RepoJournal
Vue.js

@vuejs

Vue + the surrounding frontend ecosystem


Language-tools patches shell injection hole in CI workflow

By RepoJournal · Filed · About Vue.js

A supply chain vulnerability in the auto-version GitHub Action could let malicious PR titles execute arbitrary commands during version bumps.

The vulnerability [1] lived in the `auto-version.yml` workflow, which interpolated the PR title directly into a shell variable assignment without sanitization. A PR title like `v3.0.0"; id; "` would execute as shell code despite the existing regex check, because GitHub Actions expands `${{ }}` template expressions into the script text before bash runs it, so the injected quotes and `;` are already part of the script by the time any check could run. The fix [2] reads the PR title from an environment variable instead, which bash treats as data, not commands. This is the kind of supply chain risk that compounds quietly across the thousands of repos that reuse shared Actions. Update your local copy immediately if you fork language-tools.
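As an added illustration, not code from vuejs/language-tools (the real `auto-version.yml` is not reproduced here), the POSIX shell script below shows the two checks a maintainer would want from this story: a small scanner that flags `${{ }}` expressions spliced into a `run:` script, and the hardened step's logic, where the title arrives in an environment variable and the version regex is applied to it as data. The two workflow fragments, the `PR_TITLE` variable name and the version regex are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from vuejs/language-tools. It demonstrates the
# defender's two halves of the fix described above: a static scan that flags
# ${{ }} expressions inside `run:` scripts, and the hardened "read the title
# from an environment variable, then validate" step.

# Constructed workflow fragments that imitate the shape of the bug and of the
# fix. They are NOT the real auto-version.yml from language-tools.
VULNERABLE_STEP='
      - name: Bump version
        run: |
          TITLE="${{ github.event.pull_request.title }}"
          echo "$TITLE" | grep -Eq "^v[0-9]+\.[0-9]+\.[0-9]+$" || exit 1'
HARDENED_STEP='
      - name: Bump version
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf "%s" "$PR_TITLE" | grep -Eq "^v[0-9]+\.[0-9]+\.[0-9]+$" || exit 1'

# scan_step: print every line of a `run:` script that contains a ${{ }}
# expression sourced from the triggering event. Exit status 1 = something found.
# (Heuristic line tracker, enough for the fragments above; not a YAML parser.)
scan_step() {
  step=$1 in_run=0 found=0
  while IFS= read -r line; do
    case $line in
      *run:*) in_run=1; continue ;;                 # entering a run: script
      *'- '*|*env:*|*uses:*|*with:*) in_run=0 ;;     # leaving it
    esac
    if [ "$in_run" -eq 1 ]; then
      case $line in
        *'${{'*github.event*)
          echo "untrusted expression in run script: $line"
          found=1 ;;
      esac
    fi
  done <<EOF
$step
EOF
  return "$found"
}

# bump_from_env: the hardened step's logic. The title is read from $PR_TITLE,
# so the shell never parses it as code and the anchored regex is a real gate.
# Prints the bare version on success, returns 1 otherwise.
bump_from_env() {
  if printf '%s' "${PR_TITLE-}" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "${PR_TITLE#v}"
    return 0
  fi
  printf 'rejected PR title: %s\n' "${PR_TITLE-}" >&2
  return 1
}

# Stand-alone demo: `sh this.sh --demo` scans both fragments, then feeds the
# gate a benign title and a constructed title of the shape quoted above.
if [ "${1-}" = "--demo" ]; then
  scan_step "$VULNERABLE_STEP" || echo "vulnerable fragment: flagged"
  scan_step "$HARDENED_STEP" && echo "hardened fragment: clean"
  PR_TITLE='v3.0.0' bump_from_env
  PR_TITLE='v3.0.0"; id; "' bump_from_env || echo "injection attempt rejected"
fi
```

The scanner is deliberately a grep-level heuristic: it catches the pattern this advisory is about (an event-controlled value expanded inside `run:`), which is the same class GitHub's own hardening guidance tells you to move into `env:`.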

Meanwhile, the VSCode extension got a fix [3] that restores TypeScript auto-imports in Vue files [4], closing a gap where IDE behavior diverged from standard TS. Vapor's compiler picked up two hydration fixes [5] [6] synced from core, addressing cursor tracking for nested insertions and useId evaluation order. Vue core shipped beta.13 [7] on the minor branch, so watch the changelog for what's coming next.

References

  [1] vuejs/language-tools: fix(ci): read PR title from env in `auto-version` workflow to prevent injection (#6074)
  [2] vuejs/language-tools: fix(ci): read PR title from env in `auto-version` workflow to prevent injection
  [3] vuejs/language-tools: fix(vscode): preserve TS auto imports behavior in Vue files (#6072)
  [4] vuejs/language-tools: fix(vscode): preserve TS auto imports behavior in Vue files
  [5] vuejs/vue-jsx-vapor: fix(compiler/vapor): preserve hydration cursor for nested insertions
  [6] vuejs/vue-jsx-vapor: fix(compiler/vapor): preserve useId evaluation order before dynamic
  [7] vuejs/core: v3.6.0-beta.13

FAQ

What changed in Vue.js on May 29, 2026?
A supply chain vulnerability in the auto-version GitHub Action could let malicious PR titles execute arbitrary commands during version bumps.
What should Vue.js teams do about it?
  • Review and merge the auto-version workflow fix [1] immediately if you maintain any shared Actions
  • Update language-tools to pick up the VSCode extension fix for TS auto-imports
  • Monitor the v3.6.0-beta.13 changelog for breaking changes before upgrading
Which Vue.js repositories shipped on May 29, 2026?
vuejs/language-tools, vuejs/vue-jsx-vapor, vuejs/core


The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.