chore: bump

Author: harlan-zw

CHANGELOG.md

@@ -1,6 +1,28 @@
 # Changelog
 
 
+## v6.4.11...main
+
+[compare changes](https://github.com/nuxt-modules/og-image/compare/v6.4.11...main)
+
+### 🚀 Enhancements
+
+- **nuxt-ui:** Color mode aware token resolution via `data-theme` ([#598](https://github.com/nuxt-modules/og-image/pull/598))
+
+### 🩹 Fixes
+
+- **fonts:** Skip fontaine fallbacks ([aa33012c](https://github.com/nuxt-modules/og-image/commit/aa33012c))
+- **takumi:** Treat single-entry variable fonts as axis-driven (defensive) ([#599](https://github.com/nuxt-modules/og-image/pull/599))
+- **takumi:** Keep variable WOFF2 over per-weight static fallback ([#600](https://github.com/nuxt-modules/og-image/pull/600))
+
+### 🏡 Chore
+
+- Bump ([01efcf4e](https://github.com/nuxt-modules/og-image/commit/01efcf4e))
+
+### ❤️ Contributors
+
+- Harlan Wilton ([@harlan-zw](https://github.com/harlan-zw))
+
 ## v6.4.9...main
 
 [compare changes](https://github.com/nuxt-modules/og-image/compare/v6.4.9...main)

devtools/app.vue

@@ -43,7 +43,9 @@ function getHostOgImageDebugUrl(): string | undefined {
       return
     return new URL(content).pathname.replace(RE_IMAGE_EXT, '.json')
   }
-  catch {}
+  catch {
+    // Cross-origin parent documents cannot be inspected; fall back to route options.
+  }
 }
 
 const { data: pathDebug, refresh: refreshPathDebug, status: pathDebugStatus } = useAsyncData<PathDebugResponse>('path-debug', async () => {

devtools/pages/index.vue

@@ -997,7 +997,9 @@ const productionHostname = computed(() => {
                   rows="3"
                   @change="(() => {
                     try { editProp(key, JSON.parse(($event.target as HTMLTextAreaElement).value)) }
-                    catch {}
+                    catch {
+                      // Invalid JSON is expected while editing; keep the previous prop value.
+                    }
                   })()"
                 />
                 <input

docs/content/3.guides/13.security.md

@@ -3,7 +3,7 @@ title: Security
 description: Learn about the security defaults and how to further harden your OG image endpoint.
 ---
 
-Nuxt OG Image ships with secure defaults. Image dimensions are clamped, renders are time limited, internal network requests are blocked, and user provided props are sanitized. No configuration is needed for these protections.
+Nuxt OG Image ships with secure defaults. The module clamps image dimensions, time limits renders, blocks internal network requests, and sanitizes user-provided props. These protections require no configuration.
 
 The primary security concern with runtime OG image generation is **denial of service**: without protection, anyone can craft arbitrary image generation requests to your `/_og/d/` endpoint, consuming server CPU and memory. URL signing prevents this by ensuring only your application can generate valid image URLs.
 
@@ -36,15 +36,15 @@ Enabling `strict` mode applies all recommended security defaults in a single fla
 
 Any of these can still be overridden explicitly. Strict mode only changes the defaults.
 
-The build will fail if `strict` is enabled without a `secret`. Generate one with:
+The build will fail if you enable `strict` without a `secret`. Generate one with:
 
 ```bash
 npx nuxt-og-image generate-secret
 ```
 
 ## URL Signing
 
-When a signing secret is configured, every OG image URL includes a cryptographic signature in the path. The server verifies this signature before rendering, rejecting any URL that has been tampered with or crafted manually.
+When you configure a signing secret, every OG image URL includes a cryptographic signature in the path. The server verifies this signature before rendering, rejecting any URL that has been tampered with or crafted manually.
 
 This prevents unauthorized image generation requests that would otherwise consume server resources.
 
@@ -76,7 +76,7 @@ export default defineNuxtConfig({
 
 ### How It Works
 
-When a secret is configured:
+When you configure a secret:
 - `defineOgImage()`{lang="ts"} appends a signature to the URL path: `/_og/d/w_1200,h_600,s_abc123def456.png`
 - The server extracts and verifies the signature before processing the request
 - Requests with missing or invalid signatures receive a `403` response
@@ -104,9 +104,9 @@ export default defineNuxtConfig({
 })
 ```
 
-When zero runtime is enabled:
-- No server-side rendering code is included in your production build
-- Images are generated once at build time and served as static assets
+When you enable zero runtime:
+- Your production build includes no server-side rendering code
+- The build generates images once and serves them as static assets
 - The `/_og` endpoint is not available at runtime
 
 If your OG images don't need to change dynamically after deployment, this is the recommended approach.
@@ -157,7 +157,7 @@ If you find yourself passing large amounts of data through query parameters (tit
 
 ## Restrict Runtime Images to Origin
 
-When runtime image generation is enabled, anyone who knows the `/_og` endpoint pattern can request an image directly. The `restrictRuntimeImagesToOrigin` option limits runtime generation to requests whose `Host` header matches your configured site URL.
+When you enable runtime image generation, anyone who knows the `/_og` endpoint pattern can request an image directly. The `restrictRuntimeImagesToOrigin` option limits runtime generation to requests whose `Host` header matches your configured site URL.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({
@@ -173,7 +173,7 @@ export default defineNuxtConfig({
 
 The module reads the `Host` header from each runtime request using h3's `getRequestHost` (with `X-Forwarded-Host` support for reverse proxies) and compares it against the host from your [Nuxt Site Config](https://nuxtseo.com/docs/site-config/getting-started/introduction) `url`. If the hosts don't match, the request receives a `403` response.
 
-Because the `Host` header is mandatory in HTTP/1.1, this check works with all clients including social media crawlers. No `Origin` or `Referer` header is required.
+Because HTTP/1.1 requires the `Host` header, this check works with all clients including social media crawlers. The server does not need an `Origin` or `Referer` header.
 
 ### Allowing Additional Origins
 
@@ -197,7 +197,7 @@ Prerendering and dev mode bypass the host check entirely.
 
 ## Debug Mode Warning
 
-Enabling `ogImage.debug` in production exposes the `/_og/debug.json` endpoint. The module will log a warning at build time if debug is enabled outside of dev mode. Make sure to disable it before deploying.
+Enabling `ogImage.debug` in production exposes the `/_og/debug.json` endpoint. The module will log a warning at build time if you enable debug outside of dev mode. Make sure to disable it before deploying.
 
 ```ts [nuxt.config.ts]
 export default defineNuxtConfig({

docs/content/3.guides/3.runtime-cache.md

@@ -3,7 +3,7 @@ title: Runtime Cache
 description: How OG image caching works at runtime, including internal storage, CDN edge caching, and platform integration.
 ---
 
-When generating images at runtime, Nuxt OG Image provides two layers of caching to minimise server load and response times. For most deployments, the defaults work well and no configuration is needed.
+When generating images at runtime, Nuxt OG Image provides two layers of caching to minimise server load and response times. For most deployments, the defaults work well and require no configuration.
 
 ## Quick Start
 
@@ -50,7 +50,7 @@ That's it. The module handles cache headers, CDN integration, and cache key gene
 
 ### Layer 1: Internal Cache (Nitro Storage)
 
-The module caches rendered image buffers in Nitro storage. On a cache hit, the image is served in ~5-30ms instead of re-rendering (400-3500ms).
+The module caches rendered image buffers in Nitro storage. On a cache hit, Nitro serves the image in ~5-30ms instead of re-rendering (400-3500ms).
 
 By default, this uses **in-memory** storage. The cache is lost on server restart or redeployment. Configuring a [persistent storage driver](#persistent-storage) fixes this.
 
@@ -83,7 +83,7 @@ The module sets `Cache-Control` on every OG image response so CDNs cache it corr
 | `/_og/d/**` (dynamic) | `public, max-age=<ttl>, s-maxage=<ttl>, immutable` |
 | `/_og/r/**` (resolver) | Same as dynamic |
 
-Where `<ttl>`{lang="html"} is `cacheMaxAgeSeconds` (default 72 hours). URLs are content-addressed (encoded params + component hash), so `immutable` is safe; the response bytes never change for a given URL. No Nitro `swr`/`isr` route rule is needed (and it wouldn't work anyway, as `cachedEventHandler` JSON-serializes responses and breaks binary PNG/JPEG output).
+Where `<ttl>`{lang="html"} means `cacheMaxAgeSeconds` (default 72 hours). URLs use content addressing (encoded params + component hash), so `immutable` is safe; the response bytes never change for a given URL. You do not need a Nitro `swr`/`isr` route rule (and it wouldn't work anyway, as `cachedEventHandler` JSON-serializes responses and breaks binary PNG/JPEG output).
 
 ## Query Parameters
 
@@ -95,7 +95,7 @@ OG image URLs encode all options in the **URL path**, not query parameters:
 
 The cache key is deterministic from the path alone. Appending query parameters like `?ref=twitter` or `?utm_source=og` directly to an OG image URL has no effect on rendering. If you need different image variants, use a [custom cache key](#custom-cache-key).
 
-Note that your **page URL's** query parameters (e.g., `/products?page=2`) are encoded into the generated OG image URL via the `_query` field. This means different page query strings produce different OG image URLs, since the page may render differently with different query params. Each unique combination gets its own cached image.
+Note that the generated OG image URL encodes your **page URL's** query parameters (e.g., `/products?page=2`) via the `_query` field. This means different page query strings produce different OG image URLs, since the page may render differently with different query params. Each unique combination gets its own cached image.
 
 ## Persistent Storage
 
@@ -218,7 +218,7 @@ export default defineNuxtConfig({
 
 Append `?purge` to any OG image URL to invalidate its internal cache entry and force a fresh render.
 
-When [URL signing](/docs/og-image/guides/security#url-signing) is enabled, you must provide the signing secret as the purge value: `?purge=<your-secret>`{lang="html"}. This prevents unauthorized cache invalidation.
+When you enable [URL signing](/docs/og-image/guides/security#url-signing), you must provide the signing secret as the purge value: `?purge=<your-secret>`{lang="html"}. This prevents unauthorized cache invalidation.
 
 Note that this only clears the module's internal Nitro storage cache (Layer 1). CDN edge caches (Layer 2) may continue serving the previous version until their TTL expires. To force CDN re-fetch:
 

docs/content/4.api/0.define-og-image.md

@@ -82,7 +82,7 @@ The emoji set to use when generating the image. Set to `false` to disable emoji
 ### `html`
 
 ::deprecated
-The `html` option is deprecated and will be removed in the next major version due to SSRF risk. Use a Vue component instead. This option is disabled when `security.strict` is enabled.
+The `html` option is deprecated and the next major version will remove it due to SSRF risk. Use a Vue component instead. `security.strict` disables this option.
 ::
 
 - Type: `string`{lang="ts"}
@@ -109,7 +109,7 @@ The number of seconds to cache the image for. This is useful for reducing the nu
 - Type: `string`{lang="ts"}
 - Default: `undefined`{lang="ts"}
 
-Custom cache key for this OG image. When set, this key is used directly for caching instead of the auto-generated key.
+Custom cache key for this OG image. When set, the module uses this key directly for caching instead of the auto-generated key.
 
 ### `key`
 

docs/content/6.migration-guide/v6.md

@@ -302,7 +302,7 @@ Query parameters are no longer included in cache keys. Previously, `/page?foo=ba
 
 See [PR #427](https://github.com/nuxt-modules/og-image/pull/427).
 
-All image options are encoded in the URL path, so query parameters on the OG image URL have no effect. In v5, query parameter overrides (e.g. `?title=Override`) worked in production when URL signing was disabled. In v6, query param overrides are only available in dev and prerender modes. Use `defineOgImage` props to pass dynamic values instead.
+The URL path encodes all image options, so query parameters on the OG image URL have no effect. In v5, query parameter overrides (e.g. `?title=Override`) worked in production without URL signing. In v6, query param overrides only work in dev and prerender modes. Use `defineOgImage` props to pass dynamic values instead.
 
 #### Cache Version Control
 

examples/basic-satori/package.json

@@ -10,13 +10,13 @@
   "dependencies": {
     "@nuxt/fonts": "^0.14.0",
     "@resvg/resvg-js": "^2.6.2",
-    "@tailwindcss/vite": "^4.2.4",
+    "@tailwindcss/vite": "^4.3.0",
     "fontless": "^0.2.1",
-    "nuxt": "^4.4.4",
+    "nuxt": "^4.4.6",
     "nuxt-og-image": "latest",
     "nuxt-site-config": "^4.0.8",
     "satori": "^0.26.0",
-    "tailwindcss": "^4.2.4",
-    "vue": "^3.5.33"
+    "tailwindcss": "^4.3.0",
+    "vue": "^3.5.34"
   }
 }

examples/basic-takumi/package.json

@@ -9,12 +9,12 @@
   },
   "dependencies": {
     "@nuxt/fonts": "^0.14.0",
-    "@tailwindcss/vite": "^4.2.4",
-    "@takumi-rs/core": "^1.1.2",
-    "nuxt": "^4.4.4",
+    "@tailwindcss/vite": "^4.3.0",
+    "@takumi-rs/core": "^1.2.1",
+    "nuxt": "^4.4.6",
     "nuxt-og-image": "latest",
     "nuxt-site-config": "^4.0.8",
-    "tailwindcss": "^4.2.4",
-    "vue": "^3.5.33"
+    "tailwindcss": "^4.3.0",
+    "vue": "^3.5.34"
   }
 }

examples/content/package.json

@@ -8,16 +8,16 @@
     "preview": "nuxt preview"
   },
   "dependencies": {
-    "@nuxt/content": "^3.13.0",
+    "@nuxt/content": "^3.14.0",
     "@nuxt/fonts": "^0.14.0",
     "@resvg/resvg-js": "^2.6.2",
-    "@tailwindcss/vite": "^4.2.4",
+    "@tailwindcss/vite": "^4.3.0",
     "fontless": "^0.2.1",
-    "nuxt": "^4.4.4",
+    "nuxt": "^4.4.6",
     "nuxt-og-image": "latest",
     "nuxt-site-config": "^4.0.8",
     "satori": "^0.26.0",
-    "tailwindcss": "^4.2.4",
-    "vue": "^3.5.33"
+    "tailwindcss": "^4.3.0",
+    "vue": "^3.5.34"
   }
 }