Skip to content

build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5#291

Open
dependabot[bot] wants to merge 1 commit intodevelfrom
dependabot/npm_and_yarn/i18next-http-backend-3.0.5
Open

build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5#291
dependabot[bot] wants to merge 1 commit intodevelfrom
dependabot/npm_and_yarn/i18next-http-backend-3.0.5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026
edited
Loading

Bumps i18next-http-backend from 3.0.2 to 3.0.5.

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

  • security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
  • security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
  • security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
  • security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
  • security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
  • chore: ignore .env* and *.pem/*.key files in .gitignore

3.0.4

  • use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 22, 2026
@dependabot
build(deps): bump i18next-http-backend from 3.0.2 to 3.0.5
e6c873b 
Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5.
- [Changelog](https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-http-backend@v3.0.2...v3.0.5)

---
updated-dependencies:
- dependency-name: i18next-http-backend
  dependency-version: 3.0.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/i18next-http-backend-3.0.5 branch from c1e0e72 to e6c873b Compare April 23, 2026 08:35
@sonarqube-zextras
Copy link
Copy Markdown

sonarqube-zextras Bot commented Apr 23, 2026

Passed Quality Gate passed

Issues

Measures

Project ID: carbonio-files-public-folder-ui

View in SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants