npm - @nuxt/nitro-server - Versions diffs - 4.3.1 → 4.4.2 - Mend

@nuxt/nitro-server 4.3.1 → 4.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +4 -4
package/dist/THIRD-PARTY-LICENSES.md +0 -7
package/dist/index.d.mts +2 -50462
package/dist/index.mjs +180 -27
package/dist/runtime/h3-compat.d.mts +4 -0
package/dist/runtime/h3-compat.mjs +4 -0
package/dist/runtime/handlers/island.d.mts +3 -2
package/dist/runtime/handlers/island.mjs +21 -9
package/dist/runtime/handlers/renderer.d.mts +3 -2
package/dist/runtime/handlers/renderer.mjs +31 -32
package/dist/runtime/middleware/no-ssr.d.mts +3 -2
package/dist/runtime/middleware/no-ssr.mjs +2 -1
package/dist/runtime/plugins/dev-server-logs.d.mts +2 -1
package/dist/runtime/utils/cache.d.mts +11 -5
package/dist/runtime/utils/cache.mjs +2 -2
package/dist/runtime/utils/config.d.mts +1 -1
package/dist/runtime/utils/dev.mjs +1 -1
package/dist/runtime/utils/error.d.mts +1 -1
package/dist/runtime/utils/error.mjs +1 -1
package/dist/runtime/utils/renderer/build-files.d.mts +2 -2
package/dist/runtime/utils/renderer/payload.mjs +23 -7
package/package.json +37 -15

package/dist/runtime/utils/renderer/build-files.d.mts CHANGED Viewed

@@ -10,7 +10,7 @@ interface Renderer {
 		renderScripts: () => string;
 	}>;
 }
-export declare const getSSRRenderer: unknown;
+export declare const getSSRRenderer: () => Promise<Renderer>;
 export declare function getRenderer(ssrContext: NuxtSSRContext): Promise<Renderer>;
-export declare const getSSRStyles: unknown;
+export declare const getSSRStyles: () => Promise<Record<string, () => Promise<string[]>>>;
 export {};

package/dist/runtime/utils/renderer/payload.mjs CHANGED Viewed

@@ -4,10 +4,10 @@ import { stringify, uneval } from "devalue";
 // @ts-expect-error virtual file
 import { appId, multiApp } from "#internal/nuxt.config.mjs";
 // @ts-expect-error virtual file
-import { NUXT_JSON_PAYLOADS, NUXT_NO_SSR, NUXT_PAYLOAD_EXTRACTION, NUXT_RUNTIME_PAYLOAD_EXTRACTION } from "#internal/nuxt/nitro-config.mjs";
+import { NUXT_JSON_PAYLOADS, NUXT_NO_SSR } from "#internal/nuxt/nitro-config.mjs";
 export function renderPayloadResponse(ssrContext) {
 	return {
-		body: NUXT_JSON_PAYLOADS ? stringify(splitPayload(ssrContext).payload, ssrContext["~payloadReducers"]) : `export default ${devalue(splitPayload(ssrContext).payload)}`,
+		body: NUXT_JSON_PAYLOADS ? encodeForwardSlashes(stringify(splitPayload(ssrContext).payload, ssrContext["~payloadReducers"])) : `export default ${devalue(splitPayload(ssrContext).payload)}`,
 		statusCode: getResponseStatus(ssrContext.event),
 		statusMessage: getResponseStatusText(ssrContext.event),
 		headers: {
@@ -17,7 +17,7 @@ export function renderPayloadResponse(ssrContext) {
 	};
 }
 export function renderPayloadJsonScript(opts) {
-	const contents = opts.data ? stringify(opts.data, opts.ssrContext["~payloadReducers"]) : "";
+	const contents = opts.data ? encodeForwardSlashes(stringify(opts.data, opts.ssrContext["~payloadReducers"])) : "";
 	const payload = {
 		"type": "application/json",
 		"innerHTML": contents,
@@ -33,13 +33,29 @@ export function renderPayloadJsonScript(opts) {
 	const config = uneval(opts.ssrContext.config);
 	return [payload, { innerHTML: multiApp ? `window.__NUXT__=window.__NUXT__||{};window.__NUXT__[${JSON.stringify(appId)}]={config:${config}}` : `window.__NUXT__={};window.__NUXT__.config=${config}` }];
 }
+/**
+* Encode forward slashes as unicode escape sequences to prevent
+* Google from treating them as internal links and trying to crawl them.
+* @see https://github.com/nuxt/nuxt/issues/24175
+*/
+function encodeForwardSlashes(str) {
+	return str.replaceAll("/", "\\u002F");
+}
+/**
+* Escape a string for safe interpolation inside a double-quoted JavaScript string literal.
+* Prevents XSS when user-controlled URLs are embedded in inline `<script>` tags.
+*/
+function escapeJsString(str) {
+	return str.replaceAll("\\", "\\\\").replaceAll("\"", "\\\"").replaceAll("\n", "\\n").replaceAll("\r", "\\r").replaceAll("/", "\\u002F").replaceAll("<", "\\u003C");
+}
 export function renderPayloadScript(opts) {
 	opts.data.config = opts.ssrContext.config;
-	const _PAYLOAD_EXTRACTION = !opts.ssrContext.noSSR && (import.meta.prerender && NUXT_PAYLOAD_EXTRACTION || NUXT_RUNTIME_PAYLOAD_EXTRACTION && (opts.routeOptions.isr || opts.routeOptions.cache));
 	const nuxtData = devalue(opts.data);
-	if (_PAYLOAD_EXTRACTION) {
-		const singleAppPayload = `import p from "${opts.src}";window.__NUXT__={...p,...(${nuxtData})}`;
-		const multiAppPayload = `import p from "${opts.src}";window.__NUXT__=window.__NUXT__||{};window.__NUXT__[${JSON.stringify(appId)}]={...p,...(${nuxtData})}`;
+	if (opts.src) {
+		// Escape the URL to prevent XSS when interpolated into a JS string literal
+		const escapedSrc = escapeJsString(opts.src);
+		const singleAppPayload = `import p from "${escapedSrc}";window.__NUXT__={...p,...(${nuxtData})}`;
+		const multiAppPayload = `import p from "${escapedSrc}";window.__NUXT__=window.__NUXT__||{};window.__NUXT__[${JSON.stringify(appId)}]={...p,...(${nuxtData})}`;
 		return [{
 			type: "module",
 			innerHTML: multiApp ? multiAppPayload : singleAppPayload

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nuxt/nitro-server",
-  "version": "4.3.1",
+  "version": "4.4.2",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/nuxt/nuxt.git",
@@ -11,49 +11,71 @@
   "license": "MIT",
   "type": "module",
   "types": "./dist/index.d.mts",
+  "typesVersions": {
+    "*": {
+      "h3": [
+        "./dist/runtime/h3-compat.d.mts"
+      ]
+    }
+  },
   "exports": {
-    ".": "./dist/index.mjs"
+    ".": "./dist/index.mjs",
+    "./h3": "./dist/runtime/h3-compat.mjs"
   },
   "files": [
     "dist"
   ],
   "dependencies": {
+    "@babel/plugin-syntax-typescript": "^7.28.6",
     "@nuxt/devalue": "^2.0.2",
-    "@unhead/vue": "^2.1.3",
-    "@vue/shared": "^3.5.27",
+    "@unhead/vue": "^2.1.12",
+    "@vue/shared": "^3.5.30",
     "consola": "^3.4.2",
     "defu": "^6.1.4",
     "destr": "^2.0.5",
-    "devalue": "^5.6.2",
+    "devalue": "^5.6.3",
     "errx": "^0.1.0",
     "escape-string-regexp": "^5.0.0",
     "exsolve": "^1.0.8",
-    "h3": "^1.15.5",
-    "impound": "^1.0.0",
+    "h3": "^1.15.6",
+    "impound": "^1.1.5",
     "klona": "^2.0.6",
     "mocked-exports": "^0.1.1",
     "nitropack": "^2.13.1",
+    "nypm": "^0.6.5",
     "ohash": "^2.0.11",
     "pathe": "^2.0.3",
     "pkg-types": "^2.3.0",
-    "rou3": "^0.7.12",
-    "std-env": "^3.10.0",
+    "rou3": "^0.8.1",
+    "std-env": "^4.0.0",
     "ufo": "^1.6.3",
     "unctx": "^2.5.0",
     "unstorage": "^1.17.4",
-    "vue": "^3.5.27",
+    "vue": "^3.5.30",
     "vue-bundle-renderer": "^2.2.0",
     "vue-devtools-stub": "^0.1.0",
-    "@nuxt/kit": "4.3.1"
+    "@nuxt/kit": "4.4.2"
   },
   "peerDependencies": {
-    "nuxt": "^4.3.1"
+    "@babel/plugin-proposal-decorators": "^7.25.0",
+    "@rollup/plugin-babel": "^6.0.0 || ^7.0.0",
+    "nuxt": "^4.4.2"
+  },
+  "peerDependenciesMeta": {
+    "@babel/plugin-proposal-decorators": {
+      "optional": true
+    },
+    "@rollup/plugin-babel": {
+      "optional": true
+    }
   },
   "devDependencies": {
-    "obuild": "0.4.27",
+    "@babel/plugin-proposal-decorators": "7.29.0",
+    "@rollup/plugin-babel": "7.0.0",
+    "obuild": "0.4.32",
     "vitest": "4.0.18",
-    "@nuxt/schema": "4.3.1",
-    "nuxt": "4.3.1"
+    "nuxt": "4.4.2",
+    "@nuxt/schema": "4.4.2"
   },
   "engines": {
     "node": "^20.19.0 || >=22.12.0"