chore(deps): update dependency vuetify to v3 [security]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| vuetify (source) | ^2.4.4 → ^3.0.0 | | |
GitHub Vulnerability Alerts
CVE-2022-25873
The package vuetify from 2.0.0-beta.4 and before 2.6.10 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.
CVE-2025-8083
The Preset configuration feature of Vuetify is vulnerable to Prototype Pollution due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data.
If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the whole server process.
This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10.
Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/.
CVE-2025-8082
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) attack (https://owasp.org/www-community/attacks/xss). The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user-created function and assign its output to the 'innerHTML' property of the title element without sanitization.
This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.
Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/.
Release Notes
vuetifyjs/vuetify (vuetify)
v3.0.0
v3.0.0 (Titan)
Welcome to the v3.0.0 release of Vuetify!
Supporting Vuetify
Vuetify is an open source MIT project that has been made possible due to the generous contributions by sponsors and backers. If you are interested in supporting this project, please consider:
- Becoming a sponsor on Github
- Becoming a sponsor on Patreon
- Make a one-time payment with Paypal
- Supporting the Core Team on Open Collective (supports the core team)
- Becoming a subscriber on Tidelift
- Direct support from Vuetify
Important Links
Release notes
:rocket: Features
- theme: rename code/kbd variables to match conventions (18537d3)
- VList: add keyboard navigation (#15998) (48ef134), closes #15428
:wrench: Bug Fixes
- don't destroy components when transition value changes (e6b0d7a), closes #15995
- types: add shims to UMD types (fce23d1)
- types: remove UMD package export (e23e92c)
- types: expose LocaleMessages interface (3a2dbd3)
- validation: add validate-on prop (#15979) (c669540), closes #15976
- VDialog: explicit prop definitions (#15971) (be3ceca), closes #15967
- VIcon: add collapse alias for mdi-svg (#15963) (fa841a3)
- VTabs: respect height prop (6c5b180), closes #15972
v2.7.2
:wrench: Bug Fixes
- update types (#16951) (7e3d35d)
- check both $slots and $scopedSlots, normalise slot case (7d67046), closes #8676 #15293
- locale: Update French translations (#18215) (ceeafb6)
- VAutocomplete: highlight correct item in list on click (bc48f00), closes #17201
- VSelect: don't blur input on menu mousedown (0a77965), closes #15839
v2.7.1
:wrench: Bug Fixes
- VSelect: don't update scroll position if menu is closed (c53b2f8), closes #17085
- VTabs: remove quotes from text-transform (#17771) (153d17b), closes #17799
v2.7.0
:rocket: Features
- styles: add xxl border-radius option (#14546) (018525e)
- VDataTable: backport filterMode prop from v3 (#17747) (05c10a3), closes #11600
- VDataTable: add item-style prop (#15332) (13c5765), closes #15049
- VDataTable: forward arbitrary row events (#15617) (243efcc), closes #13332
- VDataTable: expose row default props to item slots (#15711) (034ca21)
- VExpansionPanel: add open prop to content and header slots (7738eee), closes #15782
- VForm: allow individual inputs to be enabled in disabled form (42ec8c5), closes #17391
- VInput: add locale keys for append/prepend buttons (#15612) (980ef7f), closes #12582
- VMenu: add contentProps prop (#15865) (48de295)
- VPagination: add props for coloring navigation buttons (#15691) (a85b85f)
- VSlideGroup: add show-arrows="never" (#14587) (354a999), closes #14586
- VTab: add tabValue prop (#16383) (d4421cf), closes #10540
- VTabs: add tab-text-transform SASS variable (#14545) (8253c7e)
- VTimePicker: add activePicker prop (#14632) (09f1102), closes #14629
:wrench: Bug Fixes
- VItem: support disabled effect (#14941) (415322d), closes #14923
- VMenu: ignore key presses when disable-keys is true (#16464) (922e05a), closes #12998
- VSkeletonLoader: apply aria-label for screenreaders (#17073) (a0d8d34), closes #10999
v2.6.16
:wrench: Bug Fixes
- icons: FA5 warning icon alias more consistent with MDI (#15607) (3c525fe)
- VDataTable: add class to root element when show-select (#14987) (ee72ee5)
- VDialog: check if scrolling element parentNode exists (e148110), closes #15977
- VIcon: center button icon in system bar (#15918) (bc7a264), closes #14975
- VMenu: prefer existing menuProps.attach (50ea98d), closes #7547
- VSelect: update lastItem when selection changes with hideSelected (b121493), closes #17085
- VTextarea: correctly apply reverse prop styles (#15858) (1e4b2f7), closes #15432
v2.6.15
:wrench: Bug Fixes
- remove charset statement from vuetify.css (3b5fbe9), closes #16989
- VColorPicker: correct swatches-padding variable name (bb152d4), closes #14887 #14878
- VDataIterator: check shiftKey on any keypress (8ad6f7b), closes #16128
- VLabel: inherit attrs (116bcab), closes #16938
- VSelect: only lookup keypresses for printable characters (e4208c8), closes #7260
v2.6.14
:wrench: Bug Fixes
v2.6.13
:wrench: Bug Fixes
- ripple: check parent before calling removeChild (#14573) (63c2267), closes #13457
- VAutocomplete: remove unused allowOverflow prop (f16c2c5), closes #16008
- VDataTable: native event as argument to click:row (#15864) (17dd133), closes #10302
v2.6.12
:wrench: Bug Fixes
- VCalendar: display name on all-day events in event slot (30b7281), closes #15915
- VCombobox: emit paste event (7417807), closes #11186
- VFileInput: label click opens dialog twice (#15902) (7c9f717), closes #15888
- VStepper: increase error label selector specificity (785de11), closes #15886
v2.6.11
:wrench: Bug Fixes
- click-outside: remove unused vnode reference (4d3359a)
v2.6.10
:wrench: Bug Fixes
- VCalendar: prevent XSS from eventName function (ade1434), closes #15757
- VDialog: don't try to focus `tabindex="-1"` or hidden inputs (89e3850), closes #15745
- VMenu: disable activatorFixed when attach is enabled (#15709) (464529a), closes #14922
- VTextField: only show clear icon on hover or when focused (7a51ad0)
- VTextField: prevent tabbing to clear button (f8ee680), closes #11202
- web-types: add support for VDataTable pattern slots (#15694) (ac45c98)
:microscope: Code Refactoring
- VSelect: render highlight with vnodes instead of innerHTML (4468e3c)
BREAKING CHANGES
- VCalendar: `eventName` function can no longer render arbitrary HTML, convert to VNodes instead. `eventSummary` can no longer be used with v-html, replace with `<component :is="{ render: eventSummary }" />`
v2.6.9
:wrench: Bug Fixes
- VCalendar: add aria roles to monthly calendar (#14640) (2cd34b4), closes #14604
- VCalendar: forward all bound events to internal elements (#15592) (299330c)
- VCarousel: add keys to delimiter buttons (#15459) (8d3895b)
- VPagination: ignore invalid length values (f3f8d15), closes #15499
- VRadio: change icon color when disabled (0cc43e2)
- VSwitch: only affect control opacity when disabled (1e0a4ad)
v2.6.8
:wrench: Bug Fixes
- VDataTable: display header text instead of value in group headers (100053f), closes #11516
- VItemGroup: use valueComparator when updating value (#15395) (8bedb7c), closes #15394
- VSimpleCheckbox: directly specify ripple directive definition (00a9668), closes #12224
v2.6.7
:wrench: Bug Fixes
- styles: resolve css validation errors (621f273), closes #15320
- VDialog: focus on internal content when shown (#14584) (ffbaae1), closes #14581
- VInput: allow text selection in disabled inputs (#14465) (760490d), closes #14238
- VList: don't trigger keyboard events on disabled items (#15339) (817df79), closes #15322
- VOtpInput: support paste and autofill on mobile (8c67ed8), closes #14801
- VRadio: use correct disabled color for icons (3115798)
- VSelect: allow keyboard selection of items with value 0 (969aba4), closes #15166
- VTabs: use ResizeObserver if available (ff519c6), closes #4733 #10455 #12783 #14195 #15316
- VTimeline: disable arrow shadow on clickable cards (27ba2c9), closes #14193
v2.6.6
:wrench: Bug Fixes
- locale: update catalan translations (#15012) (2eab4f2)
- mdi-svg: update contextual icons (5918484), closes #14327
- VOverflowBtn: make persistentPlaceholder label visible (#15055) (002afbe), closes #15052
- VSelect: set min-height on correct element (d41a327), closes #15047
:microscope: Code Refactoring
v2.6.5
:wrench: Bug Fixes
- locale: add missing Finnish translations (#14824) (f0e5889)
- locale: improve spanish translations (#14965) (a427b96)
- selection controls: emit focus/blur events (75404fb), closes #14862
- VCalendar: fix transparent header on category calendar (#14725) (33002fa), closes #14723
- VImg: accept scopedSlots (96888d5), closes #14686
- VTreeview: independent selection inheriting parent state (#14956) (2034df6), closes #14955
v2.6.4
:wrench: Bug Fixes
- VDialog/VMenu: remove duplicate toggleable mixin (860be6b), closes #14719
- VPagination: get available width before initial mount (472bbb4), closes #14590
- VSelect: update menu position on selection change (5974a84), closes #14688
v2.6.3
:wrench: Bug Fixes
- VCalendar: use theme background color for categories (#14558) (185408b), closes #14433
- VData: don't reset sortBy/sortDesc to [] on clear (9cf48e4), closes #14423
- VDialog: change the role from "document" to "dialog" (#14602) (158e0b5), closes #14231
- VMenu: null check content in mouseleave handler (e13eee1), closes #14619
- VMenu: wrong alignment in RTL mode (#14556) (446963f), closes #12195
- VNavigationDrawer: don't update miniVariant without expandOnHover (bb2b11e), closes #14555
- VTab: disabled tab can be reached by keyboard (#14606) (d110f58), closes #14601
v2.6.2
:wrench: Bug Fixes
- application: allow use of multiple drawers (#14450) (85a1186), closes #13665
- types: add missing VOtpInput export in lib.d.ts (#14497) (00f3f0a), closes #14496
- VBottomNavigation: only calculate isActive state when using hideOnScroll (f58afb4), closes #11640
- VCombobox: don't reset search when cleared (#14531) (79cd41d), closes #14507
- VMenu: don't add button role with openOnHover (24ccd88), closes #14377
- VNavigationDrawer: always bind mouseover events (#14523) (03e683f), closes #13309
- VOtpInput: update internalValue on paste (bab2fa2), closes #14536
- VOtpInput: update the `otp` when `value` changes (#14460) (c58f02a), closes #14437
- VSelect: Do not keep null items when filtering duplicates (#14464) (8fd3510), closes #14421
- VSlideGroup: account for inverted RTL scrolling (092fceb), closes #14529
- VSlideGroup: skip width update if destroyed (1bb1455), closes #14470
- VStepper: editable step tab navigation (#14036) (256fa93), closes #14022
- VTabs: correctly set active state with exact prop (#14500) (74ec950), closes #14431 #14459
- VTextarea: apply correct input styles with solo-inverted prop (ea96084), closes #11848
- VTooltip: allow disabling openOnClick/openOnFocus (28a64c4), closes #14444
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
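
Added example, not part of the original PR and not Vuetify's code: the class of bug described under CVE-2025-8083 above, shown as a generic naive deep merge next to a hardened one, with a check that flags dangerous keys in an untrusted preset. The helper names (`naiveMerge`, `safeMerge`, `findForbiddenKeys`) and the sample preset are assumptions constructed for illustration.

```javascript
// Added example: generic helpers, NOT Vuetify's own mergeDeep.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: target[key] may resolve to an inherited object (Object.prototype).
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) naiveMerge(target[key], source[key]);
    else target[key] = source[key];
  }
  return target;
}

// Hardened merge: own keys only, dangerous keys skipped, recursion only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    target[key] = isPlainObject(source[key])
      ? safeMerge(isPlainObject(own) ? own : {}, source[key])
      : source[key];
  }
  return target;
}

// Lists paths of dangerous keys so an untrusted preset can be rejected and logged.
function findForbiddenKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) hits.push(`${path}.${key}`);
    hits.push(...findForbiddenKeys(value[key], `${path}.${key}`));
  }
  return hits;
}

function demo() {
  // Constructed preset as parsed from JSON; JSON.parse makes "__proto__" an own key.
  const preset = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}');
  const defaults = () => ({ theme: { dark: false, primary: '#1976d2' } });
  const hits = findForbiddenKeys(preset);
  const safe = safeMerge(defaults(), preset);
  const afterSafe = ({}).polluted;
  naiveMerge(defaults(), preset);
  const afterNaive = ({}).polluted;
  delete Object.prototype.polluted; // undo the pollution before returning
  return { hits, safe, afterSafe, afterNaive };
}
console.log(demo());
```

On the end-of-life 2.x line, a check like `findForbiddenKeys` belongs wherever preset or options data crosses a trust boundary, especially under SSR where one polluted prototype is shared by every request in the server process.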