Skip to content

chore(deps): bump i18next-http-middleware from 3.7.4 to 3.9.7#2775

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/i18next-http-middleware-3.9.7
Open

chore(deps): bump i18next-http-middleware from 3.7.4 to 3.9.7#2775
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/npm_and_yarn/i18next-http-middleware-3.9.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Contributor

Bumps i18next-http-middleware from 3.7.4 to 3.9.7.

Changelog

Sourced from i18next-http-middleware's changelog.

v3.9.7

Security release — coordinated disclosure from @​codeswhite. See published advisory GHSA-f49m-vf83-692w.

  • security: extend the missingKeyHandler prototype-pollution guard to also reject dotted (or otherwise keySeparator-segmented) keys whose segments contain __proto__, constructor, or prototype. The 3.9.3 fix blocked the literal keys but missed dotted variants like __proto__.polluted, which downstream backends that split the missing-key string on keySeparator before persisting (notably i18next-fs-backend ≤ 2.6.5 in its now-patched writeFile() path) walked into Object.prototype. New utils.hasUnsafeKeySegment(key, keySeparator) helper is now used by missingKeyHandler; the configured i18next.options.keySeparator is honoured (default .; false disables segment splitting and only the literal-key denylist applies). Pairs with the root-cause fix in i18next-fs-backend 2.6.6. Credit: @​codeswhite (GHSA-f49m-vf83-692w).

v3.9.6

  • Fix cookie header being overwritten instead of appended #126

v3.9.5

  • fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale layouts such as public/locales/en/a/b.json on fs-backend, /locales/en/a/b.json on http-backend) are no longer dropped by getResourcesHandler. 3.9.3's security fix applied the same strict identifier check to both lng and ns via utils.isSafeIdentifier, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of the backend loadPath and is common enough in the wild to be worth accommodating. isSafeIdentifier is now split into isSafeLangIdentifier (strict — still rejects /) and isSafeNsIdentifier (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafeIdentifier is kept as a backwards-compatible alias for the strict check. The 3.9.3 security fix remains in force for every concrete attack pattern from the original advisory.

v3.9.4

  • Add Set-Cookie header to response in Fresh plugin so language preference persists across reloads/new tabs #125

v3.9.3

Security release — all issues found via an internal audit. See published GHSA advisories GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg.

  • security: guard utils.setPath against prototype pollution via crafted lng/ns in getResourcesHandler (GHSA-5fgg-jcpf-8jjw)
  • security: sanitise Content-Language response header to prevent CRLF injection / unhandled ERR_INVALID_CHAR crash via unsanitised language codes (GHSA-c3h8-g69v-pjrg)
  • security: skip inherited/prototype-polluting keys (__proto__, constructor, prototype) in missingKeyHandler request body (GHSA-5fgg-jcpf-8jjw)
  • security: filter unsafe lng/ns values in getResourcesHandler (reject path-traversal, path separators, control characters, prototype keys, over-long inputs) to prevent path traversal / SSRF via the backend connector and unbounded growth of the shared i18next.options.ns array. Any legitimate language code shape is still accepted — i18next permits arbitrary codes (FAQ) (GHSA-5fgg-jcpf-8jjw)
  • security: hasXSS regex now catches event handlers in any attribute position (previously only matched when the handler was the first attribute; e.g. <input autofocus onfocus=…> bypassed the filter)
  • security: automatically set the Secure flag on the language cookie when cookieSameSite: 'none' — browsers reject SameSite=None without Secure
  • chore: ignore .env* and *.pem/*.key files in .gitignore

v3.9.2

  • TS definition for default export #100

v3.9.1

  • Adds missing TS declaration and options argument. #99

v3.9.0

  • Fresh 2 support #98

v3.8.3

  • Supports the parsing of Deno headers (fixes #94) #95

v3.8.2

  • fix: properly handle fallbackLng when configured as an object with default property or language-specific fallback chains #92

v3.8.1

  • Try to fix Language detector doesn't fall back to basic language when dialect is present #91 by making sure fix for #26 is still working

v3.8.0

  • Introduce 'cookieHttpOnly' option to configure HttpOnly cookie #89
Commits
  • 23145ac 3.9.7
  • 7c6d26f security: reject missing keys whose split segments hit proto / constructo...
  • 72f03fa Modernize locize.com URLs and refresh UTM tags
  • 7a2128a Bump i18next-http-middleware from 3.1.4 to 3.9.3 in /example/fastify (#128)
  • f24900b Bump i18next-fs-backend from 1.1.1 to 2.6.4 in /example/fastify-pov (#127)
  • 8d2354a 3.9.6
  • c5c20a1 release
  • 4c28da5 Fix cookie header being overwritten instead of appended (#126)
  • 6edc535 docs: clarify that nested-ns with slashes was never officially supported
  • 98afc71 3.9.5
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 28, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/i18next-http-middleware-3.9.7 branch 8 times, most recently from 95381ac to e687cb4 Compare July 2, 2026 10:32
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/i18next-http-middleware-3.9.7 branch 8 times, most recently from 48d2d6a to ea86a99 Compare July 10, 2026 13:32
Bumps [i18next-http-middleware](https://github.com/i18next/i18next-http-middleware) from 3.7.4 to 3.9.7.
- [Changelog](https://github.com/i18next/i18next-http-middleware/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-http-middleware@v3.7.4...v3.9.7)

---
updated-dependencies:
- dependency-name: i18next-http-middleware
  dependency-version: 3.9.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/i18next-http-middleware-3.9.7 branch from 1df5b3a to 27cadb8 Compare July 10, 2026 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants