Bump the non-breaking group across 1 directory with 11 updates

[dependabot]

Bumps the non-breaking group with 10 updates in the / directory:

Package	From	To
nuxt	4.4.6	4.4.7
nuxt-swiper	2.0.1	2.0.2
@playwright/test	1.59.1	1.60.0
@types/node	25.6.2	25.9.1
@vitest/coverage-istanbul	4.1.5	4.1.8
eslint-plugin-prettier	5.5.5	5.5.6
playwright-core	1.59.1	1.60.0
postcss-preset-env	11.2.1	11.3.0
vitest	4.1.5	4.1.8
vue-tsc	3.2.8	3.3.3

Updates nuxt from 4.4.6 to 4.4.7

Release notes

Sourced from nuxt's releases.

v4.4.7

4.4.7 is the a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#35152)
• nuxt: Handle missing payload in chunkError listener (#35155)
• nuxt: Await in-lifght template generation when closing nuxt (#35181)
• nuxt: Clarify page and layout usage warnings (#35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#35205)
• nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
• nuxt: Prevent server-only page island from recursing via <NuxtPage> (#35198)
• rspack,webpack: Require loopback host when missing same-origin signals (#35200)
• nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
• nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
• kit: Improve TS extension stripping/substitutions (#35233)
• nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• nuxt: Escape <NoScript> slot content (4b054e9d9)
• nuxt: Match route rules case-insensitively to mirror vue-router (07e39cd6f)
• nuxt: Reject script-capable protocols in <NuxtLink> href (0103ce06f)
• nuxt: Block path-normalization open redirect in navigateTo (2cce6fb02)
• nuxt: Reject cross-origin paths in reloadNuxtApp (e447a793c)
• vite: Bind vite-node IPC to a permissioned filesystem socket (1f9f4767a)

💅 Refactors

• kit,nuxt,vite: Use es2023 array methods (#34980)
• nuxt: Replace runInNewContext with AST walker (d72a89ef4)

📖 Documentation

• Document vite client and server options (#35090)
• Add dedicated module dependencies page (#35171)
• Add nodeTsConfig and sharedTsConfig options (#35231)
• Edit for clarity and grammar (#35214)

🏡 Chore

• Use execFileSync for safety in release scripts (1d7baaf01)
• Assert there is always a tag (e98c47c3c)

... (truncated)

Commits

• b7d5790 v4.4.7
• dbc5896 chore: lint
• e447a79 fix(nuxt): reject cross-origin paths in reloadNuxtApp
• d72a89e refactor(nuxt): replace runInNewContext with AST walker
• 2cce6fb fix(nuxt): block path-normalization open redirect in navigateTo
• 0103ce0 fix(nuxt): reject script-capable protocols in \<NuxtLink> href
• 07e39cd fix(nuxt): match route rules case-insensitively to mirror vue-router
• 4b054e9 fix(nuxt): escape \<NoScript> slot content
• 03d83bf fix(nuxt): preserve .d.mts/.d.cts in resolveTypePaths (#35235)
• 46960b2 fix(nuxt): escape props in \<NuxtClientFallback> ssr output (#35199)
• Additional commits viewable in compare view

Updates nuxt-swiper from 2.0.1 to 2.0.2

Release notes

Sourced from nuxt-swiper's releases.

v2.0.2

[!WARNING] Security: recommended update. This release bumps the bundled Swiper dependency to a version that patches a critical prototype pollution vulnerability — GHSA-hmx5-qpq5-p643 / CVE-2026-27212 (CVSS 9.4 / Critical). All nuxt-swiper versions prior to v2.0.2 depend on swiper@^11.2.6, which falls in the vulnerable range (>= 6.5.1, < 12.1.2). Upgrading to this release pulls in swiper@^12.1.4, which is patched.

🔒 Security

• swiper: upgrade to ^12.1.4 to patch prototype pollution via swiper.extendDefaults() (GHSA-hmx5-qpq5-p643 / CVE-2026-27212, CVSS 9.4). The upstream fix landed in swiper@12.1.2. The vulnerability allowed bypassing the forbidden-key check in shared/utils.mjs by overriding Array.prototype.indexOf, enabling Object.prototype pollution and — depending on consumer code — auth bypass, DoS, or RCE.

✨ Features

• module: pre-bundle swiper/element (or swiper/element/bundle when bundled: true) via Vite optimizeDeps.include. Eliminates Vite's runtime "new dependencies discovered" warning and the dev-server page reload it triggers.

🔄 Compatibility

This is a major upstream Swiper bump (v11 → v12), but the surface nuxt-swiper exposes is unchanged:

• <swiper-container> / <swiper-slide> custom elements work as before.
• The bundled module option and the useSwiper() composable are unchanged.
• Upstream changes in v12 are scoped to internals + CSS (LESS/SCSS dropped in favor of CSS; SVG icons for navigation). If you were importing swiper/less or swiper/scss paths directly in your app, switch to the CSS equivalents. See the Swiper v12 release notes.

✅ Action required

Run your package manager's install command after upgrading to make sure no other dependency is pinning a vulnerable Swiper version:

pnpm up nuxt-swiper
pnpm why swiper   # confirm only swiper@>=12.1.2 is resolved

Full Changelog: cpreston321/nuxt-swiper@v2.0.1...v2.0.2

Commits

• eaee815 chore(release): v2.0.2
• 9a5dfc3 update and release
• See full diff in compare view

Updates vue from 3.5.34 to 3.5.35

Release notes

Sourced from vue's releases.

v3.5.35

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Changelog

Sourced from vue's changelog.

3.5.35 (2026-05-27)

Bug Fixes

• compiler-core: avoid double processing v-for keys with v-memo (#14861) (34a0ded), closes #14859
• compiler-sfc: resolve top-level exports from files registered as global types (#14805) (3d077f2), closes nuxt/nuxt#33694
• runtime-core: avoid repeated hydration mismatch checks (#14857) (170fc95), closes #14855
• runtime-core: skip idle persisted transition hooks in keep-alive moves (#14865) (80fc139), closes #14031
• server-renderer: propagate sync errors from ssrRenderSuspense (#14804) (4760997), closes nuxt/nuxt#28162
• teleport: skip child unmount when pending mount discarded (#14876) (#14877) (584beb1)

Performance Improvements

• reactivity: skip type checks for cached proxies (#14860) (5734fe9)
• runtime-dom: optimize array event handler dispatch (#14828) (bb18dc8)
• server-renderer: avoid materializing iterables in ssrRenderList (#14821) (1b7a2cc)

Commits

• 8be32d6 release: v3.5.35
• 80fc139 fix(runtime-core): skip idle persisted transition hooks in keep-alive moves (...
• d6c7371 ci: use backup action for size report comments
• bb18dc8 perf(runtime-dom): optimize array event handler dispatch (#14828)
• 5734fe9 perf(reactivity): skip type checks for cached proxies (#14860)
• 584beb1 fix(teleport): skip child unmount when pending mount discarded (#14876) (#14877)
• 34a0ded fix(compiler-core): avoid double processing v-for keys with v-memo (#14861)
• 170fc95 fix(runtime-core): avoid repeated hydration mismatch checks (#14857)
• 1b7a2cc perf(server-renderer): avoid materializing iterables in ssrRenderList (#14821)
• 3d077f2 fix(compiler-sfc): resolve top-level exports from files registered as global ...
• Additional commits viewable in compare view

Updates @playwright/test from 1.59.1 to 1.60.0

Release notes

Sourced from @​playwright/test's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates @types/node from 25.6.2 to 25.9.1

Commits

• See full diff in compare view

Updates @vitest/coverage-istanbul from 4.1.5 to 4.1.8

Release notes

Sourced from @​vitest/coverage-istanbul's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• See full diff in compare view

Updates eslint-plugin-prettier from 5.5.5 to 5.5.6

Release notes

Sourced from eslint-plugin-prettier's releases.

v5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Changelog

Sourced from eslint-plugin-prettier's changelog.

5.5.6

Patch Changes

• #791 b5c96a3 Thanks @​JounQin! - chore: bump all (dev)Dependencies

Commits

• 4f33ea5 chore: release eslint-plugin-prettier (#792)
• 4745b54 ci: declare workflow-level contents: read on 2 workflows (#790)
• b5c96a3 chore: bump all (dev)Dependencies (#791)
• e867680 chore(deps): update all dependencies (#766)
• e8e2f7f chore: testing eslint v10 (#779)
• ca076d9 chore: update dev dependencies (#780)
• 42e6369 build(deps): Bump the actions group with 2 updates (#778)
• 53ff214 Remove empty NPM_TOKEN from release.yml
• See full diff in compare view

Updates playwright-core from 1.59.1 to 1.60.0

Release notes

Sourced from playwright-core's releases.

v1.60.0

🌐 HAR recording on Tracing

tracing.startHar() / tracing.stopHar() expose HAR recording as a first-class tracing API, with the same content, mode and urlFilter options as recordHar. The returned Disposable makes it easy to scope a recording with await using:

await using har = await context.tracing.startHar('trace.har');
const page = await context.newPage();
await page.goto('https://playwright.dev');
// HAR is finalized when `har` goes out of scope.

