v2.0.2

@cpreston321 released this 18 May 13:32

Warning

Security: recommended update. This release bumps the bundled Swiper dependency to a version that patches a critical prototype pollution vulnerability —
GHSA-hmx5-qpq5-p643 / CVE-2026-27212 (CVSS 9.4 / Critical). All nuxt-swiper versions prior to v2.0.2 depend on
swiper@^11.2.6, which falls in the vulnerable range (>= 6.5.1, < 12.1.2). Upgrading to this release pulls in swiper@^12.1.4, which is patched.

🔒 Security

  • swiper: upgrade to ^12.1.4 to patch prototype pollution via swiper.extendDefaults() (GHSA-hmx5-qpq5-p643 /
    CVE-2026-27212, CVSS 9.4). The upstream fix landed in swiper@12.1.2. The vulnerability allowed bypassing the forbidden-key check in shared/utils.mjs by overriding
    Array.prototype.indexOf, enabling Object.prototype pollution and — depending on consumer code — auth bypass, DoS, or RCE.

✨ Features

  • module: pre-bundle swiper/element (or swiper/element/bundle when bundled: true) via Vite optimizeDeps.include. Eliminates Vite's runtime "new dependencies discovered" warning and the dev-server page reload
    it triggers.

🔄 Compatibility

This is a major upstream Swiper bump (v11 → v12), but the surface nuxt-swiper exposes is unchanged:

  • <swiper-container> / <swiper-slide> custom elements work as before.
  • The bundled module option and the useSwiper() composable are unchanged.
  • Upstream changes in v12 are scoped to internals + CSS (LESS/SCSS dropped in favor of CSS; SVG icons for navigation). If you were importing swiper/less or swiper/scss paths directly in your app, switch to the CSS
    equivalents. See the Swiper v12 release notes.

✅ Action required

Run your package manager's install command after upgrading to make sure no other dependency is pinning a vulnerable Swiper version:

pnpm up nuxt-swiper
pnpm why swiper   # confirm only swiper@>=12.1.2 is resolved
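
For projects locked with npm rather than pnpm, the same confirmation can be scripted. The following is an added example, not code from nuxt-swiper or Swiper: it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, flags every resolved copy of swiper (including nested ones) that falls in the vulnerable range stated above, and uses a constructed sample lockfile with a hypothetical `legacy-carousel` package.

```javascript
// Added example: not nuxt-swiper or Swiper code.
// Vulnerable range as stated in this release note: >= 6.5.1, < 12.1.2.
const VULN_MIN = [6, 5, 1];
const FIXED = [12, 1, 2];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), prerelease: Boolean(m[4]) };
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  const { nums, prerelease } = parseVersion(version);
  const vsFixed = cmp(nums, FIXED);
  // A pre-release of the fixed version (e.g. 12.1.2-beta.1) sorts below it,
  // so it is conservatively treated as still in range.
  return cmp(nums, VULN_MIN) >= 0 && (vsFixed < 0 || (vsFixed === 0 && prerelease));
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every resolved copy of swiper, including nested ones.
function findSwiperCopies(lockText) {
  const lock = JSON.parse(lockText);
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) =>
      /(^|\/)node_modules\/swiper$/.test(path) && typeof meta.version === "string")
    .map(([path, meta]) => ({ path, version: meta.version, vulnerable: isVulnerable(meta.version) }));
}

// Constructed sample lockfile; "legacy-carousel" is a hypothetical package.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/nuxt-swiper": { version: "2.0.2" },
    "node_modules/swiper": { version: "12.1.4" },
    "node_modules/legacy-carousel/node_modules/swiper": { version: "11.2.6" },
  },
});

for (const c of findSwiperCopies(SAMPLE_LOCK)) {
  console.log(`${c.vulnerable ? "VULNERABLE" : "ok"}  swiper@${c.version}  ${c.path}`);
}
```

To use it on a real project, pass the contents of `package-lock.json` to `findSwiperCopies` and fail the build if any entry has `vulnerable: true`.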

Full Changelog: v2.0.1...v2.0.2