create-nuxt-base 2.5.1 → 2.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/nuxt-base-template/.claude/agent-memory/lt-dev-security-reviewer/MEMORY.md +3 -0
  3. package/nuxt-base-template/.claude/agent-memory/lt-dev-security-reviewer/project_dep_maintenance.md +13 -0
  4. package/nuxt-base-template/CLAUDE.md +119 -0
  5. package/nuxt-base-template/README.md +7 -6
  6. package/nuxt-base-template/package.json +67 -21
  7. package/nuxt-base-template/pnpm-lock.yaml +2914 -1965
  8. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -2,6 +2,8 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4
4
 
5
+ ### [2.5.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.1...v2.5.2) (2026-04-04)
6
+
5
7
  ### [2.5.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.0...v2.5.1) (2026-03-16)
6
8
 
7
9
 
package/nuxt-base-template/.claude/agent-memory/lt-dev-security-reviewer/MEMORY.md ADDED
@@ -0,0 +1,3 @@
1
+ # Security Reviewer Memory Index
2
+
3
+ - [Dependency Maintenance Pattern](project_dep_maintenance.md) — pnpm overrides use open upper bounds (>=) by convention; h3-next is intentionally aliased to RC pre-release
package/nuxt-base-template/.claude/agent-memory/lt-dev-security-reviewer/project_dep_maintenance.md ADDED
@@ -0,0 +1,13 @@
1
+ ---
2
+ name: Dependency Maintenance Pattern
3
+ description: Security override conventions observed in nuxt-base-template — open upper bounds and h3-next RC alias are intentional
4
+ type: project
5
+ ---
6
+
7
+ Security overrides in `package.json` (pnpm.overrides) intentionally use open-upper-bound `>=X.Y.Z` targets rather than pinned ranges. This is the project's deliberate convention so that future patch releases of vulnerable dependencies are automatically picked up.
8
+
9
+ The `h3-next` alias is pinned to `npm:h3@2.0.1-rc.20` because the Nuxt/Nitro ecosystem uses h3 v2 in pre-release form; this is a necessary compatibility shim.
10
+
11
+ **Why:** Reviewed during 2026-04-04 dependency maintenance update (PR: TypeScript 5.9→6.0, @nuxtjs/seo 3.4→5.1, 14 overrides added/updated).
12
+
13
+ **How to apply:** Do not flag open-upper-bound `>=` override targets as findings unless they allow a known-malicious version. Flag only if the lower bound is incorrect (allows still-vulnerable versions) or the target package name is suspicious.
package/nuxt-base-template/CLAUDE.md ADDED
@@ -0,0 +1,119 @@
1
+ # nuxt-base-starter
2
+
3
+ ## Project Overview
4
+
5
+ Starter template for Nuxt 4 applications using the lenne.tech stack. Used by `lt fullstack init` to scaffold new frontend projects.
6
+
7
+ ## Tech Stack
8
+
9
+ - **Framework:** Nuxt 4.x with TypeScript 6.0.x
10
+ - **UI:** NuxtUI 4.x + TailwindCSS 4.x
11
+ - **Auth:** Better Auth (email/password, 2FA/TOTP, passkeys/WebAuthn)
12
+ - **Forms:** Valibot validation
13
+ - **API:** @hey-api/client-fetch with generated types (`types.gen.ts`, `sdk.gen.ts`)
14
+ - **State:** Pinia + VueUse + `useState()` for SSR-safe state
15
+ - **Testing:** Playwright E2E + Vitest
16
+
17
+ ## Structure
18
+
19
+ ```
20
+ app/ # Application code (srcDir)
21
+ ├── api-client/ # Generated types & SDK (types.gen.ts, sdk.gen.ts)
22
+ ├── components/ # Auto-imported Vue components
23
+ ├── composables/ # Auto-imported composables (use*.ts)
24
+ ├── interfaces/ # Frontend-only TypeScript interfaces
25
+ ├── layouts/ # Layout components
26
+ ├── lib/ # Utility libraries (auth-client setup)
27
+ ├── pages/ # File-based routing
28
+ └── utils/ # Auto-imported utilities
29
+ server/ # Nitro server routes
30
+ tests/ # Playwright E2E tests
31
+ nuxt.config.ts # Nuxt configuration
32
+ ```
33
+
34
+ ## Development
35
+
36
+ ```bash
37
+ pnpm dev # Start dev server (port 3001)
38
+ pnpm run generate-types # Generate API types (API must be running on port 3000)
39
+ pnpm test # Run Playwright E2E tests
40
+ pnpm run build # Build for production
41
+ pnpm run check # Full quality check (audit + format + lint + types + test + build)
42
+ ```
43
+
44
+ ## Standards
45
+
46
+ | Rule | Value |
47
+ | ---------------- | ------------------------------------------------------------------ |
48
+ | UI Labels | German (`Speichern`, `Abbrechen`) |
49
+ | Code/Comments | English |
50
+ | Styling | TailwindCSS only, no `<style>` blocks |
51
+ | Colors | Semantic only (`primary`, `error`, `success`) |
52
+ | Types | Explicit, no implicit `any` |
53
+ | Backend Types | Generated only (`types.gen.ts`) — never manual interfaces for DTOs |
54
+ | Forms | Valibot (not Zod) |
55
+ | Modals | `useOverlay()` (programmatic) |
56
+ | Auth | `useBetterAuth()` from `@lenne.tech/nuxt-extensions` |
57
+ | Protected Routes | `middleware: 'auth'` in page `definePageMeta` |
58
+
59
+ ## Framework: @lenne.tech/nuxt-extensions
60
+
61
+ This project depends on `@lenne.tech/nuxt-extensions`. The framework source is available in `node_modules/@lenne.tech/nuxt-extensions/` and **MUST** be read when using or debugging framework features.
62
+
63
+ ### Key Source Files (in node_modules/@lenne.tech/nuxt-extensions/)
64
+
65
+ | File | Purpose |
66
+ | --------------------------- | ---------------------------------------------------------- |
67
+ | `CLAUDE.md` | Framework overview, composables, components, configuration |
68
+ | `dist/runtime/composables/` | Available composables (useBetterAuth, useTusUpload, etc.) |
69
+ | `dist/runtime/components/` | Available auto-imported components |
70
+ | `dist/runtime/middleware/` | Route middleware (auth) |
71
+ | `dist/runtime/plugins/` | Nuxt plugins (auth initialization) |
72
+ | `dist/runtime/server/` | Nitro server routes (auth proxy) |
73
+ | `dist/runtime/utils/` | Available utility functions |
74
+ | `dist/runtime/types/` | TypeScript type definitions |
75
+
76
+ ### Rules
77
+
78
+ 1. **ALWAYS read actual source code** from `node_modules/@lenne.tech/nuxt-extensions/` before guessing framework behavior
79
+ 2. **NEVER re-implement** functionality that nuxt-extensions already provides — check composables first
80
+ 3. **Use `useBetterAuth()`** for authentication — never implement auth manually
81
+ 4. **When debugging auth issues**, read the auth proxy server route and middleware source
82
+ 5. **Check `dist/runtime/composables/`** before creating new composables — may already exist
83
+
84
+ ## Security Overrides (pnpm)
85
+
86
+ The `pnpm.overrides` in `package.json` force vulnerable transitive dependencies to patched versions. Each override addresses a specific CVE or security advisory:
87
+
88
+ | Override | Advisory | Notes |
89
+ | -------------------------------- | ------------------- | ----------------------------------------------------------------------------------- |
90
+ | `@hono/node-server@<1.19.10` | GHSA-7256-2wf4-hf2r | Request smuggling |
91
+ | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
92
+ | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
93
+ | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
94
+ | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
95
+ | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
96
+ | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
97
+ | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
98
+ | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
99
+ | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
100
+ | `hono@<4.12.7` | GHSA-rp6g-89hg-4gfv | SSRF via host header |
101
+ | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
102
+ | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
103
+ | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
104
+ | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
105
+ | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
106
+ | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
107
+ | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
108
+ | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
109
+ | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
110
+ | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
111
+ | `unhead@<=2.1.10` | GHSA-gxhp-jfhg-5fv8 | XSS via meta tags |
112
+ | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
113
+
114
+ The `ignoredOptionalDependencies` block suppresses 30 platform-specific native binaries (`@img/sharp-*`, `@resvg/resvg-js-*`) that are pulled in by `@nuxtjs/seo` 5.x's OG image engine. Only the host-platform binary is needed at build time.
115
+
116
+ ## Notable Version Changes (v2.5.x)
117
+
118
+ - **TypeScript 5.9 -> 6.0:** Changes `erasableSyntaxOnly` default and tightens module resolution. Run `pnpm run build` to verify no type regressions after upgrading existing projects.
119
+ - **@nuxtjs/seo 3.4 -> 5.1:** Major rewrite (v4 was skipped). The OG image engine switched to `@shikijs/*` for syntax highlighting (SSR/build-time only). `nuxt.config.ts` SEO options are backwards-compatible. The 30 `ignoredOptionalDependencies` entries are required for clean installs.
package/nuxt-base-template/README.md CHANGED
@@ -94,14 +94,15 @@ npm run generate-types
94
94
  | Technology | Version | Description |
95
95
  | ------------------- | ------- | -------------------------------- |
96
96
  | Nuxt | 4.4.x | Vue 3 meta-framework with SSR |
97
- | TypeScript | 5.9.x | Strict type checking |
98
- | Tailwind CSS | 4.1.x | Utility-first CSS (Vite plugin) |
99
- | NuxtUI | 4.3.x | Component library with dark mode |
97
+ | TypeScript | 6.0.x | Strict type checking |
98
+ | Tailwind CSS | 4.2.x | Utility-first CSS (Vite plugin) |
99
+ | NuxtUI | 4.6.x | Component library with dark mode |
100
100
  | Pinia | 0.11.x | State management |
101
101
  | Better Auth | 1.5.x | Authentication framework |
102
- | Playwright | 1.57.x | E2E testing |
103
- | @hey-api/openapi-ts | 0.94.x | API client code generation (dev) |
104
- | Valibot | 1.2.x | Schema validation |
102
+ | @nuxtjs/seo | 5.1.x | SEO, sitemap, robots, OG images |
103
+ | Playwright | 1.59.x | E2E testing |
104
+ | @hey-api/openapi-ts | 0.95.x | API client code generation (dev) |
105
+ | Valibot | 1.3.x | Schema validation |
105
106
 
106
107
  ## Key Features
107
108
 
package/nuxt-base-template/package.json CHANGED
@@ -48,46 +48,46 @@
48
48
  "fix": "pnpm run lint:fix && pnpm run format"
49
49
  },
50
50
  "dependencies": {
51
- "@better-auth/passkey": "1.5.5",
51
+ "@better-auth/passkey": "1.5.6",
52
52
  "@lenne.tech/bug.lt": "latest",
53
- "@lenne.tech/nuxt-extensions": "1.5.1",
53
+ "@lenne.tech/nuxt-extensions": "1.5.2",
54
54
  "@nuxt/image": "2.0.0",
55
- "@nuxt/ui": "4.5.1",
55
+ "@nuxt/ui": "4.6.1",
56
56
  "@pinia/nuxt": "0.11.3",
57
57
  "@vueuse/nuxt": "14.2.1",
58
- "better-auth": "1.5.5",
58
+ "better-auth": "1.5.6",
59
59
  "qrcode": "1.5.4",
60
60
  "tus-js-client": "4.3.1",
61
- "valibot": "1.2.0"
61
+ "valibot": "1.3.1"
62
62
  },
63
63
  "devDependencies": {
64
64
  "@hey-api/client-fetch": "0.13.1",
65
- "@hey-api/openapi-ts": "0.94.2",
66
- "@iconify-json/lucide": "1.2.98",
67
- "@nuxt/devtools": "3.2.3",
65
+ "@hey-api/openapi-ts": "0.95.0",
66
+ "@iconify-json/lucide": "1.2.101",
67
+ "@nuxt/devtools": "3.2.4",
68
68
  "@nuxt/test-utils": "4.0.0",
69
69
  "@nuxtjs/plausible": "3.0.2",
70
- "@nuxtjs/seo": "3.4.0",
71
- "@playwright/test": "1.58.2",
70
+ "@nuxtjs/seo": "5.1.0",
71
+ "@playwright/test": "1.59.1",
72
72
  "@tailwindcss/typography": "0.5.19",
73
- "@tailwindcss/vite": "4.2.1",
74
- "@types/node": "25.5.0",
73
+ "@tailwindcss/vite": "4.2.2",
74
+ "@types/node": "25.5.2",
75
75
  "@types/qrcode": "1.5.6",
76
76
  "@vitejs/plugin-vue": "6.0.5",
77
77
  "@vue/test-utils": "2.4.6",
78
78
  "dayjs-nuxt": "2.1.11",
79
- "happy-dom": "20.8.4",
80
- "jsdom": "29.0.0",
79
+ "happy-dom": "20.8.9",
80
+ "jsdom": "29.0.1",
81
81
  "lint-staged": "16.4.0",
82
- "mongodb": "7.1.0",
82
+ "mongodb": "7.1.1",
83
83
  "nuxt": "4.4.2",
84
84
  "oxfmt": "latest",
85
85
  "oxlint": "latest",
86
86
  "rimraf": "6.1.3",
87
87
  "simple-git-hooks": "2.13.1",
88
- "tailwindcss": "4.2.1",
89
- "typescript": "5.9.3",
90
- "vitest": "4.1.0"
88
+ "tailwindcss": "4.2.2",
89
+ "typescript": "6.0.2",
90
+ "vitest": "4.1.2"
91
91
  },
92
92
  "simple-git-hooks": {
93
93
  "pre-commit": "npx lint-staged",
@@ -107,6 +107,38 @@
107
107
  "pnpm": ">=9"
108
108
  },
109
109
  "pnpm": {
110
+ "ignoredOptionalDependencies": [
111
+ "@img/sharp-linux-arm",
112
+ "@img/sharp-linux-arm64",
113
+ "@img/sharp-linux-ppc64",
114
+ "@img/sharp-linux-riscv64",
115
+ "@img/sharp-linux-s390x",
116
+ "@img/sharp-linux-x64",
117
+ "@img/sharp-linuxmusl-arm64",
118
+ "@img/sharp-linuxmusl-x64",
119
+ "@img/sharp-win32-arm64",
120
+ "@img/sharp-win32-ia32",
121
+ "@img/sharp-win32-x64",
122
+ "@img/sharp-wasm32",
123
+ "@img/sharp-libvips-linux-arm",
124
+ "@img/sharp-libvips-linux-arm64",
125
+ "@img/sharp-libvips-linux-ppc64",
126
+ "@img/sharp-libvips-linux-riscv64",
127
+ "@img/sharp-libvips-linux-s390x",
128
+ "@img/sharp-libvips-linux-x64",
129
+ "@img/sharp-libvips-linuxmusl-arm64",
130
+ "@img/sharp-libvips-linuxmusl-x64",
131
+ "@resvg/resvg-js-android-arm-eabi",
132
+ "@resvg/resvg-js-android-arm64",
133
+ "@resvg/resvg-js-linux-arm-gnueabihf",
134
+ "@resvg/resvg-js-linux-arm64-gnu",
135
+ "@resvg/resvg-js-linux-arm64-musl",
136
+ "@resvg/resvg-js-linux-x64-gnu",
137
+ "@resvg/resvg-js-linux-x64-musl",
138
+ "@resvg/resvg-js-win32-arm64-msvc",
139
+ "@resvg/resvg-js-win32-ia32-msvc",
140
+ "@resvg/resvg-js-win32-x64-msvc"
141
+ ],
110
142
  "onlyBuiltDependencies": [
111
143
  "@parcel/watcher",
112
144
  "esbuild",
@@ -116,14 +148,28 @@
116
148
  ],
117
149
  "overrides": {
118
150
  "@hono/node-server@<1.19.10": ">=1.19.10",
151
+ "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3",
152
+ "brace-expansion@>=4.0.0 <5.0.5": ">=5.0.5",
153
+ "readdir-glob@<2.0.3": ">=2.0.3",
154
+ "defu@<=6.1.4": ">=6.1.5",
119
155
  "devalue@<=5.6.3": ">=5.6.4",
156
+ "effect@<3.20.0": ">=3.20.0",
157
+ "h3@<1.15.9": ">=1.15.9",
158
+ "h3@>=2.0.0-0 <2.0.1-rc.18": ">=2.0.1-rc.18",
159
+ "h3-next": "npm:h3@2.0.1-rc.20",
120
160
  "hono@<4.12.7": ">=4.12.7",
121
- "lodash@>=4.0.0 <=4.17.22": ">=4.17.23",
161
+ "kysely@>=0.26.0 <=0.28.13": ">=0.28.14",
162
+ "lodash@>=4.0.0 <=4.17.23": ">=4.18.0",
122
163
  "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
164
+ "node-forge@<1.4.0": ">=1.4.0",
165
+ "picomatch@<2.3.2": ">=2.3.2",
166
+ "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
123
167
  "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
124
- "serialize-javascript@<=7.0.2": ">=7.0.3",
168
+ "serialize-javascript@<=7.0.4": ">=7.0.5",
169
+ "srvx@<0.11.13": ">=0.11.13",
125
170
  "tar@<=7.5.10": ">=7.5.11",
126
- "unhead@<=2.1.10": ">=2.1.11"
171
+ "unhead@<=2.1.10": ">=2.1.11",
172
+ "yaml@>=2.0.0 <2.8.3": ">=2.8.3"
127
173
  }
128
174
  }
129
175
  }