Announcing Nuxt Scripts v1

Nuxt Scripts v1 is here — privacy and performance for third-party scripts in Nuxt.
Harlan Wilton Harlan Wilton
5 mins read
Published

Introduction

Over a year ago I set out to build a module that would give Nuxt developers the best possible experience for managing third-party scripts - without sacrificing performance or their users' privacy.

Today I'm excited to announce that Nuxt Scripts has reached stable with v1.

In this post I'll cover what Nuxt Scripts does, the highlights of this release and what's next.

The Problem with Third-Party Scripts

Third-party scripts are everywhere - analytics, ads, chat widgets, social embeds. They're also one of the biggest threats to your site's performance and your users' privacy:

  • Performance: Scripts block rendering, compete for the main thread, and bloat page weight.
  • Privacy: Every request leaks your users' IP address, and scripts can set third-party cookies for cross-site tracking.
  • Security: A compromised script has full access to your page.

Nuxt Scripts was built to solve all three.

Stable Release: v1

To consider Nuxt Scripts stable I wanted to make sure it covered the most common use cases for third-party scripts while pushing the boundaries of what's possible with privacy and performance.

As of today, the module supports 30+ registry scripts, first-party proxying, web worker offloading, SSR social embeds and automatic SRI hashes - with a full suite of tests to avoid regressions.

Here are the highlights.

First-Party Mode

Third-party scripts expose data that can be used for fingerprinting users across sites. Ad blockers rightfully block these for privacy reasons.

First-party mode routes all script traffic through your own domain.

export default defineNuxtConfig({
  scripts: {
    firstParty: true,
    registry: {
      googleAnalytics: { id: 'G-XXXXXX' },
      metaPixel: { id: '123456' },
    }
  }
})

What happens:

  • Scripts downloaded at build time and served from your domain
  • Collection URLs rewritten to local paths (/_scripts/c/ga)
  • Nitro route rules proxy requests to original endpoints
  • User IPs stay private: third parties see your server's IP, not your users'
  • No third-party cookies: requests are same-origin
  • Works with ad blockers: requests appear first-party

Supported: Google Analytics, GTM, Meta Pixel, TikTok, Segment, Clarity, Hotjar, X/Twitter, Snapchat, Reddit.

Partytown Web Worker Support

Load third-party scripts off the main thread using Partytown. Scripts run in a web worker, freeing the main thread for your app.

export default defineNuxtConfig({
  modules: ['@nuxtjs/partytown', '@nuxt/scripts'],
  scripts: {
    partytown: ['plausible', 'fathom', 'umami'],
    registry: {
      plausible: { domain: 'example.com' },
      fathom: { site: 'XXXXX' }
    }
  }
  // Forward array auto-configured — no manual setup needed!
})

Auto-forwarding is supported for all major analytics and pixel scripts including Google Analytics, Plausible, Fathom, Umami, Matomo, Segment, and more.

SSR Social Embeds

Third-party embed scripts (Twitter widgets, Instagram embeds) hurt performance and leak user data. Following the Cloudflare Zaraz approach, we now fetch embed data server-side and proxy all assets through your domain.

<ScriptXEmbed tweet-id="1754336034228171055">
  <template #default="{ userName, text, likesFormatted, photos }">
    <!-- Full styling control via scoped slots -->
  </template>
</ScriptXEmbed>

Privacy benefits:

  • Zero third-party JavaScript loaded
  • No cookies set by X/Instagram
  • User IPs not shared with third parties
  • All content served from your domain

Script Reload API

Scripts now expose a .reload() method for re-executing DOM-scanning scripts after SPA navigation.

const script = useScript('/third-party.js')
await script.reload()

Automatic SRI Integrity Hashes

Bundled scripts can automatically generate Subresource Integrity hashes, protecting against tampered scripts.

export default defineNuxtConfig({
  scripts: {
    assets: {
      integrity: 'sha384'
    }
  }
})

New Registry Scripts

  • PostHog Analytics: Product analytics with feature flags
  • Google reCAPTCHA v3: Invisible bot protection
  • TikTok Pixel: Conversion tracking
  • Google Sign-In: One-tap authentication

YouTube Player Overhaul

  • Isolated player instances: Multiple players work correctly
  • Aspect ratio control: New ratio prop
  • Proper cleanup: Players destroyed on unmount

Google Maps Enhancements

  • Color mode support: Auto light/dark switching
  • Static maps proxy: Hide API keys, fix CORS

GTM Consent Mode

Built-in support for Google's Consent Mode v2, making GDPR compliance straightforward.

export default defineNuxtConfig({
  scripts: {
    registry: {
      googleTagManager: {
        id: 'GTM-XXXX',
        defaultConsent: {
          ad_storage: 'denied',
          analytics_storage: 'denied'
        }
      }
    }
  }
})

Breaking Changes

This release includes a small number of breaking changes, primarily around the YouTube Player component.

  • YouTube Player: ratio prop replaces width/height for aspect ratio control
  • YouTube Player: Placeholder object-fit default changed to cover
  • GTM: onBeforeGtmStart callback timing changed

Full migration guide: v1 Migration Guide

What's Next?

There are a few areas I'm excited to explore:

  • More first-party integrations: Expanding the list of scripts that support first-party mode.
  • Nuxt v4 / Nitro v3: Full support as they reach stable.
  • New registry scripts: Continuing to grow the library of drop-in script integrations.

Conclusion

I'd like to thank the community for their patience and feedback in getting the module to where it is today. The 30+ contributors and everyone who filed issues and tested pre-releases made this possible.

I hope Nuxt Scripts helps you build faster, more private apps for your users.