create-nuxt-base 2.6.0 → 2.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/.claude/agent-memory/lt-dev-npm-package-maintainer/MEMORY.md +4 -0
  2. package/.claude/agent-memory/lt-dev-npm-package-maintainer/feedback_override_safety.md +13 -0
  3. package/.claude/agent-memory/lt-dev-npm-package-maintainer/project_structure.md +22 -0
  4. package/CHANGELOG.md +10 -2
  5. package/nuxt-base-template/.nuxtrc +1 -1
  6. package/nuxt-base-template/CLAUDE.md +29 -25
  7. package/nuxt-base-template/package.json +36 -34
  8. package/nuxt-base-template/pnpm-lock.yaml +1719 -1536
  9. package/package.json +11 -5
package/.claude/agent-memory/lt-dev-npm-package-maintainer/MEMORY.md ADDED
@@ -0,0 +1,4 @@
1
+ # lt-dev-npm-package-maintainer Memory
2
+
3
+ - [Override Safety Rule](feedback_override_safety.md) — All pnpm.overrides targets MUST use fixed versions (no `>=`, `^`, `~`)
4
+ - [Project Structure](project_structure.md) — Two-level package.json structure: root (create-nuxt-base) + nuxt-base-template/
package/.claude/agent-memory/lt-dev-npm-package-maintainer/feedback_override_safety.md ADDED
@@ -0,0 +1,13 @@
1
+ ---
2
+ name: Override Safety Rule
3
+ description: All pnpm.overrides targets must use fixed versions, never unbounded ranges
4
+ type: feedback
5
+ ---
6
+
7
+ All `pnpm.overrides` target values (right-hand side) MUST be fixed versions — never `>=X`, `^X`, `~X`, or `*`.
8
+
9
+ **Why:** In April 2026 an unbounded override `"vite@>=7.0.0 <=7.3.1": ">=7.3.2"` caused pnpm to install `vite@8.0.8` (major version jump), breaking peer dependencies in `@nuxt/test-utils`, dropping `drizzle-orm` from `better-auth`, and causing 13 e2e test regressions.
10
+
11
+ **How to apply:** When writing or reviewing overrides, always pin to a specific version like `"7.3.2"`. The selector on the LEFT can use ranges (to scope which vulnerable versions are replaced); the value on the RIGHT must be exact.
12
+
13
+ Before this maintenance session (2026-04-17) ALL overrides in nuxt-base-template/package.json had unbounded targets (`>=X`). They were all fixed to exact version strings.
package/.claude/agent-memory/lt-dev-npm-package-maintainer/project_structure.md ADDED
@@ -0,0 +1,22 @@
1
+ ---
2
+ name: Project Structure
3
+ description: nuxt-base-starter has two-level package.json structure requiring checks in both locations
4
+ type: project
5
+ ---
6
+
7
+ This repo has TWO package.json files requiring maintenance:
8
+
9
+ 1. **Root** `/package.json` (package: `create-nuxt-base` v2.6.0+)
10
+ - `dependencies`: cross-spawn, fs-extra (used by index.js scaffolding tool)
11
+ - `devDependencies`: oxfmt, standard-version
12
+ - Has its own `pnpm.overrides` for standard-version's transitive deps (handlebars, lodash, brace-expansion, minimatch)
13
+
14
+ 2. **Template** `/nuxt-base-template/package.json` (the actual Nuxt app template)
15
+ - The bulk of the packages live here
16
+ - `dependencies`: better-auth, @better-auth/passkey, @lenne.tech/nuxt-extensions, @nuxt/ui, tus-js-client, valibot, qrcode, etc.
17
+ - `devDependencies`: nuxt, vitest, playwright, @nuxtjs/seo, typescript, etc.
18
+ - Has extensive `pnpm.overrides` for security CVEs
19
+
20
+ The `check` script in root runs `cd nuxt-base-template && pnpm run check` which covers: audit + format + lint + unit tests + build + server-start verification.
21
+
22
+ **Why:** Maintained as 2026-04-17. The structure ensures the scaffolding tool (root) and the generated project (template) are independently versioned.
package/CHANGELOG.md CHANGED
@@ -2,12 +2,20 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4
4
 
5
- ## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
5
+ ### [2.6.2](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.1...v2.6.2) (2026-04-17)
6
+
7
+
8
+ ### Bug Fixes
6
9
 
10
+ * **deps:** sync pnpm-lock.yaml with pinned overrides ([26cf45d](https://github.com/lenneTech/nuxt-base-starter/commit/26cf45dad735f2ab9ba4f2e9f0870e3cc04c67e7))
11
+
12
+ ### [2.6.1](https://github.com/lenneTech/nuxt-base-starter/compare/v2.6.0...v2.6.1) (2026-04-17)
13
+
14
+ ## [2.6.0](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.3...v2.6.0) (2026-04-17)
7
15
 
8
16
  ### Features
9
17
 
10
- * **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
18
+ - **template:** harden check script with server-start verification and document vendor-mode workflow ([6521650](https://github.com/lenneTech/nuxt-base-starter/commit/65216500261c846a87c66f0cb7a1170a3d0ed2b9))
11
19
 
12
20
  ### [2.5.3](https://github.com/lenneTech/nuxt-base-starter/compare/v2.5.2...v2.5.3) (2026-04-06)
13
21
 
package/nuxt-base-template/.nuxtrc CHANGED
@@ -1 +1 @@
1
- setups.@nuxt/test-utils="4.0.0"
1
+ setups.@nuxt/test-utils="4.0.2"
package/nuxt-base-template/CLAUDE.md CHANGED
@@ -134,31 +134,35 @@ Key rule: Never manually write to the `lt-auth-state` cookie from custom middlew
134
134
 
135
135
  The `pnpm.overrides` in `package.json` force vulnerable transitive dependencies to patched versions. Each override addresses a specific CVE or security advisory:
136
136
 
137
- | Override | Advisory | Notes |
138
- | -------------------------------- | ------------------- | ----------------------------------------------------------------------------------- |
139
- | `@hono/node-server@<1.19.10` | GHSA-7256-2wf4-hf2r | Request smuggling |
140
- | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
141
- | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
142
- | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
143
- | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
144
- | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
145
- | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
146
- | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
147
- | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
148
- | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
149
- | `hono@<4.12.7` | GHSA-rp6g-89hg-4gfv | SSRF via host header |
150
- | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
151
- | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
152
- | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
153
- | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
154
- | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
155
- | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
156
- | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
157
- | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
158
- | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
159
- | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
160
- | `unhead@<=2.1.10` | GHSA-gxhp-jfhg-5fv8 | XSS via meta tags |
161
- | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
137
+ All override targets use fixed versions (not ranges) to prevent silent major-version jumps. See TurboOps incident (April 2026) in the agent memory for context.
138
+
139
+ | Override | Advisory | Notes |
140
+ | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
141
+ | `@hono/node-server@<1.19.14` | GHSA-7256-2wf4-hf2r, GHSA-92pp-h63x-v22m | Request smuggling + middleware bypass via repeated slashes |
142
+ | `brace-expansion@>=2.0.0 <2.0.3` | GHSA-f886-m6hf-6m8v | ReDoS via zero-step sequences |
143
+ | `brace-expansion@>=4.0.0 <5.0.5` | GHSA-f886-m6hf-6m8v | Same advisory, 5.x range |
144
+ | `drizzle-orm@<0.45.2` | GHSA-gpj5-g38j-94v9 | SQL injection via improperly escaped identifiers; transitive via @nuxtjs/seo>nuxt-link-checker>unstorage>db0 |
145
+ | `readdir-glob@<2.0.3` | (transitive) | Forces minimatch upgrade for brace-expansion fix |
146
+ | `defu@<=6.1.4` | GHSA-mchp-fgcf-hmfj | Prototype pollution |
147
+ | `devalue@<=5.6.3` | GHSA-77p6-w3v8-rqwf | XSS via crafted input |
148
+ | `effect@<3.20.0` | GHSA-j44v-mmf2-xvm9 | Denial of service |
149
+ | `h3@<1.15.9` | GHSA-wr4h-v87w-p3r7 | Path traversal |
150
+ | `h3@>=2.0.0-0 <2.0.1-rc.18` | GHSA-q5pr-72pq-83v3 | Cookie DoS + SSE injection |
151
+ | `h3-next` | (alias fix) | `@nuxt/test-utils` pins h3-next to vulnerable RC; remove when h3 v2 stable releases |
152
+ | `hono@<4.12.14` | GHSA-rp6g-89hg-4gfv, GHSA-26pp-8wgv-hjvm, GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-xpcf-pg52-r92g, GHSA-458j-xx4x-4375 | SSRF, cookie validation, IP bypass, JSX injection |
153
+ | `kysely@>=0.26.0 <=0.28.13` | GHSA-4hxq-5gxr-453h | SQL injection |
154
+ | `lodash@>=4.0.0 <=4.17.23` | GHSA-x5rq-j2xg-h7qm | Prototype pollution |
155
+ | `minimatch@>=9.0.0 <9.0.7` | GHSA-f886-m6hf-6m8v | ReDoS via brace-expansion |
156
+ | `node-forge@<1.4.0` | GHSA-997c-fj8j-rq5h | RSA signature forgery |
157
+ | `picomatch@<2.3.2` | GHSA-26j4-r882-m4jm | ReDoS |
158
+ | `picomatch@>=4.0.0 <4.0.4` | GHSA-26j4-r882-m4jm | Same advisory, 4.x range |
159
+ | `rollup@>=4.0.0 <4.59.0` | GHSA-gcx4-mw62-g3rm | DOM clobbering in output |
160
+ | `serialize-javascript@<=7.0.4` | GHSA-cqmj-v5x6-4hg7 | XSS via crafted object |
161
+ | `srvx@<0.11.13` | GHSA-4r4v-8rg6-5crc | Open redirect |
162
+ | `tar@<=7.5.10` | GHSA-jg7w-cxjv-98c2 | Path traversal |
163
+ | `unhead@<=2.1.12` | GHSA-gxhp-jfhg-5fv8, GHSA-95h2-gj7x-gx9w | XSS via meta tags + hasDangerousProtocol() bypass via leading-zero padded HTML entities |
164
+ | `vite@>=7.0.0 <7.3.2` | GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9 | fs.deny bypass, arbitrary file read via WebSocket, path traversal in .map |
165
+ | `yaml@>=2.0.0 <2.8.3` | GHSA-4hm9-844j-jmxp | Code execution via crafted YAML |
162
166
 
163
167
  The `ignoredOptionalDependencies` block suppresses 30 platform-specific native binaries (`@img/sharp-*`, `@resvg/resvg-js-*`) that are pulled in by `@nuxtjs/seo` 5.x's OG image engine. Only the host-platform binary is needed at build time.
164
168
 
package/nuxt-base-template/package.json CHANGED
@@ -48,35 +48,35 @@
48
48
  "fix": "pnpm run lint:fix && pnpm run format"
49
49
  },
50
50
  "dependencies": {
51
- "@better-auth/passkey": "1.5.6",
51
+ "@better-auth/passkey": "1.6.5",
52
52
  "@lenne.tech/bug.lt": "latest",
53
53
  "@lenne.tech/nuxt-extensions": "1.5.3",
54
54
  "@nuxt/image": "2.0.0",
55
55
  "@nuxt/ui": "4.6.1",
56
56
  "@pinia/nuxt": "0.11.3",
57
57
  "@vueuse/nuxt": "14.2.1",
58
- "better-auth": "1.5.6",
58
+ "better-auth": "1.6.5",
59
59
  "qrcode": "1.5.4",
60
60
  "tus-js-client": "4.3.1",
61
61
  "valibot": "1.3.1"
62
62
  },
63
63
  "devDependencies": {
64
- "@hey-api/openapi-ts": "0.95.0",
65
- "@iconify-json/lucide": "1.2.101",
64
+ "@hey-api/openapi-ts": "0.96.0",
65
+ "@iconify-json/lucide": "1.2.102",
66
66
  "@nuxt/devtools": "3.2.4",
67
- "@nuxt/test-utils": "4.0.0",
67
+ "@nuxt/test-utils": "4.0.2",
68
68
  "@nuxtjs/plausible": "3.0.2",
69
- "@nuxtjs/seo": "5.1.0",
69
+ "@nuxtjs/seo": "5.1.3",
70
70
  "@playwright/test": "1.59.1",
71
71
  "@tailwindcss/typography": "0.5.19",
72
72
  "@tailwindcss/vite": "4.2.2",
73
- "@types/node": "25.5.2",
73
+ "@types/node": "25.6.0",
74
74
  "@types/qrcode": "1.5.6",
75
- "@vitejs/plugin-vue": "6.0.5",
75
+ "@vitejs/plugin-vue": "6.0.6",
76
76
  "@vue/test-utils": "2.4.6",
77
77
  "dayjs-nuxt": "2.1.11",
78
- "happy-dom": "20.8.9",
79
- "jsdom": "29.0.1",
78
+ "happy-dom": "20.9.0",
79
+ "jsdom": "29.0.2",
80
80
  "lint-staged": "16.4.0",
81
81
  "mongodb": "7.1.1",
82
82
  "nuxt": "4.4.2",
@@ -85,8 +85,8 @@
85
85
  "rimraf": "6.1.3",
86
86
  "simple-git-hooks": "2.13.1",
87
87
  "tailwindcss": "4.2.2",
88
- "typescript": "6.0.2",
89
- "vitest": "4.1.2"
88
+ "typescript": "6.0.3",
89
+ "vitest": "4.1.4"
90
90
  },
91
91
  "simple-git-hooks": {
92
92
  "pre-commit": "npx lint-staged",
@@ -146,29 +146,31 @@
146
146
  "vue-demi"
147
147
  ],
148
148
  "overrides": {
149
- "@hono/node-server@<1.19.10": ">=1.19.10",
150
- "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3",
151
- "brace-expansion@>=4.0.0 <5.0.5": ">=5.0.5",
152
- "readdir-glob@<2.0.3": ">=2.0.3",
153
- "defu@<=6.1.4": ">=6.1.5",
154
- "devalue@<=5.6.3": ">=5.6.4",
155
- "effect@<3.20.0": ">=3.20.0",
156
- "h3@<1.15.9": ">=1.15.9",
157
- "h3@>=2.0.0-0 <2.0.1-rc.18": ">=2.0.1-rc.18",
149
+ "@hono/node-server@<1.19.14": "1.19.14",
150
+ "brace-expansion@>=2.0.0 <2.0.3": "2.1.0",
151
+ "brace-expansion@>=4.0.0 <5.0.5": "5.0.5",
152
+ "drizzle-orm@<0.45.2": "0.45.2",
153
+ "readdir-glob@<2.0.3": "3.0.0",
154
+ "defu@<=6.1.4": "6.1.7",
155
+ "devalue@<=5.6.3": "5.7.1",
156
+ "effect@<3.20.0": "3.21.0",
157
+ "h3@<1.15.9": "1.15.11",
158
+ "h3@>=2.0.0-0 <2.0.1-rc.18": "2.0.1-rc.20",
158
159
  "h3-next": "npm:h3@2.0.1-rc.20",
159
- "hono@<4.12.7": ">=4.12.7",
160
- "kysely@>=0.26.0 <=0.28.13": ">=0.28.14",
161
- "lodash@>=4.0.0 <=4.17.23": ">=4.18.0",
162
- "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
163
- "node-forge@<1.4.0": ">=1.4.0",
164
- "picomatch@<2.3.2": ">=2.3.2",
165
- "picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
166
- "rollup@>=4.0.0 <4.59.0": ">=4.59.0",
167
- "serialize-javascript@<=7.0.4": ">=7.0.5",
168
- "srvx@<0.11.13": ">=0.11.13",
169
- "tar@<=7.5.10": ">=7.5.11",
170
- "unhead@<=2.1.10": ">=2.1.11",
171
- "yaml@>=2.0.0 <2.8.3": ">=2.8.3"
160
+ "hono@<4.12.14": "4.12.14",
161
+ "kysely@>=0.26.0 <=0.28.13": "0.28.16",
162
+ "lodash@>=4.0.0 <=4.17.23": "4.18.1",
163
+ "minimatch@>=9.0.0 <9.0.7": "9.0.9",
164
+ "node-forge@<1.4.0": "1.4.0",
165
+ "picomatch@<2.3.2": "2.3.2",
166
+ "picomatch@>=4.0.0 <4.0.4": "4.0.4",
167
+ "rollup@>=4.0.0 <4.59.0": "4.60.1",
168
+ "serialize-javascript@<=7.0.4": "7.0.5",
169
+ "srvx@<0.11.13": "0.11.15",
170
+ "tar@<=7.5.10": "7.5.13",
171
+ "unhead@<=2.1.12": "2.1.13",
172
+ "vite@>=7.0.0 <7.3.2": "7.3.2",
173
+ "yaml@>=2.0.0 <2.8.3": "2.8.3"
172
174
  }
173
175
  }
174
176
  }