@nuxt/scripts 1.0.0-beta.30 → 1.0.0-beta.32

package/dist/runtime/server/proxy-handler.js

@@ -11,18 +11,8 @@ import {
   stripPayloadFingerprinting
 } from "./utils/privacy.js";
 const COMPRESSION_RE = /gzip|deflate|br|compress|base64/i;
-const ROUTE_WILDCARD_RE = /\/\*\*$/;
 const CLIENT_HINT_VERSION_RE = /;v="(\d+)\.[^"]*"/g;
 const SKIP_RESPONSE_HEADERS = /* @__PURE__ */ new Set(["set-cookie", "transfer-encoding", "content-encoding", "content-length"]);
-let sortedRoutesCache;
-function getSortedRoutes(routes) {
-  const key = JSON.stringify(routes);
-  if (sortedRoutesCache?.key === key)
-    return sortedRoutesCache.sorted;
-  const sorted = Object.entries(routes).sort((a, b) => b[0].length - a[0].length);
-  sortedRoutesCache = { key, sorted };
-  return sorted;
-}
 function stripQueryFingerprinting(query, privacy) {
   const stripped = stripPayloadFingerprinting(query, privacy);
   const params = new URLSearchParams();
@@ -42,37 +32,41 @@ export default defineEventHandler(async (event) => {
       statusMessage: "First-party proxy not configured"
     });
   }
-  const { routes, privacy: globalPrivacy, routePrivacy, debug = import.meta.dev } = proxyConfig;
+  const { proxyPrefix, domainPrivacy, privacy: globalPrivacy, debug = import.meta.dev } = proxyConfig;
   const path = event.path;
   const log = debug ? (message, ...args) => {
     console.debug(message, ...args);
   } : () => {
   };
-  let targetBase;
-  let matchedPrefix;
-  let matchedRoutePattern;
-  for (const [routePattern, target] of getSortedRoutes(routes)) {
-    const prefix = routePattern.replace(ROUTE_WILDCARD_RE, "");
-    if (path.startsWith(prefix)) {
-      targetBase = target.replace(ROUTE_WILDCARD_RE, "");
-      matchedPrefix = prefix;
-      matchedRoutePattern = routePattern;
-      log("[proxy] Matched:", prefix, "->", targetBase);
+  const afterPrefix = path.slice(proxyPrefix.length + 1);
+  const slashIdx = afterPrefix.indexOf("/");
+  const domain = slashIdx > 0 ? afterPrefix.slice(0, slashIdx) : afterPrefix;
+  const remainingPath = slashIdx > 0 ? afterPrefix.slice(slashIdx) : "/";
+  if (!domain) {
+    log("[proxy] No domain in path:", path);
+    throw createError({
+      statusCode: 404,
+      statusMessage: "No proxy domain found",
+      message: `No domain in proxy path: ${path}`
+    });
+  }
+  let perScriptInput;
+  for (const [configDomain, privacyInput] of Object.entries(domainPrivacy)) {
+    if (domain === configDomain || domain.endsWith(`.${configDomain}`)) {
+      perScriptInput = privacyInput;
       break;
     }
   }
-  if (!targetBase || !matchedPrefix || !matchedRoutePattern) {
-    log("[proxy] No match for path:", path);
+  if (perScriptInput === void 0) {
+    log("[proxy] Rejected: domain not in allowlist:", domain);
     throw createError({
-      statusCode: 404,
-      statusMessage: "No proxy route matched",
-      message: `No proxy target found for path: ${path}`
+      statusCode: 403,
+      statusMessage: "Domain not allowed",
+      message: `Proxy domain not in allowlist: ${domain}`
     });
   }
-  const perScriptInput = routePrivacy[matchedRoutePattern];
-  if (debug && perScriptInput === void 0) {
-    log("[proxy] WARNING: No privacy config for route", matchedRoutePattern, "\u2014 defaulting to full anonymization");
-  }
+  const targetBase = `https://${domain}`;
+  log("[proxy] Matched:", domain, "->", targetBase);
   const perScriptResolved = resolvePrivacy(perScriptInput ?? true);
   const privacy = globalPrivacy !== void 0 ? mergePrivacy(perScriptResolved, globalPrivacy) : perScriptResolved;
   const anyPrivacy = privacy.ip || privacy.userAgent || privacy.language || privacy.screen || privacy.timezone || privacy.hardware;
@@ -83,11 +77,7 @@ export default defineEventHandler(async (event) => {
   const isBinaryBody = Boolean(
     originalHeaders["content-encoding"] || contentType.includes("octet-stream") || compressionParam && COMPRESSION_RE.test(compressionParam)
   );
-  let targetPath = path.slice(matchedPrefix.length);
-  if (targetPath && !targetPath.startsWith("/")) {
-    targetPath = `/${targetPath}`;
-  }
-  let targetUrl = targetBase + targetPath;
+  let targetUrl = targetBase + remainingPath;
   let strippedQueryRecord;
   if (anyPrivacy) {
     if (Object.keys(originalQuery).length > 0) {
@@ -260,7 +250,6 @@ export default defineEventHandler(async (event) => {
       duplex: passthroughBody ? "half" : void 0
     });
   } catch (err) {
-    clearTimeout(timeoutId);
     log("[proxy] Upstream error:", err);
     throw createError({
       statusCode: 502,

