Nuxt.js Dev Toolchain Pins Defu Dependency to Patch High-Severity Prototype Pollution (CVE-2026-35209)
A high-severity prototype pollution vulnerability (CVE-2026-35209 / GHSA-737v-mqg7-c878) in the `defu` library has triggered a forced dependency override within the Nuxt.js framework's development toolchain. The vulnerable `defu` version 6.1.4 reached the toolchain as a transitive dependency of `@hey-api/openapi-ts`, a tool for generating TypeScript clients from OpenAPI specifications. The Nuxt team has moved to override the dependency to version `>=6.1.5` to resolve the security flaw.
The fix was implemented by adding a `pnpm.overrides` entry in the project's `package.json` file, explicitly forcing the use of a patched version of `defu`. This action is a direct security patch, not a version bump of a primary dependency. Crucially, the affected `defu` package is used only in the development toolchain and is not shipped in production builds distributed to end-users, significantly limiting the potential attack surface.
While the immediate risk to Nuxt.js applications in production is assessed as low, the incident highlights the persistent security challenges in modern JavaScript toolchains, where deep, transitive dependencies can introduce critical vulnerabilities. The patch has been verified using `pnpm audit` and the Grype vulnerability scanner. This proactive override demonstrates the framework's security response to upstream vulnerabilities, even when they are confined to the build process.