Skip to content

๐Ÿšจ [security] Update vue-router 4.6.4 โ†’ 5.1.0 (major)#238

Open
depfu[bot] wants to merge 1 commit into
mainfrom
depfu-update-npm-vue-router-5.1.0
Open

๐Ÿšจ [security] Update vue-router 4.6.4 โ†’ 5.1.0 (major)#238
depfu[bot] wants to merge 1 commit into
mainfrom
depfu-update-npm-vue-router-5.1.0

Conversation

@depfu

@depfu depfu Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

๐Ÿšจ Your current dependencies have known security vulnerabilities ๐Ÿšจ

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

โœณ๏ธ vue-router (4.6.4 โ†’ 5.1.0) ยท Repo

Release Notes

5.1.0

ย ย ย ๐Ÿš€ Features

  • Typed definePage params.path ย -ย  by @posva in #2716 (d65de)
  • Strict type for definePage param default ย -ย  by @posva (0ae10)
  • Support raw param parsers ย -ย  by @posva (eadec)
  • Force array type raw param parsers ย -ย  by @posva (7a68b)
  • Allow overriding the global Router type ย -ย  by @posva (1cd93)
  • Emit runtime warning for invalid format in query params ย -ย  by @posva (8259a)
  • Override useRouter() return with experimental types config ย -ย  by @posva (39a34)
  • Allow string as a param parser for convenience ย -ย  by @posva (be37b)

ย ย ย ๐Ÿž Bug Fixes

  • Fix auto import fixes and make experimental esm only ย -ย  by @posva (db3a6)
  • Deterministic param parser types order ย -ย  by @posva (bf0fc)
  • Avoid importing unused param parsers ย -ย  by @posva (41c00)
  • Filter invalid query params without failing to match ย -ย  by @posva (db717)
  • Detect not set format ย -ย  by @posva (aa89e)
  • Allow undefined values for params in query ย -ย  by @posva (4726e)
  • experimental: Repeatable params in subsegments ย -ย  by @posva (84664)
  • types: Add vite as optional peer dependency ย -ย  by @ForgottenR, @posva and shihuijie in #2712 (facbf)
ย ย ย ย View changes on GitHub

5.0.7

ย ย ย ๐Ÿš€ Features

  • Upgrade to babel 8 ย -ย  by @posva (8d3e6)
  • Make defineParamParser() more intuitive ย -ย  by @posva (8715b)
  • Upgrade @vue/devtools-api ย -ย  by @posva (87c3a)
  • matcher: Hint at params: {} workaround in discarded params warning ย -ย  by @posva and shanliuling in #2689 (c2b13)
  • param-parsers: Add include/exclude options ย -ย  by @posva (91cde)

ย ย ย ๐Ÿž Bug Fixes

ย ย ย ย View changes on GitHub

5.0.6

ย ย ย ๐Ÿž Bug Fixes

ย ย ย ย View changes on GitHub

5.0.5

ย ย ย ๐Ÿš€ Features

ย ย ย ๐Ÿž Bug Fixes

  • Track definePage imports per-file to fix named view race condition ย -ย  by @posva (11191)
  • Avoid double decoding hash on string location ย -ย  by @posva (1578c)
ย ย ย ย View changes on GitHub

5.0.4

ย ย ย ๐Ÿž Bug Fixes

  • Avoid iterator helpers for Node 20 compat ย -ย  by @cwandev in #2635 (47130)
  • Escape backslahes in string literals ย -ย  by @posva (71fdb)
  • Avoid false duplicate route warning for named views ย -ย  by @posva (72012)
  • Allow pushing to auto routes ย -ย  by @posva (47f03)
  • loaders: Restore context in sequential awaits ย -ย  by @posva (fce5d)
ย ย ย ย View changes on GitHub

5.0.3

ย ย ย ๐Ÿšจ Breaking Changes

  • experimental:
    • Make miss() throw internally and return never ย -ย  by @posva (077e1)
    • Add reroute() and deprecate NavigationResult ย -ย  by @posva (308db)
    • Remove selectNavigationResult ย -ย  by @posva (9e88a)

ย ย ย ๐Ÿš€ Features

  • Support _parent in nested folders ย -ย  by @posva (0a37f)
  • Warn on _parent conflict ย -ย  by @posva (182fe)
  • Set _parent as non matchable by default ย -ย  by @posva (8f91c)
  • Warn on conflicting components for routes ย -ย  by @posva (34ace)
  • Use type module ย -ย  by @posva (dc9ff)
  • Add deprecation warning for next() callback in navigation guards ย -ย  by @posva (797f5)
  • Extract alias from definePage ย -ย  by @posva (835df)
  • Display aliases in logs ย -ย  by @posva (7aa60)
  • Deprecate new NavigationResult(to) in favor of reroute(to) ย -ย  by @posva (382e3)
  • experimental:
    • Handle aliasOf in resolvers ย -ย  by @posva (8fe45)
    • Generate aliases from override in resolver ย -ย  by @posva (a00ac)
    • Warn against non absolute aliases ย -ย  by @posva (476c6)

ย ย ย ๐Ÿž Bug Fixes

  • Avoid non matchable routes in auto-routes ย -ย  by @posva (48649)
  • Handle quotes in d.ts ย -ย  by @posva (d7764)
  • Avoid route entry in map for _parent ย -ย  by @posva (1dfcc)
  • Handle nested groups ย -ย  by @posva (4a4be)
  • Stable route ordering for group folders with same path ย -ย  by @posva (1db94)
  • Correct route ordering for group nodes with inflated scores ย -ย  by @posva (515f4)
  • Cleanup old route overrides ย -ย  by @posva (b28a7)
  • Remove name from _parent.vue files ย -ย  by @posva (6e8f1)
  • ci:
    • Format sponsor files before change detection ย -ย  by @posva (f68d6)
    • Use manual git commit in update-sponsors ย -ย  by @posva (8ee99)
  • experimental:
    • Resolve TS errors in resolver/router type hierarchy ย -ย  by @posva (a86f1)
  • types:
  • volar:

ย ย ย ๐ŸŽ Performance

  • Avoid merging empty object in record ย -ย  by @posva (4213e)
ย ย ย ย View changes on GitHub

5.0.2

ย ย ย ๐Ÿž Bug Fixes

ย ย ย ย View changes on GitHub

5.0.0

Vue Router 5 is a boring release, it merges unplugin-vue-router into the core package with no breaking changes. The only exception is that the iife build no longer includes @vue/devtools-api because it has been upgraded to v8 and does not expose an IIFE build itself. You can track that change in this issue. See the migration guide for instructions on how to upgrade from unplugin-vue-router to Vue Router 5.

ย ย ย ๐Ÿš€ Features

ย ย ย ๐Ÿž Bug Fixes

ย ย ย ย View changes on GitHub

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ acorn (indirect, 8.15.0 โ†’ 8.16.0) ยท Repo

Commits

See the full diff on Github. The new version differs by 22 commits:

โ†—๏ธ picomatch (indirect, 4.0.3 โ†’ 4.0.4) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Picomatch has a ReDoS vulnerability via extglob quantifiers

Impact

picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.

Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.

Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.

Patches

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.

Users should upgrade to one of these versions or later, depending on their supported release line.

Workarounds

If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.

Possible mitigations include:

  • disable extglob support for untrusted patterns by using noextglob: true
  • reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *()
  • enforce strict allowlists for accepted pattern syntax
  • run matching in an isolated worker or separate process with time and resource limits
  • apply application-level request throttling and input validation for any endpoint that accepts glob patterns

Resources

๐Ÿšจ Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

Impact

picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.

This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.

All users of affected picomatch versions that process untrusted or user-controlled glob patterns are potentially impacted.

Patches

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.

Users should upgrade to one of these versions or later, depending on their supported release line.

Workarounds

If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.

Possible mitigations include:

  • Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like [[:...:]].

  • Avoiding the use of POSIX bracket expressions if user input is involved.

  • Manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype:

    const POSIX_REGEX_SOURCE = {
      __proto__: null,
      alnum: 'a-zA-Z0-9',
      alpha: 'a-zA-Z',
      // ... rest unchanged
    };

Resources

Release Notes

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Full Changelog: 4.0.3...4.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

โ†—๏ธ tinyglobby (indirect, 0.2.15 โ†’ 0.2.17) ยท Repo ยท Changelog

Release Notes

0.2.17

Changed

  • Enabled staged publishing for stronger supply-chain security

Fixed

  • Defaults when undefined is passed to any of the options by @chloeelim
  • Drive-relative paths on Windows by @Andrej730
  • FileSystemAdapter is now exported again

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

0.2.16

Fixed

Changed

  • Overhauled and optimized most internals by @Torathion
  • Ignore patterns are no longer compiled twice by @webpro

Consider sponsoring if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

๐Ÿ†• @โ€‹jridgewell/remapping (added, 2.3.5)

๐Ÿ†• @โ€‹types/jsesc (added, 2.5.1)

๐Ÿ†• @โ€‹vue-macros/common (added, 3.1.2)

๐Ÿ†• @โ€‹vue/devtools-kit (added, 8.1.2)

๐Ÿ†• @โ€‹vue/devtools-shared (added, 8.1.2)

๐Ÿ†• ast-kit (added, 2.2.0)

๐Ÿ†• ast-walker-scope (added, 0.9.0)

๐Ÿ†• birpc (added, 2.9.0)

๐Ÿ†• confbox (added, 0.2.4)

๐Ÿ†• confbox (added, 0.1.8)

๐Ÿ†• exsolve (added, 1.0.8)

๐Ÿ†• hookable (added, 5.5.3)

๐Ÿ†• local-pkg (added, 1.2.1)

๐Ÿ†• magic-string-ast (added, 1.0.3)

๐Ÿ†• mlly (added, 1.8.2)

๐Ÿ†• pkg-types (added, 1.3.1)

๐Ÿ†• pkg-types (added, 2.3.1)

๐Ÿ†• muggle-string (added, 0.4.1)

๐Ÿ†• pathe (added, 2.0.3)

๐Ÿ†• perfect-debounce (added, 2.1.0)

๐Ÿ†• quansync (added, 0.2.11)

๐Ÿ†• scule (added, 1.3.0)

๐Ÿ†• ufo (added, 1.6.4)

๐Ÿ†• unplugin (added, 3.0.0)

๐Ÿ†• unplugin-utils (added, 0.3.1)

๐Ÿ†• @โ€‹babel/generator (added, 8.0.0-rc.6)

๐Ÿ†• @โ€‹babel/helper-string-parser (added, 7.29.7)

๐Ÿ†• @โ€‹babel/helper-string-parser (added, 8.0.0-rc.6)

๐Ÿ†• @โ€‹babel/helper-validator-identifier (added, 7.29.7)

๐Ÿ†• @โ€‹babel/helper-validator-identifier (added, 8.0.0-rc.6)

๐Ÿ†• @โ€‹babel/parser (added, 7.29.7)

๐Ÿ†• @โ€‹babel/parser (added, 8.0.0-rc.6)

๐Ÿ†• @โ€‹babel/types (added, 7.29.7)

๐Ÿ†• @โ€‹babel/types (added, 8.0.0-rc.6)

๐Ÿ†• @โ€‹vue/devtools-api (added, 8.1.2)

๐Ÿ†• chokidar (added, 5.0.0)

๐Ÿ†• readdirp (added, 5.0.0)

๐Ÿ†• webpack-virtual-modules (added, 0.6.2)

๐Ÿ†• yaml (added, 2.9.0)

๐Ÿ—‘๏ธ @โ€‹babel/helper-string-parser (removed)

๐Ÿ—‘๏ธ @โ€‹babel/helper-validator-identifier (removed)

๐Ÿ—‘๏ธ prettier (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@โ€‹depfu rebase
Rebases against your default branch and redoes this update
@โ€‹depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@โ€‹depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@โ€‹depfu cancel merge
Cancels automatic merging of this PR
@โ€‹depfu close
Closes this PR and deletes the branch
@โ€‹depfu reopen
Restores the branch and reopens this PR (if it's closed)
@โ€‹depfu pause
Ignores all future updates for this dependency and closes this PR
@โ€‹depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@โ€‹depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added dependencies Only updates dependecies depfu labels Jun 10, 2026
@depfu depfu Bot assigned Tobi2K Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Only updates dependecies depfu

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant