Update dependency @intlify/core-base to v11.1.10 [SECURITY]

[openverse-bot]

This PR contains the following updates:

Package	Type	Update	Change
@intlify/core-base (source)	devDependencies	minor	11.0.1 -> 11.1.10

GitHub Vulnerability Alerts

CVE-2025-53892

Summary

The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.

This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.

Details

When escapeParameterHtml: true is enabled, it correctly escapes common injection points.

However, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:

<img src=x onerror=alert(1)>

PoC

In your Vue I18n configuration:

const i18n = createI18n({
  escapeParameterHtml: true,
  messages: {
    en: {
      vulnerable: 'Caution: <img src=x onerror="{payload}">'
    }
  }
});

Use this interpolated payload:

const payload = '<script>alert("xss")</script>';
Render the translation using v-html (even not using v-html):

<p v-html="$t('vulnerable', { payload })"></p>
Expected: escaped content should render as text, not execute.

Actual: script executes in some environments (or the payload is partially parsed as HTML).

Impact

This creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .

---

Release Notes

intlify/vue-i18n (@​intlify/core-base)

v11.1.10

Compare Source

🔒 Security Fixes

• fix: DOM-based XSS via tag attributes for escape parameter, about details see GHSA-x8qp-wqqm-57ph

Full Changelog: intlify/vue-i18n@v11.1.9...v11.1.10

v11.1.9

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.8...v11.1.9

v11.1.8

Compare Source

What's Changed

⚡ Improvement Features

• fix: typo by @​kazupon in https://github.com/intlify/vue-i18n/pull/2221

Full Changelog: intlify/vue-i18n@v11.1.7...v11.1.8

v11.1.7

Compare Source

What's Changed

🐛 Bug Fixes

• fix: declaration order in Number formatting with options ResourceKeys by @​kazupon in https://github.com/intlify/vue-i18n/pull/2208

Full Changelog: intlify/vue-i18n@v11.1.6...v11.1.7

v11.1.6

Compare Source

What's Changed

⚡ Improvement Features

• fix: error on duplicate useI18n calling on local scope by @​kazupon in https://github.com/intlify/vue-i18n/pull/2203

Full Changelog: intlify/vue-i18n@v11.1.5...v11.1.6

v11.1.5

Compare Source

What's Changed

🐛 Bug Fixes

• fix: n() & d() output depending "part" option by @​kazupon in https://github.com/intlify/vue-i18n/pull/2194

Full Changelog: intlify/vue-i18n@v11.1.4...v11.1.5

v11.1.4

Compare Source

What's Changed

🌟 Features

• feat: Part options support $n by @​mauryapari in https://github.com/intlify/vue-i18n/pull/2175
• feat: Part options support $d by @​mauryapari in https://github.com/intlify/vue-i18n/pull/2180

⚡ Improvement Features

• fix: support vue core internal slot key changing by @​kazupon in https://github.com/intlify/vue-i18n/pull/2190

Full Changelog: intlify/vue-i18n@v11.1.3...v11.1.4

v11.1.3

Compare Source

What's Changed

🐛 Bug Fixes

• fix: cannot resolve the ast messages which has json path for v11 by @​kazupon in https://github.com/intlify/vue-i18n/pull/2159

⚡ Improvement Features

• fix: duplicate generated type config naming by @​BobbieGoede in https://github.com/intlify/vue-i18n/pull/2158

Full Changelog: intlify/vue-i18n@v11.1.2...v11.1.3

v11.1.2

Compare Source

What's Changed

🔒 Security Fixes

• fix: prototype pollution in handleFlatJson, about details see GHSA-p2ph-7g93-hw3m

Full Changelog: intlify/vue-i18n@v11.1.1...v11.1.2

v11.1.1

Compare Source

Full Changelog: intlify/vue-i18n@v11.1.0...v11.1.1

v11.1.0

Compare Source

What's Changed

🌟 Features

• feat: configurable ComponentCustomProperties['$i18n'] type by @​BobbieGoede in https://github.com/intlify/vue-i18n/pull/2094

📝️ Documentations

• fix: vue-i18n v8 EOL by @​kazupon in https://github.com/intlify/vue-i18n/pull/2060

Full Changelog: intlify/vue-i18n@v11.0.1...v11.1.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Latest k6 run output¹

     ✓ status was 200

     checks.........................: 100.00% ✓ 416      ✗ 0   
     data_received..................: 96 MB   398 kB/s
     data_sent......................: 54 kB   226 B/s
     http_req_blocked...............: avg=74.58µs  min=2.28µs   med=4.76µs   max=1.59ms   p(90)=148.84µs p(95)=444.77µs
     http_req_connecting............: avg=53.77µs  min=0s       med=0s       max=1.5ms    p(90)=100.54µs p(95)=181.35µs
     http_req_duration..............: avg=153.33ms min=19.46ms  med=105.49ms max=978.97ms p(90)=359.55ms p(95)=410.79ms
       { expected_response:true }...: avg=153.33ms min=19.46ms  med=105.49ms max=978.97ms p(90)=359.55ms p(95)=410.79ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 416 
     http_req_receiving.............: avg=196.79µs min=60.53µs  med=143.32µs max=3.45ms   p(90)=289.39µs p(95)=429.23µs
     http_req_sending...............: avg=29.05µs  min=7.8µs    med=23.02µs  max=700.81µs p(90)=39.88µs  p(95)=63.57µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=153.1ms  min=19.3ms   med=105.35ms max=978.77ms p(90)=357.67ms p(95)=410.41ms
     http_reqs......................: 416     1.725821/s
     iteration_duration.............: avg=824.96ms min=232.46ms med=922.63ms max=1.71s    p(90)=1.12s    p(95)=1.16s   
     iterations.....................: 78      0.323591/s
     vus............................: 3       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

1. This comment will automatically update with new output each time k6 runs for this PR ↩