Bump the non-breaking group across 1 directory with 12 updates

[dependabot]

Bumps the non-breaking group with 11 updates in the / directory:

Package	From	To
nuxt	4.4.6	4.4.7
nuxt-swiper	2.0.1	2.0.2
@playwright/test	1.59.1	1.60.0
@types/node	25.6.2	25.9.1
@vitest/coverage-istanbul	4.1.5	4.1.8
eslint-plugin-prettier	5.5.5	5.5.6
playwright-core	1.59.1	1.60.0
postcss	8.5.14	8.5.15
postcss-preset-env	11.2.1	11.3.0
vitest	4.1.5	4.1.8
vue-tsc	3.2.8	3.3.3

Updates nuxt from 4.4.6 to 4.4.7

Release notes

Sourced from nuxt's releases.

v4.4.7

4.4.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#35152)
• nuxt: Handle missing payload in chunkError listener (#35155)
• nuxt: Await in-lifght template generation when closing nuxt (#35181)
• nuxt: Clarify page and layout usage warnings (#35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#35205)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
• nuxt: Prevent server-only page island from recursing via <NuxtPage> (#35198)
• rspack,webpack: Require loopback host when missing same-origin signals (#35200)
• nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
• kit: Improve TS extension stripping/substitutions (#35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• nuxt: Escape <NoScript> slot content (4b054e9d9)
• nuxt: Match route rules case-insensitively to mirror vue-router (07e39cd6f)
• nuxt: Reject script-capable protocols in <NuxtLink> href (0103ce06f)
• nuxt: Block path-normalization open redirect in navigateTo (2cce6fb02)
• nuxt: Reject cross-origin paths in reloadNuxtApp (e447a793c)
• vite: Bind vite-node IPC to a permissioned filesystem socket (1f9f4767a)

💅 Refactors

• kit,nuxt,vite: Use es2023 array methods (#34980)
• nuxt: Replace runInNewContext with AST walker (d72a89ef4)

📖 Documentation

• Document vite client and server options (#35090)
• Add dedicated module dependencies page (#35171)
• Add nodeTsConfig and sharedTsConfig options (#35231)
• Edit for clarity and grammar (#35214)

🏡 Chore

• Use execFileSync for safety in release scripts (1d7baaf01)
• Assert there is always a tag (e98c47c3c)

... (truncated)

Commits

• b7d5790 v4.4.7
• dbc5896 chore: lint
• e447a79 fix(nuxt): reject cross-origin paths in reloadNuxtApp
• d72a89e refactor(nuxt): replace runInNewContext with AST walker
• 2cce6fb fix(nuxt): block path-normalization open redirect in navigateTo
• 0103ce0 fix(nuxt): reject script-capable protocols in \<NuxtLink> href
• 07e39cd fix(nuxt): match route rules case-insensitively to mirror vue-router
• 4b054e9 fix(nuxt): escape \<NoScript> slot content
• 03d83bf fix(nuxt): preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• 46960b2 fix(nuxt): escape props in \<NuxtClientFallback> ssr output (#35199)
• Additional commits viewable in compare view

Updates nuxt-swiper from 2.0.1 to 2.0.2

Release notes

Sourced from nuxt-swiper's releases.

v2.0.2

[!WARNING] Security: recommended update. This release bumps the bundled Swiper dependency to a version that patches a critical prototype pollution vulnerability — GHSA-hmx5-qpq5-p643 / CVE-2026-27212 (CVSS 9.4 / Critical). All nuxt-swiper versions prior to v2.0.2 depend on swiper@^11.2.6, which falls in the vulnerable range (>= 6.5.1, < 12.1.2). Upgrading to this release pulls in swiper@^12.1.4, which is patched.

🔒 Security

• swiper: upgrade to ^12.1.4 to patch prototype pollution via swiper.extendDefaults() (GHSA-hmx5-qpq5-p643 / CVE-2026-27212, CVSS 9.4). The upstream fix landed in swiper@12.1.2. The vulnerability allowed bypassing the forbidden-key check in shared/utils.mjs by overriding Array.prototype.indexOf, enabling Object.prototype pollution and — depending on consumer code — auth bypass, DoS, or RCE.

✨ Features

• module: pre-bundle swiper/element (or swiper/element/bundle when bundled: true) via Vite optimizeDeps.include. Eliminates Vite's runtime "new dependencies discovered" warning and the dev-server page reload it triggers.

🔄 Compatibility

This is a major upstream Swiper bump (v11 → v12), but the surface nuxt-swiper exposes is unchanged:

• <swiper-container> / <swiper-slide> custom elements work as before.
• The bundled module option and the useSwiper() composable are unchanged.
• Upstream changes in v12 are scoped to internals + CSS (LESS/SCSS dropped in favor of CSS; SVG icons for navigation). If you were importing swiper/less or swiper/scss paths directly in your app, switch to the CSS equivalents. See the Swiper v12 release notes.

✅ Action required

Run your package manager's install command after upgrading to make sure no other dependency is pinning a vulnerable Swiper version:

pnpm up nuxt-swiper
pnpm why swiper   # confirm only swiper@>=12.1.2 is resolved

Full Changelog: cpreston321/nuxt-swiper@v2.0.1...v2.0.2

Commits

• eaee815 chore(release): v2.0.2
• 9a5dfc3 update and release
• See full diff in compare view

Updates vue from 3.5.34 to 3.5.35

Release notes

Sourced from vue's releases.

v3.5.35

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.35 (2026-05-27)

Bug Fixes

• compiler-core: avoid double processing v-for keys with v-memo (#14861) (34a0ded), closes #14859
• compiler-sfc: resolve top-level exports from files registered as global types (#14805) (3d077f2), closes nuxt/nuxt#33694
• runtime-core: avoid repeated hydration mismatch checks (#14857) (170fc95), closes #14855
• runtime-core: skip idle persisted transition hooks in keep-alive moves (#14865) (80fc139), closes #14031
• server-renderer: propagate sync errors from ssrRenderSuspense (#14804) (4760997), closes nuxt/nuxt#28162
• teleport: skip child unmount when pending mount discarded (#14876) (#14877) (584beb1)

Performance Improvements

• reactivity: skip type checks for cached proxies (#14860) (5734fe9)
• runtime-dom: optimize array event handler dispatch (#14828) (bb18dc8)
• server-renderer: avoid materializing iterables in ssrRenderList (#14821) (1b7a2cc)

Commits

• 8be32d6 release: v3.5.35
• 80fc139 fix(runtime-core): skip idle persisted transition hooks in keep-alive moves (...
• d6c7371 ci: use backup action for size report comments
• bb18dc8 perf(runtime-dom): optimize array event handler dispatch (#14828)
• 5734fe9 perf(reactivity): skip type checks for cached proxies (#14860)
• 584beb1 fix(teleport): skip child unmount when pending mount discarded (#14876) (#14877)
• 34a0ded fix(compiler-core): avoid double processing v-for keys with v-memo (#14861)
• 170fc95 fix(runtime-core): avoid repeated hydration mismatch checks (#14857)
• 1b7a2cc perf(server-renderer): avoid materializing iterables in ssrRenderList (#14821)
• 3d077f2 fix(compiler-sfc): resolve top-level exports from files registered as global ...
• Additional commits viewable in compare view

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.9.1

Commits

• See full diff in compare view

Updates @vitest/coverage-istanbul from 4.1.5 to 4.1.8

Release notes

Sourced from @​vitest/coverage-istanbul's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates eslint-plugin-prettier from 5.5.5 to 5.5.6

Release notes

Sourced from eslint-plugin-prettier's releases.

v5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Changelog

Sourced from eslint-plugin-prettier's changelog.

5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Commits

• 4f33ea5 chore: release eslint-plugin-prettier (#792)
• 4745b54 ci: declare workflow-level contents: read on 2 workflows (#790)
• b5c96a3 chore: bump all (dev)Dependencies (#791)
• e867680 chore(deps): update all dependencies (#766)
• e8e2f7f chore: testing eslint v10 (#779)
• ca076d9 chore: update dev dependencies (#780)
• 42e6369 build(deps): Bump the actions group with 2 updates (#778)
• 53ff214 Remove empty NPM_TOKEN from release.yml
• See full diff in compare view

Updates playwright-core from 1.59.1 to 1.60.0

Release notes

Sourced from playwright-core's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates postcss from 8.5.14 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

Updates postcss-preset-env from 11.2.1 to 11.3.0

Changelog

Sourced from postcss-preset-env's changelog.

11.3.0

May 13, 2026

• Added @csstools/postcss-container-rule-prelude-list Check the plugin README for usage details.
• Added @csstools/postcss-image-function Check the plugin README for usage details.
• Updated cssdb to 8.9.0

Commits

• See full diff in compare view

Updates vitest from 4.1.5 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• See full diff in compare view

Updates vue-tsc from 3.2.8 to 3.3.3

Release notes

Sourced from vue-tsc's releases.

v3.3.3

vscode

• fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
• fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

• fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.3.3 (2026-05-30)

vscode

• fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
• fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

• fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

3.3.2 (2026-05-25)

language-core

• feat: preserve literal types for inline v-for sources (#6067) - Thanks to @​kkesidis!
• fix: align v-bind shorthand identifier skipping with interpolation - Thanks to @​KazariEX!

vscode

• feat: transform tsserver content (#6062) - Thanks to @​KazariEX!
• fix: do not mark trailing slash in capitalized self-closing tags as invalid (#6065) - Thanks to @​suisanka!

3.3.1 (2026-05-19)

language-core

• fix: avoid extraneous children error for conditional slots (#6056) - Thanks to @​KazariEX!

language-service

• refactor: replace scanner-based missing props hints detection with AST traversal - Thanks to @​KazariEX!

typescript-plugin

• fix: get component prop details from symbols - Thanks to @​KazariEX!
• fix: skip unchecked JS identifiers in component props (#6055) - Thanks to @​KazariEX!

vscode

• fix: resolve typescript plugin path from resolved server path (#6058) - Thanks to @​KazariEX!

3.3.0 (2026-05-18)

language-core

• feat: check required fallthrough attributes (#6049) - Thanks to @​KazariEX!
• fix: penetrate v-if branch fragments when collecting single root nodes - Thanks to @​KazariEX!
• refactor: rename Sfc APIs to IR - Thanks to @​KazariEX!

... (truncated)

Commits

• 5c41b5f v3.3.3 (#6079)
• 7a00047 v3.3.2 (#6068)
• 9109bf3 v3.3.1 (#6059)
• 1088dce v3.3.0 (#6052)
• c8e90e4 v3.2.9 (#6045)
• ae6f658 chore: refine package publish file lists
• 2d029c7 chore: bump deps
• See full diff in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.