[PR #378] chore(deps): Bump i18next-http-backend from 3.0.2 to 3.0.5 #378

New issue

Open

opened 2026-05-06 12:16:40 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:16:40 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/BreizhHardware/portfolio/pull/378
Author: @dependabot[bot]
Created: 4/22/2026
Status: 🔄 Open

Base: main ← Head: dependabot/npm_and_yarn/i18next-http-backend-3.0.5

📝 Commits (1)

37e9b0e chore(deps): Bump i18next-http-backend from 3.0.2 to 3.0.5

📊 Changes

2 files changed (+10 additions, -10 deletions)

View changed files

📝 package.json (+1 -1)
📝 pnpm-lock.yaml (+9 -9)

📄 Description

Bumps i18next-http-backend from 3.0.2 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)

security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process

security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)

security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath

security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers

chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

Commits

5757fa3 3.0.5
4cee84f security: hardening for 3.0.5
4cbc487 Bump next from 16.2.1 to 16.2.3 in /example/next (#180)
0d7dcbb make last change more clear
c740e01 year
e1dc72b changelog fix
4dbb485 3.0.4
5f33a0c use own interpolation function for loadPath and addPath instead of relying on...
681c09d update ci actions
e63ff16 adjust deno test
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/BreizhHardware/portfolio/pull/378 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 4/22/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/i18next-http-backend-3.0.5` --- ### 📝 Commits (1) - [`37e9b0e`](https://github.com/BreizhHardware/portfolio/commit/37e9b0eadb0711718cf2d907866578d0cd47f896) chore(deps): Bump i18next-http-backend from 3.0.2 to 3.0.5 ### 📊 Changes **2 files changed** (+10 additions, -10 deletions) <details> <summary>View changed files</summary> 📝 `package.json` (+1 -1) 📝 `pnpm-lock.yaml` (+9 -9) </details> ### 📄 Description Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md">i18next-http-backend's changelog</a>.</em></p> <blockquote> <h3>3.0.5</h3> <p>Security release — all issues found via an internal audit. See published advisory <a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>.</p> <ul> <li>security: refuse to build request URLs when <code>lng</code> or <code>ns</code> values contain path-traversal, URL-structure (<code>?</code>, <code>#</code>, <code>%</code>, <code>@</code>, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. <code>isSafeUrlSegment</code> is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, <code>+</code>-joined multi-language requests) (<a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>)</li> <li>security: per-instance <code>omitFetchOptions</code> — the fetch-options-stripping fallback is now scoped to a single backend instance via <code>options._omitFetchOptions</code> instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips <code>requestOptions</code> (including <code>credentials</code>, <code>mode</code>, <code>cache</code>) from every other backend instance in the same process</li> <li>security: strip CR/LF/NUL and other C0/C1 control characters from <code>lng</code>/<code>ns</code> / URL values before they appear in error-callback strings (CWE-117 log forging)</li> <li>security: redact <code>user:password</code> credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in <code>loadPath</code> / <code>addPath</code></li> <li>security: iterate own enumerable keys only (<code>Object.keys</code> + prototype-key guard) in <code>addQueryString</code> and in the <code>customHeaders</code> loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers</li> <li>chore: ignore <code>.env*</code> and <code>*.pem</code>/<code>*.key</code> files in <code>.gitignore</code></li> </ul> <h3>3.0.4</h3> <ul> <li>use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator <a href="https://redirect.github.com/i18next/i18next/issues/2420">i18next#2420</a> — this means only <code>{{lng}}</code> and <code>{{ns}}</code> placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5757fa3283bff31bd75e75598c3bcb44179bd892"><code>5757fa3</code></a> 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621"><code>4cee84f</code></a> security: hardening for 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cbc48741128d9b1f6cceb43edabfbec84c92615"><code>4cbc487</code></a> Bump next from 16.2.1 to 16.2.3 in /example/next (<a href="https://redirect.github.com/i18next/i18next-http-backend/issues/180">#180</a>)</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/0d7dcbb09989d358b3af9a67658469ae8ed361dc"><code>0d7dcbb</code></a> make last change more clear</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/c740e013ab5ff4ea3a71f9e0842a302bdf4147ae"><code>c740e01</code></a> year</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e1dc72b3fb016932959d2bf796d94985baca7050"><code>e1dc72b</code></a> changelog fix</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4dbb4851ff53b0058d8f0a254779b45c839e6c24"><code>4dbb485</code></a> 3.0.4</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5f33a0c2d72f8f9c1e0add30b9b75a0c2edeb7b6"><code>5f33a0c</code></a> use own interpolation function for loadPath and addPath instead of relying on...</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/681c09d12ebfafef09351b784d2e7b250328879f"><code>681c09d</code></a> update ci actions</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e63ff163717ba02c589e27fa81cc881add892fbd"><code>e63ff16</code></a> adjust deno test</li> <li>Additional commits viewable in <a href="https://github.com/i18next/i18next-http-backend/compare/v3.0.2...v3.0.5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=i18next-http-backend&package-manager=npm_and_yarn&previous-version=3.0.2&new-version=3.0.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/BreizhHardware/portfolio/network/alerts). </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>