Skip to content

feat!: require explicit vue-loader@legacy for Vue 2, remove hidden install #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 3, 2025
Merged

feat!: require explicit vue-loader@legacy for Vue 2, remove hidden install #688

merged 4 commits into from
Nov 3, 2025

Conversation

@ShGKme
Copy link
Collaborator

@ShGKme ShGKme commented Oct 25, 2025
edited
Loading

Current approach

Currently webpack-vue-config supports both Vue 2 (with vue-loader@15) and Vue 3 (with vue-loader@17) via a postinstall script.

In Vue 2 projects it replaces vue-loader@17 with required vue-loader@15 by installing it with --no-save.

In other words, there might be no vue-loader specified in package.json and an incorrect version specified in package-lock.json while everything magically works.

New approach (breaking change)

No more hidden install. In Vue 2 apps a developer MUST install the required vue-loader manually.

npm i -D vue-loader@legacy

Motivation

This postinstall is a bit hacky. It is intended since there is no other way to have conditional dependencies. For example, popular vue-demi package does something similar.

However, it doesn't work in environments where only explicitly specified in the package-lock.json dependencies are installed. For example, nixpkgs.

cc @provokateurin

Making migration simpler

postinstall script is kept only for the version checking and showing a warning.

Otherwise there is no npm ci error, and the build error might be less obvious.

image

@ShGKme ShGKme self-assigned this Oct 25, 2025
@ShGKme ShGKme added enhancement New feature or request 3. to review 💥 breaking PR that requires a new major version labels Oct 25, 2025
provokateurin
provokateurin previously approved these changes Oct 26, 2025
View reviewed changes
This was referenced Oct 26, 2025
Merged
Merged
Closed
ShGKme added 2 commits October 27, 2025 13:05
@ShGKme
feat!: require explicit vue-loader@legacy for Vue 2
9c76c63 
Signed-off-by: Grigorii K. Shartsev <me@shgk.me>
@ShGKme
test: specify vue-loader in tests
f4d7629 
Signed-off-by: Grigorii K. Shartsev <me@shgk.me>
@ShGKme ShGKme force-pushed the feat/require-vue-loader branch from 07cbad2 to c2d1a2b Compare October 27, 2025 12:05
@ShGKme
Copy link
Collaborator Author

ShGKme commented Oct 27, 2025

Changes in the force-push:

  • Rebased onto main
  • Added a test for the Vue 2 + incompatible vue-loader
  • Simplified version checking (only check package.json, do not load entire Vue module)
  • In case of version check error - just skip the check

The last one change is important.

The purpose of the script is to warn in a simple way about an incompatible vue-loader version.
If something goes wrong, just skip the check (for example, nixpkgs or other unusual setups might run postinstall when dependencies are not installed as expected by npm).
In case of incompatibility, an error will be raised when using the package anyway, just less directly - with compilation errors.

cc @provokateurin

ShGKme added 2 commits October 27, 2025 13:09
@ShGKme
test: add test for Vue 2 app with no vue-loader failture
2313479 
Signed-off-by: Grigorii K. Shartsev <me@shgk.me>
@ShGKme
chore(README): require explicit vue-loader@legacy for Vue 2
d760682 
Signed-off-by: Grigorii K. Shartsev <me@shgk.me>
@ShGKme ShGKme force-pushed the feat/require-vue-loader branch from c2d1a2b to d760682 Compare October 27, 2025 12:09
@ShGKme
Copy link
Collaborator Author

ShGKme commented Oct 27, 2025

  • Added the new test files to REUSE

@ShGKme ShGKme requested a review from provokateurin October 27, 2025 12:09
@ShGKme ShGKme mentioned this pull request Oct 27, 2025
Merged
@ShGKme ShGKme requested a review from DorraJaouad October 31, 2025 16:10
@ShGKme
Copy link
Collaborator Author

ShGKme commented Oct 31, 2025

@DorraJaouad Also adding you as it is kind of a security issue. Currently vue-loader and its dependencies may not be listed in the package-lock file at all. This PR makes it required via a small breaking change.

@ShGKme ShGKme merged commit 672ee12 into main Nov 3, 2025
6 checks passed
@ShGKme ShGKme deleted the feat/require-vue-loader branch November 3, 2025 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@provokateurin provokateurin provokateurin approved these changes

@DorraJaouad DorraJaouad DorraJaouad approved these changes

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

Assignees

@ShGKme ShGKme

Labels

3. to review 💥 breaking PR that requires a new major version enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ShGKme @provokateurin @DorraJaouad