Skip to content

build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5#319

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/i18next-http-backend-3.0.5
Open

build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5#319
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/i18next-http-backend-3.0.5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026
edited
Loading

Bumps i18next-http-backend from 3.0.2 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

  • security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
  • security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
  • security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
  • security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
  • security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
  • chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

  • use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths
Commits

@dependabot dependabot Bot added the bump:patch Bump the patch version on pull request label Apr 22, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
github-emoji-picker Ready Ready Preview, Comment May 11, 2026 8:31am

@github-actions github-actions Bot removed the bump:patch Bump the patch version on pull request label Apr 22, 2026
@dependabot
build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5
7018277 
Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5.
- [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-http-backend@v3.0.2...v3.0.5)

---
updated-dependencies:
- dependency-name: i18next-http-backend
  dependency-version: 3.0.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/i18next-http-backend-3.0.5 branch from adf2d1d to 7018277 Compare May 11, 2026 08:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants