fix(deps): update dependency vue-router to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vue-router (source)	^4.6.4 → ^5.0.0

---

Release Notes

vuejs/router (vue-router)

v5.0.6

Compare Source

   🐞 Bug Fixes

• Missing closing quote in generated import  -  by @​zjy040525 and @​posva in #​2688 (32f78)

    View changes on GitHub

v5.0.5

Compare Source

   🚀 Features

• Enable standard schema param parsers  -  by @​posva (ea8e3)
• Normalize param parsers once  -  by @​posva (48087)

   🐞 Bug Fixes

• Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
• Avoid double decoding hash on string location  -  by @​posva (1578c)

    View changes on GitHub

v5.0.4

Compare Source

   🐞 Bug Fixes

• Avoid iterator helpers for Node 20 compat  -  by @​cwandev in #​2635 (47130)
• Escape backslahes in string literals  -  by @​posva (71fdb)
• Avoid false duplicate route warning for named views  -  by @​posva (72012)
• Allow pushing to auto routes  -  by @​posva (47f03)
• loaders: Restore context in sequential awaits  -  by @​posva (fce5d)

    View changes on GitHub

v5.0.3

Compare Source

   🚨 Breaking Changes

• experimental:
  • Make miss() throw internally and return never  -  by @​posva (077e1)
  • Add reroute() and deprecate NavigationResult  -  by @​posva (308db)
  • Remove selectNavigationResult  -  by @​posva (9e88a)

   🚀 Features

• Support _parent in nested folders  -  by @​posva (0a37f)
• Warn on _parent conflict  -  by @​posva (182fe)
• Set _parent as non matchable by default  -  by @​posva (8f91c)
• Warn on conflicting components for routes  -  by @​posva (34ace)
• Use type module  -  by @​posva (dc9ff)
• Add deprecation warning for next() callback in navigation guards  -  by @​posva (797f5)
• Extract alias from definePage  -  by @​posva (835df)
• Display aliases in logs  -  by @​posva (7aa60)
• Deprecate new NavigationResult(to) in favor of reroute(to)  -  by @​posva (382e3)
• experimental:
  • Handle aliasOf in resolvers  -  by @​posva (8fe45)
  • Generate aliases from override in resolver  -  by @​posva (a00ac)
  • Warn against non absolute aliases  -  by @​posva (476c6)

   🐞 Bug Fixes

• Avoid non matchable routes in auto-routes  -  by @​posva (48649)
• Handle quotes in d.ts  -  by @​posva (d7764)
• Avoid route entry in map for _parent  -  by @​posva (1dfcc)
• Handle nested groups  -  by @​posva (4a4be)
• Stable route ordering for group folders with same path  -  by @​posva (1db94)
• Correct route ordering for group nodes with inflated scores  -  by @​posva (515f4)
• Cleanup old route overrides  -  by @​posva (b28a7)
• Remove name from _parent.vue files  -  by @​posva (6e8f1)
• ci:
  • Format sponsor files before change detection  -  by @​posva (f68d6)
  • Use manual git commit in update-sponsors  -  by @​posva (8ee99)
• experimental:
  • Resolve TS errors in resolver/router type hierarchy  -  by @​posva (a86f1)
• types:
  • Relax RouteMapGeneric constraint for interface-based RouteNamedMap  -  by @​YevheniiKotyrlo in #​2624 (cdf7b)
• volar:
  • Use ts.getTokenPosOfNode instead of node.getStart  -  by @​KazariEX in #​2630 (0b050)

   🏎 Performance

• Avoid merging empty object in record  -  by @​posva (4213e)

    View changes on GitHub

v5.0.2

Compare Source

   🐞 Bug Fixes

• Remove devtools from iife build  -  by @​posva (58c03)
• Loose version check vue-router  -  by @​posva (90e4b)
• volar: Empty options  -  by @​posva (02275)

    View changes on GitHub

v5.0.1

Compare Source

   🐞 Bug Fixes

• volar: Make typed plugin work with vue-tsc  -  by @​peter50216 in #​2607 (7845e)

    View changes on GitHub

v5.0.0

Compare Source

Vue Router 5 is a boring release, it merges unplugin-vue-router into the core package with no breaking changes. The only exception is that the iife build no longer includes @vue/devtools-api because it has been upgraded to v8 and does not expose an IIFE build itself. You can track that change in this issue. See the migration guide for instructions on how to upgrade from unplugin-vue-router to Vue Router 5.

   🚀 Features

• experimental: Query params are optional by default  -  by @​posva (78913)
• Add volar plugins  -  by @​posva (530ac)
• Add data loaders as experimental  -  by @​posva (ab895)
• Add route json schema  -  by @​posva (20675)
• Upgrade devtools-api to v7  -  by @​posva (17b84)
• Upgrade devtools to v8  -  by @​posva (b8aa2)
• Runtime error on missing param parsers  -  by @​posva (3444b)
• volar: Allow rootDir option  -  by @​posva (df65a)

   🐞 Bug Fixes

• Avoid breaking older browsers support  -  by @​posva (c7ba4)
• Trigger navigation guards when keep-alive component is reactivated for different route  -  by @​babu-ch and @​posva in #​2604 (c7735)
• Add automatic types for param parsers  -  by @​posva (0fb5d)
• Param parsers when dts is not at root  -  by @​posva (16b39)
• Expose resolveOptions for unplugin  -  by @​posva (35543)
• Escape tildes in paths  -  by @​posva (aac2e)
• volar: Upgrade config read  -  by @​posva (e3024)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nuxt-evals	Ready	Preview, Comment	May 1, 2026 11:14am

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	happy-dom@​20.9.0
	@​nuxt/​eslint@​1.15.2
	@​nuxt/​test-utils@​4.0.3
	vitest@​4.1.5
	eslint@​10.2.1
	vue-router@​5.0.6
	vue@​3.5.33
	@​vue/​test-utils@​2.4.10
	nuxt@​4.4.4
	playwright@​1.59.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm ioredis is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/nuxt@4.4.4 → npm/ioredis@5.10.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-beautify is 100.0% likely obfuscated Confidence: 1.00 Location: Package overview From: ? → npm/@vue/test-utils@2.4.10 → npm/js-beautify@1.15.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-beautify@1.15.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report