Skip to content

chore(deps): update dependency i18next to v26.3.4#160

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/i18next-26.x-lockfile
Open

chore(deps): update dependency i18next to v26.3.4#160
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/i18next-26.x-lockfile

Conversation

@renovate

@renovate renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
i18next (source) 26.3.126.3.4 age confidence

Release Notes

i18next/i18next (i18next)

v26.3.4

Compare Source

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.

v26.3.3

Compare Source

  • fix(types): selector t($ => $.arr, { returnObjects: true, context }) on a JSON array of heterogeneous objects now preserves each element's full shape (e.g. { transKey1: string; transKey2: string }[]) instead of collapsing to a union of partial element types. Two type-level causes: (1) FilterKeys evaluated the whole array element type at once, so keyof (A | B) only saw the keys common to every element — it now distributes over the object union and filters each element independently; (2) when TypeScript merges mismatched array element types it injects phantom optional undefined keys (e.g. transKey1_withContext?: undefined on elements that don't define it), which the context-detection helpers mistook for real context variants — they now skip keys typed as undefined. Also adds a dedicated context + returnObjects: true selector overload using const Fn + ReturnType<Fn>, so Target is no longer collapsed to unknown via ApplyTarget. Resolves Problem 1 of #​2398 (Problem 2 was already fixed on master). Thanks @​sauravgupta-dotcom (#​2438). Fixes #​2398.

v26.3.2

Compare Source

  • fix: chained formatters with a parenthesised option that contains the format separator (e.g. join(separator: ', ')) now work at any position in the chain, not just first. Previously the comma-in-parens reassembly only repaired formats[0], so {{v, uppercase, join(separator: ', ')}} split the join(...) option on the inner comma and never rejoined it, producing corrupt output. Replaced the first-position-only repair with a position-independent pass that re-joins fragments until each open paren closes. Thanks @​spokodev (#​2437).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/i18next-26.x-lockfile branch from 9f2dc9e to 9c3e50f Compare June 29, 2026 17:41
@renovate renovate Bot changed the title chore(deps): update dependency i18next to v26.3.2 chore(deps): update dependency i18next to v26.3.3 Jun 29, 2026
@renovate renovate Bot force-pushed the renovate/i18next-26.x-lockfile branch from 9c3e50f to fa6e0c3 Compare July 3, 2026 07:12
@renovate renovate Bot changed the title chore(deps): update dependency i18next to v26.3.3 chore(deps): update dependency i18next to v26.3.4 Jul 3, 2026
@renovate renovate Bot force-pushed the renovate/i18next-26.x-lockfile branch from fa6e0c3 to fcdd8d3 Compare July 6, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants