RepoJournal
Vue.js

@vuejs

Vue + the surrounding frontend ecosystem

Pick a date

  1. Sun 3 may
  2. Mon 4 may
  3. Thu 7 may
  4. Fri 8 may
  5. Sat 9 may
  6. Sun 10 may
  7. Mon 11 may
  8. Tue 12 may
  9. Wed 13 may
  10. Thu 14 may
  11. Fri 15 may
  12. Sat 16 may
  13. Sun 17 may
  14. Mon 18 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

VUE HARDENS CI PIPELINE, ROUTER TIGHTENS TYPE SAFETY

By RepoJournal · Filed · About Vue.js

Vue's core team is locking down GitHub Actions with commit hash pinning while Router graduates stricter type definitions for route parameters.

The Vue core team merged critical CI hardening work overnight, pinning GitHub Actions to full commit SHAs instead of mutable tags [1]. This closes a real security vector: tag-based actions can be silently rewritten by third parties, potentially injecting malicious code into your build pipeline. The team also unlocked ecosystem-ci permissions to write pull requests [2], enabling automated compatibility testing across the entire Vue ecosystem. Over in Router, the team is tightening the type system: strict typing for definePage param defaults [5] now prevents silent type mismatches that would have leaked into production. Three additional fixes landed targeting param parsing reliability: filtering invalid query params without breaking route matching [6], avoiding unused param parser imports [7], and ordering param parser types deterministically [8]. Create-vue picked up a minor Vite plugin bump [3], and docs reverted a VueConf 2026 banner that shipped premature [4].

Action items

References

  1. [1] ci: pin action versions ↗ vuejs/core
  2. [2] ci: allow ecosystem-ci trigger to write pull requests ↗ vuejs/core
  3. [3] chore(deps): update dependency @vitejs/plugin-vue to ^6.0.7 ↗ vuejs/create-vue
  4. [4] Revert "added vueconf 2026 banner (#3372)" vuejs/docs
  5. [5] feat: strict type for definePage param default vuejs/router
  6. [6] fix: filter invalid query params without failing to match vuejs/router
  7. [7] fix: avoid importing unused param parsers vuejs/router
  8. [8] fix: deterministic param parser types order vuejs/router

FAQ

What changed in Vue.js on May 21, 2026?
Vue's core team is locking down GitHub Actions with commit hash pinning while Router graduates stricter type definitions for route parameters.
What should Vue.js teams do about it?
Review your GitHub Actions workflows and pin all third-party actions to commit SHAs • Test Router route parameter handling with the new strict types if you use definePageRoute
Which Vue.js repositories shipped on May 21, 2026?
vuejs/core, vuejs/create-vue, vuejs/docs, vuejs/router

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.