chore(deps-dev): Bump nuxt from 3.17.7 to 3.21.7#21606

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/nuxt-3.21.7

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 17, 2026

Bumps nuxt from 3.17.7 to 3.21.7.

Release notes

Sourced from nuxt's releases.

v3.21.7

3.21.7 is a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

  • nitro: Assign noSSR before deciding payload extraction (#35108)
  • vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
  • nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
  • nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
  • nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
  • nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
  • vite: Resolve vite clientServer with ssr: false (#34959)
  • vite: Prefix public asset virtuals with null byte (38d330179)
  • nuxt: Handle missing payload in chunkError listener (#35155)
  • vite: Close vite dev server on nuxt close (d007d7060)
  • kit,nuxt: Handle cancelling prompts to install packages (59821a5ca)
  • nuxt: Await in-flight template generation when closing nuxt (#35181)
  • webpack: Surface compilation errors when stats.toString is empty (71dccff2b)
  • kit: Improve TS extension stripping/substitutions (#35233)
  • nuxt: Preserve .d.mts/.d.cts in resolveTypePaths (#35235)
  • nuxt: Reject prototype-chain keys in the island registry (#35205)
  • nitro: Gate chrome devtools workspace endpoint to local requests (#35201)
  • nuxt: Escape props in <NuxtClientFallback> ssr output (#35199)
  • nuxt: Apply isScriptProtocol guard to navigateTo open option (#35206)
  • rspack,webpack: Require loopback host when missing same-origin signals (#35200)
  • nuxt: Absolutely resolve defu in app config template (40bedf0db)
  • nuxt: Match route rules case-insensitively to mirror vue-router (3f3e3fa7b)
  • nuxt: Escape <NoScript> slot content (7fea9fd68)
  • nuxt: Block path-normalization open redirect in navigateTo (1f2dd5e78)
  • nuxt: Reject cross-origin paths in reloadNuxtApp (6497d99dd)
  • vite: Bind vite-node IPC to a permissioned filesystem socket (c293bf950)
  • nuxt: Reject script-capable protocols in <NuxtLink> href (53284043d)
  • nuxt: Clarify page and layout usage warnings (#35184)
  • nuxt: Do not absolutely resolve defu (d11d7b1b5)

📖 Documentation

  • Edit for clarity and grammar (#35214)
  • Add dedicated module dependencies page (#35171)

🏡 Chore

  • Use execFileSync for safety in release scripts (9a455a658)
  • Assert there is always a tag (8da21fba8)
  • Fix type in test (bc2837125)
  • Fix lychee dynamic composable exclude (#35119)
  • Add autofix action tag in comment (70eba297f)
  • Update renovate minimum release age (27a6821a1)

✅ Tests

  • Update test for js payload rendering (b51a80840)

... (truncated)

Commits
  • fd806be v3.21.7
  • d11d7b1 fix(nuxt): do not absolutely resolve defu
  • 13e177e fix(nuxt): clarify page and layout usage warnings (#35184)
  • 5328404 fix(nuxt): reject script-capable protocols in <NuxtLink> href
  • 6497d99 fix(nuxt): reject cross-origin paths in reloadNuxtApp
  • 1f2dd5e fix(nuxt): block path-normalization open redirect in navigateTo
  • 7fea9fd fix(nuxt): escape <NoScript> slot content
  • 3f3e3fa fix(nuxt): match route rules case-insensitively to mirror vue-router
  • 40bedf0 fix(nuxt): absolutely resolve defu in app config template
  • 62fc32e fix(nuxt): apply isScriptProtocol guard to navigateTo open option (#35206)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nuxt since your current version.


@dependabot dependabot Bot added the dependencies and javascript labels Jun 17, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 17, 2026 13:16
@dependabot dependabot Bot requested review from chargome and nicohrubec and removed request for a team June 17, 2026 13:16
Comment thread yarn.lock
@@ -30101,7 +31360,7 @@ vite@^5.0.0, vite@^5.4.11, vite@^5.4.21:
optionalDependencies:
fsevents "~2.3.3"

"vite@^5.0.0 || ^6.0.0 || ^7.0.0-0", vite@^6.3.5, vite@^6.4.1, vite@^6.4.2:
"vite@^5.0.0 || ^6.0.0 || ^7.0.0-0", vite@^6.4.1, vite@^6.4.2:
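Review bot: the only change in this hunk is the range-key line, which drops `vite@^6.3.5` and keeps `vite@^6.4.1, vite@^6.4.2` under the combined key; the entry's resolved `version` line sits outside the hunk, while the Semgrep finding on this same line (31363) reports it as below the 6.4.3 fix. Please confirm the resolved version under this key before merging: the remaining `^6.4.1`/`^6.4.2` ranges do admit 6.4.3, so if the lockfile still pins an older 6.4.x, re-resolving this entry (or a follow-up bump) closes the finding, and the stated trigger condition (dev server exposed with `--host` on Windows) should be checked either way.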

High severity vulnerability may affect your project—review required:
Line 31363 lists a dependency (vite) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like /.env::$DATA?raw, or 8.3 short filenames), allowing an attacker to read otherwise-denied files when the dev server is exposed to the network.

References: GHSA

To resolve this comment:
Check if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows.

  • If you're affected, upgrade this dependency to at least version 6.4.3 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
@@ -16104,6 +17005,38 @@ esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:
"@esbuild/win32-ia32" "0.25.12"
"@esbuild/win32-x64" "0.25.12"

esbuild@^0.27.0:
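Review bot: this hunk adds a second esbuild entry keyed `esbuild@^0.27.0` next to the existing `^0.25.x` entry, and the Semgrep finding on line 17008 says its resolved version is below the 0.28.1 fix. A caret range on a 0.x version stays within that minor line, so `^0.27.0` can never resolve to 0.28.1 and a plain lockfile refresh cannot clear this; run `yarn why esbuild` to see which package requests `^0.27.0` and whether a newer release of that package moves the range. For triage, the finding's own condition is invoking the Deno `mod.js` entrypoint with `deno run` while `NPM_CONFIG_REGISTRY` points at an untrusted registry, so state in the reply whether that ever happens in this repository.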

High severity vulnerability may affect your project—review required:
Line 17008 lists a dependency (esbuild) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

References: GHSA

To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.

  • If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
@@ -16072,7 +16973,7 @@ esbuild@^0.23.0:
"@esbuild/win32-ia32" "0.23.1"
"@esbuild/win32-x64" "0.23.1"

esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:
esbuild@^0.25.0, esbuild@^0.25.3:
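Review bot: only the range key changes here, dropping `esbuild@^0.25.6`; the entry's resolved version, which the Semgrep finding on line 16976 reports as below 0.28.1, is unchanged and not visible in the hunk. Every remaining key on this entry is `^0.25.x`, so the packages that request it cannot receive 0.28.1 through this lockfile; the realistic resolution within this PR is the triage reply the finding asks for (`/fp`, `/ar` or `/other` after checking the stated condition) rather than an upgrade of this entry, unless the requesting packages are themselves bumped to a range that reaches 0.28.1.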

High severity vulnerability may affect your project—review required:
Line 16976 lists a dependency (esbuild) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

References: GHSA

To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.

  • If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.
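All three Semgrep findings above turn on the version a yarn.lock entry actually resolves to, which the quoted hunks do not show. As an added example (not code from this PR, from nuxt or from Semgrep), the script below parses a constructed Yarn v1 lockfile excerpt and reports entries resolved below the "upgrade to at least" versions the findings quote (vite 6.4.3, esbuild 0.28.1), together with the range keys that pin them. The lockfile text, the resolved versions in it and the function names (`parseYarnLock`, `semverLess`, `vulnerableEntries`) are this example's own assumptions.

```javascript
// Added example, not code from the PR, nuxt or Semgrep. Constructed Yarn v1
// lockfile excerpt: the entry headers mirror the hunks above, versions are made up.
const SAMPLE_LOCK = `
"vite@^5.0.0 || ^6.0.0 || ^7.0.0-0", vite@^6.4.1, vite@^6.4.2:
  version "6.4.2"
esbuild@^0.25.0, esbuild@^0.25.3:
  version "0.25.12"
esbuild@^0.27.0:
  version "0.27.0"
`;
// "Upgrade to at least" thresholds quoted from the Semgrep findings on this PR.
const FINDINGS = [{ name: 'vite', fixedIn: '6.4.3' }, { name: 'esbuild', fixedIn: '0.28.1' }];

// Minimal parser: an unindented line ending in ':' opens an entry whose comma-
// separated keys are name@range (possibly quoted); `version "x"` resolves it.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split('\n')) {
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(/,\s*/).map((k) => k.replace(/^"|"$/g, ''));
      // Scoped names start with '@', so split each key at its LAST '@'.
      const at = (k) => k.lastIndexOf('@');
      cur = { name: keys[0].slice(0, at(keys[0])), ranges: keys.map((k) => k.slice(at(k) + 1)), version: null };
      entries.push(cur);
    } else if (cur) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function semverLess(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Entries resolved below a threshold, with the range keys that pin them: a caret
// range like ^0.25.0 can never resolve to 0.28.1, so the dependent must move its range.
function vulnerableEntries(lockText, findings = FINDINGS) {
  return parseYarnLock(lockText).flatMap((e) => {
    const f = findings.find((x) => x.name === e.name);
    if (!f || !e.version || !semverLess(e.version, f.fixedIn)) return [];
    return [{ name: e.name, version: e.version, fixedIn: f.fixedIn, ranges: e.ranges }];
  });
}
```

Run it against the repository's real yarn.lock by reading the file into `vulnerableEntries` instead of `SAMPLE_LOCK`; an entry whose every range is a `^0.x` caret below the fix line cannot be cleared by a lockfile refresh alone.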

@nicohrubec nicohrubec closed this Jun 17, 2026
dependabot Bot commented on behalf of github Jun 17, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/nuxt-3.21.7 branch June 17, 2026 13:44
@nicohrubec nicohrubec restored the dependabot/npm_and_yarn/nuxt-3.21.7 branch June 17, 2026 13:48
@nicohrubec nicohrubec reopened this Jun 17, 2026
@nicohrubec

@dependabot recreate

Bumps [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt) from 3.17.7 to 3.21.7.
- [Release notes](https://github.com/nuxt/nuxt/releases)
- [Commits](https://github.com/nuxt/nuxt/commits/v3.21.7/packages/nuxt)

---
updated-dependencies:
- dependency-name: nuxt
  dependency-version: 3.21.7
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/nuxt-3.21.7 branch from 7fba0c8 to 66edd12 June 17, 2026 13:51