[PR #1712] [MERGED] Bump i18next-http-backend from 1.4.5 to 3.0.5 in /web #1701

New issue

Closed

opened 2026-05-07 01:03:18 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented 2026-05-07 01:03:18 +02:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/binwiederhier/ntfy/pull/1712
Author: @dependabot[bot]
Created: 4/22/2026
Status: ✅ Merged
Merged: 4/23/2026
Merged by: @binwiederhier

Base: main ← Head: dependabot/npm_and_yarn/web/i18next-http-backend-3.0.5

---

📝 Commits (1)

• fe8c9b8 Bump i18next-http-backend from 1.4.5 to 3.0.5 in /web

📊 Changes

2 files changed (+16 additions, -55 deletions)

View changed files

📝 web/package-lock.json (+15 -54)
📝 web/package.json (+1 -1)

📄 Description

Bumps i18next-http-backend from 1.4.5 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

• security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
• security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
• security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
• security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
• security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
• chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

• use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

3.0.2

• optimize fetchApi selector

3.0.1

• try to get rid of top-level await

3.0.0

• fix for Deno 2 and removal of unnecessary .cjs file
• for esm build environments not supporting top-level await, you should import the i18next-http-backend/cjs export or stay at v2.6.2 or v2.7.1

2.7.3

• optimize fetchApi selector [backported]

2.7.1

• same as 2.6.2

2.7.0

• deprecated, same as v3.0.0

2.6.2

• improve network error detection across browsers 152

2.6.1

• optimize "Failed to fetch" retry case 147

2.6.0

... (truncated)

Commits

• 5757fa3 3.0.5
• 4cee84f security: hardening for 3.0.5
• 4cbc487 Bump next from 16.2.1 to 16.2.3 in /example/next (#180)
• 0d7dcbb make last change more clear
• c740e01 year
• e1dc72b changelog fix
• 4dbb485 3.0.4
• 5f33a0c use own interpolation function for loadPath and addPath instead of relying on...
• 681c09d update ci actions
• e63ff16 adjust deno test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/binwiederhier/ntfy/pull/1712 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 4/22/2026 **Status:** ✅ Merged **Merged:** 4/23/2026 **Merged by:** [@binwiederhier](https://github.com/binwiederhier) **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/web/i18next-http-backend-3.0.5` --- ### 📝 Commits (1) - [`fe8c9b8`](https://github.com/binwiederhier/ntfy/commit/fe8c9b8f2cd88165489e6e614266316c103ed85b) Bump i18next-http-backend from 1.4.5 to 3.0.5 in /web ### 📊 Changes **2 files changed** (+16 additions, -55 deletions) <details> <summary>View changed files</summary> 📝 `web/package-lock.json` (+15 -54) 📝 `web/package.json` (+1 -1) </details> ### 📄 Description Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 1.4.5 to 3.0.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md">i18next-http-backend's changelog</a>.</em></p> <blockquote> <h3>3.0.5</h3> <p>Security release — all issues found via an internal audit. See published advisory <a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>.</p> <ul> <li>security: refuse to build request URLs when <code>lng</code> or <code>ns</code> values contain path-traversal, URL-structure (<code>?</code>, <code>#</code>, <code>%</code>, <code>@</code>, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. <code>isSafeUrlSegment</code> is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, <code>+</code>-joined multi-language requests) (<a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>)</li> <li>security: per-instance <code>omitFetchOptions</code> — the fetch-options-stripping fallback is now scoped to a single backend instance via <code>options._omitFetchOptions</code> instead of a module-level boolean. One instance hitting a &quot;not implemented&quot; fetch error no longer permanently strips <code>requestOptions</code> (including <code>credentials</code>, <code>mode</code>, <code>cache</code>) from every other backend instance in the same process</li> <li>security: strip CR/LF/NUL and other C0/C1 control characters from <code>lng</code>/<code>ns</code> / URL values before they appear in error-callback strings (CWE-117 log forging)</li> <li>security: redact <code>user:password</code> credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in <code>loadPath</code> / <code>addPath</code></li> <li>security: iterate own enumerable keys only (<code>Object.keys</code> + prototype-key guard) in <code>addQueryString</code> and in the <code>customHeaders</code> loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers</li> <li>chore: ignore <code>.env*</code> and <code>*.pem</code>/<code>*.key</code> files in <code>.gitignore</code></li> </ul> <h3>3.0.4</h3> <ul> <li>use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator <a href="https://redirect.github.com/i18next/i18next/issues/2420">i18next#2420</a> — this means only <code>{{lng}}</code> and <code>{{ns}}</code> placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths</li> </ul> <h3>3.0.2</h3> <ul> <li>optimize fetchApi selector</li> </ul> <h3>3.0.1</h3> <ul> <li>try to get rid of top-level await</li> </ul> <h3>3.0.0</h3> <ul> <li>fix for Deno 2 and removal of unnecessary .cjs file</li> <li>for esm build environments not supporting top-level await, you should import the <code>i18next-http-backend/cjs</code> export or stay at v2.6.2 or v2.7.1</li> </ul> <h3>2.7.3</h3> <ul> <li>optimize fetchApi selector [backported]</li> </ul> <h3>2.7.1</h3> <ul> <li>same as 2.6.2</li> </ul> <h3>2.7.0</h3> <ul> <li>deprecated, same as v3.0.0</li> </ul> <h3>2.6.2</h3> <ul> <li>improve network error detection across browsers <a href="https://redirect.github.com/i18next/i18next-http-backend/pull/152">152</a></li> </ul> <h3>2.6.1</h3> <ul> <li>optimize &quot;Failed to fetch&quot; retry case <a href="https://redirect.github.com/i18next/i18next-http-backend/issues/147">147</a></li> </ul> <h3>2.6.0</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5757fa3283bff31bd75e75598c3bcb44179bd892"><code>5757fa3</code></a> 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621"><code>4cee84f</code></a> security: hardening for 3.0.5</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4cbc48741128d9b1f6cceb43edabfbec84c92615"><code>4cbc487</code></a> Bump next from 16.2.1 to 16.2.3 in /example/next (<a href="https://redirect.github.com/i18next/i18next-http-backend/issues/180">#180</a>)</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/0d7dcbb09989d358b3af9a67658469ae8ed361dc"><code>0d7dcbb</code></a> make last change more clear</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/c740e013ab5ff4ea3a71f9e0842a302bdf4147ae"><code>c740e01</code></a> year</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e1dc72b3fb016932959d2bf796d94985baca7050"><code>e1dc72b</code></a> changelog fix</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/4dbb4851ff53b0058d8f0a254779b45c839e6c24"><code>4dbb485</code></a> 3.0.4</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/5f33a0c2d72f8f9c1e0add30b9b75a0c2edeb7b6"><code>5f33a0c</code></a> use own interpolation function for loadPath and addPath instead of relying on...</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/681c09d12ebfafef09351b784d2e7b250328879f"><code>681c09d</code></a> update ci actions</li> <li><a href="https://github.com/i18next/i18next-http-backend/commit/e63ff163717ba02c589e27fa81cc881add892fbd"><code>e63ff16</code></a> adjust deno test</li> <li>Additional commits viewable in <a href="https://github.com/i18next/i18next-http-backend/compare/v1.4.5...v3.0.5">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/binwiederhier/ntfy/network/alerts). </details> --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

BreizhHardware 2026-05-07 01:03:18 +02:00

• closed this issue
• added the
  pull-request
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#1701

No description provided.