chore(deps): update dependency vue to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vue (source)	^2.5.16 -> ^2.5.16 || ^3.0.0
vue (source)	2.6.10 -> 3.0.0

GitHub Vulnerability Alerts

CVE-2024-9506

The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.

To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.

new Vue({
  el: '#app',
  template: '
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>'
});

Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:

<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
</head>
<body>
  <div id=\"app\">Loading...</div>
</body>
</html>

When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.

---

Release Notes

vuejs/core (vue)

v3.5.24

Compare Source

Reverts

• Revert "fix(compiler-core): correctly handle ts type assertions in expression…" (#​14062) (11ec51a), closes #​14062 #​14060

v3.5.23

Compare Source

Bug Fixes

• compiler-core: correctly handle ts type assertions in expressions (#​13397) (e6544ac), closes #​13395
• compiler-core: fix v-bind shorthand handling for in-DOM templates (#​13933) (b3cca26), closes #​13930
• compiler-sfc: resolve numeric literals and template literals without expressions as static property key (#​13998) (75d44c7)
• compiler-ssr: textarea with v-text directive SSR (#​13975) (006a0c1)
• compiler: using guard instead of non-nullish assertion (#​13982) (dcc6f36)
• custom-element: batch custom element prop patching (#​13478) (c13e674), closes #​12619
• custom-element: optimize slot retrieval to avoid duplicates (#​13961) (84ca349), closes #​13955
• hydration: avoid mismatch during hydrate text with newlines in interpolation (#​9232) (6cbdf78), closes #​9229
• runtime-core: pass props and children to loadingComponent (#​13997) (40c4b2a)
• runtime-dom: ensure iframe sandbox is handled as an attribute to prevent unintended behavior (#​13950) (5689884), closes #​13946
• suspense: clear placeholder and fallback el after resolve to enable GC (#​13928) (f411c66)
• transition-group: use offsetLeft and offsetTop instead of getBoundingClientRect to avoid transform scale affect animation (#​6108) (dc4dd59), closes #​6105
• v-model: handle number modifier on change (#​13959) (8fbe48f), closes #​13958

v3.5.22

Compare Source

Bug Fixes

• compiler-core: identifiers in switch-case should not be inferred as references (#​13923) (5953c9f)
• compiler-dom: nodes with v-once shouldn't be stringified (#​13878) (95c1975)
• compiler-sfc: add support for @vue-ignore in runtime type resolution (#​13906) (ba7f7f9)
• compiler-sfc: enhance inferRuntimeType to support TSMappedType with indexed access (#​13848) (e388f1a), closes #​13847
• compiler-sfc: ensure css custom properties do not start with a digit (#​13870) (9c27951)
• compiler-sfc: ensure props bindings register before compiling template (#​13922) (abd5638), closes #​13920
• compiler-ssr: ensure v-show has a higher priority in SSR (#​12171) (836b829), closes #​12162
• custom-element: properly mount multiple Teleports in custom element component w/ shadowRoot false (#​13900) (5e1e791), closes #​13899
• custom-element: set prop runs pending mutations before disconnect (#​13897) (c4a88cd), closes #​13315
• custom-element: use PatchFlags.BAIL for slot when props are present (#​13907) (5358bca), closes #​13904
• reactivity: respect readonly during ref unwrapping (#​13905) (aba7fed), closes #​13903
• reactivity: update iterator to check for completion instead of value presence (#​13761) (2078f8b)
• runtime-core: simplify block-tracking disabling in h helper (#​13841) (75220c7)
• transition-group: run forceReflow on the correct document (fix #​13849) (#​13853) (1be5ddf)
• types: more precise types for Events and added missing definitions (#​9675) (8bb8fb2)
• types: set dom stub type to never instead of {} (#​13915) (8620a61), closes #​11564
• types: widen directive arg type from string to any (#​13758) (4b71706), closes #​13757

Features

• custom-element: allow specifying additional options for shadowRoot in custom elements (#​12965) (47e628d), closes #​12964

Reverts

• Revert "fix(hmr): prevent VUE_HMR_RUNTIME from being overwritten by vue runtime in 3rd-party libraries" (#​13925) (6b68f72), closes #​13925

v3.5.21

Compare Source

Bug Fixes

• compiler-core: force dynamic slots when slot referencing scope vars (#​9427) (99d54b2), closes #​9380
• compiler-sfc: check lang before attempt to compile script (#​13508) (55922ff), closes #​8368
• compiler-sfc: support ${configDir} in paths for TypeScript 5.5+ (#​13491) (8696e34), closes #​13484
• compiler-sfc: support global augments with named exports (#​13789) (35da3c6)
• custom-element: prevent defineCustomElement from mutating the options object (#​13791) (e322436)
• hmr: prevent __VUE_HMR_RUNTIME__ from being overwritten by vue runtime in 3rd-party libraries (#​13817) (1392734), closes vitejs/vite-plugin-vue#644
• hmr: prevent update unmounting component during HMR reload (#​13815) (ef20b86), closes vitejs/vite-plugin-vue#599
• runtime-core: disable tracking block in h function (#​8213) (8f6b505), closes #​6913
• runtime-core: use separate emits caches for components and mixins (#​11661) (15fc75f)
• Suspence: handle Suspense + KeepAlive HMR updating edge case (#​13076) (5d75a17), closes #​13075
• Teleport: hydrate disabled Teleport with undefined target (#​11235) (00978f7), closes #​11230
• templateRef: prevent unnecessary set ref on dynamic ref change or component unmount (#​12642) (93ba107), closes #​12639
• watch: use maximum depth for duplicates (#​13434) (f2699a5)

Performance Improvements

• improve regexp performance with non-capturing groups (#​13567) (1e8b65a)

v3.5.20

Compare Source

Bug Fixes

• runtime-dom: add name to vShow for prop mismatch check (#​13806) (1031e8d), closes #​13805 re-fix #​13744 revert #​13777

v3.5.19

Compare Source

Bug Fixes

• compiler-core: adjacent v-else should cause a compiler error (#​13699) (911e670), closes #​13698
• compiler-core: prevent cached array children from retaining detached dom nodes (#​13691) (7f60ef8), closes element-plus/element-plus#21408 #​13211
• compiler-sfc: improve type inference for generic type aliases types (#​12876) (d9dd628), closes #​12872
• compiler-sfc: throw mismatched script langs error before invoking babel (#​13194) (0562548), closes #​13193
• compiler-ssr: disable v-memo transform in ssr vdom fallback branch (#​13725) (0a202d8), closes #​13724
• devtools: clear performance measures (#​13701) (c875019), closes #​13700
• hmr: prevent updating unmounting component during HMR rerender (#​13775) (6e5143d), closes #​13771 #​13772
• hydration: also set vShow name if __FEATURE_PROD_HYDRATION_MISMATCH_DETAILS__ flag is enabled (#​13777) (439e1a5), closes #​13744
• reactivity: warn on nested readonly ref update during unwrapping (#​12141) (1498821)
• runtime-core: avoid setting direct ref of useTemplateRef in dev (#​13449) (4a2953f)
• runtime-core: improve consistency of PublicInstanceProxyHandlers.has (#​13507) (d7283f3)
• suspense: don't immediately resolve suspense on last dep unmount (#​13456) (a871315), closes #​13453
• transition: handle KeepAlive + transition leaving edge case (#​13152) (3190b17), closes #​13153

v3.5.18

Compare Source

Bug Fixes

• compiler-core: avoid cached text vnodes retaining detached DOM nodes (#​13662) (00695a5), closes #​13661
• compiler-core: avoid self updates of v-pre (#​12556) (21b685a)
• compiler-core: identifiers in function parameters should not be inferred as references (#​13548) (9b02923)
• compiler-core: recognize empty string as non-identifier (#​12553) (ce93339)
• compiler-core: transform empty v-bind dynamic argument content correctly (#​12554) (d3af67e)
• compiler-sfc: transform empty srcset w/ includeAbsolute: true (#​13639) (d8e40ef), closes vitejs/vite-plugin-vue#631
• css-vars: nullish v-bind in style should not lead to unexpected inheritance (#​12461) (c85f1b5), closes #​12434 #​12439 #​7474 #​7475
• custom-element: ensure exposed methods are accessible from custom elements by making them enumerable (#​13634) (90573b0), closes #​13632
• hydration: prevent lazy hydration for updated components (#​13511) (a9269c6), closes #​13510
• runtime-core: ensure correct anchor el for unresolved async components (#​13560) (7f29943), closes #​13559
• slots: refine internal key checking to support slot names starting with an underscore (#​13612) (c5f7db1), closes #​13611
• ssr: ensure empty slots render as a comment node in Transition (#​13396) (8cfc10a), closes #​13394

v3.5.17

Compare Source

Bug Fixes

• compat: allow v-model built in modifiers on component (#​12654) (cb14b86), closes #​12652
• compile-sfc: handle mapped types work with omit and pick (#​12648) (4eb46e4), closes #​12647
• compiler-core: do not increase newlines in InEntity state (#​13362) (f05a8d6)
• compiler-core: ignore whitespace when matching adjacent v-if (#​12321) (10ebcef), closes #​9173
• compiler-core: prevent comments from blocking static node hoisting (#​13345) (55dad62), closes #​13344
• compiler-sfc: improved type resolution for function type aliases (#​13452) (f3479aa), closes #​13444
• custom-element: ensure configureApp is applied to async component (#​12607) (5ba1afb), closes #​12448
• custom-element: prevent injecting child styles if shadowRoot is false (#​12769) (73055d8), closes #​12630
• reactivity: add __v_skip flag to Dep to prevent reactive conversion (#​12804) (e8d8f5f), closes #​12803
• runtime-core: unset old ref during patching when new ref is absent (#​12900) (47ddf98), closes #​12898
• slots: make cache indexes marker non-enumerable (#​13469) (919c447), closes #​13468
• ssr: handle initial selected state for select with v-model + v-for/v-if option (#​13487) (1552095), closes #​13486
• types: typo of vOnce and vSlot (#​13343) (762fae4)

v3.5.16

Compare Source

Reverts

• Revert "fix(compiler-sfc): add scoping tag to trailing universal selector" (#​13406) (19f23b1), closes #​13406
• Revert "fix(compiler-sfc): add error handling for defineModel() without variable" (#​13390) (42f879f), closes #​13390

v3.5.15

Compare Source

Bug Fixes

• compat: ensure false value on input retains value attribute (#​13216) (1a66474), closes #​13205
• compat: should not warn COMPILER_V_BIND_OBJECT_ORDER when using v-bind together with v-for (#​12993) (93949e6), closes #​12992
• compile-sfc: handle inline template source map in prod build (#​12701) (89edc6c), closes #​12682 vitejs/vite-plugin-vue#500
• compiler-core: ensure mapping is added only if node source is available (#​13285) (d37a2ac), closes #​13261 vitejs/vite-plugin-vue#368
• compiler-dom: improve HTML nesting validation to allow any child element within template tag (#​13320) (163b365), closes #​13318
• compiler-sfc: add error handling for defineModel() without variable assignment (#​13352) (00734af), closes #​13280
• compiler-sfc: add scoping tag to trailing universal selector (#​12918) (949df80), closes #​12906
• compiler-sfc: improve type inference for TSTypeAliasDeclaration with better runtime type detection (#​13245) (cf5a5e0), closes #​13240
• compiler-sfc: simulate allowArbitraryExtensions on resolving type (#​13301) (f7ce5ae), closes #​13295
• custom-element: allow injecting values ​​from app context in nested elements (#​13219) (b991075), closes #​13212
• custom-element: ensure proper remount and prevent redundant slot parsing with shadowRoot false (#​13201) (1d41d4d), closes #​13199
• custom-element: preserve appContext during update (#​12455) (013749e), closes #​12453
• custom-element: properly resolve props for sync component defs (#​12855) (a683c80), closes #​12854
• hydration: handle transition appear hydration edge case (#​13339) (35aeae7), closes #​13335
• hydration: skip lazy hydration for patched components (#​13283) (80055fd), closes #​13255
• suspense: handle edge case in patching list nodes within Suspense (#​13306) (772b008), closes #​13305
• teleport: handle deferred teleport updates before and after mount (#​13350) (d15dce3), closes #​13349
• types: avoid merging component instance into $props in ComponentInstance (#​12870) (f44feed), closes #​12751
• types: exclude undefined from inferred prop types with default values (#​13007) (5179d32), closes #​13006
• watch: update oldValue before running cb to prevent stale value (#​12296) (c69c4bb), closes #​12294

v3.5.14

Compare Source

Bug Fixes

• compat: correct deprecation message for v-bind.sync usage (#​13137) (466b30f), closes #​13133
• compiler-core: remove slot cache from parent renderCache during unmounting (#​13215) (5d166f3)
• compiler-sfc: fix scope handling for props destructure in function parameters and catch clauses (8e34357), closes #​12790
• compiler-sfc: treat the return value of useTemplateRef as a definite ref (#​13197) (8ae1122)
• compiler: fix spelling error in domTagConfig (#​13043) (388295b)
• customFormatter: properly accessing ref value during debugger (#​12948) (fdbd026)
• hmr/teleport: adjust static children traversal for HMR in dev mode (#​12819) (5e37dd0), closes #​12816
• hmr: avoid hydration for hmr root reload (#​12450) (1f98a9c), closes vitejs/vite-plugin-vue#146 vitejs/vite-plugin-vue#477
• hmr: avoid hydration for hmr updating (#​12262) (9c4dbbc), closes #​7706 #​8170
• reactivity: ensure markRaw objects are not reactive (#​12824) (295b5ec), closes #​12807
• reactivity: ensure multiple effectScope on() and off() calls maintains correct active scope (22dcbf3), closes #​12631 #​12632 #​12641
• reactivity: should not recompute if computed does not track reactive data (#​12341) (0b23fd2), closes #​12337
• runtime-core: stop tracking deps in setRef during unmount (#​13210) (016c472)
• runtime-core: update __vnode of static nodes when patching along the optimized path (#​13223) (b3ecee3)
• runtime-core: inherit comment nodes during block patch in production build (#​10748) (6264505), closes #​10747 #​12650
• runtime-core: prevent unmounted vnode from being inserted during transition leave (#​12862) (d6a6ec1), closes #​12860
• runtime-core: respect immutability for readonly reactive arrays in v-for (#​13091) (3f27c58), closes #​13087
• runtime-dom: always treat autocorrect as attribute (#​13001) (1499135), closes #​5705
• slots: properly warn if slot invoked in setup (#​12195) (9196222), closes #​12194
• ssr: properly init slots during ssr rendering (#​12441) (2206cd2), closes #​12438
• transition: fix KeepAlive with transition out-in mode behavior in production (#​12468) (343c891), closes #​12465
• TransitionGroup: reset prevChildren to prevent memory leak (#​13183) (8b848cb), closes #​13181
• types: allow return any for Options API lifecycle hooks (#​5914) (06310e8)
• types: the directive's modifiers should be optional (#​12605) (10e54dc)
• typos: fix comments referencing transformElement.ts (#​12551)[ci-skip] (11c053a)

Features

• types: add type TemplateRef (#​12645) (636a861)

v3.5.13

Compare Source

Bug Fixes

• compiler-core: handle v-memo + v-for with functional key (#​12014) (99009ee), closes #​12013
• compiler-dom: properly stringify template string style (#​12392) (2d78539), closes #​12391
• custom-element: avoid triggering mutationObserver when relecting props (352bc88), closes #​12214 #​12215
• deps: update dependency postcss to ^8.4.48 (#​12356) (b5ff930)
• hydration: the component vnode's el should be updated when a mismatch occurs. (#​12255) (a20a4cb), closes #​12253
• reactivity: avoid unnecessary watcher effect removal from inactive scope (2193284), closes #​5783 #​5806
• reactivity: release nested effects/scopes on effect scope stop (#​12373) (bee2f5e), closes #​12370
• runtime-dom: set css vars before user onMounted hooks (2d5c5e2), closes #​11533
• runtime-dom: set css vars on update to handle child forcing reflow in onMount (#​11561) (c4312f9)
• ssr: avoid updating subtree of async component if it is resolved (#​12363) (da7ad5e), closes #​12362
• ssr: ensure v-text updates correctly with custom directives in SSR output (#​12311) (1f75d4e), closes #​12309
• ssr: handle initial selected state for select with v-model + v-for option (#​12399) (4f8d807), closes #​12395
• teleport: handle deferred teleport update before mounted (#​12168) (8bff142), closes #​12161
• templateRef: set ref on cached async component which wrapped in KeepAlive (#​12290) (983eb50), closes #​4999 #​5004
• test: update snapshot (#​12169) (828d4a4)
• Transition: fix transition memory leak edge case (#​12182) (660132d), closes #​12181
• transition: reflow before leave-active class after leave-from (#​12288) (4b479db), closes #​2593
• types: defineEmits w/ interface declaration (#​12343) (1022eab), closes #​8457
• v-once: setting hasOnce to current block only when in v-once (#​12374) (37300fc), closes #​12371

Performance Improvements

• reactivity: do not track inner key `__v_skip`` (#​11690) (d637bd6)
• runtime-core: use feature flag for call to resolveMergedOptions (#​12163) (1755ac0)

v3.5.12

Compare Source

Bug Fixes

• compiler-dom: avoid stringify option with null value (#​12096) (f6d9926), closes #​12093
• compiler-sfc: do not skip TSInstantiationExpression when transforming props destructure (#​12064) (d3ecde8)
• compiler-sfc: use sass modern api if available and avoid deprecation warning (#​11992) (4474c11)
• compiler: clone loc to ifNode (#​12131) (cde2c06), closes vuejs/language-tools#4911
• custom-element: properly remove hyphenated attribute (#​12143) (e16e9a7), closes #​12139
• defineModel: handle kebab-case model correctly (#​12063) (c0418a3), closes #​12060
• deps: update dependency monaco-editor to ^0.52.0 (#​12119) (f7cbea2)
• hydration: provide compat fallback for idle callback hydration strategy (#​11935) (1ae545a)
• reactivity: trigger reactivity for Map key undefined (#​12055) (7ad289e), closes #​12054
• runtime-core: allow symbol values for slot prop key (#​12069) (d9d4d4e), closes #​12068
• runtime-core: fix required prop check false positive for kebab-case edge cases (#​12034) (9da1ac1), closes #​12011
• runtime-dom: prevent unnecessary updates in v-model checkbox when value is unchanged (#​12146) (ea943af), closes #​12144
• teleport: handle disabled teleport with updateCssVars (#​12113) (76a8223), closes #​12112
• transition/ssr: make transition appear work with Suspense in SSR (#​12047) (f1a4f67), closes #​12046
• types: ensure this.$props type does not include string (#​12123) (704173e), closes #​12122
• types: retain union type narrowing with defaults applied (#​12108) (

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.