
fix(deps): bump nuxt to 3.21.2 and @nuxt/nitro-server to ^3.21.2 to fix h3 CVE#19910

Closed
chargome wants to merge 5 commits into develop from fix/dependabot-alert-1221-1222

Conversation

@chargome (Member)

Fixes Dependabot alerts #1221 and #1222. Bumps nuxt from 3.17.7 to 3.21.2 and @nuxt/nitro-server from ^3.21.1 to ^3.21.2 to pull in h3 >=1.15.6, fixing SSE injection (CVE-2026-33128) and path traversal vulnerabilities.

@chargome chargome self-assigned this Mar 20, 2026
@chargome chargome requested a review from s1gr1d March 20, 2026 12:13
@github-actions (Contributor)

github-actions bot commented Mar 20, 2026

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

Deps

  • Bump mongodb-memory-server-global from 10.1.4 to 11.0.1 by dependabot in #19888
  • Bump stacktrace-parser from 0.1.10 to 0.1.11 by dependabot in #19887

Bug Fixes 🐛

Cloudflare

  • Send correct events in local development by JPeer264 in #19900
  • Forward ctx argument to Workflow.do user callback by Lms24 in #19891

Core

  • Do not overwrite user provided conversation id in Vercel by nicohrubec in #19903
  • Return same value from startSpan as callback returns by s1gr1d in #19300

Deps

  • Bump nuxt to 3.21.2 and @nuxt/nitro-server to ^3.21.2 to fix h3 CVE by chargome in #19910
  • Bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps by chargome in #19917
  • Bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 by chargome in #19880

Other

  • (craft) Add missing mainDocsUrl for @sentry/effect SDK by bc-sentry in #19860
  • (nestjs) Add node to nest metadata by chargome in #19875
  • (serverless) Add node to metadata by nicohrubec in #19878

Internal Changes 🔧

Deps Dev

  • Bump qunit-dom from 3.2.1 to 3.5.0 by dependabot in #19546
  • Bump @react-router/node from 7.13.0 to 7.13.1 by dependabot in #19544

Other

  • (astro) Re-enable server island tracing e2e test in Astro 6 by Lms24 in #19872
  • (ci) Fix "Gatbsy" typo in issue package label workflow by chargome in #19905
  • (lint) Resolve oxlint warnings by isaacs in #19893
  • (node-integration-tests) Remove unnecessary file-type dependency by Lms24 in #19824
  • (remix) Replace glob with native recursive fs walk by roli-lpci in #19531
  • (sveltekit) Replace recast + @babel/parser with acorn by roli-lpci in #19533
  • Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19925
  • Add external contributor to CHANGELOG.md by javascript-sdk-gitflow in #19909

🤖 This preview updates automatically when you update the PR.

@chargome chargome force-pushed the fix/dependabot-alert-1221-1222 branch from df52ee9 to 0decc9e on March 20, 2026 13:28
@github-actions (Contributor)

github-actions bot commented Mar 20, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Path | Size | % Change | Change |
|---|---|---|---|
| @sentry/browser | 25.69 kB | +0.2% | +49 B 🔺 |
| @sentry/browser - with treeshaking flags | 24.17 kB | +0.14% | +33 B 🔺 |
| @sentry/browser (incl. Tracing) | 42.67 kB | +0.13% | +54 B 🔺 |
| @sentry/browser (incl. Tracing, Profiling) | 47.33 kB | +0.12% | +55 B 🔺 |
| @sentry/browser (incl. Tracing, Replay) | 81.48 kB | +0.08% | +57 B 🔺 |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 71.06 kB | +0.1% | +69 B 🔺 |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 86.17 kB | +0.06% | +50 B 🔺 |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 98.41 kB | +0.04% | +36 B 🔺 |
| @sentry/browser (incl. Feedback) | 42.48 kB | +0.08% | +30 B 🔺 |
| @sentry/browser (incl. sendFeedback) | 30.35 kB | +0.15% | +43 B 🔺 |
| @sentry/browser (incl. FeedbackAsync) | 35.4 kB | +0.12% | +39 B 🔺 |
| @sentry/browser (incl. Metrics) | 26.96 kB | +0.15% | +38 B 🔺 |
| @sentry/browser (incl. Logs) | 27.1 kB | +0.12% | +32 B 🔺 |
| @sentry/browser (incl. Metrics & Logs) | 27.78 kB | +0.15% | +39 B 🔺 |
| @sentry/react | 27.45 kB | +0.22% | +58 B 🔺 |
| @sentry/react (incl. Tracing) | 45.01 kB | +0.14% | +60 B 🔺 |
| @sentry/vue | 30.13 kB | +0.16% | +46 B 🔺 |
| @sentry/vue (incl. Tracing) | 44.52 kB | +0.09% | +39 B 🔺 |
| @sentry/svelte | 25.7 kB | +0.16% | +40 B 🔺 |
| CDN Bundle | 28.35 kB | +0.27% | +75 B 🔺 |
| CDN Bundle (incl. Tracing) | 43.57 kB | +0.15% | +62 B 🔺 |
| CDN Bundle (incl. Logs, Metrics) | 29.22 kB | +0.27% | +77 B 🔺 |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 44.43 kB | +0.17% | +75 B 🔺 |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.29 kB | +0.13% | +85 B 🔺 |
| CDN Bundle (incl. Tracing, Replay) | 80.41 kB | +0.1% | +73 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 81.31 kB | +0.1% | +76 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 85.97 kB | +0.12% | +103 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 86.86 kB | +0.1% | +86 B 🔺 |
| CDN Bundle - uncompressed | 82.7 kB | +0.1% | +77 B 🔺 |
| CDN Bundle (incl. Tracing) - uncompressed | 128.62 kB | +0.05% | +64 B 🔺 |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 85.57 kB | +0.1% | +77 B 🔺 |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 131.49 kB | +0.05% | +64 B 🔺 |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 209.22 kB | +0.05% | +102 B 🔺 |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 245.5 kB | +0.04% | +89 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 248.35 kB | +0.04% | +89 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 258.41 kB | +0.04% | +89 B 🔺 |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 261.26 kB | +0.04% | +89 B 🔺 |
| @sentry/nextjs (client) | 47.4 kB | +0.08% | +37 B 🔺 |
| @sentry/sveltekit (client) | 43.12 kB | +0.12% | +51 B 🔺 |
| @sentry/node-core | 56.42 kB | +0.13% | +73 B 🔺 |
| @sentry/node | 173.38 kB | +0.13% | +221 B 🔺 |
| @sentry/node - without tracing | 96.43 kB | +0.1% | +87 B 🔺 |
| @sentry/aws-serverless | 113.44 kB | +0.09% | +100 B 🔺 |

@github-actions (Contributor)

github-actions bot commented Mar 20, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 9,077 | - | 8,614 | +5% |
| GET With Sentry | 1,661 | 18% | 1,584 | +5% |
| GET With Sentry (error only) | 6,013 | 66% | 6,004 | +0% |
| POST Baseline | 1,196 | - | 1,172 | +2% |
| POST With Sentry | 589 | 49% | 583 | +1% |
| POST With Sentry (error only) | 1,052 | 88% | 1,061 | -1% |
| MYSQL Baseline | 3,231 | - | 3,210 | +1% |
| MYSQL With Sentry | 451 | 14% | 462 | -2% |
| MYSQL With Sentry (error only) | 2,600 | 80% | 2,588 | +0% |


@chargome chargome marked this pull request as draft March 20, 2026 15:04
chargome and others added 3 commits March 23, 2026 09:23
…ix h3 CVE

Fixes Dependabot alerts #1221 and #1222. Bumps nuxt from 3.17.7 to 3.21.2
and @nuxt/nitro-server from ^3.21.1 to ^3.21.2 to pull in h3 >=1.15.6,
fixing SSE injection (CVE-2026-33128) and path traversal vulnerabilities.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…atibility

In nuxt 3.21.x, NuxtOptions.nitro and the nitro:* hooks were moved from
@nuxt/schema into @nuxt/nitro-server via module augmentation. Adding the
triple-slash reference makes TypeScript include these augmentations, also
allowing removal of now-unnecessary @ts-expect-error suppressions on the
render:html hook.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
…pilation

The triple-slash reference in module.ts alone was insufficient because vitest
typecheck only processes files reachable from test/**/* imports. Adding the
reference to server-template.ts (imported via databaseConfig.ts) and
sourceMaps.ts (directly imported by tests) ensures the @nuxt/nitro-server
module augmentations are loaded during test type checking.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@chargome chargome force-pushed the fix/dependabot-alert-1221-1222 branch from bd8d727 to 8396d81 on March 23, 2026 08:24
chargome and others added 2 commits March 23, 2026 09:27
…_ESM

nuxt 3.21.2 added @nuxt/vite-builder which requires vite@^7.3.1. Yarn
deduplication merged this with vitest's union range resolving both to
vite 7.3.1 (ESM-only), causing ERR_REQUIRE_ESM in vitest's config.cjs.

Split the merged lockfile entry so vite@^7.3.1 resolves to 7.3.1 and
the vitest union range resolves to 6.4.1.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

2 participants