fix(deps): bump nuxt to 3.21.6#21567

Closed
chargome wants to merge 1 commit into
developfrom
fix/dependabot-alert-1765

Conversation

@chargome

Member

Summary

Bumps the nuxt devDependency in packages/nuxt from 3.17.7 to 3.21.6 — a minor bump that stays within the 3.x line.

Resolves three Dependabot alerts:

🤖 Generated with Claude Code

@chargome chargome requested a review from a team as a code owner June 16, 2026 09:22
@chargome chargome requested review from nicohrubec and s1gr1d and removed request for a team June 16, 2026 09:22
@chargome chargome self-assigned this Jun 16, 2026
Comment thread yarn.lock
@@ -16104,6 +16686,38 @@ esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:
"@esbuild/win32-ia32" "0.25.12"
"@esbuild/win32-x64" "0.25.12"

esbuild@^0.27.0:
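Review bot: the new `esbuild@^0.27.0:` block added at the end of this hunk is a third parallel esbuild resolution (the context lines above show the `esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:` group still pinned to `"@esbuild/win32-x64" "0.25.12"`), and its resolved version is not visible in the hunk; please confirm what `^0.27.0` resolves to and whether it reaches the 0.28.1 floor that the Semgrep comment on this hunk names, since otherwise the bump adds a second sub-0.28.1 esbuild copy instead of replacing one, and say in the PR description which of these resolutions are devDependency-only.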


High severity vulnerability may affect your project—review required:
Line 16689 lists a dependency (esbuild) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

References: GHSA

To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.

  • If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
@@ -16072,7 +16654,7 @@ esbuild@^0.23.0:
"@esbuild/win32-ia32" "0.23.1"
"@esbuild/win32-x64" "0.23.1"

esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:
esbuild@^0.25.0, esbuild@^0.25.3:
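Review bot: the `esbuild@^0.25.6` specifier is dropped from the `esbuild@^0.25.0, esbuild@^0.25.3, esbuild@^0.25.6:` header in this hunk while the block itself stays, so either nothing requires `^0.25.6` any more or that specifier now resolves through a different lockfile entry; check which it is and, if it is a new entry, that it sits at or above the 0.28.1 floor the Semgrep comment names rather than being another sub-0.28.1 copy. Note also that the rendered diff has lost its `-`/`+` markers, so the second `esbuild@^0.25.0, esbuild@^0.25.3:` line is the replacement header, not a duplicated entry.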


High severity vulnerability may affect your project—review required:
Line 16657 lists a dependency (esbuild) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

References: GHSA

To resolve this comment:
Check if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry.

  • If you're affected, upgrade this dependency to at least version 0.28.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.
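A defender-side check that the two Semgrep findings above invite, added here as example code that is not part of the PR or of the Semgrep bot: it reads a yarn.lock v1 file, lists every resolution of esbuild below the 0.28.1 version the findings quote as patched, and also flags entries that carry no integrity hash. The sample lockfile is constructed; its specifier groups mirror the hunks in this PR, but the `0.27.3` version and the placeholder hashes are assumptions, not the repository's values.

```python
import re
PATCHED_VERSION = "0.28.1"  # minimum fixed version quoted in the Semgrep finding

# Constructed sample (not the repo's yarn.lock): the specifier groups mirror the PR
# hunks; resolved versions and integrity values are illustrative placeholders.
SAMPLE_LOCK = """\
esbuild@^0.23.0:
  version "0.23.1"
  integrity sha512-PLACEHOLDER

esbuild@^0.25.0, esbuild@^0.25.3:
  version "0.25.12"
  integrity sha512-PLACEHOLDER
  optionalDependencies:
    "@esbuild/win32-x64" "0.25.12"

esbuild@^0.27.0:
  version "0.27.3"
"""

def parse_yarn_lock(text):
    """v1 reader: unindented 'a@x, b@y:' opens an entry; keep its 2-space version/integrity."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            specs = [s.strip().strip('"') for s in line.rstrip()[:-1].split(",")]
            current = {"specifiers": specs, "version": None, "integrity": None}
            entries.append(current)
        elif current is not None:  # 4-space nested maps (optionalDependencies) never match
            m = re.match(r'^  (version|integrity) "?([^"\s]+)"?$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries

def parse_version(v):
    return tuple(int(p) for p in re.split(r"[-+]", v)[0].split("."))  # drops prerelease tag

def vulnerable_resolutions(text, package="esbuild", patched=PATCHED_VERSION):
    """Flag resolutions of `package` below `patched`, and entries with no integrity hash."""
    findings = []
    for e in parse_yarn_lock(text):
        if e["version"] is None or package not in {s.rpartition("@")[0] for s in e["specifiers"]}:
            continue
        below = parse_version(e["version"]) < parse_version(patched)
        if below or e["integrity"] is None:
            findings.append({"specifiers": e["specifiers"], "version": e["version"],
                             "below_patched": below, "has_integrity": e["integrity"] is not None})
    return findings
```

Run it against the real lockfile with `vulnerable_resolutions(open("yarn.lock").read())`; an empty list means no esbuild entry is below the floor and every one is integrity-pinned.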

@chargome chargome marked this pull request as draft June 16, 2026 09:37
@chargome

Member Author

Closing: bumping nuxt to 3.21.6 (the only patched version) breaks the @sentry/nuxt build — nuxt 3.21 / nitro-v3 moved the nitro option and nitro:init/nitro:config hooks off the default NuxtOptions/NuxtHooks types, which requires a source migration that overlaps ongoing nitro-v3 work. nuxt is a dev/test-only devDependency here (end users provide their own nuxt), so the three alerts are being dismissed as tolerable_risk instead.

@chargome chargome closed this Jun 16, 2026
@chargome chargome deleted the fix/dependabot-alert-1765 branch June 16, 2026 09:44