chore(deps): bump the rest group across 1 directory with 26 updates #3160

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/rest-fbd2cb1bd9

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Bumps the rest group with 26 updates in the / directory:

Package From To
countly-sdk-nodejs 20.11.0 24.10.4
electron-serve 1.1.0 3.0.1
electron-store 8.1.0 11.0.2
fix-path 3.0.0 5.0.0
fs-extra 10.1.0 11.3.5
i18next 21.8.14 26.3.1
i18next-fs-backend 1.1.4 2.6.6
i18next-icu 2.0.3 2.4.3
intl-messageformat 9.13.0 11.2.8
ipfs-http-client 56.0.2 60.0.1
ipfsd-ctl 10.0.6 17.0.0
it-last 1.0.6 3.0.11
portfinder 1.0.32 1.0.38
untildify 4.0.0 6.0.0
winston 3.7.2 3.19.0
@electron/notarize 1.2.3 3.1.1
@ipfs-shipyard/release-please-ipfs-plugin 1.0.1 1.1.0
dotenv 16.4.5 17.4.2
got 12.1.0 15.0.5
patch-package 6.5.1 8.0.1
pre-commit 1.2.2 2.0.0
semver-regex 3.1.4 4.0.5
shx 0.3.4 0.4.0
standard 16.0.4 17.1.2
tmp 0.2.3 0.2.7
ts-standard 11.0.0 12.0.2

Updates countly-sdk-nodejs from 20.11.0 to 24.10.4

Release notes

Sourced from countly-sdk-nodejs's releases.

Countly NodeJS SDK 24.10.4

  • Added a new init time flag salt for request tampering protection (should be used in tandem with server options)

Countly NodeJS SDK 24.10.3

  • Added support for uploading user images by providing path to the local image using picturePath parameter in user_details method (non-bulk)
  • Reduced SDK log verbosity

Countly NodeJS SDK 24.10.2

  • Added timezone support for server

Countly NodeJS SDK 24.10.1

  • Added a new method set_id(newDeviceId) for managing device ID changes according to the device ID Type
  • Added DeviceIdType enums to be used to evaluate the device ID type.
  • Added reserved keys for user properties

Countly NodeJS SDK 24.10.0

  • Default max segmentation value count changed from 30 to 100
  • Mitigated an issue where SDK could create an unintended dump file
  • Added a new init time config option (storage_type) which can make user set the SDK storage option:
    • File Storage
    • Memory Only Storage
  • Added a new init time config option (custom_storage_method) which enables user to provide custom storage methods

Countly NodeJS SDK 22.06.0

  • Fixed a bug where remote config requests were rejected
  • Fixed a bug where empty storage object did cause some issues

Countly NodeJS SDK 22.02.0

  • !! Major breaking change !! Device ID provided during the init will be ignored if a device ID was provided previously
  • Added a new init time flag which erases the previously stored device ID. This allows to set new device ID during init
  • Added a call to get the device ID type of the user
  • Added a call to get the device ID of the user
  • Now it appends the device ID type with each request

Countly NodeJS SDK 21.11.0

  • !! Major breaking change !! Changing device ID without merging will now clear the current consent. Consent has to be given again after performing this action.
  • ! Minor breaking change ! Multiple values now have a default limit adjustable at initialization:
    • Maximum size of all string keys is now 128 characters by default.
    • Maximum size of all values in key-value pairs is now 256 characters by default.
    • Maximum amount of segmentation in one event is now 30 key-value pairs by default.
    • Maximum amount of breadcrumbs that can be recorded at once is now 100 by default.
    • Maximum stack trace lines per thread is now 30 by default.
    • Maximum stack trace line length is now 200 by default.
  • ! Minor breaking change ! After initialization, the logging/debugging mode can only be changed with Countly.setLoggingEnabled instead of Countly.debug now.
  • When recording internal events with 'add_event', the respective feature consent will now be checked instead of just the 'events' consent.
  • Fixed a bug where the SDK throws a Bulk user storage exception due to a missing folder
  • Increased the default max event batch size to 100.
  • Logs are now color coded and indicate log levels.

Changelog

Sourced from countly-sdk-nodejs's changelog.

24.10.4

  • Added a new init time flag salt for request tampering protection (should be used in tandem with server options)

24.10.3

  • Added support for uploading user images by providing path to the local image using picturePath parameter in user_details method (non-bulk)
  • Reduced SDK log verbosity

24.10.2

  • Added timezone support for server

24.10.1

  • Added a new method set_id(newDeviceId) for managing device ID changes according to the device ID Type
  • Added DeviceIdType enums to be used to evaluate the device ID type.
  • Added reserved keys for user properties

24.10.0

  • Default max segmentation value count changed from 30 to 100
  • Mitigated an issue where SDK could create an unintended dump file
  • Added a new init time config option (conf.storage_type) which can make user set the SDK storage option:
    • File Storage
    • Memory Only Storage
  • Added a new init time config option (conf.custom_storage_method) which enables user to provide custom storage methods

22.06.0

  • Fixed a bug where remote config requests were rejected
  • Fixed a bug where empty storage object did cause some issues

22.02.0

  • !! Major breaking change !! Device ID provided during the init will be ignored if a device ID was provided previously
  • Added a new init time flag which erases the previously stored device ID. This allows to set new device ID during init
  • Added a call to get the device ID type of the user
  • Added a call to get the device ID of the user
  • Now it appends the device ID type with each request

21.11.0

  • !! Major breaking change !! Changing device ID without merging will now clear the current consent. Consent has to be given again after performing this action.
  • ! Minor breaking change ! Multiple values now have a default limit adjustable at initialization:
    • Maximum size of all string keys is now 128 characters by default.
    • Maximum size of all values in key-value pairs is now 256 characters by default.
    • Maximum amount of segmentation in one event is now 30 key-value pairs by default.
    • Maximum amount of breadcrumbs that can be recorded at once is now 100 by default.
    • Maximum stack trace lines per thread is now 30 by default.
    • Maximum stack trace line length is now 200 by default.
  • ! Minor breaking change ! After initialization, the logging/debugging mode can only be changed with Countly.setLoggingEnabled instead of Countly.debug now.
  • When recording internal events with 'add_event', the respective feature consent will now be checked instead of just the 'events' consent.
  • Fixed a bug where the SDK throws a Bulk user storage exception due to a missing folder
  • Increased the default max event batch size to 100.
  • Logs are now color coded and indicate log levels.

20.11

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by turtledreams, a new releaser for countly-sdk-nodejs since your current version.


Updates electron-serve from 1.1.0 to 3.0.1

Release notes

Sourced from electron-serve's releases.

v3.0.1

  • Fix: Batch scheme registrations into a single call f773dd5

sindresorhus/electron-serve@v3.0.0...v3.0.1

v3.0.0

Breaking

  • Require Electron 37 and Node.js 20 184e818

Improvements

  • Make directory option optional with default value 09b1909
  • Fix source maps support for Chrome DevTools e666c5d
  • Replace deprecated registerFileProtocol with protocol.handle 7c429e7

sindresorhus/electron-serve@v2.1.1...v3.0.0

v2.1.1

  • Fix loading directory specified by relative path (#45) 633af66

sindresorhus/electron-serve@v2.1.0...v2.1.1

v2.1.0

  • Improve path resolution (credit to Alan Li) d72acb3

sindresorhus/electron-serve@v2.0.0...v2.1.0

v2.0.0

Breaking

  • Require Node.js 18 and Electron 30 a2a542c
  • This package is now pure ESM. Please read this and this.

sindresorhus/electron-serve@v1.3.0...v2.0.0

v1.3.0

  • Support search parameters in the loadUrl method (#37) 7ae7d43
  • Support loading an HTML file with a custom name (#36) c307a57

sindresorhus/electron-serve@v1.2.0...v1.3.0

v1.2.0

sindresorhus/electron-serve@v1.1.0...v1.2.0

Commits
  • d1d76d2 3.0.1
  • f773dd5 Batch scheme registrations into a single call
  • 1b44e42 3.0.0
  • 7e03781 Minor tweaks
  • d990353 Add docs for serving multiple windows with different content
  • 09b1909 Make directory option optional with default value
  • 184e818 Require Electron 37 and Node.js 20
  • e666c5d Fix source maps support for Chrome DevTools
  • b54ab25 Document ES modules support
  • 7c429e7 Replace deprecated registerFileProtocol with protocol.handle
  • Additional commits viewable in compare view

Updates electron-store from 8.1.0 to 11.0.2

Release notes

Sourced from electron-store's releases.

v11.0.2

  • Update dependencies ccf6f15

sindresorhus/electron-store@v11.0.1...v11.0.2

v11.0.1

  • Update dependencies (#297) 8ecbb6b

sindresorhus/electron-store@v11.0.0...v11.0.1

v11.0.0


sindresorhus/electron-store@v10.1.0...v11.0.0

v10.1.0

  • Update dependencies dcf42b7

sindresorhus/electron-store@v10.0.1...v10.1.0

v10.0.1

  • Fix importing electron abc1d2f

sindresorhus/electron-store@v10.0.0...v10.0.1

v10.0.0

Breaking

This is only a breaking change if you use the schema option.

sindresorhus/electron-store@v9.0.0...v10.0.0

v9.0.0

Breaking

  • Require Node.js 20 and Electron 30 7ddf0c6
  • This package is now pure ESM. Please read this and this.

... (truncated)

Commits

Updates fix-path from 3.0.0 to 5.0.0

Release notes

Sourced from fix-path's releases.

v5.0.0

Breaking

  • Require Node.js 20 df5a5c1

Fixes

  • Fix ANSI escape sequences in PATH environment variable 59d681f

sindresorhus/fix-path@v4.0.0...v5.0.0

v4.0.0

Breaking

  • Require Node.js 12.20 8968c9b
  • This package is now pure ESM. Please read this.

Improvements

  • Add support for Linux 5f0a1a2

sindresorhus/fix-path@v3.0.0...v4.0.0

Commits

Updates fs-extra from 10.1.0 to 11.3.5

Changelog

Sourced from fs-extra's changelog.

11.3.5 / 2026-05-06

  • Fix ensureLink*/ensureSymlink* identical file detection on Windows (#1068)
  • Fix error handling in timestamp preservation code (#1065, #1069)
  • Fix potential file descriptor leak on error in synchronous timestamp preservation code (#1066)

11.3.4 / 2026-03-03

  • Fix bug where calling ensureSymlink/ensureSymlinkSync with a relative srcPath would fail if the symlink already existed (#1038, #1064)

11.3.3 / 2025-12-18

  • Fix copying symlink when destination is a symlink to the same target (#1019, #1060)

11.3.2 / 2025-09-15

  • Fix spurious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#1056, #1058)

11.3.1 / 2025-08-05

  • Fix case where move/moveSync could incorrectly think files are identical on Windows (#1050)

11.3.0 / 2025-01-15

  • Add promise support for newer fs methods (#1044, #1045)
  • Use fs.opendir in copy()/copySync() for better perf/scalability (#972, #1028)

11.2.0 / 2023-11-27

  • Copy directory contents in parallel for better performance (#1026)
  • Refactor internal code to use async/await (#1020)

11.1.1 / 2023-03-20

  • Preserve timestamps when moving files across devices (#992, #994)

11.1.0 / 2022-11-29

  • Re-add main field to package.json for better TypeScript compatibility (#979, #981)

11.0.0 / 2022-11-28

... (truncated)

Commits

Updates i18next from 21.8.14 to 26.3.1

Release notes

Sourced from i18next's releases.

v26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

v26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

v26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

v26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

v26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

v26.0.6

Security release — all issues found via an internal audit. GHSA advisory filed after release.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security docs for mitigation guidance (GHSA-TBD)
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore

v26.0.5

  • fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

v26.0.4

  • fix(types): inline formatting options like {{price, currency(EUR)}} are now correctly resolved to their base format type (e.g. number for currency) instead of falling back to string 2378

v26.0.3

  • fix(types): addResourceBundle now accepts an optional 6th options parameter ({ silent?: boolean; skipCopy?: boolean }) matching the runtime API 2419

v26.0.2

  • fix(types): t("key", {} as TOptions) no longer produces a type error — the context constraint now bypasses strict checking when context is unknown (e.g. from TOptions) 2418

v26.0.1

  • fix: Formatter no longer crashes when alwaysFormat is true and no format specifier is present (format is undefined)
  • fix: Formatter now returns undefined/null values as-is instead of producing NaN when the value is missing

... (truncated)

Changelog

Sourced from i18next's changelog.

26.3.1

  • fix(types): t() with a keyPrefix no longer pollutes its return type with sibling keys' values. A regression in 26.3.0 — the [Res] extends [never] guards added to KeysBuilderWithReturnObjects / KeysBuilderWithoutReturnObjects turned the builders into deferred conditional types, so KeyPrefix<Ns> stopped resolving to a literal union and keyPrefix inference widened to the whole namespace. Symptom: useTranslation(ns, { keyPrefix: 'a.b' }) then t('title') would resolve to '<a.b>.title' | '<other.path>.title' | ... instead of just the scoped value. Affected every react-i18next user using keyPrefix. Restored to the eager 26.2.0 form. The same-namespace conflict handling from #2434 still works via _DropConflictKeys at the merge layer (in options.d.ts). Thanks @​aaronrosenthal (#2436).

26.3.0

  • feat(types): introduce ResourceNamespaceMap — a separate mergeable augmentation surface for namespace resource types, designed for monorepos where multiple packages each want to contribute their own namespaces. Previously, every package had to coordinate on a single CustomTypeOptions.resources declaration (or fall back to typing dependency namespaces as any) because resources is a single property of an interface and TypeScript reports TS2717 when two declarations of the same property disagree. The new interface merges naturally across declare module 'i18next' blocks, so each package can ship its own i18next.d.ts independently. Per-property merge handles same-namespace contributions from multiple packages, and same-key/different-literal conflicts are silently dropped to avoid poisoning t() overload resolution. Fully backwards-compatible — existing CustomTypeOptions.resources augmentations continue to work, and both surfaces can coexist. Scalar options (defaultNS, returnNull, enableSelector, etc.) still belong on CustomTypeOptions. Thanks @​sh3xu (#2434). Fixes #2409.

26.2.0

  • feat(types): new parseInterpolation TypeOption (default true). When set to false in CustomTypeOptions, the type-level extractor stops parsing translation strings for {{variable}} patterns. Required by i18next-icu users — the default extractor mistakes ICU MessageFormat nested-brace plurals like {count, plural, one {{count} row} other {{count} rows}} for an interpolation block and demands a phantom variable name. The flag is type-only; runtime interpolation is governed by InterpolationOptions and is unaffected. Fixes i18next-icu#85.
  • fix(types): expose enableSelector on InitOptions so i18next.init({ enableSelector: 'strict' }) typechecks without a module augmentation. The runtime already reads opts?.enableSelector from init options; this lands the matching type declaration next to the other selector-resolution knobs. Accepts false | true | 'optimize' | 'strict'. Thanks @​Faithfinder (#2431)

26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425

26.0.7

  • fix: when a plural lookup misses, the missingKey debug log now shows the actual plural-resolved key (e.g. foo.bar_many for Polish count: 14) instead of the base key — making it obvious which plural category was expected and missing 2423
  • chore: drop @babel/runtime runtime dependency. The build no longer generates any @babel/runtime imports, so the package is unused by consumers. Rollup now uses babelHelpers: 'bundled' so any helpers that are ever needed in the future will be inlined rather than imported externally 2424
  • chore: stop emitting dist/esm/i18next.bundled.js. It was byte-identical to dist/esm/i18next.js because no helpers were being imported 2424

26.0.6

Security release — all issues found via an internal audit.

  • security: warn when a translation string combines escapeValue: false with interpolated variables inside a $t(key, { ... "{{var}}" ... }) nesting-options block. In that narrow combination, attacker-controlled string values containing " can break out of the JSON options literal and inject additional nesting options (e.g. redirect lng/ns). The default escapeValue: true configuration is unaffected because HTML-escaping neutralises the quote before JSON.parse. See the security note in the Nesting docs for the full pattern and mitigations
  • security: apply regexEscape to unescapePrefix / unescapeSuffix on par with the other interpolation delimiters. Prevents ReDoS (catastrophic-backtracking) when a misconfigured delimiter contains regex metacharacters, and fixes silent breakage of the {{- var}} syntax when the delimiter contains characters like (, [, .
  • security: strip CR/LF/NUL and other C0/C1 control characters from string log arguments to prevent log forging via user-controlled translation keys, language codes, namespaces, or interpolation variable names (CWE-117)
  • chore: ignore .env* and *.pem/*.key files in .gitignore

26.0.5

  • fix: cloneInstance().changeLanguage() no longer fails to update language state when the target language is not yet loaded — a race between init()'s deferred load() and the user's changeLanguage() could overwrite isLanguageChangingTo, causing setLngProps to be skipped 2422

26.0.4

... (truncated)

Commits
  • 7bdb5d7 26.3.1
  • a655e32 changelog: 26.3.1 entry for #2436
  • 57ed812 fix(types): keyPrefix no longer pollutes t() return type with sibling keys (#...
  • bdf651c 26.3.0
  • 988a362 changelog: 26.3.0 entry for #2434
  • 159506c feat(types): introduce ResourceNamespaceMap for monorepo namespace augmentati...
  • df68b1f ci: restore JSR publishing via GitHub Actions OIDC
  • 22fb6ad 26.2.0
  • b640ac4 feat(types): parseInterpolation flag for ICU-friendly t() typing (i18next-icu...
  • 0b9debd changelog: 26.1.1 entry for #2431
  • Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates i18next-fs-backend from 1.1.4 to 2.6.6

Changelog

Sourced from i18next-fs-backend's changelog.

2.6.6

Security release — coordinated disclosure from @​codeswhite. See published advisory GHSA-2933-q333-qg83.

  • security: guard the in-memory setPath / pushPath traversal (utils.getLastOfPath) against prototype pollution via crafted missing-key strings. 2.6.4 sanitised lng/ns interpolation into filesystem paths, but did not cover the JSON-object walk that writeFile() performs on each queued missing-key entry: with the default keySeparator: '.', a key like __proto__.polluted was split into ['__proto__','polluted'] and walked straight into Object.prototype. The traversal helper now refuses to descend through __proto__, constructor, or prototype segments and drops the offending write silently; legitimate dotted keys (header.title) are unaffected. Reachable in practice via i18next-http-middleware's missingKeyHandler when exposed to untrusted input — see also the matching defence-in-depth fix in i18next-http-middleware 3.9.7. Credit: @​codeswhite (GHSA-2933-q333-qg83).

2.6.5

  • fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale files such as public/locales/en/a/b.json) load correctly again. 2.6.4's security fix applied the same strict path-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafePathSegment is now split into isSafeLangSegment (strict — still rejects /) and isSafeNsSegment (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafePathSegment is kept as a backwards-compatible alias for the strict check. The 2.6.4 security fix remains in force for every concrete attack pattern from the original advisory. Fixes #74.

2.6.4

Security release — all issues found via an internal audit. See published advisory GHSA-8847-338w-5hcj.

  • security: refuse to build filesystem paths when lng or ns values contain .., path separators (/, \), control characters, prototype keys (__proto__ / constructor / prototype), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, +-joined multi-language requests) is still accepted (GHSA-8847-338w-5hcj)
  • docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around .js/.ts locale files (their content is eval-ed, so they must be treated as code). The eval behaviour itself is retained: dynamic expressions in .js/.ts locale files are an intentional feature, and safe replacements like import() are async-only and not viable for this sync-capable code path.
  • chore: ignore .env* and *.pem/*.key files in .gitignore.

2.6.3

  • use own interpolation function instead of relying on i18next's interpolator

2.6.1

  • Bump js-yaml from 4.1.0 to 4.1.1 (#64)

2.6.0

  • support initImmediate -> initAsync renaming of i18next v24

2.5.0

  • fix for Deno 2 and removal of unnecessary .cjs file
  • for esm build environments not supporting top-level await, you should import the i18next-fs-backend/cjs export or stay at v2.4.0
Commits
  • 0fff98b 2.6.6
  • 3ab0448 security: guard setPath/pushPath traversal against prototype pollution
  • 321916b Add Locize advice section near the top of README
  • 47d7198 Modernize locize.com URLs and refresh UTM tags
  • f24b597 docs: clarify that nested-ns with slashes was never officially supported
  • c5c2f2a 2.6.5
  • a910688 fix: allow forward slashes in ns values (fixes #74)
  • deced92 Bump i18next-http-backend in /example/updatable-cache (#73)
  • ca78fd4 Bump i18next-http-backend from 2.6.2 to 3.0.5 in /example/caching (#72)
  • 8651d31 Bump i18next-fs-backend from 2.4.0 to 2.6.4 in /example/updatable-cache (#71)
  • Additional commits viewable in compare view

Updates i18next-icu from 2.0.3 to 2.4.3

Changelog

Sourced from i18next-icu's changelog.

2.4.3

  • ESM by default, trying to address 78

2.4.2

  • try to address: Can't resolve latest version of intl-messageformat 77

2.4.1

  • types for escapeVariables option 74

2.4.0

  • Fix HTML special characters truncation in variable values 73 by introducing escapeVariables option

2.3.0

  • Adding function to parse language for ICU 63

2.2.0

  • update intl-messageformat dependency to address 62

2.1.0

  • update intl-messageformat dependency to address 57
Commits
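
The `lng`/`ns` checks described in the i18next-fs-backend 2.6.4 and 2.6.5 changelog entries above, written out as an added example (not i18next-fs-backend's own source). The names `isSafeLangSegment` and `isSafeNsSegment` come from the changelog; `rejectReason`, `buildLocalePath`, `classifySamples`, the `{{lng}}`/`{{ns}}` template value and the sample inputs are assumptions made for the illustration.

```javascript
// Added illustration of the rules in the changelog; not i18next-fs-backend's source.
const MAX_SEGMENT_LENGTH = 128; // "exceed 128 chars" (2.6.4 entry)
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Hypothetical helper: returns why a value is refused, or null when it is acceptable.
function rejectReason(value, allowSlash) {
  // Assumption: non-strings and empty strings are refused as well.
  if (typeof value !== 'string' || value.length === 0) return 'not a non-empty string';
  if (value.length > MAX_SEGMENT_LENGTH) return 'too long';
  if (CONTROL_CHARS.test(value)) return 'control character';
  if (value.includes('..')) return 'dot-dot sequence';
  if (value.includes('\\')) return 'backslash';
  if (!allowSlash && value.includes('/')) return 'forward slash';
  // Assumption: in a nested namespace each slash-separated part is checked.
  if (value.split('/').some((part) => PROTOTYPE_KEYS.has(part))) return 'prototype key';
  return null;
}

// Strict check for language codes: no BCP-47 shape contains "/".
function isSafeLangSegment(value) {
  return rejectReason(value, false) === null;
}

// Loose check for namespaces: "/" is allowed so nested namespaces keep working.
function isSafeNsSegment(value) {
  return rejectReason(value, true) === null;
}

// Hypothetical helper: fill the loadPath template only after both values pass.
function buildLocalePath(loadPath, lng, ns) {
  const lngProblem = rejectReason(lng, false);
  if (lngProblem) throw new Error(`unsafe lng: ${lngProblem}`);
  const nsProblem = rejectReason(ns, true);
  if (nsProblem) throw new Error(`unsafe ns: ${nsProblem}`);
  // Function replacers keep "$&"-style sequences in the values literal.
  return loadPath.replace('{{lng}}', () => lng).replace('{{ns}}', () => ns);
}

const TEMPLATE = 'public/locales/{{lng}}/{{ns}}.json'; // assumed loadPath value

// Constructed sample inputs: [lng, ns]
const SAMPLES = [
  ['en-US', 'common'],
  ['en', 'a/b'],
  ['en+de', 'common'],
  ['../outside', 'common'],
  ['en/x', 'common'],
  ['en', 'a\\b'],
  ['__proto__', 'common'],
  ['en', 'a/constructor'],
  ['en\u0000', 'common'],
  ['e'.repeat(129), 'common'],
];

// Returns the built path for accepted pairs and the refusal message otherwise.
function classifySamples(samples) {
  return samples.map(([lng, ns]) => {
    try {
      return buildLocalePath(TEMPLATE, lng, ns);
    } catch (err) {
      return err.message;
    }
  });
}

console.log(classifySamples(SAMPLES));
```

A check of this kind rejects by shape only; resolving the final path and confirming it stays under the locale root is a separate containment check that this sketch does not perform.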

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 6, 2026 21:39
@dependabot dependabot Bot changed the title chore(deps): bump the rest group with 26 updates chore(deps): bump the rest group across 1 directory with 26 updates May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 7a49e5d to 7424066 Compare May 21, 2026 04:58
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch 2 times, most recently from fcdc837 to 1de2383 Compare June 4, 2026 04:56
Bumps the rest group with 26 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [countly-sdk-nodejs](https://github.com/Countly/countly-sdk-nodejs) | `20.11.0` | `24.10.4` |
| [electron-serve](https://github.com/sindresorhus/electron-serve) | `1.1.0` | `3.0.1` |
| [electron-store](https://github.com/sindresorhus/electron-store) | `8.1.0` | `11.0.2` |
| [fix-path](https://github.com/sindresorhus/fix-path) | `3.0.0` | `5.0.0` |
| [fs-extra](https://github.com/jprichardson/node-fs-extra) | `10.1.0` | `11.3.5` |
| [i18next](https://github.com/i18next/i18next) | `21.8.14` | `26.3.1` |
| [i18next-fs-backend](https://github.com/i18next/i18next-fs-backend) | `1.1.4` | `2.6.6` |
| [i18next-icu](https://github.com/i18next/i18next-icu) | `2.0.3` | `2.4.3` |
| [intl-messageformat](https://github.com/formatjs/formatjs) | `9.13.0` | `11.2.8` |
| [ipfs-http-client](https://github.com/ipfs/js-ipfs) | `56.0.2` | `60.0.1` |
| [ipfsd-ctl](https://github.com/ipfs/js-ipfsd-ctl) | `10.0.6` | `17.0.0` |
| [it-last](https://github.com/achingbrain/it) | `1.0.6` | `3.0.11` |
| [portfinder](https://github.com/http-party/node-portfinder) | `1.0.32` | `1.0.38` |
| [untildify](https://github.com/sindresorhus/untildify) | `4.0.0` | `6.0.0` |
| [winston](https://github.com/winstonjs/winston) | `3.7.2` | `3.19.0` |
| [@electron/notarize](https://github.com/electron/notarize) | `1.2.3` | `3.1.1` |
| [@ipfs-shipyard/release-please-ipfs-plugin](https://github.com/ipfs-shipyard/release-please-ipfs-plugin) | `1.0.1` | `1.1.0` |
| [dotenv](https://github.com/motdotla/dotenv) | `16.4.5` | `17.4.2` |
| [got](https://github.com/sindresorhus/got) | `12.1.0` | `15.0.5` |
| [patch-package](https://github.com/ds300/patch-package) | `6.5.1` | `8.0.1` |
| [pre-commit](https://github.com/observing/pre-commit) | `1.2.2` | `2.0.0` |
| [semver-regex](https://github.com/sindresorhus/semver-regex) | `3.1.4` | `4.0.5` |
| [shx](https://github.com/shelljs/shx) | `0.3.4` | `0.4.0` |
| [standard](https://github.com/standard/standard) | `16.0.4` | `17.1.2` |
| [tmp](https://github.com/raszi/node-tmp) | `0.2.3` | `0.2.7` |
| [ts-standard](https://github.com/standard/ts-standard) | `11.0.0` | `12.0.2` |



Updates `countly-sdk-nodejs` from 20.11.0 to 24.10.4
- [Release notes](https://github.com/Countly/countly-sdk-nodejs/releases)
- [Changelog](https://github.com/Countly/countly-sdk-nodejs/blob/master/CHANGELOG.md)
- [Commits](Countly/countly-sdk-nodejs@20.11...24.10.4)

Updates `electron-serve` from 1.1.0 to 3.0.1
- [Release notes](https://github.com/sindresorhus/electron-serve/releases)
- [Commits](sindresorhus/electron-serve@v1.1.0...v3.0.1)

Updates `electron-store` from 8.1.0 to 11.0.2
- [Release notes](https://github.com/sindresorhus/electron-store/releases)
- [Commits](sindresorhus/electron-store@v8.1.0...v11.0.2)

Updates `fix-path` from 3.0.0 to 5.0.0
- [Release notes](https://github.com/sindresorhus/fix-path/releases)
- [Commits](sindresorhus/fix-path@v3.0.0...v5.0.0)

Updates `fs-extra` from 10.1.0 to 11.3.5
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](jprichardson/node-fs-extra@10.1.0...11.3.5)

Updates `i18next` from 21.8.14 to 26.3.1
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v21.8.14...v26.3.1)

Updates `i18next-fs-backend` from 1.1.4 to 2.6.6
- [Changelog](https://github.com/i18next/i18next-fs-backend/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-fs-backend@v1.1.4...v2.6.6)

Updates `i18next-icu` from 2.0.3 to 2.4.3
- [Changelog](https://github.com/i18next/i18next-icu/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next-icu@v2.0.3...v2.4.3)

Updates `intl-messageformat` from 9.13.0 to 11.2.8
- [Release notes](https://github.com/formatjs/formatjs/releases)
- [Commits](https://github.com/formatjs/formatjs/compare/intl-messageformat@9.13.0...intl-messageformat@11.2.8)

Updates `ipfs-http-client` from 56.0.2 to 60.0.1
- [Release notes](https://github.com/ipfs/js-ipfs/releases)
- [Changelog](https://github.com/ipfs/js-ipfs/blob/master/CHANGELOG.md)
- [Commits](ipfs/js-ipfs@ipfs-http-client-v56.0.2...ipfs-http-client-v60.0.1)

Updates `ipfsd-ctl` from 10.0.6 to 17.0.0
- [Release notes](https://github.com/ipfs/js-ipfsd-ctl/releases)
- [Changelog](https://github.com/ipfs/js-ipfsd-ctl/blob/main/CHANGELOG.md)
- [Commits](ipfs/js-ipfsd-ctl@v10.0.6...v17.0.0)

Updates `it-last` from 1.0.6 to 3.0.11
- [Release notes](https://github.com/achingbrain/it/releases)
- [Commits](https://github.com/achingbrain/it/compare/it-last@1.0.6...it-last-3.0.11)

Updates `portfinder` from 1.0.32 to 1.0.38
- [Release notes](https://github.com/http-party/node-portfinder/releases)
- [Commits](http-party/node-portfinder@v1.0.32...v1.0.38)

Updates `untildify` from 4.0.0 to 6.0.0
- [Release notes](https://github.com/sindresorhus/untildify/releases)
- [Commits](sindresorhus/untildify@v4.0.0...v6.0.0)

Updates `winston` from 3.7.2 to 3.19.0
- [Release notes](https://github.com/winstonjs/winston/releases)
- [Changelog](https://github.com/winstonjs/winston/blob/master/CHANGELOG.md)
- [Commits](winstonjs/winston@v3.7.2...v3.19.0)

Updates `@electron/notarize` from 1.2.3 to 3.1.1
- [Release notes](https://github.com/electron/notarize/releases)
- [Commits](electron/notarize@v1.2.3...v3.1.1)

Updates `@ipfs-shipyard/release-please-ipfs-plugin` from 1.0.1 to 1.1.0
- [Release notes](https://github.com/ipfs-shipyard/release-please-ipfs-plugin/releases)
- [Changelog](https://github.com/ipfs-shipyard/release-please-ipfs-plugin/blob/main/CHANGELOG.md)
- [Commits](ipfs-shipyard/release-please-ipfs-plugin@v1.0.1...v1.1.0)

Updates `dotenv` from 16.4.5 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.4.5...v17.4.2)

Updates `got` from 12.1.0 to 15.0.5
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v12.1.0...v15.0.5)

Updates `patch-package` from 6.5.1 to 8.0.1
- [Release notes](https://github.com/ds300/patch-package/releases)
- [Changelog](https://github.com/ds300/patch-package/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ds300/patch-package/commits)

Updates `pre-commit` from 1.2.2 to 2.0.0
- [Release notes](https://github.com/observing/pre-commit/releases)
- [Changelog](https://github.com/observing/pre-commit/blob/master/CHANGELOG.md)
- [Commits](https://github.com/observing/pre-commit/commits)

Updates `semver-regex` from 3.1.4 to 4.0.5
- [Release notes](https://github.com/sindresorhus/semver-regex/releases)
- [Commits](sindresorhus/semver-regex@v3.1.4...v4.0.5)

Updates `shx` from 0.3.4 to 0.4.0
- [Release notes](https://github.com/shelljs/shx/releases)
- [Changelog](https://github.com/shelljs/shx/blob/main/CHANGELOG.md)
- [Commits](shelljs/shx@v0.3.4...v0.4.0)

Updates `standard` from 16.0.4 to 17.1.2
- [Release notes](https://github.com/standard/standard/releases)
- [Changelog](https://github.com/standard/standard/blob/master/CHANGELOG.md)
- [Commits](standard/standard@v16.0.4...v17.1.2)

Updates `tmp` from 0.2.3 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.3...v0.2.7)

Updates `ts-standard` from 11.0.0 to 12.0.2
- [Changelog](https://github.com/standard/ts-standard/blob/master/CHANGELOG.md)
- [Commits](standard/ts-standard@11.0.0...v12.0.2)

---
updated-dependencies:
- dependency-name: "@electron/notarize"
  dependency-version: 3.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: "@ipfs-shipyard/release-please-ipfs-plugin"
  dependency-version: 1.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: countly-sdk-nodejs
  dependency-version: 24.10.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: electron-serve
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: electron-store
  dependency-version: 11.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: fix-path
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: fs-extra
  dependency-version: 11.3.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: got
  dependency-version: 15.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next
  dependency-version: 26.0.9
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next-fs-backend
  dependency-version: 2.6.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: i18next-icu
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: intl-messageformat
  dependency-version: 11.2.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: ipfs-http-client
  dependency-version: 60.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: ipfsd-ctl
  dependency-version: 16.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: it-last
  dependency-version: 3.0.11
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: patch-package
  dependency-version: 8.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: portfinder
  dependency-version: 1.0.38
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rest
- dependency-name: pre-commit
  dependency-version: 2.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: semver-regex
  dependency-version: 4.0.5
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: shx
  dependency-version: 0.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: rest
- dependency-name: standard
  dependency-version: 17.1.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: tmp
  dependency-version: 0.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: rest
- dependency-name: ts-standard
  dependency-version: 12.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: untildify
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rest
- dependency-name: winston
  dependency-version: 3.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rest
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/rest-fbd2cb1bd9 branch from 1de2383 to 740d1fd Compare June 11, 2026 04:56
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Obfuscated code: npm @hapi/hapi is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/ipfsd-ctl@17.0.0 → npm/@hapi/hapi@21.4.9

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@hapi/hapi@21.4.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm eslint-plugin-react is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/eslint-plugin-react@7.37.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-react@7.37.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm execa is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/ipfsd-ctl@17.0.0 → npm/execa@9.6.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/execa@9.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm ipfs-http-client is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/ipfs-http-client@60.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ipfs-http-client@60.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
