chore(vue,nuxt): Make initialState prop public and bump dependencies

[wobsoriano]

Description

• Make initialState prop public
• Bump nuxt module dependencies to 3.17.5
• Closes and fixes build error in chore(vue): Update [DEV] minor & patch dependencies #6087

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Added support for an optional webhookSigningSecret property in runtime configuration for enhanced webhook security.

• Improvements

  • Updated dependency versions for improved stability and compatibility in both Nuxt and Vue packages.
  • Unified and simplified authentication object typing for better type safety and developer experience.
  • Enhanced type safety for shared SSR state in Nuxt and Vue plugins.
  • Extended plugin options to support an optional initialState property.
  • Made the initialState property publicly accessible for broader usage.

[changeset-bot]

🦋 Changeset detected

Latest commit: a0fd8fc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@clerk/nuxt	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 17, 2025 5:34am

[wobsoriano]

SessionAuthObject is a new type introduced in machine auth

see token types

[coderabbitai]

📝 Walkthrough

Walkthrough

This set of changes updates dependency versions in both the Nuxt and Vue package manifests, including Nuxt-related packages and several Vue development dependencies. TypeScript type definitions are refined across Nuxt and Vue source files: in Nuxt, a new optional property webhookSigningSecret is added to the runtime config, the ModuleOptions type is further restricted by excluding initialState, and authentication types are unified to use a single session type. In the Vue plugin, the PluginOptions type is extended to support an optional initialState property, and related type imports are adjusted. Type annotations are clarified for SSR state handling in the Nuxt runtime plugin. Additionally, test mocks for webhook verification are improved to handle different request types. No functional or logic changes are introduced.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

packages/nuxt/src/global.d.ts (1)

11-15: Add brief JSDoc for the new runtime-config key

webhookSigningSecret looks perfectly fine here, but since this file already serves as the single source of truth for downstream consumers, consider adding a one-liner JSDoc comment so IDEs show a short description / guidance on expected value (e.g. “HMAC secret for verifying Clerk webhook payloads”).

packages/nuxt/package.json (1)

74-80: Validate patch bumps & semver ranges

All bumps stay within the same major versions – good.
Nit: we usually lock Nuxt ecosystem deps with ~ (patch-only) to avoid accidental minor jumps that may introduce new hooks / breaking changes. Switching ^3.17.5 → ~3.17.5 keeps reproducibility tighter:

-"@nuxt/kit": "^3.17.5",
-"@nuxt/schema": "^3.17.5",
-"nuxt": "^3.17.5",
+"@nuxt/kit": "~3.17.5",
+"@nuxt/schema": "~3.17.5",
+"nuxt": "~3.17.5",

packages/nuxt/src/module.ts (1)

15-18: initialState exclusion is 👍, but a defensive strip at runtime would be safer

initialState can potentially be a large, SSR-only payload. Even though the type system now prevents the option from being set, a consumer can still sneak it in with an explicit cast, and the unconditional spread at line 58 would push that data into public.runtimeConfig, bloating the client bundle.

A tiny guard avoids the risk altogether:

-    void updateRuntimeConfig({
+    const { initialState: _ignored, ...safeOptions } = options;
+    void updateRuntimeConfig({
 ...
-          ...options,
+          ...safeOptions,

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6e9bde8 and c540338.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• packages/nuxt/package.json (1 hunks)
• packages/nuxt/src/global.d.ts (1 hunks)
• packages/nuxt/src/module.ts (2 hunks)
• packages/nuxt/src/runtime/plugin.ts (2 hunks)
• packages/vue/package.json (1 hunks)
• packages/vue/src/plugin.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (3)

packages/vue/src/plugin.ts (3)

packages/types/src/utils.ts (1)

• Without (105-107)

packages/types/src/multiDomain.ts (1)

• MultiDomainAndOrProxy (11-35)

packages/types/src/ssr.ts (1)

• InitialState (11-25)

packages/nuxt/src/runtime/plugin.ts (1)

packages/types/src/ssr.ts (1)

• InitialState (11-25)

packages/nuxt/src/module.ts (3)

packages/types/src/utils.ts (1)

• Without (105-107)

packages/vue/src/plugin.ts (1)

• PluginOptions (10-13)

packages/vue/src/index.ts (1)

• PluginOptions (8-8)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (3)

packages/vue/package.json (1)

64-69: Major jump for unplugin-vue – double-check build pipeline

unplugin-vue moved from 5.x → 6.x which contains a few breaking changes around transform hooks. Although it sits in devDependencies, it will affect TS/rollup/vite builds. Please make sure tsup + vue-tsc still succeed and treeshaking results are identical.

packages/nuxt/src/runtime/plugin.ts (1)

10-13: Great: explicit typing for shared SSR state

Explicitly annotating useState with InitialState | undefined removes a whole class of “any” escapes in user land. Nice touch.

packages/nuxt/src/module.ts (1)

112-116: Migration to SessionAuthObject looks correct

The H3 context now exposes a single, unified SessionAuthObject—this simplifies downstream type juggling and matches the current @clerk/backend surface. No issues spotted.

