Install: `claude install-skill hlsitechio/claude-skills-security`
# Vue / Nuxt Security Audit
Audit Vue.js (2 and 3) and Nuxt (2 and 3) applications for framework-specific vulnerabilities.
## When this skill applies
- Reviewing Vue components for XSS sinks
- Auditing Nuxt server routes and `useFetch` / `$fetch` patterns
- Reviewing runtime config (public vs private) for env leakage
- Checking SSR state hydration for data exposure
- Auditing Pinia / Vuex store exposure
Use other skills for: Vite build (`vite-security`), backend services (`nodejs-express-security` etc.), auth providers, generic patterns (`saas-security-pack/saas-code-security-review`).
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"(vue|nuxt|@nuxt/.*|pinia|vuex)":' package.json
find . -name 'nuxt.config.*' -not -path '*/node_modules/*'
find . -name '*.vue' -not -path '*/node_modules/*' | head
```
Confirm: Vue 2 vs 3, Nuxt 2 vs 3, Vite vs Webpack (Nuxt 3 = Vite default; Nuxt 2 = Webpack).
### Phase 2: Inventory
```bash
# XSS sinks in templates
grep -rn 'v-html\|innerHTML' src/ pages/ components/ layouts/ 2>/dev/null
# Nuxt 3 server routes
find server/api server/routes -type f 2>/dev/null
# Runtime config
grep -nE 'runtimeConfig|publicRuntimeConfig|privateRuntimeConfig' nuxt.config.* 2>/dev/null
# Fetch patterns
grep -rn 'useFetch\|\$fetch\|useAsyncData' src/ pages/ components/ 2>/dev/null | head -30
# Stores
grep -rn 'defineStore\|createStore' src/ stores/ 2>/dev/null | head
```
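The runtime config grep above only locates the blocks; the check that matters is which keys sit in the client-exposed subtree. The following is an added example, not part of this skill's own code: it takes an already-evaluated config object and reports secret-looking keys under `runtimeConfig.public` (Nuxt 3) or `publicRuntimeConfig` (Nuxt 2). The name pattern, the function names and the sample config are assumptions made for illustration.

```javascript
// Added example: flag secret-looking keys in the part of a Nuxt config that
// ships to the browser. The name pattern is an assumption; tune it per codebase.
const SECRET_NAME = /(secret|token|passw(or)?d|private|credential|api[_-]?key)/i;

// Walk a nested object and yield [dotted.path, value] for every leaf.
function* leaves(obj, prefix = '') {
  for (const [key, value] of Object.entries(obj || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      yield* leaves(value, path);
    } else {
      yield [path, value];
    }
  }
}

// Return review candidates: client-exposed keys whose names look like secrets.
// hasDefault marks keys that also carry a hardcoded value in the config file.
function auditPublicRuntimeConfig(config) {
  const exposed = {
    'runtimeConfig.public': config.runtimeConfig?.public, // Nuxt 3
    publicRuntimeConfig: config.publicRuntimeConfig,      // Nuxt 2
  };
  const findings = [];
  for (const [root, subtree] of Object.entries(exposed)) {
    for (const [path, value] of leaves(subtree)) {
      if (SECRET_NAME.test(path)) {
        findings.push({ key: `${root}.${path}`, hasDefault: value !== '' && value != null });
      }
    }
  }
  return findings;
}

// Constructed sample config (not taken from any real project).
const sampleConfig = {
  runtimeConfig: {
    stripeSecretKey: '', // server-only: not reported
    public: {
      apiBase: '/api',
      auth: { clientSecret: 'PLACEHOLDER' }, // misplaced under public
    },
  },
};

console.log(auditPublicRuntimeConfig(sampleConfig));
```

A hit is a candidate for review, not a confirmed leak: some keys named like secrets are designed to be public, so confirm against the provider's documentation before reporting.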
### Phase 3: Detection — the che