package/dist/runtime/server/utils/privacy.d.ts

@@ -129,12 +129,4 @@ export declare function generalizeTimezone(value: unknown): string | number;
  * (timezone, language, screen dimensions) while keeping low-entropy values.
  */
 export declare function anonymizeDeviceInfo(value: string): string;
-/**
- * Recursively anonymize fingerprinting data in payload.
- * Fields are generalized or normalized rather than stripped, so endpoints
- * still receive valid data with reduced fingerprinting precision.
- *
- * When `privacy` is provided, only categories with their flag set to `true` are processed.
- * Default (no arg) = all categories active, so existing callers work unchanged.
- */
 export declare function stripPayloadFingerprinting(payload: Record<string, unknown>, privacy?: ResolvedProxyPrivacy): Record<string, unknown>;

package/dist/runtime/server/utils/privacy.js

@@ -232,6 +232,13 @@ export function anonymizeDeviceInfo(value) {
   }
   return result.join(sep);
 }
+function matchesParam(key, params) {
+  const lk = key.toLowerCase();
+  return params.some((pm) => {
+    const lp = pm.toLowerCase();
+    return lk === lp || lk.startsWith(`${lp}[`);
+  });
+}
 export function stripPayloadFingerprinting(payload, privacy) {
   const p = privacy || FULL_PRIVACY;
   const result = {};
@@ -245,13 +252,6 @@ export function stripPayloadFingerprinting(payload, privacy) {
   }
   for (const [key, value] of Object.entries(payload)) {
     const lowerKey = key.toLowerCase();
-    const matchesParam = (key2, params) => {
-      const lk = key2.toLowerCase();
-      return params.some((pm) => {
-        const lp = pm.toLowerCase();
-        return lk === lp || lk.startsWith(`${lp}[`);
-      });
-    };
     const isLanguageParam = NORMALIZE_PARAMS.language.some((pm) => lowerKey === pm.toLowerCase());
     if (isLanguageParam) {
       if (Array.isArray(value)) {

package/dist/runtime/types.d.ts

@@ -66,16 +66,16 @@ export type NuxtUseScriptOptions<T extends Record<symbol | string, any> = {}> =
      *
      * Note: Using 'force' may significantly increase build time as scripts will be re-downloaded on every build.
      *
-     * @deprecated Use `scripts.firstParty: true` in nuxt.config instead for bundling and routing scripts through your domain.
+     * @deprecated Bundling is now auto-enabled per-script via capabilities. Set `bundle: false` per-script to disable.
      */
     bundle?: boolean | 'force';
     /**
-     * Opt-out of first-party routing for this specific script when global `scripts.firstParty` is enabled.
-     * Set to `false` to load this script directly from its original source instead of through your domain.
-     *
-     * Note: This option only works as an opt-out. To enable first-party routing, use the global `scripts.firstParty` option in nuxt.config.
+     * Control reverse proxy interception for this script.
+     * When `false`, collection requests go directly to the third-party server.
+     * When `true`, collection requests are proxied through `/_scripts/p/`.
+     * Defaults to the script's `defaultCapability.reverseProxyIntercept` from the registry.
      */
-    firstParty?: false;
+    reverseProxyIntercept?: boolean;
     /**
      * Load the script in a web worker using Partytown.
      * When enabled, adds `type="text/partytown"` to the script tag.
@@ -235,6 +235,36 @@ export interface RegistryScriptServerHandler {
     handler: string;
     middleware?: boolean;
 }
+/**
+ * Declares what optimization modes a script supports and what's active by default.
+ * Each flag is an independent capability that must be explicitly opted into.
+ */
+export interface ScriptCapabilities {
+    /** Script can be downloaded at build time and served from `/_scripts/assets/`. */
+    bundle?: boolean;
+    /**
+     * Collection requests can be proxied through `/_scripts/p/`.
+     * When combined with `bundle`: AST URL rewriting + runtime intercept.
+     * Without `bundle` (npm mode): autoInject sets SDK endpoint to proxy URL.
+     */
+    reverseProxyIntercept?: boolean;
+    /** Script can run in a web worker via Partytown. */
+    partytown?: boolean;
+}
+/**
+ * A third-party domain the script communicates with.
+ * Used for proxy routing, AST rewriting, and connection warming (dns-prefetch/preconnect).
+ */
+export interface ScriptDomain {
+    /** The domain hostname (e.g., 'www.google-analytics.com') */
+    domain: string;
+    /**
+     * Whether this domain is used lazily (e.g., only after user interaction or SDK initialization).
+     * When `true`, connection warming uses `dns-prefetch` instead of `preconnect`.
+     * @default false
+     */
+    lazy?: boolean;
+}
 export interface RegistryScript {
     /**
      * The config key used in `scripts.registry` in nuxt.config (e.g., 'googleAnalytics', 'plausibleAnalytics').
@@ -244,14 +274,42 @@ export interface RegistryScript {
     import?: Import;
     scriptBundling?: false | ((options?: any) => string | false);
     /**
-     * First-party proxy config alias. Only needed when a script shares another script's
-     * proxy config (e.g., googleAdsense uses `proxy: 'googleAnalytics'`).
-     *
-     * By default, the proxy config is looked up by `registryKey`. Set to `false` to
-     * explicitly disable first-party routing for this script.
-     * @internal
+     * What optimization modes this script supports (the ceiling).
+     * Each capability must be explicitly opted in. Omitted flags default to false.
+     */
+    capabilities?: ScriptCapabilities;
+    /**
+     * What capabilities are active by default for users (subset of capabilities).
+     * Users inherit these and can toggle individual flags via scriptOptions.
+     * Omitted flags are not active by default (e.g., partytown requires user opt-in).
+     */
+    defaultCapability?: ScriptCapabilities;
+    /**
+     * Third-party domains this script communicates with.
+     * Used for: proxy routing, AST URL rewriting, connection warming (dns-prefetch/preconnect).
+     * Domains marked `lazy: true` use dns-prefetch; others use preconnect for immediate scripts.
+     */
+    domains?: (string | ScriptDomain)[];
+    /**
+     * Privacy controls for proxied requests to this script's domains.
+     * Only relevant when reverseProxyIntercept capability is active.
+     */
+    privacy?: import('../runtime/server/utils/privacy').ProxyPrivacyInput;
+    /**
+     * Auto-inject proxy endpoint config into the script's SDK options.
+     * For scripts that let you configure the collection endpoint (PostHog, Plausible, etc.).
+     */
+    autoInject?: import('../first-party/types').ProxyAutoInject;
+    /**
+     * SDK-specific post-processing applied after AST URL rewriting.
+     * Used for regex patches that can't be handled by the generic AST rewriter.
+     */
+    postProcess?: (output: string, rewrites: import('../runtime/utils/pure').ProxyRewrite[]) => string;
+    /**
+     * Proxy config alias. When set, inherits domains/privacy/autoInject/postProcess
+     * from another script (e.g., googleAdsense → 'googleAnalytics').
      */
-    proxy?: RegistryScriptKey | false;
+    proxyConfig?: RegistryScriptKey;
     label?: string;
     src?: string | false;
     category?: string;

package/dist/shared/scripts.T4Z99VT8.mjs

@@ -0,0 +1,37 @@
+function buildProxyConfigsFromRegistry(scripts) {
+  const configs = {};
+  const scriptByKey = /* @__PURE__ */ new Map();
+  for (const script of scripts) {
+    if (script.registryKey)
+      scriptByKey.set(script.registryKey, script);
+  }
+  for (const script of scripts) {
+    if (!script.registryKey || !script.capabilities?.reverseProxyIntercept)
+      continue;
+    if (script.proxyConfig) {
+      const source = scriptByKey.get(script.proxyConfig);
+      if (source?.domains) {
+        const domains2 = source.domains.map((d) => typeof d === "string" ? d : d.domain);
+        configs[script.registryKey] = {
+          domains: domains2,
+          privacy: source.privacy || { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false },
+          autoInject: source.autoInject,
+          postProcess: source.postProcess
+        };
+      }
+      continue;
+    }
+    if (!script.domains?.length)
+      continue;
+    const domains = script.domains.map((d) => typeof d === "string" ? d : d.domain);
+    configs[script.registryKey] = {
+      domains,
+      privacy: script.privacy || { ip: false, userAgent: false, language: false, screen: false, timezone: false, hardware: false },
+      autoInject: script.autoInject,
+      postProcess: script.postProcess
+    };
+  }
+  return configs;
+}
+
+export { buildProxyConfigsFromRegistry as b };

