuxt:ssr-styles plugin is now significantly faster (#​33862, #​33865)
• Layer alias transform - Skipped when using Vite (it handles this natively) (#​33864)
• Route rules compilation - Route rules are now compiled into a client chunk using rou3, removing the need for radix3 in the client bundle and eliminating app manifest fetches (#​33920)

🎨 Inline Styles for Webpack/Rspack

The inlineStyles feature now works with webpack and rspack builders (#​33966), not just Vite. This enables critical CSS inlining for better Core Web Vitals regardless of your bundler choice.

⚠️ Deprecations

statusCode → status, statusMessage → statusText

In preparation for Nitro v3 and H3 v2, we're moving to use Web API naming conventions (#​33912). The old properties still work but are deprecated in advance of v5:

- throw createError({ statusCode: 404, statusMessage: 'Not Found' })
+ throw createError({ status: 404, statusText: 'Not Found' })

🐛 Bug Fixes

Notable fixes in this release:

• Fixed head component deduplication using key attribute (#​33958, #​33963)
• Fixed async data properties not being reactive in Options API (#​34119)
• Fixed useCookie unsafe number parsing during decode (#​34007)
• Fixed NuxtPage not re-rendering when nested NuxtLayout has layouts disabled (#​34078)
• Fixed client-side pathname decoding for non-ASCII route aliases (#​34043)
• Fixed suspense remounting when navigating after pending state (#​33991)
• Fixed clipboard copy in error overlay (#​33873)
• Enabled allowArbitraryExtensions by default in TypeScript config (#​34084)
• Added noUncheckedIndexedAccess to server tsconfig for safer typing (#​33985)

[!IMPORTANT]
Enabling noUncheckedIndexedAccess in the Nitro server TypeScript config improves type safety but may surface new type errors in your server code. This change was necessary because Nuxt's app context performs type checks on server routes (learn more).

While we recommend keeping this enabled for better type safety, you can disable it if needed:

export default defineNuxtConfig({
  nitro: {
    typescript: {
      tsConfig: {
        compilerOptions: {
          noUncheckedIndexedAccess: false
        }
      }
    }
  }
})

Note that disabling this may allow type errors to slip through that could cause runtime issues with indexed access.

📚 Documentation

• Improved module author guides with clearer structure (#​33803)
• Added MCP setup instructions for Claude Desktop (#​33914)
• Added layers directory documentation (#​33967)
• Added Deno package manager examples (#​34070)
• Clarified type-checking context limitations for server routes (#​33964)

🎉 Nuxt 3.21.0

Alongside v4.3.0, we're releasing Nuxt v3.21.0 with many of the same improvements backported to the 3.x branch. This release includes:

• All the same features: Route rule layouts, ISR payload extraction, layout props with setPageLayout, #server alias, draggable error overlay, and more
• All performance improvements: SSR styles optimization, hook filters, and route rules compilation
• Module disabling: Disable layer modules by setting options to false
• Critical bug fixes: Async data reactivity in Options API, useCookie number parsing, head component deduplication, and more

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

# or, if you are upgrading to v3.21
npx nuxt@latest upgrade --dedupe --channel=v3

This will deduplicate your lockfile and help ensure you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

[!TIP]
Check out our upgrade guide if upgrading from an older version.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Support async constructor for adding plugins (#​33619)
• kit: Export Nuxt major version type (#​33700)
• schema: Add #server alias for server directory imports (#​33870)
• ui-templates: Let it snow! ❄️ (#​33804)
• schema: Hoist nitro crossws types (5b16a51f5)
• nitro,nuxt: Compile route rules into client chunk (#​33920)
• nuxt: Allow disabling modules by setting module options to false (#​33883)
• kit: Allow specifying moduleDependencies as an async function (#​33504)
• nuxt: Support appLayout in route rules (#​31092)
• nuxt: Add route groups to page meta (#​33460)
• nuxt: Enable payload extraction for ISR/SWR routes (#​33467)
• nuxt: Allow updating props with setPageLayout (#​33805)
• nuxt: Enable dragging and minimizing for error overlay (#​33695)
• nitro,nuxt: Add support for payload extraction in dev (#​30784)
• rspack,webpack: Add inline styles (#​33966)
• kit: Add forward-compatible nitro types (#​34036)

🔥 Performance

• nuxt: Do not init layer alias transform when using vite (#​33864)
• vite: Add hook filters for ssr styles plugin (#​33865)
• vite: Optimize nuxt:ssr-styles plugin (#​33862)
• nuxt: Use filter for vfs plugin load (eb3d2d4c6)
• nuxt,vite: Use filters to avoid running hooks unnecessarily (6b7fc7477)
• nuxt,vite: Add more filters to internal plugins (#​33898)

🩹 Fixes

• kit: Normalize local layer paths with trailing slashes (#​33858)
• nuxt: Avoid overwriting multiple head input in island handler (#​33849)
• nuxt: Update meta instead of calling router.replace in page hmr (#​33897)
• nuxt: Don't call page:loading:end in cache if already called (7789f73bd)
• vite: Add error handling for parsing NUXT_VITE_NODE_OPTIONS (41a564d23)
• nuxt: Do not skip middleware when appMiddleware references invalid key (323f27bc8)
• nitro: Clipboard copy in error overlay (#​33873)
• webpack,rspack: Resolve deep imports in virtual files (#​33927)
• webpack: Disable async chunks in dev mode (0310c4070)
• webpack: Correctly evaluate sourcemap name (653f364af)
• nuxt: Handle node10 resolution for nuxt/meta (01c2c9b13)
• nuxt: Do not early return if component priorities conflict (#​33955)
• nuxt: Use key for tag deduplication in <Head> component (#​33958)
• schema,vite: Resolve build.transpile when initialising vite (#​33868)
• nuxt,rspack,webpack: Inject module identifiers for webpack builders (#​33962)
• nuxt: Add key to head components for proper deduplication (#​33963)
• nitro: Check prettyResponse.body type before error overlay (#​33977)
• nuxt: Don't URI-encode static route paths (#​33990)
• nuxt: Skip internal stub routes from prerender (#​34001)
• kit,schema: Align module onUpgrade arguments with types (#​33988)
• nuxt: Handle unsafe number parsing in useCookie decode (#​34007)
• nuxt: Do not externalise rou3 (2df4e1ae3)
• nitro: Add noUncheckedIndexedAccess to server tsconfig (#​33985)
• nuxt: Add auto-import declarations for shared/ context (#​33978)
• nuxt: Update global reference to globalThis in useRequestFetch (#​33976)
• vite: Configure hmr port for server build (#​33929)
• kit: Add forward compatible nitro v3 types (#​34053)
• nitro,nuxt: Do not import nitro deps in builders (#​34054)
• nitro: Add h3 types to auto-imports (#​34035)
• schema: Add some more directories to ignore (ebc2a66ab)
• nitro: Also augment nuxt/schema (a6a044d81)
• nuxt: Make asyncData properties reactive in Options API (#​34119)
• nuxt: Rerender NuxtPage when nested NuxtLayout has explicitly disabled layouts (#​34078)
• kit,nitro: Enable allowArbitraryExtensions by default (#​34084)
• nuxt: Decode client-side pathname for non-ASCII route aliases (#​34043)
• nuxt: Force remount suspense when navigating after pending (#​33991)
• nuxt: Add documentation link to server builder error message (#​34122)
• nuxt: Validate placeholder/fallback tags + warn about placeholder/fallback props (567a1c6fb)
• nuxt: Force flush useAsyncData debounced execute post watcher flush (#​34125)
• nitro: Process isr/swr/cache keys (d84278622)
• nuxt: Add typeFrom support for imports.d.ts template exports (#​34135)
• nuxt: Ensure we inline styles for hydrate-never components (#​34132)

💅 Refactors

• kit: Add explicit return types for kit utilities (6cd1289d1)
• nitro,nuxt,schema,vite: Provide explicit return types (1d2c0c25f)
• kit,nuxt,schema: Use named imports from defu + consola (322dae3e0)
• Add explicit .ts file extensions to relative imports ([80778c0cd](https://redirect.github.com/nuxt/nuxt/commit/80

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.