chore(deps): update dependency @nuxt/devtools to v2.6.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@nuxt/devtools (source)	2.1.0 → 2.6.4

---

Nuxt DevTools vulnerable to cross-site scripting (XSS)

CVE-2025-52662 / GHSA-xmq3-q5pm-rp26

More information

Details

A vulnerability in Nuxt DevTools has been fixed in version 2.6.4*. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-52662
• https://github.com/nuxt/devtools/commit/7cadbbe9
• https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools
• https://github.com/nuxt/devtools/releases/tag/v2.6.4
• https://github.com/advisories/GHSA-xmq3-q5pm-rp26

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nuxt/devtools (@​nuxt/devtools)

v2.6.4

Compare Source

Bug Fixes

• using textContent instead of innerHtml for auth pagechore: update lock (7cadbbe)

v2.6.3

Compare Source

v2.6.2

Compare Source

Bug Fixes

• panel dragging issue, close #​874, close #​871, close #​873 (619de37)

v2.6.1

Compare Source

Bug Fixes

• deps: do not depend on @nuxt/schema (#​872) (62443ec)

v2.6.0

Compare Source

Bug Fixes

• timing labels wrapping (#​866) (fd01e60)

Features

• update deps (eef2c09)

v2.5.0

Compare Source

v2.4.1

Compare Source

Bug Fixes

• devtools-kit: explicitly type return type of useDevtoolsHostClient (#​861) (161e847)
• StateEditor: add isPrimitive helper and support bigint type (#​744) (#​854) (f8eed63)
• ui-kit: use object syntax for NButton slots (#​857) (09002d2)

Features

• improve modules view (807405f)
• show docs link for components (9ab0ec8)

v2.4.0

Compare Source

Bug Fixes

• devtools-kit: fix useDevtoolsClient return type (#​845) (5ce9b47)
• module setup times are multiplied by 1000 (#​838) (d16aa96)
• ui-kit: add [@unocss-include](https://redirect.github.com/unocss-include) magic string in NButton (#​852) (f18de78)
• watch() typeof check on array is always false (#​850) (a873199)

2.3.2 (2025-03-26)

Bug Fixes

• prioritize vue-devtools plugin registation, fix #​823, fix #​822 (259853b)
• update vite-plugin-vue-tracer (0c1740c)

2.3.1 (2025-03-20)

Bug Fixes

• downgrade execa to be compatible with Node v18, fix #​821 (f15c7dc)

v2.3.2

Compare Source

Bug Fixes

• prioritize vue-devtools plugin registation, fix #​823, fix #​822 (259853b)
• update vite-plugin-vue-tracer (0c1740c)

v2.3.1

Compare Source

Bug Fixes

• downgrade execa to be compatible with Node v18, fix #​821 (f15c7dc)

v2.3.0

Compare Source

Features

• debug page of module mutation (#​770) (f7e9ab5)

2.2.1 (2025-03-05)

Bug Fixes

• inspector: do not register instapector events if there is already any (db01e1b)

v2.2.1

Compare Source

Bug Fixes

• inspector: do not register instapector events if there is already any (db01e1b)

v2.2.0

Compare Source

Features

• component graph node name toogle (#​797) (2eb2a37)
• migrate to vite-plugin-vue-tracer (#​803) (faa08d3)

2.1.3 (2025-03-03)

2.1.2 (2025-03-03)

2.1.1 (2025-02-28)

Bug Fixes

• use shiki js engine instead of precompiled (d018045)

Features

• update deps (15dbe6d)

v2.1.3

Compare Source

v2.1.1

Compare Source

Bug Fixes

• use shiki js engine instead of precompiled (d018045)

Features

• update deps (15dbe6d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.