
SUPPLY CHAIN DEFENSE HARDENS ACROSS VUEJS CORE AND TEST-UTILS

By RepoJournal · Filed · About Vue.js

Vue's core team is locking down dependency updates with new release-age gates while hardening CI permissions to block token creep.

Two security-minded infrastructure moves landed overnight that raise the bar for supply chain safety. Vue core merged explicit least-privilege permissions [1] on its CI workflows, capping the GitHub token to read-only `contents` scope to prevent accidental over-scoping as the pipeline evolves. In parallel, the same team added `minimumReleaseAge: 1440` settings [2], which delay npm dependency updates by 24 hours, long enough to catch compromised packages before they're installed; the pattern aligns Vue with pnpm 11's security defaults. Over in test-utils, the dependency refresh train rolled through with vue-router 5.0.7 [3], @types/node bumps [4], and tooling updates [5] [6], all low-risk patches that merit merging at standard velocity. The guardrails matter more than the patches here: you're looking at a core team that's closing gaps before they become incidents.
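To make the release-age gate concrete, here is an added example (not code from vuejs/core or pnpm) that applies the 1440-minute threshold to a constructed registry `time` map and reports which versions are installable and which are held back. The package name, timestamps, the inclusive boundary and the fail-closed handling of unparseable dates are assumptions.

```javascript
// Release-age gate over a constructed npm-style `time` map (illustrative, not pnpm's code).
const MINIMUM_RELEASE_AGE_MINUTES = 1440; // value from the article: 24 hours

// Constructed sample data, shaped like the `time` field of npm registry metadata.
const samplePackument = {
  name: "example-lib", // hypothetical package
  time: {
    created: "2026-01-01T00:00:00.000Z",
    modified: "2026-05-14T09:00:00.000Z",
    "1.4.0": "2026-05-01T12:00:00.000Z",
    "1.4.1": "2026-05-12T08:00:00.000Z",
    "1.4.2": "2026-05-14T09:00:00.000Z", // published 3 hours before `now`
  },
};

// Compare dotted numeric versions (assumption: no prerelease tags, for brevity).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Split versions into those old enough to install and those still held back.
function applyReleaseAgeGate(packument, nowMs, minAgeMinutes) {
  const allowed = [];
  const held = [];
  for (const [version, published] of Object.entries(packument.time)) {
    if (version === "created" || version === "modified") continue;
    const publishedMs = Date.parse(published);
    // Unparseable timestamps are treated as too new: fail closed.
    const ageMinutes = Number.isNaN(publishedMs) ? -1 : (nowMs - publishedMs) / 60000;
    (ageMinutes >= minAgeMinutes ? allowed : held).push(version);
  }
  allowed.sort(compareVersions);
  held.sort(compareVersions);
  return { allowed, held, pick: allowed.length ? allowed[allowed.length - 1] : null };
}

const now = Date.parse("2026-05-14T12:00:00.000Z"); // fixed clock for a reproducible run
const result = applyReleaseAgeGate(samplePackument, now, MINIMUM_RELEASE_AGE_MINUTES);
console.log(result);
```

With the gate in place the resolver settles on the newest version that has aged past the threshold, so a release published hours ago is skipped until it has been public for a full day.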

References

  [1] chore(ci): set explicit least-privilege workflow permissions (vuejs/core)
  [2] chore: add `minimumReleaseAge` settings (vuejs/core)
  [3] chore(deps): update dependency vue-router to v5.0.7 (vuejs/test-utils)
  [4] chore(deps): update all non-major dependencies (vuejs/test-utils)
  [5] chore(deps): update dependency vue-tsc to v3.2.9 (vuejs/test-utils)
  [6] chore(deps): update dependency pkg-pr-new to v0.0.72 (vuejs/test-utils)

FAQ

What changed in Vue.js on May 14, 2026?
Vue's core team is locking down dependency updates with new release-age gates while hardening CI permissions to block token creep.

What should Vue.js teams do about it?
  • Merge core's CI permissions hardening and minimumReleaseAge settings into your fork or mirror
  • Pull test-utils dependency updates at next maintenance window; no blockers

Which Vue.js repositories shipped on May 14, 2026?
vuejs/core, vuejs/test-utils
