create-nuxt-base 2.4.0 → 2.5.1

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.5.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.0...v2.5.1) (2026-03-16)
+
+
+### Bug Fixes
+
+* prevent build-time baked API URLs by defaulting to empty strings resolved at runtimeOC ([e577648](https://github.com/lenneTech/nuxt-base-starter/commit/e577648a287e18a76c72564d68bacc277b04a500))
+
+## [2.5.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.1...v2.5.0) (2026-03-16)
+
+
+### Features
+
+* add production default dockerfile ([e338c93](https://github.com/lenneTech/nuxt-base-starter/commit/e338c9363a348c1a63d40a71301240c8e8478835))
+
 ## [2.4.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.3.1...v2.4.0) (2026-03-16)
 
 

package/nuxt-base-template/.claude/agent-memory/lt-dev-npm-package-maintainer/MEMORY.md

@@ -11,6 +11,7 @@
 
 - `better-auth`, `@better-auth/passkey`, `tus-js-client` are peer dependencies of `@lenne.tech/nuxt-extensions` - keep in `dependencies`
 - `@nuxt/ui` and `@vueuse/nuxt` belong in `dependencies` (used in app/ source files with type imports)
+- `@hey-api/client-fetch`: deprecated, moved to devDependencies (only used in openapi-ts.config.ts codegen config)
 - pnpm sometimes auto-moves packages to devDependencies during `-D` updates - watch and fix
 
 ## Security Overrides
@@ -22,38 +23,51 @@
 
 ## Deprecated Package Notes
 
-- `@hey-api/client-fetch`: deprecated ("bundled in @hey-api/openapi-ts since v0.73.0") but still a valid runtime HTTP client for generated API SDKs - KEEP in dependencies
-- `openapi-ts.config.ts` uses deprecated `lint`/`format` options; use `postProcess: ['eslint', 'prettier']` instead
+- `@hey-api/client-fetch`: deprecated ("bundled in @hey-api/openapi-ts since v0.73.0"), moved to devDependencies (codegen config only, no runtime use)
+- `openapi-ts.config.ts`: migrated from deprecated `lint`/`format` options to `postProcess: ['oxlint', 'oxfmt']`
 - `@nuxtjs/color-mode`: do NOT add to devDeps - @nuxt/ui brings its own 3.x internally; 4.0.0 would conflict
 
-## Override Cleanup Notes (2026-03-09)
+## Override Cleanup Notes (2026-03-16)
 
 Removed as no longer needed:
 
-- `devalue@<=5.6.2` - nuxt requires ^5.6.2, latest is 5.6.3 (always picked)
-- `fast-xml-parser@>=5.0.0 <5.3.8` - @nuxtjs/sitemap requires ^5.3.3, latest is 5.4.2 (always safe)
-- `markdown-it@>=13.0.0 <14.1.1` - prosemirror-markdown requires ^14.0.0, latest is 14.1.1 (always picked)
-- `minimatch@>=5.0.0 <5.1.8` - readdir-glob installs minimatch 5.1.9 which is already >=5.1.8 (safe)
+- `svgo@=4.0.0` - postcss-svgo now requires ^4.0.1, so 4.0.0 is never picked
+- `devalue@<=5.6.2` (old) - replaced with `devalue@<=5.6.3` to cover new vulnerability in 5.6.3
+
+Updated overrides:
+
+- `hono@<4.12.4` → `hono@<4.12.7` - new vulnerability discovered in <4.12.7
+- `tar@<=7.5.9` → `tar@<=7.5.10` - new vulnerability discovered in 7.5.10
+- Added `devalue@<=5.6.3` - new vulnerability in devalue <=5.6.3 (proto pollution)
+- Added `unhead@<=2.1.10` - new vulnerability in unhead <=2.1.10
 
 Still required (keep these overrides):
 
 - `@hono/node-server@<1.19.10` - @prisma/dev requires 1.19.9 exactly
-- `hono@<4.12.4` - @prisma/dev requires 4.11.4 exactly
+- `devalue@<=5.6.3` - nuxt requires ^5.6.3 which picks vulnerable 5.6.3; 5.6.4 is safe
+- `hono@<4.12.7` - @prisma/dev requires 4.11.4 exactly (new vuln <4.12.7)
 - `lodash@>=4.0.0 <=4.17.22` - @chevrotain/gast requires 4.17.21 exactly (vulnerable)
 - `minimatch@>=9.0.0 <9.0.7` - editorconfig 1.0.4 requires 9.0.1 exactly (in vulnerable range)
-- `rollup@>=4.0.0 <4.59.0` - vite requires ^4.43.0 which could pick <4.59.0
-- `serialize-javascript@<=7.0.2` - @rollup/plugin-terser requires ^6.0.1 (6.x is vulnerable)
-- `svgo@=4.0.0` - postcss-svgo requires ^4.0.0 which could pick 4.0.0 (vulnerable)
-- `tar@<=7.5.9` - @mapbox/node-pre-gyp requires ^7.4.0 (7.4.x is vulnerable)
+- `rollup@>=4.0.0 <4.59.0` - vite requires range that could pick <4.59.0
+- `serialize-javascript@<=7.0.2` - nitropack uses @rollup/plugin-terser@0.4.4 which requires ^6.0.1 (6.x is vulnerable)
+- `tar@<=7.5.10` - @mapbox/node-pre-gyp requires ^7.4.0 (7.4.x-7.5.10 are vulnerable)
+- `unhead@<=2.1.10` - @nuxt/ui/@nuxtjs/seo use @unhead/vue which pulls vulnerable unhead
 
-## Version History (2026-03-09)
+## Version History (2026-03-16)
 
 After maintenance, all packages at latest:
 
-- `@lenne.tech/nuxt-extensions`: 1.3.0
-- `nuxt`: 4.3.1
-- `vitest`: 4.0.18 (major from 3.x)
-- `@nuxt/test-utils`: 4.0.0 (major from 3.x, requires vitest ^4.0.2)
-- `vitest` v4 + `@nuxt/test-utils` v4 must be updated together (compatibility requirement)
-- Residual vulnerabilities: 1 moderate (nanotar, unfixable)
-- Removed: `@nuxtjs/color-mode` from devDeps (unused, conflicts with @nuxt/ui's internal 3.5.2)
+- `@better-auth/passkey`: 1.5.5 (from 1.5.4)
+- `better-auth`: 1.5.5 (from 1.5.4)
+- `@lenne.tech/nuxt-extensions`: 1.5.0
+- `@iconify-json/lucide`: 1.2.98 (from 1.2.96)
+- `@vitejs/plugin-vue`: 6.0.5 (from 6.0.4)
+- `happy-dom`: 20.8.4 (from 20.8.3)
+- `@types/node`: 25.5.0 (from 25.4.0)
+- `lint-staged`: 16.4.0 (from 16.3.2)
+- `nuxt`: 4.4.2 (from 4.3.1)
+- `vitest`: 4.1.0 (from 4.0.18)
+- `@hey-api/openapi-ts`: 0.94.2 (from 0.94.0)
+- `jsdom`: 29.0.0 (from 28.1.0) - fixes undici vulnerabilities (jsdom 29 requires undici ^7.24.3)
+- Residual vulnerabilities: 0
+- `@hey-api/client-fetch`: moved from dependencies → devDependencies

package/nuxt-base-template/README.md

@@ -91,17 +91,17 @@ npm run generate-types
 
 ## Tech Stack
 
-| Technology            | Version | Description                      |
-| --------------------- | ------- | -------------------------------- |
-| Nuxt                  | 4.2.x   | Vue 3 meta-framework with SSR    |
-| TypeScript            | 5.9.x   | Strict type checking             |
-| Tailwind CSS          | 4.1.x   | Utility-first CSS (Vite plugin)  |
-| NuxtUI                | 4.3.x   | Component library with dark mode |
-| Pinia                 | 0.11.x  | State management                 |
-| Better Auth           | 1.4.x   | Authentication framework         |
-| Playwright            | 1.57.x  | E2E testing                      |
-| @hey-api/client-fetch | 0.13.x  | Type-safe API client             |
-| Valibot               | 1.2.x   | Schema validation                |
+| Technology          | Version | Description                      |
+| ------------------- | ------- | -------------------------------- |
+| Nuxt                | 4.4.x   | Vue 3 meta-framework with SSR    |
+| TypeScript          | 5.9.x   | Strict type checking             |
+| Tailwind CSS        | 4.1.x   | Utility-first CSS (Vite plugin)  |
+| NuxtUI              | 4.3.x   | Component library with dark mode |
+| Pinia               | 0.11.x  | State management                 |
+| Better Auth         | 1.5.x   | Authentication framework         |
+| Playwright          | 1.57.x  | E2E testing                      |
+| @hey-api/openapi-ts | 0.94.x  | API client code generation (dev) |
+| Valibot             | 1.2.x   | Schema validation                |
 
 ## Key Features
 

package/nuxt-base-template/nuxt.config.ts

@@ -85,10 +85,10 @@ export default defineNuxtConfig({
   ltExtensions: {
     auth: {
       enabled: true,
-      // baseURL is used when NUXT_PUBLIC_API_PROXY is NOT enabled (deployed stages)
-      // With proxy: requests go through /api/iam (proxy strips /api/ and forwards to backend)
-      // Without proxy: requests go directly to baseURL + basePath (e.g., https://api.example.com/iam)
-      baseURL: process.env.NUXT_API_URL || 'http://localhost:3000',
+      // baseURL: resolved at runtime via NUXT_PUBLIC_API_URL (not baked at build time)
+      // Local dev: .env provides http://localhost:3000
+      // Production: deployment env provides the production API URL
+      baseURL: '',
       basePath: '/iam',
       loginPath: '/auth/login',
       twoFactorRedirectPath: '/auth/2fa',
@@ -154,11 +154,13 @@ export default defineNuxtConfig({
   // Runtime Configuration (Environment Variables)
   // ============================================================================
   runtimeConfig: {
-    // Server-only — NUXT_API_URL overrides this
-    apiUrl: 'http://localhost:3000',
+    // Server-only — NUXT_API_URL overrides at runtime
+    // Local dev: .env provides http://localhost:3000
+    apiUrl: '',
     public: {
-      // Client-side — NUXT_PUBLIC_API_URL overrides this
-      apiUrl: 'http://localhost:3000',
+      // Client-side — NUXT_PUBLIC_API_URL overrides at runtime
+      // Local dev: .env provides http://localhost:3000
+      apiUrl: '',
       // NUXT_PUBLIC_WEB_PUSH_KEY overrides this
       webPushKey: '',
       // API Proxy: Routes client-side /api/* requests through the Vite dev proxy

package/nuxt-base-template/openapi-ts.config.ts

@@ -1,18 +1,10 @@
 import { defineConfig } from '@hey-api/openapi-ts';
 
 export default defineConfig({
-  client: '@hey-api/client-fetch',
   input: process.env.NUXT_API_URL || 'http://127.0.0.1:3000/api-docs-json',
   output: {
-    format: 'prettier',
-    lint: 'eslint',
     path: './app/api-client',
+    postProcess: ['oxlint', 'oxfmt'],
   },
-  plugins: [
-    '@hey-api/sdk',
-    {
-      dates: true,
-      name: '@hey-api/typescript',
-    },
-  ],
+  plugins: ['@hey-api/client-fetch', '@hey-api/sdk', '@hey-api/typescript', '@hey-api/transformers'],
 });

package/nuxt-base-template/package.json

@@ -48,22 +48,22 @@
     "fix": "pnpm run lint:fix && pnpm run format"
   },
   "dependencies": {
-    "@better-auth/passkey": "1.5.4",
-    "@hey-api/client-fetch": "0.13.1",
+    "@better-auth/passkey": "1.5.5",
     "@lenne.tech/bug.lt": "latest",
-    "@lenne.tech/nuxt-extensions": "1.3.0",
+    "@lenne.tech/nuxt-extensions": "1.5.1",
     "@nuxt/image": "2.0.0",
     "@nuxt/ui": "4.5.1",
     "@pinia/nuxt": "0.11.3",
     "@vueuse/nuxt": "14.2.1",
-    "better-auth": "1.5.4",
+    "better-auth": "1.5.5",
     "qrcode": "1.5.4",
     "tus-js-client": "4.3.1",
     "valibot": "1.2.0"
   },
   "devDependencies": {
-    "@hey-api/openapi-ts": "0.94.0",
-    "@iconify-json/lucide": "1.2.96",
+    "@hey-api/client-fetch": "0.13.1",
+    "@hey-api/openapi-ts": "0.94.2",
+    "@iconify-json/lucide": "1.2.98",
     "@nuxt/devtools": "3.2.3",
     "@nuxt/test-utils": "4.0.0",
     "@nuxtjs/plausible": "3.0.2",
@@ -71,23 +71,23 @@
     "@playwright/test": "1.58.2",
     "@tailwindcss/typography": "0.5.19",
     "@tailwindcss/vite": "4.2.1",
-    "@types/node": "25.4.0",
+    "@types/node": "25.5.0",
     "@types/qrcode": "1.5.6",
-    "@vitejs/plugin-vue": "6.0.4",
+    "@vitejs/plugin-vue": "6.0.5",
     "@vue/test-utils": "2.4.6",
     "dayjs-nuxt": "2.1.11",
-    "happy-dom": "20.8.3",
-    "jsdom": "28.1.0",
-    "lint-staged": "16.3.2",
+    "happy-dom": "20.8.4",
+    "jsdom": "29.0.0",
+    "lint-staged": "16.4.0",
     "mongodb": "7.1.0",
-    "nuxt": "4.3.1",
+    "nuxt": "4.4.2",
     "oxfmt": "latest",
     "oxlint": "latest",
     "rimraf": "6.1.3",
     "simple-git-hooks": "2.13.1",
     "tailwindcss": "4.2.1",
     "typescript": "5.9.3",
-    "vitest": "4.0.18"
+    "vitest": "4.1.0"
   },
   "simple-git-hooks": {
     "pre-commit": "npx lint-staged",
@@ -116,13 +116,14 @@
     ],
     "overrides": {
       "@hono/node-server@<1.19.10": ">=1.19.10",
-      "hono@<4.12.4": ">=4.12.4",
+      "devalue@<=5.6.3": ">=5.6.4",
+      "hono@<4.12.7": ">=4.12.7",
       "lodash@>=4.0.0 <=4.17.22": ">=4.17.23",
       "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
       "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
       "serialize-javascript@<=7.0.2": ">=7.0.3",
-      "svgo@=4.0.0": ">=4.0.1",
-      "tar@<=7.5.9": ">=7.5.10"
+      "tar@<=7.5.10": ">=7.5.11",
+      "unhead@<=2.1.10": ">=2.1.11"
     }
   }
 }