chore(deps): update dependency vue to v3.5.27

[renovate-bot-cbcoutinho]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vue (source)	3.5.26 → 3.5.27

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

vuejs/core (vue)

v3.5.27

Compare Source

Bug Fixes

• compile-sfc: correctly handle variable shadowing in for loop for defineProps destructuring. (#​14296) (6a1bb50), closes #​14294
• compiler-sfc: handle indexed access types in declare global blocks (#​14260) (e4091fe), closes #​14236
• compiler-sfc: use correct scope when resolving indexed access types from external files (#​14297) (f0f0a21), closes #​14292
• reactivity: collection iteration should inherit iterator instance methods (#​12644) (3c8b2fc), closes #​12615
• runtime-core: skip patching reserved props for custom elements (#​14275) (19cc7e2), closes #​14274
• server-renderer: use ssrRenderClass helper for className attribute (#​14327) (a4708f3)
• ssr: handle v-bind modifiers during render attrs (#​14263) (c2f5964), closes #​14262

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[claude]

PR Review: Update Vue.js dependency to v3.5.27

Summary

This is an automated dependency update from Renovate Bot upgrading Vue.js from 3.5.26 to 3.5.27 in the Astrolabe third-party component. The update is a patch release with bug fixes only.

---

Code Quality ✅

Strengths:

• Clean dependency update with proper lockfile regeneration
• Follows semantic versioning (patch release)
• Removes unused pdfjs-dist dependency and related @napi-rs/canvas optional dependencies (190+ lines removed)

Observations:

• The package-lock.json version bump from 0.8.3 to 0.9.0 suggests this may be part of a larger Astrolabe release
• Vue dependency constraint remains ^3.0.0 in package.json, which is appropriate

---

Bug Fixes Included 🐛

According to the Vue 3.5.27 changelog, this release includes:

1. compile-sfc: Fix variable shadowing in for loops with defineProps destructuring (#14296)
2. compiler-sfc: Handle indexed access types in declare global blocks (#14260)
3. compiler-sfc: Use correct scope when resolving indexed access types from external files (#14297)
4. reactivity: Collection iteration should inherit iterator instance methods (#12644)
5. runtime-core: Skip patching reserved props for custom elements (#14275)
6. server-renderer: Use ssrRenderClass helper for className attribute (#14327)
7. ssr: Handle v-bind modifiers during render attrs (#14263)

These are all bug fixes with no breaking changes.

---

Performance Considerations ⚡

Positive:

• Removal of pdfjs-dist and @napi-rs/canvas reduces the dependency tree significantly
• Smaller lockfile (reduced by 248 lines, added only 58 lines = net -190 lines)
• No new dependencies or performance regressions expected from patch release

Neutral:

• Vue patch releases typically have minimal performance impact
• The entities sub-dependency was updated from 7.0.0 to 7.0.1 (minor patch)

---

Security Concerns 🔒

Low Risk:

• Patch version updates from a trusted, well-maintained framework (Vue.js)
• No CVEs or security advisories mentioned in the release notes
• Renovate Bot provides merge confidence indicators (visible in PR description)

Recommendation:

• Review the merge confidence badges in the PR description
• Consider enabling auto-merge for patch-level Vue updates if not already configured

---

Test Coverage 🧪

Concerns:

• ⚠️ No test changes included - This is expected for a dependency update, but manual testing is recommended
• The removal of pdfjs-dist suggests functionality may have been removed from Astrolabe - verify this was intentional

Recommendations:

1. Run Astrolabe's test suite to ensure compatibility:

   cd third_party/astrolabe
   npm run lint
   npm run build

2. Manual verification: If Astrolabe is used in integration tests, run relevant test suites:

   # From project root
   uv run pytest -m integration -v

3. Verify pdfjs-dist removal: Check if PDF viewing functionality in Astrolabe was intentionally removed or moved elsewhere

---

Additional Notes 📝

Version Alignment:

• The package.json constraint (vue: ^3.0.0) allows this update
• All Vue sub-packages are updated in lockstep to 3.5.27 (correct pattern)
• The @vue/server-renderer peer dependency correctly specifies vue@3.5.27

pdfjs-dist Removal:

• This dependency was completely removed from package-lock.json
• Verify this aligns with Astrolabe's functionality requirements
• If PDF support is still needed, it may have been moved to a different implementation

---

Verdict 🎯

Recommendation: APPROVE with verification

This is a low-risk dependency update that includes useful bug fixes. The changes are appropriate, but:

1. ✅ Approve the PR - The update itself is safe
2. ⚠️ Before merging: Run Astrolabe build/lint to confirm compatibility
3. ⚠️ Before merging: Verify pdfjs-dist removal was intentional
4. ✅ After merging: Monitor for any runtime issues in Astrolabe functionality

---

Suggested Actions

# Verify the build works
cd third_party/astrolabe
npm run lint
npm run build

# If successful, merge
gh pr merge 496 --squash

Review completed by Claude Code

[claude]

Pull Request Review: Vue.js 3.5.26 → 3.5.27 Update

Summary

This is an automated dependency update by Renovate Bot upgrading Vue.js from version 3.5.26 to 3.5.27 in the Astrolabe Nextcloud app. The changes are limited to the package-lock.json file within the third_party/astrolabe/ directory.

---

Code Quality: ✅ Excellent

Positive Aspects:

• Clean, focused dependency update with no manual code changes
• Automated tooling (Renovate) ensures consistency
• Lock file properly regenerated with all transitive dependencies updated

Observations:

• The update includes all Vue.js ecosystem packages (@vue/compiler-core, @vue/compiler-dom, @vue/compiler-sfc, @vue/runtime-core, etc.)
• Entities dependency updated from 7.0.0 → 7.0.1 (transitive dependency of @vue/compiler-core)
• Removal of pdfjs-dist and all @napi-rs/canvas packages appears to be unrelated to the Vue update (likely from package.json changes in commit 2648ef2)

---

Potential Issues: ⚠️ Minor Concerns

1. Unrelated Dependency Removal:

   • The diff shows removal of pdfjs-dist (4.10.38) and @napi-rs/canvas packages
   • These removals are NOT mentioned in the PR title/description
   • This suggests the lock file was regenerated from a modified package.json that already removed these dependencies
   • Recommendation: Verify this was intentional and not accidental

2. Package Version Bump:

   • Lock file shows version bump from 0.8.3 → 0.10.0 for astrolabe itself
   • This is a minor version bump that should have its own changelog/release notes
   • Recommendation: Ensure this version bump is intentional and properly documented

---

Security: ✅ Low Risk

Security Assessment:

• Vue.js 3.5.27 is a patch release with bug fixes only
• Official Vue.js release from the vuejs/core repository
• No security vulnerabilities reported in the changelog
• All fixes are for compiler edge cases and reactivity behavior

Bug Fixes in 3.5.27:

• Improved handling of variable shadowing in for loops with defineProps destructuring
• Fixed indexed access types in TypeScript type resolution
• Collection iteration now inherits iterator instance methods correctly
• Custom element reserved props patching improvements
• SSR className and v-bind modifier handling fixes

---

Performance: ✅ Neutral to Positive

• Patch releases typically include performance improvements or bug fixes
• Compiler fixes (SFC, SSR) may improve build performance
• No breaking changes or new features that would affect runtime performance
• The reactivity fix (#12644) may improve iterator performance for collections

---

Test Coverage: ⚠️ Pending CI Results

Current Status:

• ✅ ESLint: PASSED
• ✅ Stylelint: PASSED
• ✅ Changes detection: PASSED
• ⏳ Node.js build: IN PROGRESS
• ⏳ Integration tests: IN PROGRESS

Recommendations:

1. Wait for all CI checks to complete before merging
2. Verify the Node.js build succeeds with the new Vue version
3. Ensure integration tests pass, especially any UI/component tests

---

Best Practices: ✅ Follows Conventions

Alignment with Project Standards:

• ✅ Automated dependency management via Renovate
• ✅ Semantic versioning respected (patch update)
• ✅ Lock file properly maintained
• ✅ No manual code changes in automated PR

Vue Version Constraint:

• Package.json specifies: "vue": "^3.0.0"
• This allows any 3.x version, so 3.5.27 is within acceptable range
• Consider tightening to ^3.5.0 if relying on 3.5-specific features

---

Action Items

Before Merging:

1. ✅ Verify CI checks complete successfully
2. ⚠️ Confirm the pdfjs-dist and @napi-rs/canvas removals are intentional
3. ⚠️ Validate the astrolabe version bump (0.8.3 → 0.10.0) is correct
4. 📝 Consider testing the Astrolabe UI manually if you have a test Nextcloud instance
5. 📝 Review the Vue 3.5.27 changelog for any edge cases that might affect your SFC components

Optional Improvements:

• Consider adding automated visual regression testing for Vue component updates
• Document which Vue 3.5.x features Astrolabe relies on (for future reference)

---

Recommendation: ✅ APPROVE (with minor verification)

This is a straightforward patch update with legitimate bug fixes. The main concern is understanding why pdfjs-dist was removed—if that was a deliberate dependency cleanup, this PR is safe to merge once CI passes.

Overall Assessment: Low-risk maintenance update that should be merged after CI validation.

---

Reviewed by: Claude Code (Automated Review)
Review Date: 2026-01-28