[coderabbitai]

🛠️ Refactor suggestion

initialState leaks into loadClerkJsScript options

pluginOptions now carries initialState, but a few lines below we cast the full object to LoadClerkJsScriptOptions and forward it to loadClerkJsScript:

const options = {
  ...pluginOptions,
  sdkMetadata: pluginOptions.sdkMetadata || SDK_METADATA,
} as LoadClerkJsScriptOptions;

loadClerkJsScript has no concept of initialState; the extra key is silently ignored today but future strict‐mode checks (or external libs doing Object.keys) might fail.

A minimal, type-safe guard:

-const options = {
-  ...pluginOptions,
-  sdkMetadata: pluginOptions.sdkMetadata || SDK_METADATA,
-} as LoadClerkJsScriptOptions;
+const { initialState, ...loadOptions } = pluginOptions;
+const options: LoadClerkJsScriptOptions = {
+  ...loadOptions,
+  sdkMetadata: loadOptions.sdkMetadata || SDK_METADATA,
+};

Keeps runtime payload clean and removes the need for the as cast.

🤖 Prompt for AI Agents

In packages/vue/src/plugin.ts around lines 10 to 13, the PluginOptions type
includes an initialState property that is not part of LoadClerkJsScriptOptions
but is being cast and passed to loadClerkJsScript, causing a type leak. To fix
this, explicitly separate initialState from pluginOptions before passing options
to loadClerkJsScript, ensuring only valid LoadClerkJsScriptOptions keys are
forwarded. Remove the type assertion cast and construct the options object
without initialState to keep the runtime payload clean and maintain type safety.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6132

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6132

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6132

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6132

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6132

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6132

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6132

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6132

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6132

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6132

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6132

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6132

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6132

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6132

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6132

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6132

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6132

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6132

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6132

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6132

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6132

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6132

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6132

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6132

commit: a0fd8fc

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

packages/nextjs/src/__tests__/webhooks.test.ts (3)

16-24: Normalize header keys to avoid case-sensitivity pitfalls

IncomingHttpHeaders in Node/Next normalizes all keys to lowercase, while Request.headers.get is case-insensitive.
Your helper currently looks up the exact casing that was passed in; a mismatch (e.g. 'Svix-ID') will silently fail and the test will throw for “missing headers” even though they exist.

-const getHeader = (key: string) => {
-  if (request instanceof Request) {
-    return request.headers.get(key);
-  }
-  return request.headers?.[key];
-};
+const getHeader = (key: string) => {
+  const k = key.toLowerCase();
+  if (request instanceof Request) {
+    return request.headers.get(k);
+  }
+  // handle both exact and already-lower-cased keys
+  return request.headers?.[k] ?? request.headers?.[key];
+};

---

27-29: Prefer a domain-specific error type over Error

Throwing a bare Error with a hard-coded string makes the mock brittle and loses semantic meaning.
Consider re-using the real library’s error class (e.g. WebhookError) or defining a custom one so callers can assert via instanceof instead of string matching.

---

97-99: Relax exact string assertion to reduce brittleness

The test couples tightly to the error message; any punctuation or wording change will break it while the behaviour remains correct. Matching a substring or regex is usually sufficient and future-proof:

-await expect(verifyWebhook(mockNextApiRequest)).rejects.toThrow(
-  'Missing required Svix headers: svix-id, svix-timestamp, svix-signature',
-);
+await expect(verifyWebhook(mockNextApiRequest)).rejects.toThrow(
+  /Missing required Svix headers/,
+);

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4042360 and a0fd8fc.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• packages/nextjs/src/__tests__/webhooks.test.ts (2 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

packages/nextjs/src/__tests__/webhooks.test.ts (1)

packages/nextjs/src/webhooks.ts (1)

• verifyWebhook (50-57)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)