chore(deps): bump nuxt from 3.21.2 to 3.21.6 in the nuxt-ecosystem group across 1 directory

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the nuxt-ecosystem group with 1 update in the / directory: nuxt.

Updates nuxt from 3.21.2 to 3.21.6

Release notes

Sourced from nuxt's releases.

v3.21.6

3.21.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• nuxt: Prefer our own builder/server deps (#35029)
• nitro: Add json extension to payload cache items (#35043)
• nuxt: Handle errors fetching app manifest (#35050)
• nuxt: Preserve setPageLayout props on same-path navigation (#35055)
• vite: Don't strip buildAssetsDir from vite-node SSR ids (#35040)
• nuxt: Mark useLoadingIndicator properties as readonly (#35062)
• vite: Strip queries in css inline styles map (#35067)
• nuxt: Encode html-significant characters in external redirect body (#35052)
• nitro: Validate island request hash matches props (#35077)
• nitro: Use regexp to strip query (042b615e6)
• nitro: Use statusCode for nitro v2 compatibility (82dcd6a31)
• nuxt: Render component-less parent routes during client-side nav (#35036)
• nuxt: Run middleware for page islands (#35092)

💅 Refactors

• rspack,webpack: Extract same-origin check for dev middleware (#35051)

📖 Documentation

• Remove CSB, set node 22 and use steps for clarity (#35066)

🏡 Chore

• Ignore link-like syntax in code (f9bf11b11)
• Narrow engines.node in test (5ed9a2691)
• Remove unused import (3a8bb0030)

✅ Tests

• Relax relative time assertion (256513eb0)
• Move build assets dir fixture out of app/ (6d2ac69ff)

🤖 CI

• Clean up agent-scan workflow (31590cf07)
• Continue autofix workflow when test:engines fails (958abb882)
• Improve workflows (#35088)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Julien Huang (@​huang-julien)
• Damian Głowala (@​DamianGlowala)
• Sébastien Chopin (@​atinux)
• Adrien Foulon (@​Tofandel)

v3.21.5

3.21.5 is the next patch release.

👉 Changelog

... (truncated)

Commits

• 1a8fff3 v3.21.6
• d152a5e fix(nuxt): run middleware for page islands (#35092)
• d6caa8e fix(nuxt): render component-less parent routes during client-side nav (#35036)
• 63e5437 chore(deps): update all non-major dependencies (3.x) (#35076)
• 21c110a fix(nitro): validate island request hash matches props (#35077)
• 17b27b0 fix(nuxt): encode html-significant characters in external redirect body (#35052)
• c67675c fix(nuxt): mark useLoadingIndicator properties as readonly (#35062)
• 702c02b fix(nuxt): preserve setPageLayout props on same-path navigation (#35055)
• aacb18d fix(nuxt): handle errors fetching app manifest (#35050)
• db4b5ff fix(nuxt): prefer our own builder/server deps (#35029)
• Additional commits viewable in compare view

[railway-app]

🚅 Deployed to the euler-lite-pr-458 environment in euler-lite

Service	Status	Web	Updated (UTC)
dev-build	✅ Success (View Logs)	Web	Jun 8, 2026 at 11:13 am

[LeonardEulerXYZ]

Reviewed PR #458 at head 6a302df6b240280d1a6e9ea1cbb576690e02abaa.

Verdict: Comment — no blocking issues found.

Scope:

• Dependency bump only: nuxt 3.21.2 -> 3.21.5 plus lockfile updates.
• Reviewed package.json and package-lock.json diff, including new/removed transitive packages and install-script surface.
• Supply-chain sweep notes: changed packages resolve from https://registry.npmjs.org/; no changed package added hasInstallScript; newly added transitives are proper-lockfile, its signal-exit, and retry via the Nuxt ecosystem update.

Validation performed locally in /home/leonard/euler-lite-worktrees/pr-458:

• Managed worktree bootstrap with Node 24 / npm 11, Nuxt prepare completed.
• npm run test:run passed: 74 files passed, 1 skipped; 843 tests passed, 1 skipped.
• npm run build passed with existing-style Sentry/source-map, Rollup pure annotation, dynamic-import, and large-chunk warnings; no build failure.
• Production-built local server smoke on http://127.0.0.1:3458:
  • / returned 200.
  • /api/euler-chains returned 200 with 17 entries.
  • /api/token-list?chainId=1 returned 200.
  • /api/rpc/1 returned eth_chainId = 0x1.
  • Browser route smoke after “Connect later”: /, /explore, /lend, and /borrow rendered populated content. Console noise was limited to local missing APPKIT_PROJECT_ID / Reown remote-config warnings expected for this minimal local env.

No inline comments: I did not find a concrete changed-line issue worth anchoring. This is a framework dependency bump, so the useful proof is the lockfile/supply-chain sweep plus build/test/runtime smoke rather than source-line nits.

[LeonardEulerXYZ]

Reviewed PR #458 at head 94b48d5.

Verdict: COMMENT — no blocking issues found.

