fix(deps): update dependency vue to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vue (source)	^2.6.14 -> ^3.0.0

GitHub Vulnerability Alerts

CVE-2024-9506

The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.

To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.

new Vue({
  el: '#app',
  template: '
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>'
});

Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:

<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
</head>
<body>
  <div id=\"app\">Loading...</div>
</body>
</html>

When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.

---

Release Notes

vuejs/core (vue)

v3.0.0: One Piece

Today we are proud to announce the official release of Vue.js 3.0 "One Piece". This new major version of the framework provides improved performance, smaller bundle sizes, better TypeScript integration, new APIs for tackling large scale use cases, and a solid foundation for long-term future iterations of the framework.

The 3.0 release represents over 2 years of development efforts, featuring 30+ RFCs, 2,600+ commits, 628 pull requests from 99 contributors, plus tremendous amount of development and documentation work outside of the core repo. We would like to express our deepest gratitude towards our team members for taking on this challenge, our contributors for the pull requests, our sponsors and backers for the financial support, and the wider community for participating in our design discussions and providing feedback for the pre-release versions. Vue is an independent project created for the community and sustained by the community, and Vue 3.0 wouldn't have been possible without your consistent support.

Taking the "Progressive Framework" Concept Further

Vue had a simple mission from its humble beginning: to be an approachable framework that anyone can quickly learn. As our user base grew, the framework also grew in scope to adapt to the increasing demands. Over time, it evolved into what we call a "Progressive Framework": a framework that can be learned and adopted incrementally, while providing continued support as the user tackles more and more demanding scenarios.

Today, with over 1.3 million users worldwide^*, we are seeing Vue being used in a wildly diverse range of scenarios, from sprinkling interactivity on traditional server-rendered pages, to full-blown single page applications with hundreds of components. Vue 3 takes this flexibility even further.

Layered internal modules

Vue 3.0 core can still be used via a simple <script> tag, but its internals has been re-written from the ground up into a collection of decoupled modules. The new architecture provides better maintainability, and allows end users to shave off up to half of the runtime size via tree-shaking.

These modules also exposes lower-level APIs that unlocks many advanced use cases:

• The compiler supports custom AST transforms for build-time customizations (e.g. build-time i18n)
• The core runtime provides first-class API for creating custom renderers targeting different render targets (e.g. native mobile, WebGL or terminals). The default DOM renderer is built using the same API.
• The @vue/reactivity module exports functions that provide direct access to Vue's reactivity system, and can be used as a standalone package. It can be used to pair with other templating solutions (e.g. lit-html) or even in non-UI scenarios.

New APIs for tackling scale

The 2.x Object-based API is largely intact in Vue 3. However, 3.0 also introduces the Composition API - a new set of APIs aimed at addressing the pain points of Vue usage in large scale applications. The Composition API builds on top of the reactivity API and enables logic composition and reuse similar to React hooks, more flexible code organization patterns, and more reliable type inference than the 2.x Object-based API.

Composition API can also be used with Vue 2.x via the @​vue/composition-api plugin, and there are already Composition API utility libraries that work for both Vue 2 and 3 (e.g. vueuse, vue-composable).

Performance Improvements

Vue 3 has demonstrated significant performance improvements over Vue 2 in terms of bundle size (up to 41% lighter with tree-shaking), initial render (up to 55% faster), updates (up to 133% faster), and memory usage (up to 54% less).

In Vue 3, we have taken the approach of "compiler-informed Virtual DOM": the template compiler performs aggressive optimizations and generates render function code that hoists static content, leaves runtime hints for binding types, and most importantly, flattens the dynamic nodes inside a template to reduce the cost of runtime traversal. The user therefore gets the best of both worlds: compiler-optimized performance from templates, or direct control via manual render functions when the use case demands.

Improved TypeScript integration

Vue 3's codebase is written in TypeScript, with automatically generated, tested, and bundled type definitions so they are always up-to-date. Composition API works great with type inference. Vetur, our official VSCode extension, now supports template expression and props type checking leveraging Vue 3's improved internal typing. Oh, and Vue 3's typing fully supports TSX if that's your preference.

Experimental Features

We have proposed two new features for Singe-File Components (SFC, aka .vue files):

• <script setup>: syntactic sugar for using Composition API inside SFCs
• <style vars>: state-driven CSS variables inside SFCs

These features are already implemented and available in Vue 3.0, but are provided only for the purpose of gathering feedback. They will remain experimental until the RFCs are merged.

We have also implemented a currently undocumented <Suspense> component, which allows waiting on nested async dependencies (async components or component with async setup()) on initial render or branch switch. We are testing and iterating on this feature with the Nuxt.js team (Nuxt 3 is on the way) and will likely solidify it in 3.1.

Phased Release Process

The release of Vue 3.0 marks the general readiness of the framework. While some of the frameworks sub projects may still need further work to reach stable status (specifically router and Vuex integration in the devtools), we believe it's suitable to start new, green-field projects with Vue 3 today. We also encourage library authors to start upgrading your projects to support Vue 3.

Check out the Vue 3 Libraries Guide for details on all framework sub projects.

Migration and IE11 Support

We have pushed back the migration build (v3 build with v2 compatible behavior + migration warnings) and the IE11 build due to time constraints, and are aiming to focus on them in Q4 2020. Therefore, users planning to migrate an existing v2 app or require IE11 support should be aware of these limitations at this time.

Next Steps

For the near term after release, we will focus on:

• Migration build
• IE11 support
• Router and Vuex integration in new devtools
• Further improvements to template type inference in Vetur

For the time being, the documentation websites, GitHub branches, and npm dist tags for Vue 3 and v3-targeting projects will remain under next-denoted status. This means npm install vue will still install Vue 2.x and npm install vue@next will install Vue 3. We are planning to switch all doc links, branches and dist tags to default to 3.0 by end of 2020.

At the same time, we have started planning for 2.7, which will be the last planned minor release of the 2.x release line. 2.7 will be backporting compatible improvements from v3, and emit warnings on usage of APIs that are removed/changed in v3 to help with potential migration. We are planning to work on 2.7 in Q1 2021, which will directly become LTS upon release with an 18 months maintenance lifespan.

Trying It Out

To learn more about Vue 3.0, check out our new documentation website. If you are an existing Vue 2.x user, go directly to the Migration Guide.

---

• *based on Vue Devtools Chrome extension weekly active users as reported by Google.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[rajadilipkolli]

@coderabbitai, can you please help me to upgrade dependency vue to v3 from 2.6.14 in this repo

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@rajadilipkolli, I'd be happy to help you upgrade your project from Vue 2.6.14 to Vue 3.

Analysis of Your Codebase:

1. Deprecated APIs:

   • After scanning your project, it appears that you're not using any deprecated Vue 2 lifecycle hooks like beforeDestroy or destroyed.
   • There's no usage of event methods such as this.$on, this.$off, or this.$once, which have changes in Vue 3.
   • You also don't seem to be using global filters, scoped slots, or other features that have changed in Vue 3.

2. Template Filters:

   • Some matches were found for the use of the pipe symbol |, but these are part of TypeScript union types (e.g., number | null) rather than Vue template filters.
   • Since Vue 3 has removed the filter functionality in templates, ensure you aren't using filters in your templates. If you are, you'll need to refactor them using computed properties or methods.

3. Third-Party Libraries:

   • Check any third-party dependencies or plugins to ensure they are compatible with Vue 3 or have Vue 3 versions available.
   • Libraries like Vuex and Vue Router have their own Vue 3 compatible versions that you might need to upgrade.

Steps to Upgrade to Vue 3:

1. Update Dependencies:

   • Update your package.json to use Vue 3:

     "dependencies": {
       "vue": "^3.0.0"
     }

   • Run npm install or yarn install to update the packages.

2. Update Project Configuration:

   • If you're using Vue CLI, update it to the latest version that supports Vue 3.
   • For projects using webpack, ensure webpack is updated to a version that supports Vue 3.

3. Adjust Code for Vue 3:

   • Global API Changes: Adjust any usage of the Vue global API. For example, Vue.component is now accessed via app.component after creating an app instance.

     // Vue 2
     Vue.component('MyComponent', { /* ... */ });
     
     // Vue 3
     const app = createApp(App);
     app.component('MyComponent', { /* ... */ });

   • Creating the App Instance:

     import { createApp } from 'vue';
     import App from './App.vue';
     
     createApp(App).mount('#app');

   • Mixin and Plugin Registration: Update how mixins and plugins are registered with the app instance.

4. Review Components:

   • Refactoring Filters: If you have any filters, convert them to computed properties or methods.
   • Slots: Replace any deprecated slot syntax with the new <template v-slot:name> syntax.
   • Props and Emits: Review components for changes in prop and event emission handling.
   • Directives: Update any custom directives to the new directive API in Vue 3.

5. Testing:

   • After making the necessary code changes, thoroughly test your application to ensure everything is functioning as expected.

Additional Resources:

• Vue 3 Migration Guide: Follow the official Vue 3 Migration Guide for detailed explanations of breaking changes and how to handle them.
• Composition API: Consider adopting the Composition API for enhanced code organization and reusability, although it's optional.

Next Steps:

• Identify Incompatibilities: Since your project seems to have minimal use of deprecated features, the upgrade should be straightforward. However, pay special attention to any custom code that might rely on Vue internals.
• Update Third-Party Plugins: Check for any plugins or libraries that need to be updated or replaced.
• Seek Assistance: If you encounter specific issues or have questions during the upgrade process, feel free to ask for further help.

Let me know if you need assistance with any part of the upgrade, and I'll be glad to help!

🔗 Analysis chain

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# List all .vue and .js files in the project
fd -e vue -e js

# Search for deprecated Vue 2 APIs and patterns that need to be updated for Vue 3

# Find usage of the deprecated lifecycle hook 'beforeDestroy' (renamed to 'beforeUnmount' in Vue 3)
rg "beforeDestroy\s*:" -A 2

# Find usage of the deprecated lifecycle hook 'destroyed' (renamed to 'unmounted' in Vue 3)
rg "destroyed\s*:" -A 2

# Find usage of 'this.$on', 'this.$off', 'this.$once' event methods (event bus pattern needs to be updated)
rg "this\.\$(on|off|once)\(" -A 2

# Find usage of the 'filters' option in component definitions (removed in Vue 3)
rg "filters\s*:" -A 2

# Find global filters registration (not supported in Vue 3)
rg "Vue\.filter\(" -A 2

# Find usage of 'scopedSlots' (changed to 'slots' in Vue 3)
rg "\.scopedSlots" -A 2

# Find templates using 'slot-scope' attribute (replaced by 'v-slot' in Vue 3)
rg "slot-scope=" -A 2

# Find components using 'inheritAttrs' (behavior changed in Vue 3)
rg "inheritAttrs\s*:" -A 2

# Find usage of 'this.$set' and 'this.$delete' (replaced with built-in reactivity in Vue 3)
rg "this\.\$(set|delete)\(" -A 2

# Find usage of the event bus pattern (using 'new Vue()' as an event bus)
rg "new Vue\(\)" -A 2

# Find usage of 'Vue.extend' (component creation updated in Vue 3)
rg "Vue\.extend\(" -A 2

# Find usage of custom directives (syntax for directives has changed)
rg "directives\s*:" -A 5

# Find any use of the '$children' property (access to $children is limited in Vue 3)
rg "this\.\$children" -A 2

# Find usage of async components defined with functions (syntax changed)
rg "Vue\.component\(\s*['\"][^'\"]+['\"],\s*function\(" -A 2

# Find usage of 'vue-class-component' and 'vue-property-decorator' (need updates for Vue 3)
rg "from\s+['\"]vue-class-component['\"]" -A 2
rg "from\s+['\"]vue-property-decorator['\"]" -A 2

# Find usage of 'v-on.native' modifier (removed in Vue 3)
rg "v-on:.*\.native" -A 2

# Find usage of filters in templates (filters are removed in Vue 3)
rg "\|\s*\w+" -A 2

# Find usage of '$listeners' and '$attrs' (behavior changed)
rg "this\.\$(listeners|attrs)" -A 2

Length of output: 5501

[rajadilipkolli]

@coderabbitai, can you please help me to upgrade dependency vue to v3 from 2.6.14 and nuxt to 3 in this repo at same time

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@rajadilipkolli, I've analyzed your codebase to assist you with upgrading both Vue to v3 and Nuxt to v3. Here are the findings and recommended steps to help you with the upgrade:

---

🕵️‍♂️ Analysis of Your Codebase:

1. Tailwind CSS Configuration:

   • Issue: Found mode: "jit", in ui/tailwind.config.js.
   • Solution: The mode option has been removed in Tailwind CSS v3. JIT mode is now the default. You can safely remove the mode property from your tailwind.config.js.

2. Middleware Usage:

   • Issue: Found middleware: ["auth"], in ui/nuxt.config.ts.
   • Solution: In Nuxt 3, middleware is now placed in the middleware/ directory and automatically registered. Remove the middleware property from nuxt.config.ts and ensure your middleware files are in the correct directory.

3. Vue Plugins:

   • Issue: Found Vue.use(VueSidebarMenu); in ui/plugins/sidebar-menu.ts.

   • Solution: In Vue 3, the plugin system has changed. Replace Vue.use() with the new plugin registration method using defineNuxtPlugin:

     // ui/plugins/sidebar-menu.ts
     import { defineNuxtPlugin } from '#app';
     import VueSidebarMenu from 'vue-sidebar-menu';
     
     export default defineNuxtPlugin((nuxtApp) => {
       nuxtApp.vueApp.use(VueSidebarMenu);
     });

4. Accessing Nuxt Configurations:

   • Note: The script tried to access nuxt.config.js but found nuxt.config.ts instead, which is correct since you're using TypeScript.
   • Action: Ensure all configurations in nuxt.config.ts are updated according to Nuxt 3's new configuration options.

5. Filters in Templates:

   • Observation: Detected uses of the pipe |, but these appear to be TypeScript union types (e.g., number | null), not Vue filters.
   • Action: If you're not using template filters, you can ignore this. If you are, refactor filters into computed properties or methods, as Vue 3 has removed the filter feature.

6. Middleware in Components:

   • Finding: Detected potential middleware usage in components or pages.
   • Solution: Update middleware to use the new syntax in Nuxt 3. Middleware functions are now defined differently.

---

🚀 Steps to Upgrade Vue to v3 and Nuxt to v3:

1. Update Dependencies:

   • In your package.json, update the dependencies:

     "dependencies": {
       "vue": "^3.0.0",
       "nuxt": "npm:@nuxt/vue-app-edge"
     }

   • Note: Nuxt 3 is still in development (as of the time of writing), and you may need to adjust the version or use the appropriate package name once it's officially released.

   • Run:

     npm install

2. Update Nuxt Configuration:

   • Refactor nuxt.config.ts:

     • Nuxt 3 uses a different configuration structure.
     • Remove deprecated properties like mode, buildModules, and modules, and update them according to the Nuxt 3 documentation.

   • Example:

     // nuxt.config.ts
     import { defineNuxtConfig } from 'nuxt3';
     
     export default defineNuxtConfig({
       // Your updated configuration here
     });

3. Refactor Middleware:

   • Move middleware files to the middleware/ directory if not already there.

   • Update middleware functions using the new format:

     // middleware/auth.ts
     export default defineNuxtRouteMiddleware((to, from) => {
       // Your middleware logic here
     });

4. Update Plugins:

   • Update your plugins to use defineNuxtPlugin:

     // plugins/your-plugin.ts
     import { defineNuxtPlugin } from '#app';
     
     export default defineNuxtPlugin((nuxtApp) => {
       // Plugin code here
     });

5. Update Components and Pages:

   • Lifecycle Hooks: Rename deprecated lifecycle hooks (beforeDestroy to beforeUnmount, destroyed to unmounted).
   • Composition API: Consider using the Composition API for new components. For existing components, ensure they are compatible with Vue 3's Options API.
   • Head Management: Replace head() methods with the new useHead function from the @vueuse/head package or update to the new Nuxt 3 syntax.

6. Update Tailwind CSS:

   • Upgrade Tailwind CSS to v3.
   • Remove the mode property from tailwind.config.js.
   • Update your Tailwind configuration according to the Tailwind CSS v3 Upgrade Guide.

7. Check for Deprecated APIs:

   • Ensure you're not using deprecated Nuxt 2 APIs like context in asyncData, fetch, or nuxtServerInit.
   • Update any usage of $router and $route to the new API if necessary.

8. Test Your Application:

   • Start your development server:

     nuxi dev

   • Look out for any errors or warnings and fix them accordingly.

   • Thoroughly test all parts of your application to ensure everything works as expected.

---

📚 Additional Resources:

• Nuxt 3 Documentation: https://v3.nuxtjs.org/docs
• Nuxt 3 Migration Guide: https://v3.nuxtjs.org/docs/getting-started/upgrade
• Vue 3 Migration Guide: https://v3-migration.vuejs.org/
• Tailwind CSS v3 Upgrade Guide: https://tailwindcss.com/docs/upgrade-guide

---

💡 Tips:

• Version Compatibility: Be aware that Nuxt 3 may still be in beta or release candidate stages. Check the Nuxt 3 documentation for the latest installation instructions.
• Third-Party Libraries: Ensure all third-party libraries and Nuxt modules you use are compatible with Vue 3 and Nuxt 3. You may need to update or replace some packages.
• Backup: Before making major changes, consider creating a new branch or backing up your current codebase.

---

Let me know if you have any questions or need further assistance with any step of the upgrade process. I'm here to help!

🔗 Analysis chain

@rajadilipkolli, I'd be happy to assist you with upgrading both Vue to v3 and Nuxt to v3 in your repository. To ensure a smooth upgrade, I'll analyze your codebase for any deprecated or changed APIs that need to be addressed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# List all .vue, .js, and .ts files in the project
fd -e vue -e js -e ts

# Find usage of deprecated Nuxt 2 APIs and patterns that need to be updated for Nuxt 3

# Find usage of the deprecated 'context' argument in asyncData, fetch, and nuxtServerInit
rg "asyncData\s*\((context|[^)]*?)\)" -A 5
rg "fetch\s*\((context|[^)]*?)\)" -A 5
rg "nuxtServerInit\s*\((context|[^)]*?)\)" -A 5

# Find usage of the 'mode' property in pages (deprecated in Nuxt 3)
rg "mode\s*:" -A 2

# Find usage of the 'middleware' property in components (changed in Nuxt 3)
rg "middleware\s*:" -A 2

# Find usage of 'this.$router' and 'this.$route' in components (changed in Nuxt 3)
rg "this\.\$(router|route)" -A 2

# Find usage of the 'head()' method in components (changed in Nuxt 3)
rg "head\s*\(" -A 5

# Find usage of 'Vue.use()' for plugins (changed in Nuxt 3)
rg "Vue\.use\(" -A 2

# Find usage of Nuxt-specific plugins (need to be updated for Nuxt 3)
fd -e js -e ts -e vue | xargs rg "export default.*?function.*?\(.*?\)"

# Find usage of deprecated syntax for dynamic components (<component :is="...">)
rg "<component\s+.*?:is=" -A 2

# Find usage of filters in templates (filters are removed in Vue 3)
rg "\|\s*\w+" -A 2

# Analyze nuxt.config.js for deprecated properties and configurations
rg "buildModules\s*:" nuxt.config.js -A 5
rg "modules\s*:" nuxt.config.js -A 5
rg "build\s*:" nuxt.config.js -A 5
rg "plugins\s*:" nuxt.config.js -A 5

# Find any usage of the deprecated 'nuxtServerInit' action in Vuex store
rg "nuxtServerInit\s*\(" -A 5

# Find usage of custom directives (syntax has changed in Vue 3)
rg "directives\s*:" -A 5

Length of output: 6682