🪝 Drop API

New locator.drop() simulates an external drag-and-drop of files or clipboard-like data onto an element. Playwright dispatches dragenter, dragover, and drop with a synthetic [DataTransfer] in the page context — works cross-browser and is great for testing upload zones:

await page.locator('#dropzone').drop({
  files: { name: 'note.txt', mimeType: 'text/plain', buffer: Buffer.from('hello') },
});
await page.locator('#dropzone').drop({
data: {
'text/plain': 'hello world',
'text/uri-list': 'https://example.com',
},
});

🎯 Aria snapshots

• expect(page).toMatchAriaSnapshot() now works on a Page, in addition to a Locator — equivalent to asserting against page.locator('body').
• New boxes option on locator.ariaSnapshot() / page.ariaSnapshot() appends each element's bounding box as [box=x,y,width,height], useful for AI consumption.

🛑 test.abort()

New test.abort() aborts the currently running test from a fixture, hook, or route handler with an optional message. Use it when you have detected an unrecoverable misuse and want to fail the test right away:

test('does not publish to the shared page', async ({ page }) => {
  await page.route('**/publish', route => {
    test.abort('Tests must not publish to the shared page. Use the `clone` option.');
    return route.abort();
  });
  // ...
});

New APIs

Browser, Context and Page

... (truncated)

Commits

• 87bb9dd cherry-pick(#40747): fix(yauzl): vendor yauzl with destroy-lifecycle fix
• 9a9c51c cherry-pick(#40733): chore(electron): revert #40184 (move Electron API to a s...
• 4b3b628 cherry-pick(#40736): Revert "feat(electron): add timeout option to electronAp...
• f869f96 chore: bump version to v1.60.0 (#40714)
• 7eb6918 cherry-pick(#40710): docs: release notes v1.60
• 118d2aa cherry-pick(#40693): chore(python): formdata path type
• 54012f5 chore(deps): bump ip-address and express-rate-limit (#40680)
• 9fa531d fix(screencast): unblock frame ack when an async client disconnects (#40674)
• 3649db5 chore(mcp): bump default extension protocol to v2 (#40678)
• bb6c009 chore(extension): mark 0.2.1 (#40679)
• Additional commits viewable in compare view

Updates postcss-preset-env from 11.2.1 to 11.3.0

Changelog

Sourced from postcss-preset-env's changelog.

11.3.0

May 13, 2026

• Added @csstools/postcss-container-rule-prelude-list Check the plugin README for usage details.
• Added @csstools/postcss-image-function Check the plugin README for usage details.
• Updated cssdb to 8.9.0

Commits

• See full diff in compare view

Updates vitest from 4.1.5 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

Commits

• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• See full diff in compare view

Updates vue-tsc from 3.2.8 to 3.3.3

Release notes

Sourced from vue-tsc's releases.

v3.3.3

vscode

• fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
• fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

• fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.3.3 (2026-05-30)

vscode

• fix: prevent grammar scopes leakage in capitalized tags (#6073) - Thanks to @​KazariEX!
• fix: preserve TS auto imports behavior in Vue files (#6072) - Thanks to @​KazariEX!

workspace

• fix: read PR title from env in auto-version workflow to prevent injection (#6074) - Thanks to @​arpitjain099!

3.3.2 (2026-05-25)

language-core

• feat: preserve literal types for inline v-for sources (#6067) - Thanks to @​kkesidis!
• fix: align v-bind shorthand identifier skipping with interpolation - Thanks to @​KazariEX!

vscode

• feat: transform tsserver content (#6062) - Thanks to @​KazariEX!
• fix: do not mark trailing slash in capitalized self-closing tags as invalid (#6065) - Thanks to @​suisanka!

3.3.1 (2026-05-19)

language-core

• fix: avoid extraneous children error for conditional slots (#6056) - Thanks to @​KazariEX!

language-service

• refactor: replace scanner-based missing props hints detection with AST traversal - Thanks to @​KazariEX!

typescript-plugin

• fix: get component prop details from symbols - Thanks to @​KazariEX!
• fix: skip unchecked JS identifiers in component props (#6055) - Thanks to @​KazariEX!

vscode

• fix: resolve typescript plugin path from resolved server path (#6058) - Thanks to @​KazariEX!

3.3.0 (2026-05-18)

language-core

• feat: check required fallthrough attributes (#6049) - Thanks to @​KazariEX!
• fix: penetrate v-if branch fragments when collecting single root nodes - Thanks to @​KazariEX!
• refactor: rename Sfc APIs to IR - Thanks to @​KazariEX!

... (truncated)

Commits

• 5c41b5f v3.3.3 (#6079)
• 7a00047 v3.3.2 (#6068)
• 9109bf3 v3.3.1 (#6059)
• 1088dce v3.3.0 (#6052)
• c8e90e4 v3.2.9 (#6045)
• ae6f658 chore: refine package publish file lists
• 2d029c7 chore: bump deps
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions