WAIT — Stale — last commit 2y ago

• 35+ active contributors
• MIT licensed
• CI configured
• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Concentrated ownership — top contributor handles 57% of recent commits
• ⚠ Scorecard: marked unmaintained (0/10)
• ⚠ Scorecard: default branch unprotected (0/10)

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests + OpenSSF Scorecard}

Vue 2 is a progressive JavaScript framework for building user interfaces with reactive data binding and component-based architecture. It lets developers declare UI state and templates that automatically update when data changes, scaling from simple widgets to full single-page applications. Monorepo structure with compiler-sfc/ for single-file component parsing, benchmarks/ with dbmon/big-table performance tests, examples/ with runnable demos, and dist/ containing multiple build outputs (vue.common.js, vue.runtime.mjs). Core Vue 2 implementation lives in TypeScript source files not visible in this truncated file list.

Front-end developers maintaining existing Vue 2 applications, and teams building new projects who cannot yet migrate to Vue 3. Also relevant to maintainers of legacy enterprise systems that depend on Vue 2's stable, predictable behavior.

Vue 2 reached End of Life on December 31st, 2023 and no longer receives new features, security patches, or bug fixes. While production-ready and widely deployed in legacy systems, it is now an unmaintained codebase suitable only for maintenance mode on existing applications.

This is an archived, EOL project — new features will never be added, and critical security vulnerabilities will go unfixed. The repository accepts no new contributions. Substantial TypeScript codebase (1.85M lines) with complex reactivity internals (src/core/ files like observer.ts, dep.ts) that require deep knowledge to modify safely.

The repository is in maintenance mode—no new work is planned. Existing issues and PRs are unreviewed. Users are directed to upgrade to vuejs/core (Vue 3) in the README and CI pipelines remain in place for distribution only.

git clone https://github.com/vuejs/vue.git && cd vue && npm install && npm run dev

Daily commands: npm run dev (runs development build with watchers). npm run build generates optimized dist/ outputs. npm test runs test suite. Check package.json scripts for exact commands.

• package.json — Root package configuration defining Vue 2's build targets, dependencies, and release configuration; essential for understanding the project structure and build process.
• packages/compiler-sfc/src/index.ts — Single File Component (SFC) compiler entry point; core to Vue 2's template and script processing pipeline that every contributor touching .vue files must understand.
• packages/compiler-sfc/src/parse.ts — SFC parser that extracts template, script, and style blocks from .vue files; foundational for the entire compiler-sfc subsystem.
• dist/vue.common.js — CommonJS runtime build of Vue 2; the primary output artifact distributed to npm and the source of truth for production behavior.
• .github/CONTRIBUTING.md — Defines contribution guidelines, commit conventions, and development workflow; required reading for all new contributors to this EOL-status project.
• .github/COMMIT_CONVENTION.md — Specifies the conventional commit format used for this project's changelog generation and release automation; enforced in CI/CD.
• README.md — Critical notice that Vue 2 reached End of Life on December 31, 2023; must be understood before contributing or using this repository.

Add a new CSS preprocessor to the SFC compiler

1. Define the preprocessor adapter function in packages/compiler-sfc/src/stylePreprocessors.ts following the existing Sass/Less/PostCSS patterns (packages/compiler-sfc/src/stylePreprocessors.ts)
2. Export the preprocessor in the public API by updating packages/compiler-sfc/src/index.ts to include the new processor (packages/compiler-sfc/src/index.ts)
3. Update packages/compiler-sfc/src/compileStyle.ts to invoke the new preprocessor when the matching lang= attribute is detected (packages/compiler-sfc/src/compileStyle.ts)

Modify template compilation behavior for custom directives or syntax

1. Add custom module to packages/compiler-sfc/src/templateCompilerModules/ following the pattern of assetUrl.ts (packages/compiler-sfc/src/templateCompilerModules/assetUrl.ts)
2. Register the module in packages/compiler-sfc/src/compileTemplate.ts by passing it to the template compiler options (packages/compiler-sfc/src/compileTemplate.ts)
3. Export the module from the main compiler entry point in packages/compiler-sfc/src/index.ts if it should be user-configurable (packages/compiler-sfc/src/index.ts)

Add support for a new .vue block type (beyond template/script/style)

1. Extend the block parsing logic in packages/compiler-sfc/src/parse.ts to recognize and extract the new block type (packages/compiler-sfc/src/parse.ts)
2. Create a compile handler function similar to compileScript.ts or compileStyle.ts to process the new block (packages/compiler-sfc/src/compileScript.ts)
3. Integrate the handler into the main packages/compiler-sfc/src/index.ts orchestration to process and return the compiled block (packages/compiler-sfc/src/index.ts)

Enhance scoped CSS implementation for new CSS features

1. Review and modify the scoping strategy in packages/compiler-sfc/src/stylePlugins/scoped.ts to handle the new CSS feature (e.g., :is(), :where()) (packages/compiler-sfc/src/stylePlugins/scoped.ts)
2. Update the corresponding template attribute injection logic in packages/compiler-sfc/src/compileTemplate.ts to add scope identifiers correctly (packages/compiler-sfc/src/compileTemplate.ts)
3. Add test cases to the examples or benchmarks folder to validate scoped CSS behavior with the new feature (examples/classic/todomvc/app.js)

• TypeScript — Type safety for compiler transformations and API contracts; essential for correctness when manipulating template ASTs and Babel plugins
• Babel — Abstract syntax tree manipulation and JavaScript transpilation for script blocks; enables ES6+ to ES5 compatibility and feature transforms
• PostCSS — CSS plugin ecosystem for preprocessor integration and CSS custom properties extraction; flexible alternative to monolithic LESS/Sass
• CommonJS + ES Modules dual builds — Supports both legacy Node.js/bundler consumers and modern ESM-first environments; maximizes ecosystem compatibility for an EOL project

• Parse .vue files into separate blocks (template, script, style) rather than treating as unified AST
  • Why: Simplifies independent compilation of each language (HTML, JavaScript, CSS) and allows per-block preprocessor selection
  • Consequence: Requires careful identity tracking (e.g., line number offsets, source maps)

This repository is End-of-Life—attempting to open PRs, report bugs, or request features will be rejected. No new npm releases will be published. If you need Vue 2 in production with security guarantees, you must migrate to Vue 3 (vuejs/core) or purchase Vue 2 NES support from HeroDevs. The dist/ folder contains pre-built outputs; modifying src/ requires rebuilding via npm run build.

• Reactivity via Dependency Tracking (Observer Pattern) — Vue 2's core innovation—automatically detects which components depend on which data, making updates efficient without explicit subscription code
• Virtual DOM (VDOM) Reconciliation — Vue renders to a lightweight in-memory DOM representation, diffs it against previous state, and only updates the actual DOM with minimal changes for performance
• Single-File Components (.vue format) — Vue's distinctive pattern bundling template, script, and styles in one .vue file—processed by compiler-sfc/ during build
• Two-Way Data Binding (v-model) — Vue automatically syncs template inputs with component state bidirectionally—reduces boilerplate for form handling vs. one-way binding frameworks
• Computed Properties with Memoization — Vue caches computed property results and only recomputes when dependencies change—critical for performance in templates with expensive calculations
• Directive System (v-if, v-for, v-on, etc.) — Vue templates use directives to conditionally render, loop, bind events, and apply styles—fundamentally different from JSX and requires learning Vue's template syntax
• Asynchronous Component Loading — Vue supports dynamic imports and code-splitting of components via webpack—essential pattern for large Vue 2 SPAs to reduce initial bundle size

• vuejs/core — The actively maintained Vue 3 repository—where all new Vue development happens and the recommended upgrade path for Vue 2 users
• vuetify/vuetify — Material Design component library for Vue (supports both Vue 2 and Vue 3)—frequently used alongside Vue for UI
• nuxt/nuxt — Full-stack meta-framework for Vue (with v2 branch for Vue 2 support)—adds server-side rendering, static generation, and routing to Vue projects
• vuejs/vue-router — Official routing library for Vue 2 SPAs—essential for multi-page applications built with Vue 2
• vuejs/vuex — Official state management library for Vue 2—centralized store pattern for complex application state

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive test coverage for benchmark suite utilities

The benchmarks directory contains several utility files (benchmarks/dbmon/lib/memory-stats.js, benchmarks/dbmon/lib/monitor.js) that lack corresponding unit tests. These utilities are critical for performance regression detection but have no test coverage. Adding tests would ensure benchmark reliability and make it easier for contributors to understand expected behavior.

• [ ] Create test/benchmarks directory structure mirroring benchmarks/
• [ ] Write unit tests for benchmarks/dbmon/lib/memory-stats.js covering memory tracking accuracy
• [ ] Write unit tests for benchmarks/dbmon/lib/monitor.js covering DOM monitoring functionality
• [ ] Add test scripts to package.json for benchmark tests
• [ ] Document how to run benchmark tests in CONTRIBUTING.md

Document compiler-sfc module exports and add TypeScript definitions for index.d.ts

The compiler-sfc package exposes compiled SFC (Single File Component) functionality but the index.d.ts file exists with minimal or no documentation. Given this is a public API module with its own package.json, comprehensive TypeScript definitions with JSDoc comments would help users and tool maintainers understand the exported APIs without reading source code.

• [ ] Audit compiler-sfc/index.js to identify all exported functions and their signatures
• [ ] Enhance compiler-sfc/index.d.ts with complete type definitions for all exports
• [ ] Add JSDoc comments to describe each exported function's purpose, parameters, and return types
• [ ] Create documentation file at compiler-sfc/README.md with API reference and usage examples
• [ ] Update root CONTRIBUTING.md with section on compiler-sfc contribution guidelines

Add missing CI workflow for end-to-end example validation

The examples/ directory contains 10+ example applications (commits, elastic-header, firebase, grid, markdown, modal, etc.) but there's no CI workflow to verify they still build and run correctly. Given Vue 2 is in EOL maintenance mode, automated validation of examples ensures they remain viable references for users still on Vue 2, preventing examples from becoming stale.