Scope checked:

• package.json / package-lock.json diff for the Nuxt 3.21.2 -> 3.21.6 bump.
• Lockfile package/version churn: Nuxt/Nitro/Vite-builder related transitive updates, including oxc 0.117.0 -> 0.131.0 family and related Nuxt runtime packages. No source-code or app config changes in this PR.
• npm audit comparison: base reported the Nuxt island cache-poisoning advisory on Nuxt <=3.21.5; this PR removes that Nuxt advisory. Remaining moderate audit items are pre-existing / not introduced here (serialize-javascript, unhead override, ws via viem/euler SDK).

Validation performed locally in /home/leonard/euler-lite-worktrees/pr-458:

• npm ci --ignore-scripts via the managed dependency seed, then npx nuxt prepare
• npm run test:run — 803 passed, 1 skipped
• npm run typecheck — passed
• npm run build — passed with existing warning classes (Sentry token/sourcemaps, Rollup pure annotations, dynamic/static import chunking, large chunk warning)
• GitHub check observed: euler-lite - dev-build passed

Browser smoke: not run — this is a package-only Nuxt patch bump with no app source or route changes; build/typecheck/test coverage is the appropriate bounded check here.

[LeonardEulerXYZ]

Reviewed PR #458 at head 6da0908.

Verdict: Comment — no blocking findings found.

Scope reviewed:

• package-only Dependabot diff: nuxt 3.21.2 -> 3.21.6 in package.json plus package-lock refresh
• lockfile supply-chain shape: registry.npmjs.org tarballs only among touched packages; no touched package lifecycle/install scripts detected
• Nuxt/Nitro/Vite/OXC/Vue transitive changes implied by the lockfile

Validation performed:

• Fresh managed Lite worktree: /home/leonard/euler-lite-worktrees/pr-458
• npm ci --ignore-scripts via lockfile-hashed dependency seed, then npx nuxt prepare
• npm run test:run: 72 files passed, 813 tests passed, 1 skipped
• npm run build: passed with existing-style Sentry/source-map, Rollup annotation/chunk-size warnings
• Local built-server smoke on http://127.0.0.1:3458:
  • GET / -> HTTP 200
  • GET /api/euler-chains -> HTTP 200, 17 chains parsed
  • POST /api/rpc/1 eth_chainId -> HTTP 200, result 0x1
  • GET /api/token-list?chainId=1 -> HTTP 200, 6304 tokens parsed
• npm audit --omit=dev compared against base: moderate advisories remain in the tree, but the PR removes the Nuxt island shared-cache poisoning advisory present on 3.21.2; the remaining reported issues are existing/transitive rather than a blocker introduced by this bump.

Caveat:

• Browser-level Playwright smoke was not run because no Chromium/Chrome executable is currently installed in this VM. The production build and local HTTP/API smoke passed.

No inline comments; I did not find a changed-line issue worth anchoring.

[LeonardEulerXYZ]

Reviewed PR #458 at head 628b43a.

Verdict: COMMENT — no PR-specific code/supply-chain blocker found in the changed files, but validation is bounded because install/build could not be completed in this environment and the PR deploy check is currently failing.

Scope reviewed:

• package.json: direct Nuxt bump 3.21.2 -> 3.21.6 only.
• package-lock.json: Nuxt ecosystem transitive update, including @nuxt/nitro-server, @nuxt/vite-builder, @nuxt/schema, nitropack, oxc-*, vite-plugin-checker, and related lockfile integrity/resolved metadata.

Validation performed:

• Confirmed checked-out PR head: 628b43a957554d35010835699c7c4d0ce3df801c.
• Diff inspected against origin/development; changed files are only package.json and package-lock.json.
• Parsed both JSON files successfully.
• Ran npm ls nuxt @nuxt/vite-builder @nuxt/nitro-server nitropack oxc-parser oxc-transform --package-lock-only --depth=1; lock resolves Nuxt packages to 3.21.6 and expected transitive versions.
• Compared base vs PR lockfile package graph: 13 added package entries, 5 removed, 73 version changes, all in the Nuxt/build-tool dependency surface.
• Ran package-lock audit with npm audit --package-lock-only --omit=dev on base and PR locks. Both report 11 moderate vulnerabilities; the PR removes the Nuxt <=3.21.5 advisory ranges for the redirect/island issues, while existing moderate findings remain through unhead/serialize-javascript/viem surfaces.
• Supply-chain sweep of the diff found no new app code, scripts, GitHub Actions, install-script changes, credential material, or non-registry dependency sources introduced by the PR.

Validation caveats:

• npm ci --ignore-scripts failed on both the PR lock and the current base lock because @eulerxyz/euler-v2-sdk@0.2.13-beta resolves to a registry tarball that returned 404. Because of that, I did not run npm run test:run, npm run build, or browser smoke from a clean install.
• GitHub/Railway currently shows euler-lite - dev-build failed for this PR. I did not treat that as a PR-specific Nuxt regression without logs, but it should be resolved or shown to be known baseline noise before merge.

No inline comments from me; the diff is mechanical and I did not find a changed-line issue worth anchoring.