package/dist/stats.mjs

@@ -1,4 +1,4 @@
-import { g as getAllProxyConfigs } from './shared/scripts.ViOoYQXH.mjs';
+import { b as buildProxyConfigsFromRegistry } from './shared/scripts.T4Z99VT8.mjs';
 
 const scriptMeta = {
   // Analytics
@@ -3767,7 +3767,6 @@ function computePerformanceRating(perf, transferKb, network, cwv) {
     }
   };
 }
-const DOMAIN_RE = /^https?:\/\/([^/]+)/;
 const USE_SCRIPT_RE = /^useScript/;
 const WORD_SPLIT_RE = /[\s-]+/;
 function computePrivacyLevel(privacy) {
@@ -3780,14 +3779,8 @@ function computePrivacyLevel(privacy) {
     return "partial";
   return "none";
 }
-function extractDomains(routes) {
-  const domains = /* @__PURE__ */ new Set();
-  for (const { proxy } of Object.values(routes)) {
-    const match = proxy.match(DOMAIN_RE);
-    if (match?.[1])
-      domains.add(match[1]);
-  }
-  return [...domains].sort();
+function extractDomains(proxyDomains) {
+  return [...proxyDomains].sort();
 }
 function deriveMetaKey(importName, label) {
   if (importName) {
@@ -3805,13 +3798,13 @@ function deriveMetaKey(importName, label) {
 async function getScriptStats() {
   const { registry } = await import('./registry.mjs');
   const entries = await registry();
-  const proxyConfigs = getAllProxyConfigs("/_scripts/p");
+  const proxyConfigs = buildProxyConfigsFromRegistry(entries);
   const sizes = scriptSizes;
   return entries.map((entry) => {
     const id = entry.registryKey || deriveMetaKey(entry.import?.name, entry.label);
     const meta = id && id in scriptMeta ? scriptMeta[id] : void 0;
     const size = sizes[id || ""];
-    const proxyConfigKey = entry.proxy === false ? void 0 : entry.proxy || entry.registryKey;
+    const proxyConfigKey = !entry.capabilities?.reverseProxyIntercept ? void 0 : entry.proxyConfig || entry.registryKey;
     const proxyConfig = proxyConfigKey ? proxyConfigs[proxyConfigKey] : void 0;
     let loadingMethod = "cdn";
     if (entry.src === false)
@@ -3819,9 +3812,8 @@ async function getScriptStats() {
     else if (!entry.src && typeof entry.scriptBundling === "function")
       loadingMethod = "dynamic";
     const privacy = proxyConfig?.privacy ?? null;
-    const routes = proxyConfig?.routes ?? {};
-    const domains = extractDomains(routes);
-    const endpoints = Object.keys(routes).length;
+    const domains = extractDomains(proxyConfig?.domains ?? []);
+    const endpoints = domains.length;
     const emptyApis = {};
     const emptyNetwork = { requestCount: 0, domains: [], outboundBytes: 0, inboundBytes: 0, injectedElements: [] };
     const emptyPerf = { taskDurationMs: 0, scriptDurationMs: 0, heapDeltaKb: 0 };

package/dist/types-source.mjs

@@ -276,7 +276,7 @@ const types = {
 		{
 			name: "ScriptGoogleMapsOverlayViewProps",
 			kind: "interface",
-			code: "interface ScriptGoogleMapsOverlayViewProps {\n  /**\n   * Geographic position for the overlay. Falls back to parent marker position if omitted.\n   * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#OverlayView\n   */\n  position?: google.maps.LatLngLiteral\n  /**\n   * Anchor point of the overlay relative to its position.\n   * @default 'bottom-center'\n   */\n  anchor?: OverlayAnchor\n  /**\n   * Pixel offset from the anchor position.\n   */\n  offset?: { x: number, y: number }\n  /**\n   * The map pane on which to render the overlay.\n   * @default 'floatPane'\n   * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#MapPanes\n   */\n  pane?: OverlayPane\n  /**\n   * CSS z-index for the overlay element.\n   */\n  zIndex?: number\n  /**\n   * Whether to block map click and gesture events from passing through the overlay.\n   * @default true\n   */\n  blockMapInteraction?: boolean\n}"
+			code: "interface ScriptGoogleMapsOverlayViewProps {\n  /**\n   * Geographic position for the overlay. Falls back to parent marker position if omitted.\n   * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#OverlayView\n   */\n  position?: google.maps.LatLngLiteral\n  /**\n   * Anchor point of the overlay relative to its position.\n   * @default 'bottom-center'\n   */\n  anchor?: OverlayAnchor\n  /**\n   * Pixel offset from the anchor position.\n   */\n  offset?: { x: number, y: number }\n  /**\n   * The map pane on which to render the overlay.\n   * @default 'floatPane'\n   * @see https://developers.google.com/maps/documentation/javascript/reference/overlay-view#MapPanes\n   */\n  pane?: OverlayPane\n  /**\n   * CSS z-index for the overlay element.\n   */\n  zIndex?: number\n  /**\n   * Whether to block map click and gesture events from passing through the overlay.\n   * @default true\n   */\n  blockMapInteraction?: boolean\n  /**\n   * Pan the map so the overlay is fully visible when opened, similar to InfoWindow behavior.\n   * Set to `true` for default 40px padding, or a number for custom padding.\n   * @default true\n   */\n  panOnOpen?: boolean | number\n  /**\n   * Automatically hide the overlay when its parent marker joins a cluster (on zoom out).\n   * Only applies when nested inside a ScriptGoogleMapsMarkerClusterer.\n   * @default true\n   */\n  hideWhenClustered?: boolean\n}"
 		},
 		{
 			name: "ScriptGoogleMapsPinElementProps",
@@ -429,7 +429,7 @@ const types = {
 		{
 			name: "GravatarApi",
 			kind: "interface",
-			code: "export interface GravatarApi {\n  /**\n   * Get a proxied avatar URL for a given SHA256 email hash.\n   * When firstParty mode is enabled, this routes through your server.\n   */\n  getAvatarUrl: (hash: string, options?: { size?: number, default?: string, rating?: string }) => string\n  /**\n   * Get a proxied avatar URL using the server-side hashing endpoint.\n   * The email is sent to YOUR server (not Gravatar) for hashing.\n   * Only available when the gravatar proxy is enabled.\n   */\n  getAvatarUrlFromEmail: (email: string, options?: { size?: number, default?: string, rating?: string }) => string\n}"
+			code: "export interface GravatarApi {\n  /**\n   * Get a proxied avatar URL for a given SHA256 email hash.\n   * When proxy mode is enabled, this routes through your server.\n   */\n  getAvatarUrl: (hash: string, options?: { size?: number, default?: string, rating?: string }) => string\n  /**\n   * Get a proxied avatar URL using the server-side hashing endpoint.\n   * The email is sent to YOUR server (not Gravatar) for hashing.\n   * Only available when the gravatar proxy is enabled.\n   */\n  getAvatarUrlFromEmail: (email: string, options?: { size?: number, default?: string, rating?: string }) => string\n}"
 		}
 	],
 	hotjar: [
@@ -2697,6 +2697,20 @@ const schemaFields = {
 			description: "Whether to block map click and gesture events from passing through the overlay.",
 			defaultValue: "true"
 		},
+		{
+			name: "panOnOpen",
+			type: "boolean | number",
+			required: false,
+			description: "Pan the map so the overlay is fully visible when opened, similar to InfoWindow behavior. Set to `true` for default 40px padding, or a number for custom padding.",
+			defaultValue: "true"
+		},
+		{
+			name: "hideWhenClustered",
+			type: "boolean",
+			required: false,
+			description: "Automatically hide the overlay when its parent marker joins a cluster (on zoom out). Only applies when nested inside a ScriptGoogleMapsMarkerClusterer.",
+			defaultValue: "true"
+		},
 		{
 			name: "v-model:open",
 			type: "boolean",

package/dist/types.d.mts

@@ -6,4 +6,4 @@ declare module '@nuxt/schema' {
 
 export { default } from './module.mjs'
 
-export { type FirstPartyOptions, type FirstPartyPrivacy, type ModuleHooks, type ModuleOptions } from './module.mjs'
+export { type FirstPartyPrivacy, type ModuleHooks, type ModuleOptions } from './module.mjs'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@nuxt/scripts",
   "type": "module",
-  "version": "1.0.0-beta.30",
+  "version": "1.0.0-beta.32",
   "description": "Load third-party scripts with better performance, privacy and DX in Nuxt Apps.",
   "author": {
     "name": "Harlan Wilton",
@@ -144,7 +144,7 @@
     "vue": "^3.5.30",
     "vue-router": "^5.0.4",
     "vue-tsc": "^3.2.6",
-    "@nuxt/scripts": "1.0.0-beta.30"
+    "@nuxt/scripts": "1.0.0-beta.32"
   },
   "resolutions": {
     "@nuxt/scripts": "workspace:*"