• [ ] Review .github/workflows/ci.yml to understand existing build/test structure
• [ ] Create .github/workflows/examples-validation.yml that builds each example in examples/classic/*/
• [ ] Add build script validation for examples that have package.json files
• [ ] Configure workflow to run on PRs touching examples/ or package dependencies
• [ ] Document the examples validation process in .github/CONTRIBUTING.md

• This is an EOL repository that no longer accepts contributions. There are no good first issues because the project is frozen. If you want to contribute to Vue, work on vuejs/core (Vue 3) instead.
• If you maintain a Vue 2 application, the contribution opportunity is in your own codebase—Vue 2 itself will not be modified.
• Consider creating a fork and maintaining Vue 2 yourself if you have a critical use case, or start planning your migration to Vue 3.

CRITICAL SECURITY POSTURE: Vue 2 is an End-of-Life project (EOL since Dec 31, 2023) with no active security maintenance. This is the primary and most severe security concern. The codebase will not receive patches for newly discovered vulnerabilities, making it unsuitable for security-sensitive applications. All dependencies are frozen and will accumulate vulnerabilities. Recommendations: 1) For new projects, use Vue 3; 2) For existing projects, migrate to Vue 3 or use Vue 2 NES from HeroDevs; 3) For projects that must remain on Vue 2, implement robust input validation, CSP headers, and dependency security monitoring at the application level; 4) Conduct immediate security audit of all dependencies using automated tools; 5) Implement compensating security controls including WAF, DDoS protection, and regular code reviews.

• Critical · End of Life Software - No Security Updates — Repository root / README.md. Vue 2 reached End of Life on December 31st, 2023 and no longer receives security updates, bug fixes, or patches. This means known vulnerabilities will not be addressed by the maintainers, leaving the codebase exposed to exploitation. Fix: Migrate to Vue 3 (vuejs/core) or use Vue 2 NES (Non-standard Extended Support) from HeroDevs for security-critical applications. If migration is not immediately possible, implement additional security controls and regularly audit dependencies.
• High · Unmaintained Dependencies Risk — package.json and all dependency tree. As an EOL project, all dependencies are frozen and will accumulate vulnerabilities over time. Package updates will not be provided, increasing the attack surface as new CVEs are discovered in transitive dependencies. Fix: Conduct a comprehensive audit of all current dependencies using tools like 'npm audit', 'snyk', or 'OWASP Dependency-Check'. For production use, consider using a dedicated security vendor or migrate to Vue 3.
• Medium · Potential XSS Attack Surface in Template Compilation — compiler-sfc/. Vue's template compilation system (compiler-sfc) processes user-provided templates. Without active security maintenance, any undiscovered XSS vulnerabilities in the template parser or expression evaluator could be exploited. Fix: Implement strict Content Security Policy (CSP) headers. Use template sandboxing where possible. Never pass untrusted user input directly to Vue templates. Consider using Vue 3 which has improved security hardening.
• Medium · Known Vue 2 XSS Vulnerabilities May Exist — src/core/ (not visible in provided structure). Vue 2 has had historical XSS vulnerabilities (e.g., CVE-2020-10955, improper attribute escaping). Without active maintenance, similar issues may remain undiscovered and unfixed. Fix: Review security advisories at https://vuejs.org/about/security.html. Implement input validation and output encoding at the application level. Use security-focused libraries for rendering user-generated content.
• Low · Benchmarking Code May Expose Information — benchmarks/. The benchmarks/ directory contains functional application code (dbmon, big-table, etc.) that could potentially be used to profile or analyze the application's behavior in production if accidentally deployed. Fix: Ensure benchmark code is excluded from production builds. Remove benchmarking utilities from deployed packages. Use build tools to strip benchmarking code from final bundles.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/vuejs/vue shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live vuejs/vue repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/vuejs/vue.

What it runs against: a local clone of vuejs/vue — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in vuejs/vue | Confirms the artifact applies here, not a fork | | 2 | License is still MIT | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 619 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of vuejs/vue. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/vuejs/vue.git
#   cd vue
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of vuejs/vue and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "vuejs/vue(\\.git)?\\b" \\
  && ok "origin remote is vuejs/vue" \\
  || miss "origin remote is not vuejs/vue (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"MIT\"" package.json 2>/dev/null) \\
  && ok "license is MIT" \\
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "package.json" \\
  && ok "package.json" \\
  || miss "missing critical file: package.json"
test -f "packages/compiler-sfc/src/index.ts" \\
  && ok "packages/compiler-sfc/src/index.ts" \\
  || miss "missing critical file: packages/compiler-sfc/src/index.ts"
test -f "packages/compiler-sfc/src/parse.ts" \\
  && ok "packages/compiler-sfc/src/parse.ts" \\
  || miss "missing critical file: packages/compiler-sfc/src/parse.ts"
test -f "dist/vue.common.js" \\
  && ok "dist/vue.common.js" \\
  || miss "missing critical file: dist/vue.common.js"
test -f ".github/CONTRIBUTING.md" \\
  && ok ".github/CONTRIBUTING.md" \\
  || miss "missing critical file: .github/CONTRIBUTING.md"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 619 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~589d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/vuejs/vue"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.