[Snyk] Upgrade @nuxt/ui from 2.17.0 to 4.0.0

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade @nuxt/ui from 2.17.0 to 4.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 56 versions ahead of your current version.

• The recommended version was released 25 days ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Incorrect Authorization SNYK-JS-VITE-9653016	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	155	Proof of Concept
	Acceptance of Extraneous Untrusted Data With Trusted Data SNYK-JS-NUXT-9486043	155	No Known Exploit
	Information Exposure SNYK-JS-VITE-9685035	155	Proof of Concept
	Directory Traversal SNYK-JS-VITE-9919777	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	155	Proof of Concept
	Missing Release of Resource after Effective Lifetime SNYK-JS-INFLIGHT-6095116	155	Proof of Concept
	Open Redirect SNYK-JS-KOA-10944994	155	Proof of Concept
	Open Redirect SNYK-JS-KOA-12143256	155	No Known Exploit
	Origin Validation Error SNYK-JS-NUXTVITEBUILDER-8663232	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	155	Proof of Concept
	Prototype Pollution SNYK-JS-DEVALUE-12205530	155	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-KOA-8720152	155	No Known Exploit
	Insecure Randomness SNYK-JS-UNDICI-8641354	155	Proof of Concept
	Incorrect Authorization SNYK-JS-VITE-9512410	155	Mature
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	155	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	155	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	155	No Known Exploit
	Prototype Pollution SNYK-JS-PARSEGITCONFIG-9403763	155	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	155	Proof of Concept
	Information Exposure SNYK-JS-VITE-8023174	155	Proof of Concept
	Origin Validation Error SNYK-JS-VITE-8648411	155	Proof of Concept
	Access Control Bypass SNYK-JS-VITE-9576207	155	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-KOA-9679272	155	Proof of Concept
	Directory Traversal SNYK-JS-NUXT-12878602	155	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	155	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	155	No Known Exploit
	Directory Traversal SNYK-JS-SIRV-12558119	155	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	155	Proof of Concept
	Relative Path Traversal SNYK-JS-VITE-12558116	155	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-VITE-8022916	155	Proof of Concept

Release notes

Package name: @nuxt/ui

• 4.0.0 - 2025-09-23
• 4.0.0-beta.0 - 2025-09-22
  

  🐛 Bug Fixes

  • ChatMessages: wrap indicator with slot (#5036) (c00bf30)
  • CheckboxGroup: proxy generic to emits (ffa5b23)
  • Form: improve nested form validation handling (#5024) (77a554e)
  • Form: remove joi and yup in favor of @ standard-schema/spec (#5035) (723cf36)
  • InputMenu: ensure to pass a string to items when multiple (9beccbb), closes #5018
  • InputTags: add blur and focus event handlers on input (#5007) (3fd2614)
  • locale: improve translations in pt locale (#5003) (725ef9b)
  • module: only inject tailwindcss vite plugin once (#5008) (c2e39dd)
  • ProseImg: add w-full by default (#4997) (de47add)
  • Tabs: use nullish coalescing on item value (340fc48), closes #4804
  • Tree: remove value-key in favor of get-key (#4999) (240ff42)
  • types: allow arbitrary keys in tv config (#4992) (ae77b69)

  New Contributors

  • @ jd-solanki made their first contribution in #4872
  • @ JoniDS made their first contribution in #5003

  Full Changelog: v4.0.0-alpha.2...v4.0.0-beta.0

• 4.0.0-alpha.2 - 2025-09-17
  

  This 4.0.0-alpha.2 release focused mostly on stability and documentation.

  The official v4 release should come next week after some more testing.

  📚 Documentation

  We've made significant improvements to the documentation in this release.

  • Theme: rewritten and split into three sections - Design system, CSS variables and Component theming (#4939)
  • Typography: moved to own section with headers, text formatting, lists, tables, images, embeds, and code blocks (#4742)
  • MCP server: Model Context Protocol integration with tools, prompts and resources for AI assistants (#4878)

  🚨 Breaking Changes

  • Form: don't mutate the form's state if transformations are enabled (#4902)

  Read the migration guide about this change: https://ui4.nuxt.com/docs/getting-started/migration/v4#changes-to-form-component

  🚀 Features

  • ContentNavigation: handle collapsible false with type multiple (c42c2ab)

  🐛 Bug Fixes

  • Banner: ensure actions slot renders (#4946) (5d6e1fc)
  • CodeTree/Tree: improve accessibility (#4945) (117b4b3)
  • components: dot notation type support for labelKey and valueKey (#4933) (11a0320)
  • components: proxySlots reactivity (#4969) (3173bee)
  • components: standardize naming for type interfaces (#4990) (788d2de)
  • FileUpload: add missing button type (f33e43c), closes #4935
  • Form: don't mutate the form's state if transformations are enabled (#4902) (99dbe81)
  • Form: handling race condition on clear function (#4843) (2269b48)
  • InputMenu/Select/SelectMenu: show falsy value when model value is falsy (#4882) (073dd14)
  • locale: improve id name (#4890) (1b5d741)
  • Marquee: handle RTL mode (#4887) (1846079)
  • Progress: improve status-position when 0 (#4994) (0e1e44c)
  • types: export missing tv types (#4971) (2bf273c)
  • types: resolve ambient declaration error in icons type (#4991) (6ddf899)

  🔥 Performances

  • module: do not block setup by importing plugin (#4923) (695d9f7)

  🌐 Locales

  • locale: add Georgian language (#4973) (996478f)
  • locale: add Swiss German language (#4962) (dcf17bb)

  👋 New Contributors

  • @ reinacchi made their first contribution in #4890
  • @ USLTD made their first contribution in #4973
  • @ vitpetricak made their first contribution in #4991

  Full Changelog: v4.0.0-alpha.1...v4.0.0-alpha.2

• 4.0.0-alpha.1 - 2025-09-01
  

  📚 Documentation

  You can check out the new docs for v4 on https://ui4.nuxt.com while in alpha.

  🚨 Breaking Changes

  • components: rename nullify modifier to nullable and add optional (#4838)
  • module: update compatibility to nuxt 4

  Read the migration guide to v4.

  🚀 Features

  • Icon: allow passing a component instead of a name (#4766) (61b603f)

  🐛 Bug Fixes

  • AuthForm: use error from form field (#4738) (00dfb6b)
  • BlogPost: ensure date slot renders (#4743) (4514880)
  • ChangelogVersion/ChangelogVersions: handle RTL mode (#4777) (f91c408)
  • ContentSearch/DashboardSearch: make ui.modal work (946c2ec)
  • module: add @ source on components (a16465f), closes #4773
  • PageCard: improve keyboard accessibility (#4733) (3029568)
  • ProseImg: ensure unique motion layout id for images (#4720) (9480a0b)
  • unplugin: handle components overrides in subdirectories (#4781) (69ee75e)

  New Contributors

  • @ cco3 made their first contribution in #4808
  • @ fabianmerino made their first contribution in #4826

  Full Changelog: v4.0.0-alpha.0...v4.0.0-alpha.1

• 4.0.0-alpha.0 - 2025-08-15
  

  📚 Documentation

  You can check out the new docs for v4 on https://ui4.nuxt.com while in alpha.

  🚨 Breaking Changes

  • components: upgrade ai-sdk to v5 (#4698) (9545fdd)
  • FieldGroup: rename from ButtonGroup (#4596) (8aa96d1)
  • components: import @ nuxt/ui-pro components (#4675) (f6ae153)
  • Marquee: rename from PageMarquee (#4741) (0a4d9b4)
  • PageAccordion: remove in favor of Accordion (#4734) (1c63aab)

  Read the migration guide to v4.

  Full Changelog: v3.3.2...v4.0.0-alpha.0

• 3.3.6 - 2025-10-03
• 3.3.5 - 2025-09-23
• 3.3.4 - 2025-09-15
  

  🐛 Bug Fixes

  • FileUpload: add missing button type (91f86d9), closes #4935
  • Form: handling race condition on clear function (#4843) (0a8ead7)
  • InputMenu/Select/SelectMenu: show falsy value when model value is falsy (#4882) (5b9d9d8)
  • locale: improve id name (#4890) (e5cb55b)

  Full Changelog: v3.3.3...v3.3.4

• 3.3.3 - 2025-09-01
  

  🚀 Features

  • useFormField: export form errors injection key (#4808) (ec2bc0a)

  🐛 Bug Fixes

  • components: broken types for update:model-value event (#4853) (7133f50)
  • Form: default slot types (#4758) (a32cc37)
  • Form: update Form interface to accept RegExp (#4821) (0c2d390)
  • InputMenu/Select/SelectMenu: show placeholder when model value is falsy (#4825) (90b5daf)
  • InputMenu: prevent focus-outside event on content (77b6b9a)
  • Link: ensure target _blank is flagged as external for Inertia (#4746) (520b277)
  • Table: ensure colspan calc for loading and empty states (#4826) (bdcc8c4)

  New Contributors

  • @ cco3 made their first contribution in #4808
  • @ fabianmerino made their first contribution in #4826

  Full Changelog: v3.3.2...v3.3.3

• 3.3.2 - 2025-08-14
  

  This release ensures the [email protected] dependency is installed. The 2.1.0 version is somehow broken at the moment: heroui-inc/tailwind-variants#259 / heroui-inc/tailwind-variants#258

  Full Changelog: v3.3.1...v3.3.2

• 3.3.1 - 2025-08-14
• 3.3.0 - 2025-07-24
• 3.2.0 - 2025-06-25
• 3.1.3 - 2025-05-26
• 3.1.2 - 2025-05-15
• 3.1.1 - 2025-05-02
• 3.1.0 - 2025-04-24
• 3.0.2 - 2025-03-28
• 3.0.1 - 2025-03-21
• 3.0.0 - 2025-03-12
• 3.0.0-beta.4 - 2025-03-12
• 3.0.0-beta.3 - 2025-03-07
• 3.0.0-beta.2 - 2025-02-28
• 3.0.0-beta.1 - 2025-02-28
• 3.0.0-alpha.13 - 2025-02-17
• 3.0.0-alpha.12 - 2025-01-27
• 3.0.0-alpha.11 - 2025-01-13
• 3.0.0-alpha.10 - 2024-12-09
• 3.0.0-alpha.9 - 2024-11-19
• 3.0.0-alpha.8 - 2024-11-07
• 3.0.0-alpha.7 - 2024-10-23
• 3.0.0-alpha.6 - 2024-10-09
• 3.0.0-alpha.5 - 2024-10-02
• 3.0.0-alpha.4 - 2024-10-01
• 3.0.0-alpha.3 - 2024-09-18
• 3.0.0-alpha.2 - 2024-09-18
• 3.0.0-alpha.1 - 2024-09-11
• 3.0.0-alpha.0 - 2024-09-05
• 2.22.3 - 2025-09-01
  

  Release 2.22.3

• 2.22.2 - 2025-09-01
  

  🐛 Bug Fixes

  • Meter: correct vertical alignment of progress bar (#4735) (875be4b)
  • SelectMenu/InputMenu: ensure object compare with by prop (#4791) (44382cd)

  New Contributors

  • @ DanielPagani made their first contribution in #4735

  Full Changelog: v2.22.1...v2.22.2

• 2.22.1 - 2025-07-16
• 2.22.0 - 2025-04-22
• 2.21.1 - 2025-03-08
• 2.21.0 - 2025-01-14
• 2.20.0 - 2024-12-09
• 2.19.2 - 2024-11-05
• 2.19.1 - 2024-11-05
• 2.19.0 - 2024-11-05
• 2.18.7 - 2024-10-09
• 2.18.6 - 2024-09-23
• 2.18.5 - 2024-09-18
• 2.18.4 - 2024-08-05
• 2.18.3 - 2024-07-30
• 2.18.2 - 2024-07-25
• 2.18.1 - 2024-07-25
• 2.18.0 - 2024-07-25
• 2.17.0 - 2024-06-13

from @nuxt/ui GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs