[Snyk] Fix for 2 vulnerabilities

[yoon-chi]

Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-VITE-15922213	62
	Server-side Request Forgery (SSRF) SNYK-JS-NUXTOGIMAGE-15912491	60

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)
🦉 Directory Traversal

[yoon-chi]

This upgrade has a high risk of breaking changes, primarily due to the major version jump in nuxt-og-image which introduces significant API changes and an incompatibility with the target Nuxt version.

nuxt-og-image@3.0.6 → nuxt-og-image@6.2.5 (High Risk)

This is a major upgrade across multiple versions (v3 → v6) with several breaking changes. Most importantly, nuxt-og-image v5.0.0 and higher require Nuxt v3.16+, but the target Nuxt version in this upgrade is v3.15.3. This dependency conflict will block the upgrade.

Key breaking changes include:

• Component Removal: The <OgImage> and <OgImageScreenshot> components are removed in v6. You must migrate to the defineOgImage() and defineOgImageScreenshot() composables. [15]
• Mandatory File Naming: In v6, component templates must include a renderer suffix, such as MyComponent.satori.vue or MyComponent.takumi.vue. [9]
• Configuration Changes: Several configuration options from v2/v3 like host and siteUrl were removed and replaced by nuxt-site-config. [19]

Recommendation: Do not proceed with this upgrade as specified. The nuxt package must be upgraded to at least v3.16.0 to be compatible with nuxt-og-image v5+. A dedicated migration effort is required to address the breaking API changes in nuxt-og-image v6.

nuxt@3.13.2 → nuxt@3.15.3 (Medium Risk)

This minor version upgrade introduces two notable changes that require verification:

• Vite 6 Integration: Nuxt v3.15 includes Vite 6. While the Nuxt team expects this to be non-breaking for most users, it could affect projects with dependencies tied to a specific Vite version. [2, 5]
• Dev Server CORS Policy: Version 3.15.3 includes a security fix that enforces CORS restrictions on the development server. [14] This is a breaking change for development environments using custom hostnames, which will now require explicit configuration via devServer.cors in nuxt.config. [14]

Recommendation: Verify your development server setup and any dependencies that rely on a specific version of Vite before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.